5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e

General

Target

Roblox Account Manager.exe
Size

5.5MB
MD5

eb54116db322c49ec2faca86f725931e
SHA1

c703685ac6221d7de624039d7351886b21ca53fc
SHA256

5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
SHA512

ef6ea52df848bf8c7c77831ee5ca64cf337a92edbb0e8d0d38844e204157545aa3c397eeea12d05f276ce4984f519a1a05cf21bc04514fbb35beebf86d7f8e78
SSDEEP

98304:8H6+2bT1Qm7d9G3s2tIfKLUXk8zdywnr5a0kqXf0Fb7WnZhP+MQuPN5Ppauz+l:5Qm59siyLU0lY9a0kSIb7aZhP+MQuPNw

Score

6^/10

Malware Config

Signatures

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
23	raw.githubusercontent.com
24	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-940600906-3464502421-4240639183-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	Roblox Account Manager.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	Roblox Account Manager.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2740	Roblox Account Manager.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2088 wrote to memory of 2740	2088	Roblox Account Manager.exe	31
PID 2088 wrote to memory of 2740	2088	Roblox Account Manager.exe	31
PID 2088 wrote to memory of 2740	2088	Roblox Account Manager.exe	31
PID 2088 wrote to memory of 2740	2088	Roblox Account Manager.exe	31

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2088
- C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
  2⤵
  - Modifies Internet Explorer settings
  - Modifies system certificate store
  - Suspicious use of AdjustPrivilegeToken
  PID:2740

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7868fcc51aeda97cb11596c9658c3406

SHA1
fc8c567a6369da203d79ca2536144eb998dc73d4

SHA256
aa746d33012c8f392f67752c927cdc4289bb6623ed5eebcb59a4fce6ed1f867a

SHA512
43e9c6d01552169dae48e4d571836757e31e683fb9c4902bdbd32da96e7c0d21fb453b77174bd426ea0dc7e39cbc47f67ecfba07e50e5b36594dcffb3cf21737

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f8a1648f179f2f0b2f47aeb9ef9b4c8

SHA1
2d01955849008a12850801c3be635f5373acdaa0

SHA256
433622262fa44e5777d63983cd9e454dbc9196dd1ac5849db940a81d71540436

SHA512
fdef1396f956403d421adf4efa46ee9a6d97e90e8a25deb4dc570a3a35ab9c49f7b6e82053ee381c243459e95e503cdd575b1d343f94cf1b72aa00f23861b2ea

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB79.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
1014B

MD5
1d917eaf5dcc8e06dd032c33f3a3d36a

SHA1
1eacb4eced22393fd5140910d30070f2e054e2fe

SHA256
787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f

SHA512
3cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
6KB

MD5
d5e4966de947333592289d70916257a9

SHA1
5907df0fd07df6c33926906e94f4ed08d40be017

SHA256
d726d47b772a70fabc777c8ed46655fe5200e672f01f11dd95c5f4994e0a71e0

SHA512
c618054766bee664f0605a037f065c196c35495ee993b305f0bece4738ec9f7bd632dc8fb541bcf9d156f12e115455f31dd8db2a8cceb9d7d2f0d05d501831e9

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB7D.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
memory/2088-4-0x0000000000BC0000-0x0000000000BE6000-memory.dmp

Filesize
152KB

Download
memory/2088-6-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-5-0x0000000000BF0000-0x0000000000C0E000-memory.dmp

Filesize
120KB

Download
memory/2088-0-0x0000000074C4E000-0x0000000074C4F000-memory.dmp

Filesize
4KB

Download
memory/2088-16-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-3-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2088-2-0x0000000000B20000-0x0000000000B66000-memory.dmp

Filesize
280KB

Download
memory/2088-1-0x00000000000D0000-0x000000000064A000-memory.dmp

Filesize
5.5MB

Download
memory/2740-20-0x000000000AA30000-0x000000000AAD0000-memory.dmp

Filesize
640KB

Download
memory/2740-18-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-21-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-19-0x0000000005610000-0x0000000005644000-memory.dmp

Filesize
208KB

Download
memory/2740-27-0x0000000009510000-0x0000000009568000-memory.dmp

Filesize
352KB

Download
memory/2740-30-0x0000000005EC0000-0x0000000005EDA000-memory.dmp

Filesize
104KB

Download
memory/2740-31-0x0000000005F60000-0x0000000005F68000-memory.dmp

Filesize
32KB

Download
memory/2740-29-0x000000000ADD0000-0x000000000AEA6000-memory.dmp

Filesize
856KB

Download
memory/2740-32-0x000000000B510000-0x000000000B5C2000-memory.dmp

Filesize
712KB

Download
memory/2740-22-0x00000000054C0000-0x00000000054CA000-memory.dmp

Filesize
40KB

Download
memory/2740-15-0x0000000004810000-0x0000000004884000-memory.dmp

Filesize
464KB

Download
memory/2740-13-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-11-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-277-0x0000000002640000-0x0000000002648000-memory.dmp

Filesize
32KB

Download
memory/2740-279-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-280-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download
memory/2740-281-0x0000000074C40000-0x000000007532E000-memory.dmp

Filesize
6.9MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads