Analysis
-
max time kernel
142s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
-
submitted
14/08/2024, 16:45
General
-
Target
Roblox Account Manager.exe
-
Size
5.4MB
-
MD5
334728f32a1144c893fdffc579a7709b
-
SHA1
97d2eb634d45841c1453749acb911ce1303196c0
-
SHA256
be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
-
SHA512
5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f
-
SSDEEP
98304:42bT1Qm7d9G4/Ml61KO9bjRxMLywnrmYa0kqXf0FJ7WLhrBzcgPgL6b:/Qm59RMowO9bjRmmYiYa0kSIJ7zgPE
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 1 IoCs
-
Modifies registry class 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 12 IoCs
-
Suspicious use of WriteProcessMemory 12 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{0EFFF5FB-BAEF-410D-8745-87A75CA52065}\.cr\vcredist.tmp"C:\Windows\Temp\{0EFFF5FB-BAEF-410D-8745-87A75CA52065}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=544 -burn.filehandle.self=552 /q /norestart4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{92508C45-2F33-4F1D-A1E0-DF58B1239B5F}\.be\VC_redist.x86.exe"C:\Windows\Temp\{92508C45-2F33-4F1D-A1E0-DF58B1239B5F}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{08CCDC27-CB52-4ABF-97D2-96581E15BEA1} {DD2F70DF-64F1-4719-8660-50848B6693BC} 3805⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 380 -s 15445⤵
- Program crash
-
-
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=1012,i,3861745594156495651,17595114179815238301,262144 --variations-seed-version --mojo-platform-channel-handle=4376 /prefetch:81⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 380 -ip 3801⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1KB
MD5a02e8a8a790f0e0861e3b6b0dbe56062
SHA1a3e65805e5c78641cafebc1052906d7350da9d2e
SHA2567fada0f81b63e1ecb265e9620ace8f5f0d40773626081849f5d98e668bc4e594
SHA512108a81f818aa027834d621c771e427ee3f300c59d9dc10d853b94b1e8d635cf6bc06338dce31da30b08660c6fb06a39f9069c983bb585049f5fe9f50b753eb42
-
Filesize
314B
MD5f18fa783f4d27e35e54e54417334bfb4
SHA194511cdf37213bebdaf42a6140c9fe5be8eb07ba
SHA256563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1
SHA512602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071
-
Filesize
6KB
MD50a86fa27d09e26491dbbb4fe27f4b410
SHA163e4b5afb8bdb67fc1d6f8dddeb40be20939289e
SHA2562b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d
SHA512fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d
-
Filesize
936B
MD5e4659ac08af3582a23f38bf6c562f841
SHA119cb4f014ba96285fa1798f008deabce632c7e76
SHA256e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5
SHA5125bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249
-
Filesize
13.2MB
MD58457542fd4be74cb2c3a92b3386ae8e9
SHA1198722b4f5fc62721910569d9d926dce22730c22
SHA256a32dd41eaab0c5e1eaa78be3c0bb73b48593de8d97a7510b97de3fd993538600
SHA51291a6283f774f9e2338b65aa835156854e9e76aed32f821b13cfd070dd6c87e1542ce2d5845beb5e4af1ddb102314bb6e0ad6214d896bb3e387590a01eae0c182
-
Filesize
634KB
MD5337b547d2771fdad56de13ac94e6b528
SHA13aeecc5933e7d8977e7a3623e8e44d4c3d0b4286
SHA25681873c2f6c8bc4acaad66423a1b4d90e70214e59710ea7f11c8aeb069acd4cd0
SHA5120d0102fafb7f471a6836708d81952f2c90c2b126ad1b575f2e2e996540c99f7275ebd1f570cafcc945d26700debb1e86b19b090ae5cdec2326dd0a6a918b7a36
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
120KB
-
Filesize
152KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
4KB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
5.4MB
-
Filesize
232KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
640KB
-
Filesize
352KB
-
Filesize
712KB
-
Filesize
136KB
-
Filesize
104KB
-
Filesize
976KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
40KB
-
Filesize
464KB
-
Filesize
7.7MB
-
Filesize
7.7MB
