Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
max time kernel: 68s
max time network: 66s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02/08/2024, 23:07
Static task: static1
Behavioral task: behavioral1 (sample Roblox.Multi-Instance.exe, resource win7-20240704-en)
Behavioral task: behavioral2 (sample Roblox.Multi-Instance.exe, resource win10v2004-20240802-en)
General
Target: Roblox.Multi-Instance.exe
Size: 56.1MB
MD5: 8cf2eee502269a61ff4a23f391535921
SHA1: 8a83b36dc087bb4bb94707e1b6491564a1c74c99
SHA256: 569df3da9319a9ae298c37dffeb98c861bd773a513d99091d02f44cca3d945c2
SHA512: 67ebd0cedfd9528761493f9e67c1190b2ec2938cde35c877ec2423bd2c3f1fc4db494400c8e5ac3f860c0eacf80cf8dd189fcbbafc2a628e297f70b76624f995
SSDEEP: 786432:JCME85pzHPF6K6XHj3J+xA+miL0SoTyPUixTp2i:hE8XQ20oTpt
Malware Config
Signatures
System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host. This is the only signature attributed to the sample itself.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | Roblox.Multi-Instance.exe
Checks SCSI registry key(s) (3 TTPs, 3 IoCs)
SCSI information is often read in order to detect sandboxing environments. All three IoCs below are attributed to taskmgr.exe (PID 3960), the Windows Task Manager, not to the sample; the vendor/product strings read here (WDC / WDS100T2B0A) are those of the sandbox's disk.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | taskmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | taskmgr.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | taskmgr.exe
Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments. Both IoCs below are attributed to taskmgr.exe (PID 3960), not to the sample.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | taskmgr.exe
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | taskmgr.exe
Suspicious behavior: EnumeratesProcesses (18 IoCs)
pid | Process
3960 | taskmgr.exe (18 identical entries)
Suspicious use of AdjustPrivilegeToken (5 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 3960 | taskmgr.exe
Token: SeSystemProfilePrivilege | 3960 | taskmgr.exe
Token: SeCreateGlobalPrivilege | 3960 | taskmgr.exe
Token: 33 | 3960 | taskmgr.exe
Token: SeIncBasePriorityPrivilege | 3960 | taskmgr.exe
Suspicious use of FindShellTrayWindow (43 IoCs)
pid | Process
3960 | taskmgr.exe (43 identical entries)
Suspicious use of SendNotifyMessage (43 IoCs)
pid | Process
3960 | taskmgr.exe (43 identical entries)
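As an added triage example (this is not part of the tria.ge report or its signature engine): parse the registry IoC rows above into per-process records, pull the vendor and product fields out of the Enum\SCSI device-instance key, and apply the kind of substring check a sandbox-detection routine typically runs against them. The IOC_LINES input is constructed from the rows in this report; the VM_MARKERS list and every function name are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed input: the six registry IoC rows from this report, in the
# flattened "<action> <key> <process>" form the page uses.
IOC_LINES = r"""
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Roblox.Multi-Instance.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 taskmgr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A taskmgr.exe
Key value queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName taskmgr.exe
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString taskmgr.exe
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 taskmgr.exe
""".strip().splitlines()

# "<action> <registry key> <process image name>"; the key never contains spaces.
IOC_RE = re.compile(
    r"^(Key opened|Key value queried|Key created|Key value set)\s+"
    r"(\\REGISTRY\\\S+)\s+(\S+)$"
)

# Device-instance segment directly under Enum\SCSI, e.g. "Disk&Ven_WDC&Prod_WDS100T2B0A".
SCSI_ID_RE = re.compile(r"\\Enum\\SCSI\\([^\\]+)")

# Illustrative (assumed) vendor/product substrings that evasive code commonly
# treats as evidence of a hypervisor; not an exhaustive or authoritative list.
VM_MARKERS = ("VMWARE", "VBOX", "VIRTUALBOX", "QEMU", "XEN", "VIRTUAL", "MSFT")


def parse_ioc(line):
    """Split one flattened IoC row into action, registry key and process."""
    m = IOC_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised IoC row: {line!r}")
    action, key, process = m.groups()
    return {"action": action, "key": key, "process": process}


def iocs_by_process(lines):
    """Group registry keys by the process that touched them."""
    grouped = defaultdict(list)
    for line in lines:
        if line.strip():
            rec = parse_ioc(line)
            grouped[rec["process"]].append(rec["key"])
    return dict(grouped)


def scsi_identity(key):
    """Return (vendor, product) from an Enum\\SCSI key, or None if not one."""
    m = SCSI_ID_RE.search(key)
    if not m:
        return None
    # "Disk&Ven_WDC&Prod_WDS100T2B0A" -> {"Ven": "WDC", "Prod": "WDS100T2B0A"}
    fields = dict(part.split("_", 1) for part in m.group(1).split("&") if "_" in part)
    return fields.get("Ven"), fields.get("Prod")


def looks_like_vm(vendor, product):
    """The substring test an evasive binary would apply to the SCSI identity."""
    blob = " ".join(p for p in (vendor, product) if p).upper()
    return any(marker in blob for marker in VM_MARKERS)


def triage(lines):
    """Per-process summary: key count, SCSI identities seen, VM-string verdict."""
    report = {}
    for proc, keys in iocs_by_process(lines).items():
        ids = [i for i in (scsi_identity(k) for k in keys) if i]
        report[proc] = {
            "keys": len(keys),
            "scsi_devices": sorted(set(ids)),
            "vm_indicator": any(looks_like_vm(v, p) for v, p in ids),
        }
    return report


if __name__ == "__main__":
    for proc, summary in triage(IOC_LINES).items():
        print(proc, summary)
```

Run against the rows above, the only key touched by the sample is the NLS\Language key; every SCSI and processor read belongs to taskmgr.exe, and the disk identity it read (WDC / WDS100T2B0A) trips none of the assumed hypervisor markers, which is consistent with the sandbox presenting a real-looking disk to the guest.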
Processes
- C:\Users\Admin\AppData\Local\Temp\Roblox.Multi-Instance.exe (tree depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\Roblox.Multi-Instance.exe"
  PID: 3460
  Signatures:
  - System Location Discovery: System Language Discovery
- C:\Windows\system32\taskmgr.exe (tree depth 1; not a child of the sample)
  Command line: "C:\Windows\system32\taskmgr.exe" /7
  PID: 3960
  Signatures:
  - Checks SCSI registry key(s)
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
Note: taskmgr.exe is the Windows Task Manager. Every signature except the language-key read is attributed to it, so none of the sandbox-detection or privilege-adjustment behaviour above is evidence about the sample.