Analysis
-
max time kernel
148s -
max time network
150s -
platform
windows11-21h2_x64 -
resource
win11-20240802-en -
resource tags
-
submitted
24-08-2024 13:34
General
-
Target
Roblox Account Manager.exe
-
Size
5.5MB
-
MD5
eb54116db322c49ec2faca86f725931e
-
SHA1
c703685ac6221d7de624039d7351886b21ca53fc
-
SHA256
5c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
-
SHA512
ef6ea52df848bf8c7c77831ee5ca64cf337a92edbb0e8d0d38844e204157545aa3c397eeea12d05f276ce4984f519a1a05cf21bc04514fbb35beebf86d7f8e78
-
SSDEEP
98304:8H6+2bT1Qm7d9G3s2tIfKLUXk8zdywnr5a0kqXf0Fb7WnZhP+MQuPN5Ppauz+l:5Qm59siyLU0lY9a0kSIb7aZhP+MQuPNw
Malware Config
Signatures
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Blocklisted process makes network request 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 49 IoCs
-
Drops file in Windows directory 28 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 13 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 20 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart2⤵
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Auto Update.exe"C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" -update3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"4⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart6⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{4552967F-1F3A-45EB-A54A-B81352ABC5D5}\.cr\vcredist.tmp"C:\Windows\Temp\{4552967F-1F3A-45EB-A54A-B81352ABC5D5}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=568 -burn.filehandle.self=576 /q /norestart7⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\.be\VC_redist.x86.exe"C:\Windows\Temp\{779BABFD-08B7-44FA-ADA9-FCED24A75F28}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{F14B281F-8C97-4B75-A19C-EE24C72FD58A} {82186E50-E3D4-4873-9E8D-06D1EA53330D} 49768⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=924 -burn.embedded BurnPipe.{DC40A88B-B54B-4130-B259-011734ECC5C1} {E49D2A28-8B2D-41B5-A73D-439F23C70C08} 35689⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=544 -burn.filehandle.self=560 -uninstall -quiet -burn.related.upgrade -burn.ancestors={47109d57-d746-4f8b-9618-ed6a17cc922b} -burn.filehandle.self=924 -burn.embedded BurnPipe.{DC40A88B-B54B-4130-B259-011734ECC5C1} {E49D2A28-8B2D-41B5-A73D-439F23C70C08} 356810⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{CAD7CDC8-611E-4ED2-BBE3-C4099F136652} {C68552BD-BA61-43E5-AD81-02C0791042F6} 106011⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
-
-
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalService -p -s NPSMSvc1⤵
-
C:\Windows\System32\oobe\UserOOBEBroker.exeC:\Windows\System32\oobe\UserOOBEBroker.exe -Embedding1⤵
- Drops file in Windows directory
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s DisplayEnhancementService1⤵
-
C:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exeC:\Users\Admin\AppData\Local\Microsoft\OneDrive\18.151.0729.0013\FileCoAuth.exe -Embedding1⤵
- System Location Discovery: System Language Discovery
-
C:\Users\Admin\AppData\Local\Temp\0C6F0927-0036-402C-A28F-4E9026EEDFB3\dismhost.exeC:\Users\Admin\AppData\Local\Temp\0C6F0927-0036-402C-A28F-4E9026EEDFB3\dismhost.exe {6698114A-1725-4265-A4C4-52771083954A}1⤵
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD556a35d77ecf1856ba46f631951dcd5bd
SHA18d39c6a24cf16debedcc11df515b592767423b4d
SHA256d233b71adba63ddb3527b86f9978ce114940ed7c1a91bf1141d6dafaccd11074
SHA51247fe6fb54cdf5b0737ef61e57f4dab24a2bd2e53365e9b28e5c1dec7df45bc2bd0b5a4432d128180ffdce5fd7f609ed8b13f824663179cc5c3fc3e76332d45c9
-
Filesize
18KB
MD50a8377a3b0886fba19a9aeca9e6d8cf0
SHA13961426d7971d271ec003b7771372e090bad3e7d
SHA256b3a727947a81f989a03f6cd4556486cd2f6ead46c5b2e89da064e90addede581
SHA51223998c72f9e584b29ce0e7c71a964846a915d6b4a55c1ef03219cb9cda11b01ae58b9c83a06967e37c61afd7cc191a24ee4de00c8be26cb9638dabb38c1c9918
-
Filesize
20KB
MD52fc6c893369133fc033cb1d68c8321b6
SHA14d7097372525e3d021fde18867d55fca8661f2a8
SHA256288b81170b70d0d5139f075cac1d06815233781ced44e47cec0a670214402632
SHA512829d56537713e374e17ffa166c226015f0545c8dc5296976edf415941fb6b79f75fbb2484326387b3c1cf1649d2d24c77e5e13bc28e5a26ca0e9cab2a714e479
-
Filesize
19KB
MD571eb56818b49053a7db322ab0cc32134
SHA1cff1af11a3dc91cbc9230af7e5c06e971bd71d6d
SHA2565090ee6f327a0518d92b99c2bc78edcb2262d6c00c099594f7a3dff89489c388
SHA512c5c8c07ccd40740b65642e299e0cf4fe58fbeed81bf18b205503a69030d10d0e257ef898a4cb95efac438b7cf5c6b32047377743f74bc22b4c78d3d7ed709408
-
Filesize
1KB
MD572c442c0ee7dde7b3455bb315289bcf2
SHA1d33367411ce01348f531e098495885b9d2ea110b
SHA256180f825c19263ae06fc891efcde51f993b720a27bd6e563742a110b40cb3fe41
SHA512b66e975424f17e3b4dce2d2746d78b8a05001ee17a7208c1f5f81ed8530aa2e3d4b10f4c64b33ba7c05a5e9e2afc548abf6bdfaffd6015c2cb7d624a688dc018
-
Filesize
706B
MD552ca7c7d72cf263717e21ba42ef77d00
SHA1bfdc1da2880c5a07d6b772f23069fa12e97e4c3b
SHA2569cd36320ec74971a518781e7ec5e0c152792af9776603fb22fa0b5881fe9c717
SHA512477f6366d9e72850393eeeb083db1a50082c4f8444c2b918d20648805a02a58e498c44573125f436c3f23e980be2762c972f31853109459ec3a8b87dcba310ba
-
Filesize
5.5MB
MD5eb54116db322c49ec2faca86f725931e
SHA1c703685ac6221d7de624039d7351886b21ca53fc
SHA2565c7d96455bbb045cb3cb3726d7b4fff2d0810a21d7fdb34ad134696aa7f47d5e
SHA512ef6ea52df848bf8c7c77831ee5ca64cf337a92edbb0e8d0d38844e204157545aa3c397eeea12d05f276ce4984f519a1a05cf21bc04514fbb35beebf86d7f8e78
-
Filesize
1014B
MD51d917eaf5dcc8e06dd032c33f3a3d36a
SHA11eacb4eced22393fd5140910d30070f2e054e2fe
SHA256787fa9af1c32b7e198119469c0e2c02c06b34ec7c990b62b9f4fb9bc8cedaa5f
SHA5123cf5bc6160262ad454477cc0fab401696a7e5dff9e6fae1cdcfa0579ded640ea8c383dfcea6194f55c914927058e2355fd661d1fa83f87c10aeffa6a91cb9fcd
-
Filesize
942B
MD5f99fcdcfd630d18e441188092a56ae6a
SHA1ffda4080b708554f32cd1fe1545298b40ce456f6
SHA2563596dd7a1aa6d5ea2e030b7fc1b04e0eb4e58b01b4edd8d8f6d1882cfbea37fe
SHA512291d4d942f8752c8eb1dee4d6f68c2d2b15e8e426f271968eb372470faca9bb6866184a4ee2b9e0d91f38b45327440c4f18601c1a16bfda2b98cfe524db69f62
-
Filesize
314B
MD5f18fa783f4d27e35e54e54417334bfb4
SHA194511cdf37213bebdaf42a6140c9fe5be8eb07ba
SHA256563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1
SHA512602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071
-
Filesize
5.4MB
MD5334728f32a1144c893fdffc579a7709b
SHA197d2eb634d45841c1453749acb911ce1303196c0
SHA256be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
SHA5125df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f
-
Filesize
6KB
MD5d5e4966de947333592289d70916257a9
SHA15907df0fd07df6c33926906e94f4ed08d40be017
SHA256d726d47b772a70fabc777c8ed46655fe5200e672f01f11dd95c5f4994e0a71e0
SHA512c618054766bee664f0605a037f065c196c35495ee993b305f0bece4738ec9f7bd632dc8fb541bcf9d156f12e115455f31dd8db2a8cceb9d7d2f0d05d501831e9
-
Filesize
6KB
MD50a86fa27d09e26491dbbb4fe27f4b410
SHA163e4b5afb8bdb67fc1d6f8dddeb40be20939289e
SHA2562b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d
SHA512fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d
-
Filesize
2KB
MD5574f0c715ade59a09e5fe38b5e6d3a1e
SHA1bd6476c024b2fed40bf205410b802df5718ec155
SHA2567c3d90352fbb85bfee9b8c3a7335a27771881f724c9860b036faa59063f72960
SHA512addc34479629d3231b2fcb9f8aa04bc01d72436d2dc71639fd618ff0187977ef0b098e957ccd5c976396107a65fd2eefa80f7388bb2535f4e18f7ef574e06bad
-
Filesize
3KB
MD545ea8363b988464bd62d24a07f598f4e
SHA14f249c11524b98dd56b9fe3de2f5984e70a0cd69
SHA256136c48b839630064d205603fef3114be4b87ee0df5d75b27139d9f0c0802ae05
SHA51210061d63e11d5bfe31e91a73a985a9e217565986a5dea1f3b9973480ab735e53435543ec212ed609f71148e7b16ecb0de4cbfe286f501278f97c604ead2d7a0a
-
Filesize
158B
MD5f4a87ce515ccc1c7ce51a11a9867d7c4
SHA1affb7235f8b6d6d5b4e0834d9022b704982d276b
SHA256d38282975197a81f748459ba4c63b498f2f418f3380c3b6d2ce6006d47be043c
SHA5124cbc9497769778512e980bb6cb32c2ccfba90b0f0998552a4c07ed6114cb5badcab498e6cec16d2e101ec8623a7a811c4c31a3dc7a073b1801dbe472b377c92e
-
Filesize
585B
MD5941757708295fccad6ac607b322ce792
SHA10e73740d64c170c97dd27e28433b3e05f705538a
SHA256425667dd2c17f37b54577df46ac5aa01094437ab626c4de70a7a8da9b6a0098d
SHA512eaa5a5270af87b71cb7cdf33181d8b335c5c03a3d1cd4c71e208f8a41bc6bbd0702990aeeb68be48e032c51fa9e402cb6a1213e47618a9c5b22991241e2ee2e9
-
Filesize
936B
MD5e4659ac08af3582a23f38bf6c562f841
SHA119cb4f014ba96285fa1798f008deabce632c7e76
SHA256e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5
SHA5125bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249
-
Filesize
13.2MB
MD58457542fd4be74cb2c3a92b3386ae8e9
SHA1198722b4f5fc62721910569d9d926dce22730c22
SHA256a32dd41eaab0c5e1eaa78be3c0bb73b48593de8d97a7510b97de3fd993538600
SHA51291a6283f774f9e2338b65aa835156854e9e76aed32f821b13cfd070dd6c87e1542ce2d5845beb5e4af1ddb102314bb6e0ad6214d896bb3e387590a01eae0c182
-
Filesize
634KB
MD5337b547d2771fdad56de13ac94e6b528
SHA13aeecc5933e7d8977e7a3623e8e44d4c3d0b4286
SHA25681873c2f6c8bc4acaad66423a1b4d90e70214e59710ea7f11c8aeb069acd4cd0
SHA5120d0102fafb7f471a6836708d81952f2c90c2b126ad1b575f2e2e996540c99f7275ebd1f570cafcc945d26700debb1e86b19b090ae5cdec2326dd0a6a918b7a36
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
822KB
MD525bd21af44d3968a692e9b8a85f5c11d
SHA1d805d1624553199529a82151f23a1330ac596888
SHA256f4576ef2e843c282d2a932f7c55d71cc3fcbb35b0a17a0a640eb5f21731cc809
SHA512ed3660183bf4e0d39e4f43a643007afc143b1d4ec0b45f0fdce28d8e896f646ec24a2a7a5429e8b10f4379cb4ffd1572adba10fc426990d05c0cafefdd87a4fb
-
Filesize
4.9MB
MD53a7979fbe74502ddc0a9087ee9ca0bdf
SHA13c63238363807c2f254163769d0a582528e115af
SHA2567327d37634cc8e966342f478168b8850bea36a126d002c38c7438a7bd557c4ca
SHA5126435db0f210ad317f4cd00bb3300eb41fb86649f7a0e3a05e0f64f8d0163ab53dbdb3c98f99a15102ce09fcd437a148347bab7bfd4afe4c90ff2ea05bb4febff
-
Filesize
180KB
MD52ba51e907b5ee6b2aef6dfe5914ae3e3
SHA16cc2c49734bf9965fe0f3977705a417ed8548718
SHA256be137dc2b1ec7e85ae7a003a09537d3706605e34059361404ea3110874895e3a
SHA512e3ba5aa8f366e3b1a92d8258daa74f327248fb21f168b7472b035f8d38f549f5f556eb9093eb8483ca51b78e9a77ee6e5b6e52378381cce50918d81e8e982d47
-
Filesize
180KB
MD5828f217e9513cfff708ffe62d238cfc5
SHA19fb65d4edb892bf940399d5fd6ae3a4b15c2e4ba
SHA256a2ad58d741be5d40af708e15bf0dd5e488187bf28f0b699d391a9ef96f899886
SHA512ffc72b92f1431bbd07889e28b55d14ea11f8401e2d0b180e43a898914209893941affacc0a4ea34eeefc9b0ca4bc84a3045591cd98aae6bdb11ae831dc6bb121
-
Filesize
280KB
-
Filesize
5.4MB
-
Filesize
476KB
-
Filesize
7.7MB
-
Filesize
584KB
-
Filesize
5.5MB
-
Filesize
7.7MB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
152KB
-
Filesize
280KB
-
Filesize
5.6MB
-
Filesize
472KB
-
Filesize
40KB
-
Filesize
72KB
-
Filesize
120KB
-
Filesize
476KB
-
Filesize
104KB
-
Filesize
40KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
464KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
856KB
-
Filesize
32KB
-
Filesize
208KB
-
Filesize
136KB
-
Filesize
712KB
-
Filesize
352KB
-
Filesize
40KB
-
Filesize
640KB
-
Filesize
7.7MB
-
Filesize
476KB
-
Filesize
232KB
-
Filesize
3.3MB
-
Filesize
640KB
-
Filesize
32KB
-
Filesize
464KB
-
Filesize
320KB
-
Filesize
248KB
-
Filesize
976KB
