47a2e8bbef18d5491be3c449d9a5464a8804d9d1a85bc7e24ff80876e85104a3

Resubmissions

11/07/2024, 01:42

240711-b4wwtathph 8

11/07/2024, 01:41

240711-b4gf5a1hqm 7

Analysis

max time kernel
20s
max time network
22s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
11/07/2024, 01:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxPlayerLauncher.exe
Size

5.8MB
MD5

b022682dd39d113f2d5a65a172dbd28f
SHA1

aa874df3d3d0a9539c53a8a0c96c4c119bae2c52
SHA256

47a2e8bbef18d5491be3c449d9a5464a8804d9d1a85bc7e24ff80876e85104a3
SHA512

d6746ca7c1e10b1ed7fb48d857210ce5cd0f0542c81fdbf00a6afaf4607f30020ccc09f4c41ef9f50bc2562bf6e4380e7abaef1d5a5b1e91773281bcd9e58525
SSDEEP

98304:6Qv2DFDUtJEjcseLtY1pthFX26elVJ2qg4FMvq821kRlzcV7yMuh:B2BDULEjL//elNg44R+VGMA

Score

6^/10

evasion trojan

Malware Config

Signatures

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	RobloxPlayerLauncher.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerLauncher.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	RobloxPlayerLauncher.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer	RobloxPlayerLauncher.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	RobloxPlayerLauncher.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	RobloxPlayerLauncher.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1544 wrote to memory of 2712	1544	RobloxPlayerLauncher.exe	30
PID 1544 wrote to memory of 2712	1544	RobloxPlayerLauncher.exe	30
PID 1544 wrote to memory of 2712	1544	RobloxPlayerLauncher.exe	30
PID 1544 wrote to memory of 2712	1544	RobloxPlayerLauncher.exe	30
PID 1544 wrote to memory of 2712	1544	RobloxPlayerLauncher.exe	30
PID 1544 wrote to memory of 2712	1544	RobloxPlayerLauncher.exe	30
PID 1544 wrote to memory of 2712	1544	RobloxPlayerLauncher.exe	30

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe"
1⤵
- Checks whether UAC is enabled
- Enumerates system info in registry
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe
  C:\Users\Admin\AppData\Local\Temp\RobloxPlayerLauncher.exe --crashpad --no-rate-limit --database=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --metrics-dir=C:\Users\Admin\AppData\Local\Temp\crashpad_roblox --url=https://uploads.backtrace.rbx.com/post --annotation=RobloxChannel=production --annotation=RobloxGitHash=cb5e1ef861e0b94bbfd3c1c166285778889972be --annotation=UploadAttachmentKiloByteLimit=100 --annotation=UploadPercentage=0 --annotation=format=minidump --annotation=token=a2440b0bfdada85f34d79b43839f2b49ea6bba474bd7d126e844bc119271a1c3 --initial-client-data=0x414,0x418,0x41c,0x3e4,0x424,0x1f36a74,0x1f36a84,0x1f36a94
  2⤵
  - Enumerates system info in registry
  - Modifies system certificate store
  PID:2712

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
2KB

MD5
c361abef55c9deca3430fc383378c04c

SHA1
c5eee0cc9e59c101c90414cb562688cfd7d48421

SHA256
bf8c55dbfdf76fffcb08902063d95865a9b767247c1b79dc3705f39f006ef05a

SHA512
1c39ab2018eb769191198a8d0f4695ee90bdeec99bc74bb87db7d1df74672ec0ba91cc9ba6bc0fbd0b3d3b67e227fe50e64a0a5cb0e7472848325415bb00114e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
1KB

MD5
4930610a8a69f0dbb782ed1e766dde54

SHA1
7e4cb627f187156b2121594a9028dbdfa138c617

SHA256
00a45205bc050ece00eaf2a5435405593bce15aaf43af5474be5ed8670135aab

SHA512
c112a3100a016bd36b13de88130cea3dbc2ec51dc42bd6705b04d02685e679428cc09ef63800b25aa07f45053659579f5ed62aaa0592430302ae1b5c0752c608

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\07CEF2F654E3ED6050FFC9B6EB844250_BACC6CD2B29F18349081C9FD2343833B

Filesize
488B

MD5
2430449e025f006827b9ed921c1d470e

SHA1
f546f272672c8194af8c82aa48b8613bb48db0e4

SHA256
ee1a52ac758c0462a8f3e6411a2edc3a5f102b95caa7ac0827737a231bdf7a35

SHA512
39b41d94f399aca7e664f522c23737b34f23967ef77a5fb5c3c206793531dd8ea52dd5008086853ca8f2f25087ba2adc1082ddf18678bd67cfdbabdde9739459

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c8390aa681e775fb02d703a3d32e30f4

SHA1
2d9f4f443ffbf72a57ea04d08d8abac1b066b5b9

SHA256
c6089f08ab7ce0f874f7b8c44d0913406c663f55d907d18a534cd6eb86ef535f

SHA512
ada83f41d82ebb4873fea63eede5a73732432b95bf727bea989dfe341e5d7b94c400f5769e31f9ebee64751f7b2c6d1039db1903843467e267fe256c5e5b9ccf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5583245b65fc6593105bbd2c855c7ca3

SHA1
73b942239567a7015f05266dc7d25d9fa1ebeaca

SHA256
3bbf1b911733f64931d7f8a54ae69f85e150489fc91a53ada7882ef1cecf102a

SHA512
ed6c4b40ccd114ece81baf2480d04e9ba0c6e81d39b6fe8a4856106d3d32ec1f3d8c217f069eee7420f511e87a4a7dfbb523550f2b28d4831e138f01dd2ea519

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd2da701c614fbf81e65b9029f439205

SHA1
aec40e497ae764f52a25b337466c0a4b94c51218

SHA256
3d949c587a98ce4d75f031c18e8fed76639ed4f3874a269563d6a6ad833ad409

SHA512
9802c1cbce72d30c89632857eaf058a5cdfd2a89ee06589d06fe349babddcb4bd61f0799bc4f7327e00d488c4c5e1a9d3001a78f3b3b57fba2ba740d5bf5e00a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_D7393C8F62BDE4D4CB606228BC7A711E

Filesize
482B

MD5
62f1297bb5526e119b0e9665c4ffc6ba

SHA1
2dc26003db3b0786d58c2179ab4019cdbafb6c0c

SHA256
4d4d020874aa7b8e213158023c001b951a543ae5fb0d30481f9705c27b0c28b0

SHA512
9c4a0a6dde884e6bcb84437bef4c5f7717f3dbbe524453ae04883c2a1428257ab4757097dc55a667a926a8654a03267dd955b2f16ca0c51802bcda994c70de9d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1586.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar15A8.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads