Resubmissions

19/07/2024, 19:57

240719-yn8l1axbrq 1

19/07/2024, 19:55

240719-yndfvs1amh 1

Analysis

  • max time kernel
    1680s
  • max time network
    1684s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240709-en
  • resource tags

    arch:x64arch:x86image:win11-20240709-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    19/07/2024, 19:57

General

  • Target

    https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.2/Roblox.Account.Manager.3.7.2.zip

Score
1/10

Malware Config

Signatures

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • NTFS ADS 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 34 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://github.com/ic3w0lf22/Roblox-Account-Manager/releases/download/3.7.2/Roblox.Account.Manager.3.7.2.zip
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2416
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffcf6d23cb8,0x7ffcf6d23cc8,0x7ffcf6d23cd8
      2⤵
        PID:784
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
        2⤵
          PID:2676
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2388 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:1412
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2784 /prefetch:8
          2⤵
            PID:2188
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3308 /prefetch:1
            2⤵
              PID:1540
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
              2⤵
                PID:1572
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2732 /prefetch:1
                2⤵
                  PID:4356
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5160 /prefetch:8
                  2⤵
                  • NTFS ADS
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4452
                • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6080 /prefetch:8
                  2⤵
                  • Suspicious behavior: EnumeratesProcesses
                  PID:4496
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5740 /prefetch:1
                  2⤵
                    PID:5616
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5760 /prefetch:1
                    2⤵
                      PID:5744
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6136 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:3252
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5296 /prefetch:1
                      2⤵
                        PID:5032
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5264 /prefetch:1
                        2⤵
                          PID:2036
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1888,14664774336213441104,2595805155486465492,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5804 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:1956
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:5300
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:1664

                          Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  b26cef15e9a3cc82fb429a163f96ac6b

                                  SHA1

                                  718ac4822198b1a21f43b6941d0d8df107fd0015

                                  SHA256

                                  73af2c2ebc9187187d887e4abc8b04561c55f36f7f9cdf20293d522ce5c2f506

                                  SHA512

                                  87f96314ea9a1f394d24de5657e61cc6809c961fd05280b4875a06bb928f4e19dadf725fcd0417f16c93cdceca349dd27dd95d0f8f0f756020322803b2f91cdc

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                                  Filesize

                                  152B

                                  MD5

                                  5efcc43219d778bd14d32016100f2708

                                  SHA1

                                  b06f6726698a68781854bc342a54e06bc4562217

                                  SHA256

                                  a7534c7d125854f7fe662a7951443cad1d1ff0d8d3eb537dde5a381cd3415666

                                  SHA512

                                  6bbdf16b41bbc3ac5d4e2b93683a712d56eb58719799f69cb7240a77f799928b48af2771f76d9d7829846db12d0116e3a8ea6c5d0f02d5e840db1b3c018480b4

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                                  Filesize

                                  265B

                                  MD5

                                  f5cd008cf465804d0e6f39a8d81f9a2d

                                  SHA1

                                  6b2907356472ed4a719e5675cc08969f30adc855

                                  SHA256

                                  fcea95cc39dc6c2a925f5aed739dbedaa405ee4ce127f535fcf1c751b2b8fb5d

                                  SHA512

                                  dc97034546a4c94bdaa6f644b5cfd1e477209de9a03a5b02a360c254a406c1d647d6f90860f385e27387b35631c41f0886cb543ede9116436941b9af6cd3285d

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  7686dc45614059c02cee91daaf305c29

                                  SHA1

                                  b2a065da41c58a16cab0c2e0b331e69ee7ea3c0a

                                  SHA256

                                  e959998c8ab7ecc613cf61f0f3ebb49474b2cc3dfb7b68eb34a7f86174c2fd98

                                  SHA512

                                  ad02fa5ebb829ae8f2b5837105439b841c9838511c16ee98cd999bb4c9c44d048c7c2d1943102858cdfe96f98c0f68d4f09b53ada756a7131de165e0fd8a8a0d

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                                  Filesize

                                  5KB

                                  MD5

                                  6aca2f422294d0006c7eaf0978af666b

                                  SHA1

                                  2e317bba52d1a19141348433381fd543bf125466

                                  SHA256

                                  453af42f08fec86df8addebb38f5314384e2005f7668db225d02738eaed301ca

                                  SHA512

                                  3056044e7f5dd3c54ee5c2ff890cda54a6045b0eb26aab899738e36dee2a1edf4093d606d285a04499d04ef3cc66158b0c3e9995523f10a0924449cd57c973a5

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  46295cac801e5d4857d09837238a6394

                                  SHA1

                                  44e0fa1b517dbf802b18faf0785eeea6ac51594b

                                  SHA256

                                  0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                                  SHA512

                                  8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                                  Filesize

                                  16B

                                  MD5

                                  206702161f94c5cd39fadd03f4014d98

                                  SHA1

                                  bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                                  SHA256

                                  1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                                  SHA512

                                  0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                                • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                                  Filesize

                                  11KB

                                  MD5

                                  742bc53223dcf6450bfb65b3cb1a40a3

                                  SHA1

                                  e106904d63ae2afd34bbea1a6bba07f13ae92a2f

                                  SHA256

                                  20b3fe136b1bbe5df450260fcb0f91d25d300943cf66207bd7985a1286ebe126

                                  SHA512

                                  a5a64896a8812796a055a536134dd50d8472551a7695bf70b77038d92048aa27966cd71a80f7f4f1578504a3f5cd6fe6c9f66b1450caca43cdd666a36b886007

                                • C:\Users\Admin\Downloads\Roblox.Account.Manager.3.7.2.zip

                                  Filesize

                                  4.2MB

                                  MD5

                                  d58b79cb3d3635ba963427362f75d075

                                  SHA1

                                  0e33eeff9b625fceb2d2d0195e6f32523d57db79

                                  SHA256

                                  49b2c015da0851a2ed43820799a7bcda08e1bc5f315e107598f87f4b1bd36dac

                                  SHA512

                                  176de76618d0dc43f17e2971787666b737d7308a67f40bd2bb82ab4f0d3276f877fbeb7cc987f797e6572ec736c29d8568f441194a45cb5ba8d751bf139ab79a

                                • C:\Users\Admin\Downloads\Roblox.Account.Manager.3.7.2.zip:Zone.Identifier

                                  Filesize

                                  26B

                                  MD5

                                  fbccf14d504b7b2dbcb5a5bda75bd93b

                                  SHA1

                                  d59fc84cdd5217c6cf74785703655f78da6b582b

                                  SHA256

                                  eacd09517ce90d34ba562171d15ac40d302f0e691b439f91be1b6406e25f5913

                                  SHA512

                                  aa1d2b1ea3c9de3ccadb319d4e3e3276a2f27dd1a5244fe72de2b6f94083dddc762480482c5c2e53f803cd9e3973ddefc68966f974e124307b5043e654443b98