Analysis
max time kernel: 1680s
max time network: 1684s
platform: windows11-21h2_x64
resource: win11-20240709-en
resource tags: arch:x64, arch:x86, image:win11-20240709-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 19/07/2024, 19:57

Static task: static1
URLScan task: urlscan1
Behavioral task: behavioral1
Sample: https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.2/Roblox.Account.Manager.3.7.2.zip
Resource: win11-20240709-en

General
Target: https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.2/Roblox.Account.Manager.3.7.2.zip
Malware Config

Signatures

Enumerates system info in registry (2 TTPs, 3 IoCs)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer (msedge.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName (msedge.exe)

NTFS ADS (1 IoC)
- File opened for modification: C:\Users\Admin\Downloads\Roblox.Account.Manager.3.7.2.zip:Zone.Identifier (msedge.exe)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
- PID 1412 msedge.exe (2 events)
- PID 2416 msedge.exe (2 events)
- PID 4452 msedge.exe (2 events)
- PID 4496 identity_helper.exe (2 events)
- PID 3252 msedge.exe (2 events)
- PID 1956 msedge.exe (4 events)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (7 IoCs)
- PID 2416 msedge.exe (all 7 events)

Suspicious use of FindShellTrayWindow (34 IoCs)
- PID 2416 msedge.exe (all 34 events)

Suspicious use of SendNotifyMessage (12 IoCs)
- PID 2416 msedge.exe (all 12 events)

Suspicious use of WriteProcessMemory (64 IoCs)
- All 64 events are PID 2416 (msedge.exe) writing to the memory of another process. Targets: PID 784 (procid_target 81), PID 2676 (procid_target 82), PID 1412 (procid_target 83) and PID 2188 (procid_target 84); the large majority of the events are writes to PID 2676 and PID 2188.
Processes

PID 2416 (msedge.exe, top-level process)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.2/Roblox.Account.Manager.3.7.2.zip
  - Enumerates system info in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory

  PID 784 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf6d23cb8,0x7ffcf6d23cc8,0x7ffcf6d23cd8
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:22⤵PID:2676
  PID 1412 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
    - Suspicious behavior: EnumeratesProcesses

  PID 2188 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8

  PID 1540 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1

  PID 1572 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1

  PID 4356 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1

  PID 4452 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
    - NTFS ADS
    - Suspicious behavior: EnumeratesProcesses

  PID 4496 (identity_helper.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 5616 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1

  PID 5744 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1

  PID 3252 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
    - Suspicious behavior: EnumeratesProcesses

  PID 5032 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1

  PID 2036 (msedge.exe, child of 2416)
    Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5804 /prefetch:22⤵
    - Suspicious behavior: EnumeratesProcesses
    PID:1956

PID 5300 (CompPkgSrv.exe, top-level process)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding

PID 1664 (CompPkgSrv.exe, top-level process)
  Command line: C:\Windows\System32\CompPkgSrv.exe -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads