hxxps://build-up[.]ec[.]europa[.]eu/system/files/2024-08/roblox-robux-generato-updated_0[.]pdf

Resubmissions

25/08/2024, 00:53

240825-a83z9azald 3

Analysis

max time kernel
31s
max time network
42s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
25/08/2024, 00:53

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

https://build-up.ec.europa.eu/system/files/2024-08/roblox-robux-generato-updated_0.pdf

Score

3^/10

discovery

Malware Config

Signatures

Browser Information Discovery 1 TTPs
Enumerate browser information.
discovery

Browser Information Discovery
T1217

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133690208464532553"	chrome.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 5 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of AdjustPrivilegeToken 60 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe
Token: SeShutdownPrivilege	3556	chrome.exe
Token: SeCreatePagefilePrivilege	3556	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe
3556	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3556 wrote to memory of 4472	3556	chrome.exe	85
PID 3556 wrote to memory of 4472	3556	chrome.exe	85
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 3668	3556	chrome.exe	86
PID 3556 wrote to memory of 4328	3556	chrome.exe	87
PID 3556 wrote to memory of 4328	3556	chrome.exe	87
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88
PID 3556 wrote to memory of 2028	3556	chrome.exe	88

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --disable-background-networking --disable-component-update --simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT' --single-argument https://build-up.ec.europa.eu/system/files/2024-08/roblox-robux-generato-updated_0.pdf
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3556
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0xf8,0xfc,0x100,0xd4,0x104,0x7ffacaddcc40,0x7ffacaddcc4c,0x7ffacaddcc58
  2⤵
  PID:4472
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --no-appcompat-clear --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --field-trial-handle=1884,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=1880 /prefetch:2
  2⤵
  PID:3668
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=1764,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2476 /prefetch:3
  2⤵
  PID:4328
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --field-trial-handle=2124,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=2584 /prefetch:8
  2⤵
  PID:2028
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --field-trial-handle=3112,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3152 /prefetch:1
  2⤵
  PID:1580
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --field-trial-handle=3124,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=3416 /prefetch:1
  2⤵
  PID:5088
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --no-appcompat-clear --field-trial-handle=4616,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4628 /prefetch:8
  2⤵
  PID:4184
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --field-trial-handle=4688,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4868 /prefetch:1
  2⤵
  PID:392
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --field-trial-handle=4412,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=4992 /prefetch:1
  2⤵
  PID:1384
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --no-appcompat-clear --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --field-trial-handle=5016,i,9575892349021867680,158528049392912115,262144 --variations-seed-version=20240801-180145.014000 --mojo-platform-channel-handle=5220 /prefetch:1
  2⤵
  PID:3060

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
PID:4420

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalSystemNetworkRestricted -p -s NgcSvc
1⤵
PID:4036

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Browser Information Discovery

T1217

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\BrowsingTopicsState

Filesize
649B

MD5
8141b3bd52e1f570aeab2c8e87530e41

SHA1
c43e1c4d9291583082d1f933ea77eede446b3c6f

SHA256
bf1f369e004bb238991ad87afe7112982007ad1791411e6b55a163c06ba638b2

SHA512
a373037e2c0be92d462436edcd485ba72f4064b885ab3d7cd6b93a143681b805492639f515b98c3b3c6ca32031f68362517dff623b96d0ba024da1dd7c1556f6

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Cache\Cache_Data\f_000003

Filesize
212KB

MD5
2257803a7e34c3abd90ec6d41fd76a5a

SHA1
f7a32e6635d8513f74bd225f55d867ea56ae4803

SHA256
af23860fb3a448f2cc6107680078402555a345eb45bc5efb750f541fe5d7c174

SHA512
e9f4dc90d0829885f08879e868aa62041150b500f62682fc108da258eee26ad9509dcbf6e8a55f2d0bdba7aa9118dd149a70a7d851820d4ea683db7808c48540

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\SCT Auditing Pending Reports

Filesize
2B

MD5
d751713988987e9331980363e24189ce

SHA1
97d170e1550eee4afc0af065b78cda302a97674c

SHA256
4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945

SHA512
b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
d3b1a125f191f6c91bffaf4e7636f96f

SHA1
eb26df47807d3f78765f82b2d2561def47e95b4a

SHA256
5bda985bea977a64286e78979a8796657d0b59291db3b08d6390da33905dc394

SHA512
1e842698c6176759382c7949bf407f73d93d3e3c2663142746611e0cc58d216ee7059a8bd5b0ba48d283c933b763d3affd043e242259db1bbe0859e2697924b3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Network\TransportSecurity

Filesize
519B

MD5
6677d3d8207e0538f0bd936bb8478546

SHA1
fa77916117ffa48e96620b466d2fa5d97c1c2985

SHA256
c0b7761d31a60cf34ceba03cd462a1459a9df31381f49f7b22ad45bac5b39591

SHA512
36a398acc76b75a7906e6237f475134ea5f6e90c367d8fa53f15bcc25c66090e9c26c0a9693a0f8a391ea40d15b0f8e73b68001ee9f60521ac57ab88e9a59234

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
49eeb4f4a8ae2cc363eb9f33b9f54a05

SHA1
9bf2dd06dfe0e9eedcd4f796a8712bbdbb99a6fc

SHA256
b01bf2f2744a8e6c5999bb5a52baa3da0b336d99489f07db1b09337d3333b8c1

SHA512
661e32158ad749cb6a18d8810b11bd17cb3efdc037af9f2774d4602dc00bafd5a04556cd2df557864350dd4ca128f3a889e3e532bd73558cf2f5564d33a13c86

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
9KB

MD5
78d8df3d78c58e1a05e807d38e2cf34e

SHA1
4a550e19bd299d93c52b4e4e476dc71b42f669a5

SHA256
31d88e3105af5865910900e045a30b66fa0f8150ae381ea3245353040dc2e555

SHA512
11dbe358a73c2493e1b72df3a2c5aa51b16aacce4e4c78fbe930f0c1e0935a33499a40c0455c520e00b8a83b3a6bd4d0cd8ba2c3d6cd263eece466eb1db1be18

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
99KB

MD5
88c4f802863f0cebd2263299498a8a32

SHA1
62e7b537f32f12ddf6c4fd3e6810a7160a95f7f1

SHA256
67a302948563b753e7b0a0fd3a66a59d545b38c97f6b37bf86335f4c60c46ca5

SHA512
9416eb0ceaf11d82f190bec7ef38b336c3c444fecedef141a381be00afc8236bb5b4de1c667a8d4e2a57c65ce5a435724cc0c71defad6ec95c1e867584117dc4

Download Submit