cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9

Resubmissions

11/08/2024, 01:08

240811-bg9t6asaqe 7

11/08/2024, 01:05

240811-bftfsasakf 7

Analysis

max time kernel
40s
max time network
47s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
11/08/2024, 01:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Roblox Account Manager.exe
Size

5.2MB
MD5

a057fae0c8c97ee6cf2c12fb7bcf034d
SHA1

64fe0eb242b5c3f9c42f4f2c1685e4a36708e4f6
SHA256

cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9
SHA512

447cf69cf39ef19d098f4ab223d6ad9d760efb1eabb1bb0dac27fd2e55ac14c5a6502f2edd00b199d2db702e38551065bcc087c8df931360e769443908a4d200
SSDEEP

98304:b2bT1Qm7d9GP4i7q0LTWgtUmWzmSyZs9S8Z/LywnrSkqXf0Fb7WnhNMYkj7:4Qm59q/tUhzmS9zZ/mY+kSIb7ahNMYk

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
1504	Auto Update.exe

Executes dropped EXE 3 IoCs

pid	Process
1504	Auto Update.exe
1028	Roblox Account Manager.exe
4544	Roblox Account Manager.exe

Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs

Web Service

T1102

flow	ioc
2	raw.githubusercontent.com
11	raw.githubusercontent.com
22	raw.githubusercontent.com

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Auto Update.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Roblox Account Manager.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe
Key created	\REGISTRY\USER\S-1-5-21-242286936-336880687-2152680090-1000\Software\Microsoft\Internet Explorer\TypedURLs	Roblox Account Manager.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1504	Auto Update.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
4544	Roblox Account Manager.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	4540	Roblox Account Manager.exe
Token: SeDebugPrivilege	1504	Auto Update.exe
Token: SeIncreaseQuotaPrivilege	1504	Auto Update.exe
Token: SeDebugPrivilege	4544	Roblox Account Manager.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2652 wrote to memory of 4540	2652	Roblox Account Manager.exe	82
PID 2652 wrote to memory of 4540	2652	Roblox Account Manager.exe	82
PID 2652 wrote to memory of 4540	2652	Roblox Account Manager.exe	82
PID 4540 wrote to memory of 1504	4540	Roblox Account Manager.exe	83
PID 4540 wrote to memory of 1504	4540	Roblox Account Manager.exe	83
PID 4540 wrote to memory of 1504	4540	Roblox Account Manager.exe	83
PID 1028 wrote to memory of 4544	1028	Roblox Account Manager.exe	86
PID 1028 wrote to memory of 4544	1028	Roblox Account Manager.exe	86
PID 1028 wrote to memory of 4544	1028	Roblox Account Manager.exe	86

C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2652
- C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
  "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4540
- - C:\Users\Admin\AppData\Local\Temp\Auto Update.exe
    "C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" -update
    3⤵
    - Deletes itself
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1504
  - - C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
      "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1028
    - - C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
        
        "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        
        PID:4544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox Account Manager.exe.log

Filesize
1KB

MD5
72c442c0ee7dde7b3455bb315289bcf2

SHA1
d33367411ce01348f531e098495885b9d2ea110b

SHA256
180f825c19263ae06fc891efcde51f993b720a27bd6e563742a110b40cb3fe41

SHA512
b66e975424f17e3b4dce2d2746d78b8a05001ee17a7208c1f5f81ed8530aa2e3d4b10f4c64b33ba7c05a5e9e2afc548abf6bdfaffd6015c2cb7d624a688dc018

Download Submit
C:\Users\Admin\AppData\Local\Temp\Auto Update.exe

Filesize
5.2MB

MD5
a057fae0c8c97ee6cf2c12fb7bcf034d

SHA1
64fe0eb242b5c3f9c42f4f2c1685e4a36708e4f6

SHA256
cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9

SHA512
447cf69cf39ef19d098f4ab223d6ad9d760efb1eabb1bb0dac27fd2e55ac14c5a6502f2edd00b199d2db702e38551065bcc087c8df931360e769443908a4d200

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
1KB

MD5
5369e83203a8972ee844ac973efd985a

SHA1
d91909ad9be3a67f66687a5cc58258fe2b715986

SHA256
fbbf21c6c6a3594b126ad1e48a06e315478022b6fa54ab0dc54b9ddaf30089ee

SHA512
af7fbb21b3ff7a32b34c72a303f380edda527a0f4273237f3c9a9f8804e83eb2bbbc1300135d094f64888227d72fdd832616dc2e18797398ad3df6db0d6b16f6

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMSettings.ini

Filesize
979B

MD5
55b8673b79b50f986f86a11d2d070f4f

SHA1
51a3100f7cd5906526263c3d3393eced7d0ee637

SHA256
1df09256c36fd4688402dcb748319d78827606aa53686bffdf709aa43d6765c7

SHA512
7ae72de3fcdf4e175699714fd78fc35b04ed3aaef8efe717ebdf62c9e4e125e22642dda9eaf3c00659d73ea8638452b0e9cd1a21cd88a6f4e72f98113d0b072a

Download Submit
C:\Users\Admin\AppData\Local\Temp\RAMTheme.ini

Filesize
314B

MD5
f18fa783f4d27e35e54e54417334bfb4

SHA1
94511cdf37213bebdaf42a6140c9fe5be8eb07ba

SHA256
563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1

SHA512
602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe

Filesize
5.4MB

MD5
334728f32a1144c893fdffc579a7709b

SHA1
97d2eb634d45841c1453749acb911ce1303196c0

SHA256
be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

SHA512
5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
5KB

MD5
7e067afe7c779870c370c40240e2ce1f

SHA1
71d59901ee26810c2b2cfdeca176cec9a54fdb48

SHA256
5e0ba1895cf088e6d6907b8abbd8cd41c86f39cc642351a9ab0bf458bf1f5b31

SHA512
7ae4e81cd7a06aca5c363e1009d898aa8b42236d6796c38a8ba07adb52eae45f69cd446d008a0e1d12c60c02a43bee1c813231d58884c6dd69a2967e243c9cc6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

Filesize
6KB

MD5
0a86fa27d09e26491dbbb4fe27f4b410

SHA1
63e4b5afb8bdb67fc1d6f8dddeb40be20939289e

SHA256
2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d

SHA512
fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

Download Submit
C:\Users\Admin\AppData\Local\Temp\log.txt

Filesize
142B

MD5
83c99a94c48cbf4ebef7ba739486cf1b

SHA1
5313d13e9957164d452d6551883b98b705bdfa55

SHA256
3c72e5b286da37266df0c16afcc16b96994420685c00ea0e3d0fe1cd7e04bc91

SHA512
e1a8f2e7a8a417f9ae2d8ea67797743211530d772b5623b1edb8323e29b407a578c624a674607e83677ea9e43e271d7a47933e6c6db8d983c88a376b18e71511

Download Submit
C:\Users\Admin\AppData\Local\Temp\log.txt

Filesize
569B

MD5
a20ca95caeaf5928fcab7829f1afa0e5

SHA1
07a10356ad152efb65c277f278abf4d467aa3897

SHA256
1dbfe999b6d6e7d23dede069334f5d5116034a56c642c853f938d7fbaa22d518

SHA512
d09937eb21301927520dc57069d9c31f7a7b72f4b86957d2b5b7f6001e0cf170d30a5d40777b3c868529cc27515d9673bb4f618051d9d4ae38487232ac2d5a5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\log4.config

Filesize
936B

MD5
e4659ac08af3582a23f38bf6c562f841

SHA1
19cb4f014ba96285fa1798f008deabce632c7e76

SHA256
e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5

SHA512
5bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249

Download Submit
memory/1028-71-0x0000000005CC0000-0x0000000005D06000-memory.dmp

Filesize
280KB

Download
memory/1028-70-0x0000000000E90000-0x00000000013FC000-memory.dmp

Filesize
5.4MB

Download
memory/1504-55-0x0000000008FA0000-0x0000000008FB2000-memory.dmp

Filesize
72KB

Download
memory/1504-56-0x0000000009040000-0x00000000090B6000-memory.dmp

Filesize
472KB

Download
memory/1504-62-0x000000000B010000-0x000000000B02E000-memory.dmp

Filesize
120KB

Download
memory/2652-2-0x00000000066A0000-0x0000000006C46000-memory.dmp

Filesize
5.6MB

Download
memory/2652-4-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/2652-3-0x0000000005EA0000-0x0000000005EE6000-memory.dmp

Filesize
280KB

Download
memory/2652-5-0x00000000060F0000-0x0000000006182000-memory.dmp

Filesize
584KB

Download
memory/2652-14-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/2652-6-0x0000000005FB0000-0x0000000005FD6000-memory.dmp

Filesize
152KB

Download
memory/2652-1-0x0000000000F60000-0x000000000149E000-memory.dmp

Filesize
5.2MB

Download
memory/2652-7-0x0000000005FF0000-0x000000000600E000-memory.dmp

Filesize
120KB

Download
memory/2652-0-0x0000000074E8E000-0x0000000074E8F000-memory.dmp

Filesize
4KB

Download
memory/4540-25-0x000000000AF30000-0x000000000AFC2000-memory.dmp

Filesize
584KB

Download
memory/4540-24-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4540-36-0x000000000B7A0000-0x000000000B7A8000-memory.dmp

Filesize
32KB

Download
memory/4540-37-0x000000000B790000-0x000000000B798000-memory.dmp

Filesize
32KB

Download
memory/4540-38-0x000000000BED0000-0x000000000BF82000-memory.dmp

Filesize
712KB

Download
memory/4540-39-0x000000000C100000-0x000000000C10A000-memory.dmp

Filesize
40KB

Download
memory/4540-34-0x000000000B6A0000-0x000000000B75E000-memory.dmp

Filesize
760KB

Download
memory/4540-53-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4540-33-0x000000000B670000-0x000000000B692000-memory.dmp

Filesize
136KB

Download
memory/4540-31-0x000000000B4A0000-0x000000000B4F8000-memory.dmp

Filesize
352KB

Download
memory/4540-26-0x000000000AFC0000-0x000000000AFCA000-memory.dmp

Filesize
40KB

Download
memory/4540-35-0x000000000B760000-0x000000000B77A000-memory.dmp

Filesize
104KB

Download
memory/4540-23-0x000000000A910000-0x000000000A944000-memory.dmp

Filesize
208KB

Download
memory/4540-22-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4540-15-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4540-20-0x0000000005FB0000-0x0000000005FBA000-memory.dmp

Filesize
40KB

Download
memory/4540-19-0x0000000006670000-0x00000000066E4000-memory.dmp

Filesize
464KB

Download
memory/4540-16-0x0000000074E80000-0x0000000075631000-memory.dmp

Filesize
7.7MB

Download
memory/4544-82-0x000000000B370000-0x000000000B410000-memory.dmp

Filesize
640KB

Download
memory/4544-81-0x000000000AF60000-0x000000000AF9A000-memory.dmp

Filesize
232KB

Download
memory/4544-88-0x000000000D5E0000-0x000000000D6D4000-memory.dmp

Filesize
976KB

Download
memory/4544-89-0x000000000D8C0000-0x000000000D910000-memory.dmp

Filesize
320KB

Download
memory/4544-90-0x0000000005D80000-0x0000000005D88000-memory.dmp

Filesize
32KB

Download
memory/4544-91-0x000000000D910000-0x000000000DC67000-memory.dmp

Filesize
3.3MB

Download