838f71ca07ef5c1e41032372c579ef9084b5867720b65a92ca9adb75244031f4

General

Target

LIVE-WindowsPlayer-version-ad321ed0d27f48b2.zip
Size

256.0MB
Sample

240829-sjce4sxhmf
MD5

23008d092456af71acc8e7a88f5d0cdb
SHA1

cec151e9b6effaddefc56a7983eb7426b04210e7
SHA256

838f71ca07ef5c1e41032372c579ef9084b5867720b65a92ca9adb75244031f4
SHA512

2d7269e128f1fd2a95840d71d4262559d3e0bc76a0b8c9345c5381cda800dc82e8f09d651d215ebb048877e83e666ff8ed55361003acbc99c4eb577506340073
SSDEEP

3145728:ir4lAn94u8M9lXLTlteucUq5KAUjhWfBLOHxwg73KEjxtq:ikw8YvLZc14aVOHV31G

Score

8^/10

Malware Config

Targets

- Target
  
  RobloxCrashHandler.exe
- Size
  
  6.5MB
- MD5
  
  438b76ab429b2606939684cc9f3ba92d
- SHA1
  
  f019b2620a37f42430bbc1c8df8275222442fef7
- SHA256
  
  84a8bf2b11c84baa4cb5e6065ba41f4f4f54c1badd1e7584d5422c4a31fcce7f
- SHA512
  
  31c5c623df72d74dd03dfbf77c58de4a1266f29cc2860ee31e8c6579ec15fbc2d3b53b60b516d55254f2cd965f98b87867a4edb980cb8ec7ab2351a64e141b32
- SSDEEP
  
  98304:15+M+oTv976HeW9Tu+LSes7a8GYvfmQ3Hk7B:PSoz976HpRu+Lv+cYXmQ32B
Score

1^/10
behavioral1
- Target
  
  RobloxPlayerBeta.dll
- Size
  
  17.6MB
- MD5
  
  96bca51ea33ffdea312c96faa39de8de
- SHA1
  
  8433f68f457f1758f76aed8cc50985153c772729
- SHA256
  
  416b08018c2fe00615453924079f30ec9276d660c78a5f543ca5c7c67c1221ad
- SHA512
  
  3f76ab8dad8e2212ad320e025e21990bd00b4a9e93865ee74fedec32b68202a574e502084bb14dbb085d5a7a714d47c9333556fa985c9ca22e47490f70629cf8
- SSDEEP
  
  98304:5K+etTF+hKfjcQwvYkvYJ0y/HfTKFrWTj3LrLQ0SXBD8ffIZugzY7rRv7cVZPQbJ:5VqtDrWb8yZvqcG
Score

5^/10
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral2
- Target
  
  RobloxPlayerBeta.exe
- Size
  
  89.7MB
- MD5
  
  5cd3a0e41713831afef8a8e3a4a2bea4
- SHA1
  
  753c47346c46bbbc588a5bdea79bf9ce8675225b
- SHA256
  
  d4ef8610661c9b8b6a1014ab23725a70ac09d0e56dd531ca62584602608be8da
- SHA512
  
  1dba87105cb93a230ecbcc7c3c812ba21d4fcfc951836640aa2fc3d1d63647e34782854fb0d014cd04c81d412d0efa63db6e8988d85a5ac87863f918750a86ea
- SSDEEP
  
  1572864:OhsGtSkkOJRi3+UT/WHL0g7Pl0wTKs3jxgU/6MXIAoJ:BLOHxwg73KEjxty
Score

6^/10

discovery
- Legitimate hosting services abused for malware hosting/C2
- Looks up external IP address via web service
  Uses a legitimate IP lookup service to find the infected system's external IP.
- Drops file in System32 directory
- Suspicious use of NtCreateThreadExHideFromDebugger
- Suspicious use of NtSetInformationThreadHideFromDebugger
behavioral3
- Target
  
  WebView2Loader.dll
- Size
  
  154KB
- MD5
  
  577f05cd683ed0577f6c970ea57129e0
- SHA1
  
  aedf54a8976f0f8ff5588447c344595e3c468925
- SHA256
  
  7127f20daa0a0a74e120ab7423dd1b30c45908f8ee929f0c6cd2312b41c5bddf
- SHA512
  
  2d1aea243938a6a1289cf4efcd541f28ab370a85ef05ed27b7b6d81ce43cea671e06a0959994807923b1dfec3b382ee95bd6f9489b74bba59239601756082047
- SSDEEP
  
  3072:R8AhKsY0iHlDhvlUQN2gWNZ6hVThFEtqQbucPqAJwU:usY0+lNv6E2JYEtzbuuV
Score

1^/10
behavioral4
- Target
  
  WebView2RuntimeInstaller/MicrosoftEdgeWebview2Setup.exe
- Size
  
  1.5MB
- MD5
  
  610b1b60dc8729bad759c92f82ee2804
- SHA1
  
  9992b7ae7a9c4e17a0a6d58ffd91b14cbb576552
- SHA256
  
  921d51979f3416ca19dca13a057f6fd3b09d8741f3576cad444eb95af87ebe08
- SHA512
  
  0614c4e421ccd5f4475a690ba46aac5bbb7d15caea66e2961895724e07e1ec7ee09589ca9394f6b2bcfb2160b17ac53798d3cf40fb207b6e4c6381c8f81ab6b4
- SSDEEP
  
  49152:Jy53/rfy7dJ1zlMCXCFaJQyiOMFxBBr3kqeac:JyJrfy7dvBMCXEaFrM3BBTleac
Score

8^/10

discovery persistence privilege_escalation
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
- Executes dropped EXE
- Loads dropped DLL
- Checks installed software on the system
  Looks up Uninstall key entries in the registry to enumerate software on the system.
  discovery
- Checks system information in the registry
  System information is often read in order to detect sandboxing environments.
behavioral5
- Target
  
  content/configs/PerformanceConfigs/rofiler.js
- Size
  
  218KB
- MD5
  
  607f78a6ef865334b982cc97393fc5fa
- SHA1
  
  5df3f23f50968c7859a1412bf819da8c6a4ee930
- SHA256
  
  a82fb1ecb6c7ccc716802fa9827499d4c83a20c1b37c8b0209999bde2fe27839
- SHA512
  
  38d17ed0b1d013395a18d266cb98be9a97bb5eacc52cab51e4989ba5c16aa97c73bdaed1cb2de5700e305524df078b8077099dcafc6a4efc3cff8380a6713431
- SSDEEP
  
  3072:vsCWqReOwaWWEQ1i1tgOcq95JnMFuXnPErUA:ECWKeOwaWWEQ1i1tg0JnMFuXnPErx
Score

3^/10

execution
behavioral6
- Target
  
  content/configs/PerformanceConfigs/rofiler.tools.js
- Size
  
  374KB
- MD5
  
  7cb083793a4ca175c6c60a8e42663fbe
- SHA1
  
  24bbde9de94b245b2bc51ed33a0ba5b9be7b11a4
- SHA256
  
  04100af42332d8f3a981908a5c3808f67b3fa47df739ee20939c729d2f89d00a
- SHA512
  
  861b7908f2be0d6955d744f0834e958786f175751c600b5f3a49a3a6243e7c43c8eac9212e628668794d12c2fba81a5d73a258859369f5a409970cd976ebcb3b
- SSDEEP
  
  6144:wyVTYfnyZCtekLdnB4jmUN3gflo5C+ZZqx3ka3lqBK3CQKC:waTYfn2CTLxahFZItT
Score

3^/10

execution
behavioral7