Resubmissions

02-09-2024 05:32

240902-f8mwxstgmd 10

02-09-2024 05:30

240902-f7lx8sshlj 10

Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240802-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    02-09-2024 05:30

General

  • Target

    https://www.roblox.com.bi/users/5445740091/profile

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.roblox.com.bi/users/5445740091/profile
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2876
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbe95c3cb8,0x7ffbe95c3cc8,0x7ffbe95c3cd8
      2⤵
      PID:3444
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
      2⤵
      PID:1808
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2272 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:488
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2792 /prefetch:8
      2⤵
      PID:2552
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3316 /prefetch:1
      2⤵
      PID:3332
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3332 /prefetch:1
      2⤵
      PID:788
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5336 /prefetch:1
      2⤵
      PID:2516
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5544 /prefetch:1
      2⤵
      PID:572
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5584 /prefetch:1
      2⤵
      PID:4404
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5456 /prefetch:1
      2⤵
      PID:3764
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5488 /prefetch:1
      2⤵
      PID:672
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5592 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2636
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6304 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2316
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1680,12459775323347864584,11900221095929718014,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=4760 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:2356
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:1528
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2832

Network

MITRE ATT&CK Enterprise v15

Downloads

                          • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\77EC63BDA74BD0D0E0426DC8F8008506

                            Filesize

                            328B

                            MD5

                            08a9787f552a547019ebe03f80e5b671

                            SHA1

                            c26bc8fe099ae415dd7f3d3a0ac15e3bc02255f3

                            SHA256

                            12edef6da963b6e853e4a43d87513f367018bf2ad9289152a4e359f27d89e382

                            SHA512

                            abd5dbe2e558da95cad34ad102b9e8a817b6d34ec6c8196e0dd4838bf0c6e22ff651340bb75ce849db55a5ac5956cfa258082d4daaadb6d18912816a854f44b6

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            4c3889d3f0d2246f800c495aec7c3f7c

                            SHA1

                            dd38e6bf74617bfcf9d6cceff2f746a094114220

                            SHA256

                            0a4781bca132edf11500537cbf95ff840c2b6fd33cd94809ca9929f00044bea4

                            SHA512

                            2d6cb23e2977c0890f69751a96daeb71e0f12089625f32b34b032615435408f21047b90c19de09f83ef99957681440fdc0c985e079bb196371881b5fdca68a37

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            c4a10f6df4922438ca68ada540730100

                            SHA1

                            4c7bfbe3e2358a28bf5b024c4be485fa6773629e

                            SHA256

                            f286c908fea67163f02532503b5555a939f894c6f2e683d80679b7e5726a7c02

                            SHA512

                            b4d407341989e0bbbe0cdd64f7757bea17f0141a89104301dd7ffe45e7511d3ea27c53306381a29c24df68bdb9677eb8c07d4d88874d86aba41bb6f0ce7a942c

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            2KB

                            MD5

                            01e50804560f4ef18517399ea7727e29

                            SHA1

                            b8cb27fd7c3276aa81510d9e8163ce5faa88931f

                            SHA256

                            60ca49744e7e44536b00edae9a4850ade21b6dee8003feb927c98e1206d43b74

                            SHA512

                            1511e6b9f316040bb71faddd7fc24460f5172fee307456d12befa9ea0218b7041b51c8d13063a771b114140ab43431e15835294b47aa0830729dfd1956f6d5f6

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            2KB

                            MD5

                            ea6f7605a95ac629934bdf152587a3d7

                            SHA1

                            8da12a44013014c8bffda54f4d8e8ab85e3e13ee

                            SHA256

                            a233708454f4ed453cf6714cf06bd851cea46efda59ec1fcf64b0bd923353515

                            SHA512

                            c8bf8e6a0e58743c8137fa63a18aeae2a1ffea960fd5bc71c67c49c4f9529c3cf9d50c660ca96a214501ce6307de82945edc8659f9c735cee72044c85710b39e

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            0ad56d583da0b6b7672794bcec0ad48d

                            SHA1

                            4da7ecb3ae2268a90ffdee1375cb0a5f268a929b

                            SHA256

                            6995312f4ab0be01d1e94a03379e1eb7117ea0e9c39649943ee38aae13cf5c0f

                            SHA512

                            b0c40214fe2f9fe49b4bc2c95c1cbae77ecb555ee27f8599ff222c1a0c2af9a03e002a4424023ccc766df53029ab0d4fdea4140a65b34a779a63cd513a7aeeaa

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            6KB

                            MD5

                            d4ef16971e374e612ad21ce0f4c28946

                            SHA1

                            da99eb75555b6bba738432030418793a515af55d

                            SHA256

                            c1876ebed63264a657aa25a6c6a8f02a5396fc66869745f9b27684c53340756a

                            SHA512

                            6910cc957c2c745def73b81560e549d66bce13e1194e3f1aee19fa1194a1c33abe7d42c76f34c73b35552cb8ab45981eef92b99dee18851609d09e7b6915b9a2

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                            Filesize

                            1KB

                            MD5

                            45802af6eeff5c2958dac5a102855538

                            SHA1

                            770c999ee459708a9a4efab51cfe84ca89655d30

                            SHA256

                            c83869c81ec9133e1c6e657a614fde31f6beee3b57f2755ea76b1be324b976e8

                            SHA512

                            c1c7abe508ac8ea4f35fe0cb1d032f4e2541fab09afa50fd5200170916ee9f260fdd85079a312284eaf618eb5231b24ad4ab990d616d3d741dc0a553bf7f5b01

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                            Filesize

                            1KB

                            MD5

                            9800f966d5bf2ba2281743eb6a310fa0

                            SHA1

                            1fe156796f9ea00f28fa9fa4a57aa43f44156c55

                            SHA256

                            c26807e83f186fc8c5e6ac1f4a373b0a67cd4bfe1f2aee4a0c9e34f603fc9541

                            SHA512

                            6edfbc2847c54c53c72849f6e14390c2e250874ef9e7534a5975a031d90e03afe1f8cc7ccefd9dda30a3d516180778f4880c0560b762d8306a1977f4cff516ec

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                            Filesize

                            1KB

                            MD5

                            ef6ce3e67582f92b56c4808490f3db24

                            SHA1

                            6d4bc6287dd626d7012b7e539f70a72c4fee92c2

                            SHA256

                            d70e7330d9b64cc6fa377743f10ddbb15e67db4a4fcda1b8e1ec098e98be1ead

                            SHA512

                            22a9daa9bc60c54b14fb5ba76942e6116c8cd6d10531ce952f20a2771b51386266bc9a7f128cff25686ca9f535652152b1694409b144caf577965ed894a47b54

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f7fc.TMP

                            Filesize

                            1KB

                            MD5

                            65e817b41577d560ef582c64ba98d2c5

                            SHA1

                            6e9c01a9cbc66f0ca571e40688526f9b24e362d5

                            SHA256

                            013a323e3b9a518a7d1232664f231feacd508db4331ef6de0cf249898a47c70e

                            SHA512

                            19d4f3de600c057e5072d58f55948531a36463550e18186c86b51d4f2fd82eb851dd024920388d613236e0161697487369ecf080d284d87fa01170c23fdd53a5

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            206702161f94c5cd39fadd03f4014d98

                            SHA1

                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                            SHA256

                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                            SHA512

                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            d85f34590b0e1aebb4dfcadcebba9a64

                            SHA1

                            d75043b47c78774ee3c8e398c6c445813c6e7abe

                            SHA256

                            8860d50a479cff1d36c76a2263f1242b4619937eb38814a2e6c6df8cd8334339

                            SHA512

                            ce354338543375c00552cd778cee95e4031df8e7281e5389355682a67694b36ec7d35789a7c0a59bc8c7d0ee8a6646b4d16c56a5f5ba0a48bc91637475b23324

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            11KB

                            MD5

                            0b2d83824981b14134f43823d11050a8

                            SHA1

                            6611d052d0fe9420542aefedde4ca91fe9dc9521

                            SHA256

                            e24c0faea724ae738f09cf3f2600f967c659e5212a9c56a8f826717bdbe2c9e3

                            SHA512

                            ae9a3c866e98c71292898bd7ad997a448bdfdff7b1049dab1848339db77bc581e13c9fcea104dc16d95f010614238c7a0a019cb169ca7395a236852e869ffd17

                          • \??\pipe\LOCAL\crashpad_2876_QAWLHJSRSUVUXYDS

                            MD5

                            d41d8cd98f00b204e9800998ecf8427e

                            SHA1

                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                            SHA256

                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                            SHA512

                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e