General

  • Target

    RobloxPlayerInstaller.exe

  • Size

    5.5MB

  • Sample

    240727-wvn5tswanf

  • MD5

    4b333632262ce2606c39b1613f345ce5

  • SHA1

    fda30b2198ab865e5780c86415333df8d83b50fd

  • SHA256

    d9bd50a3c1ef0cf2f9978862e786731e8be1d97d50540d85b58f92614fa84cda

  • SHA512

    7c742f50846036b94b2844c70f8c350344685674db1a8b253af9000ab7b9b78abe7049e9c3d9b28d9d98ae6ba243f6a4377ac2c873d9cf8ff923dc61ea734e72

  • SSDEEP

    98304:Q8vj23XO7INTOKdWOm39VQOuKigT3SsPyFRUhE1Azc9uPp:njgO7InF+6gTkFRjew9ip
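
To confirm that a file on disk is the sample this report describes, hash it with every algorithm listed above and compare. The script below is an added example, not part of the sandbox report; the digests are copied from the General section, the file path is whatever the analyst passes on the command line (assumed), and SSDEEP is omitted because it needs the third-party ssdeep library.

```python
"""Check a local file against the hashes published in this report.

Added example; not part of the sandbox report or the sample. The hash
values are copied from the report above; the file path is whatever the
analyst passes in (assumption). SSDEEP is left out because it needs the
ssdeep library.
"""
import hashlib
import sys

REPORT_HASHES = {
    "md5": "4b333632262ce2606c39b1613f345ce5",
    "sha1": "fda30b2198ab865e5780c86415333df8d83b50fd",
    "sha256": "d9bd50a3c1ef0cf2f9978862e786731e8be1d97d50540d85b58f92614fa84cda",
    "sha512": "7c742f50846036b94b2844c70f8c350344685674db1a8b253af9000ab7b9b78a"
              "be7049e9c3d9b28d9d98ae6ba243f6a4377ac2c873d9cf8ff923dc61ea734e72",
}
ALGORITHMS = tuple(REPORT_HASHES)


def _digest(chunks, algorithms):
    """Feed every chunk into one hasher per algorithm in a single pass."""
    hashers = {name: hashlib.new(name) for name in algorithms}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def hash_bytes(data, algorithms=ALGORITHMS):
    """Digests of an in-memory buffer, keyed by algorithm name."""
    return _digest([data], algorithms)


def hash_file(path, algorithms=ALGORITHMS, chunk_size=1 << 20):
    """Hash a file in 1 MiB chunks so large samples are not read into memory."""
    def chunks():
        with open(path, "rb") as f:
            while True:
                block = f.read(chunk_size)
                if not block:
                    return
                yield block
    return _digest(chunks(), algorithms)


def compare_hashes(actual, expected=REPORT_HASHES):
    """Per-algorithm match result; hex digests are compared case-insensitively."""
    return {name: actual.get(name, "").lower() == value.lower()
            for name, value in expected.items()}


def is_reported_sample(path, expected=REPORT_HASHES):
    """True only if every published digest matches the file on disk."""
    return all(compare_hashes(hash_file(path, tuple(expected)), expected).values())


if __name__ == "__main__":
    target = sys.argv[1]  # path to the file under test (analyst-supplied)
    for name, ok in compare_hashes(hash_file(target)).items():
        print(f"{name:7s} {'match' if ok else 'MISMATCH'}")
    sys.exit(0 if is_reported_sample(target) else 1)
```

Run it as `python check_sample.py RobloxPlayerInstaller.exe`; a non-zero exit means at least one digest differs, which is the signal to treat the file as a different build rather than this sample.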

Malware Config

Targets

    • Target

      RobloxPlayerInstaller.exe

    • Size

      5.5MB

    • MD5

      4b333632262ce2606c39b1613f345ce5

    • SHA1

      fda30b2198ab865e5780c86415333df8d83b50fd

    • SHA256

      d9bd50a3c1ef0cf2f9978862e786731e8be1d97d50540d85b58f92614fa84cda

    • SHA512

      7c742f50846036b94b2844c70f8c350344685674db1a8b253af9000ab7b9b78abe7049e9c3d9b28d9d98ae6ba243f6a4377ac2c873d9cf8ff923dc61ea734e72

    • SSDEEP

      98304:Q8vj23XO7INTOKdWOm39VQOuKigT3SsPyFRUhE1Azc9uPp:njgO7InF+6gTkFRjew9ip

    • Downloads MZ/PE file

    • Event Triggered Execution: Image File Execution Options Injection

      Adversaries may establish persistence and/or elevate privileges by executing malicious content triggered by Image File Execution Options (IFEO) debuggers.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    • Executes dropped EXE

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Checks whether UAC is enabled

      Reads the UAC configuration from the registry (typically the EnableLUA value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System), which tells the sample whether elevation will prompt the user.

    • Checks system information in the registry

      System information is often read in order to detect sandboxing environments.

    • Suspicious use of NtCreateThreadExHideFromDebugger

      Creates a thread with the THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER flag so that an attached debugger receives no events for it, an anti-analysis technique.

    • Suspicious use of NtSetInformationThreadHideFromDebugger

      Calls NtSetInformationThread with the ThreadHideFromDebugger information class on an existing thread, with the same effect.
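
Most of the behaviours listed above can be recovered from a sandbox's registry and API event log. The script below is an added example of that detection logic, not the sandbox's own signature engine: the event shape (dicts with "kind" of "reg" or "api") and every record in SAMPLE_EVENTS are constructed for illustration, the CLSID in the COM event is a placeholder, and the three file- and process-based signatures (Downloads MZ/PE file, Executes dropped EXE, Loads dropped DLL) are left out because they need file and process events. The ATT&CK technique IDs are the standard ones for each behaviour; the two anti-debugging constants are the documented NT values.

```python
"""Flag the behaviours this report lists from sandbox-style event records.

Added example; not the sandbox's own signature engine. The event shape
("kind": "reg" or "api") and the events in SAMPLE_EVENTS are constructed
for illustration. Only behaviours visible in registry and API events are
covered; "Downloads MZ/PE file", "Executes dropped EXE" and "Loads dropped
DLL" need file and process events and are left out.
"""
import re

# NT constants used by the two anti-debugging signatures
THREAD_HIDE_FROM_DEBUGGER = 0x11             # THREADINFOCLASS value 17
THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER = 0x4  # NtCreateThreadEx CreateFlags bit

# (signature name, ATT&CK technique, registry ops, key pattern, value names or None)
REG_RULES = [
    ("Event Triggered Execution: Image File Execution Options Injection", "T1546.012",
     {"SetValue"}, r"\\Image File Execution Options\\", {"debugger"}),
    ("Event Triggered Execution: Component Object Model Hijacking", "T1546.015",
     {"SetValue"},
     r"^HKCU\\Software\\Classes\\CLSID\\\{[0-9a-f-]+\}\\(InprocServer32|LocalServer32)", None),
    ("Checks installed software on the system", "T1518",
     {"OpenKey", "EnumKey", "QueryValue"}, r"\\CurrentVersion\\Uninstall(\\|$)", None),
    ("Checks whether UAC is enabled", "T1012",
     {"QueryValue"}, r"\\CurrentVersion\\Policies\\System$", {"enablelua"}),
    ("Checks system information in the registry", "T1082",
     {"QueryValue"}, r"^HKLM\\HARDWARE\\DESCRIPTION\\System(\\|$)", None),
]

SAMPLE_EVENTS = [  # constructed, in the order a dropper might emit them
    {"kind": "reg", "op": "SetValue", "value": "Debugger",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe"},
    {"kind": "reg", "op": "SetValue", "value": "",   # placeholder CLSID
     "key": r"HKCU\Software\Classes\CLSID\{00000000-0000-0000-0000-000000000001}\InprocServer32"},
    {"kind": "reg", "op": "QueryValue", "value": "DisplayName",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Notepad++"},
    {"kind": "reg", "op": "QueryValue", "value": "EnableLUA",
     "key": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"},
    {"kind": "reg", "op": "QueryValue", "value": "SystemManufacturer",
     "key": r"HKLM\HARDWARE\DESCRIPTION\System\BIOS"},
    {"kind": "api", "name": "NtSetInformationThread",
     "args": {"ThreadInformationClass": THREAD_HIDE_FROM_DEBUGGER}},
    {"kind": "api", "name": "NtCreateThreadEx",
     "args": {"CreateFlags": THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER}},
    {"kind": "reg", "op": "QueryValue", "value": "version",   # benign, must not fire
     "key": r"HKCU\Software\SomeVendor\SomeApp"},
]


def match_reg(ev):
    """First registry rule whose op, key pattern and value name all match."""
    for name, technique, ops, key_pattern, value_names in REG_RULES:
        if ev["op"] not in ops:
            continue
        if not re.search(key_pattern, ev["key"], re.IGNORECASE):
            continue
        if value_names is not None and ev.get("value", "").lower() not in value_names:
            continue
        return name, technique
    return None


def match_api(ev):
    """The two thread-hiding anti-debug calls, keyed on their NT arguments."""
    args = ev.get("args", {})
    if (ev["name"] == "NtSetInformationThread"
            and args.get("ThreadInformationClass") == THREAD_HIDE_FROM_DEBUGGER):
        return "Suspicious use of NtSetInformationThreadHideFromDebugger", "T1622"
    if (ev["name"] == "NtCreateThreadEx"
            and args.get("CreateFlags", 0) & THREAD_CREATE_FLAGS_HIDE_FROM_DEBUGGER):
        return "Suspicious use of NtCreateThreadExHideFromDebugger", "T1622"
    return None


def triage(events):
    """Return (signature, technique, event) for every event that fires a rule."""
    hits = []
    for ev in events:
        m = match_reg(ev) if ev["kind"] == "reg" else match_api(ev)
        if m:
            hits.append((m[0], m[1], ev))
    return hits


def signature_names(events):
    """Deduplicated signature names, the way a report's Targets section lists them."""
    return sorted({name for name, _, _ in triage(events)})


if __name__ == "__main__":
    for name, technique, ev in triage(SAMPLE_EVENTS):
        print(f"{technique:10s} {name}")
```

The registry rules deliberately key on the operation as well as the path: reading an IFEO Debugger value is routine (debuggers and installers do it), while writing one is the persistence technique, which is why the IFEO and COM rules fire only on SetValue.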

MITRE ATT&CK Enterprise v15

Tasks