Resubmissions

02-09-2024 07:39

240902-jg1kgswfpb 10

02-09-2024 07:35

240902-jex2ksvgql 10

02-09-2024 07:31

240902-jcgxksvgmn 10

Analysis

  • max time kernel
    145s
  • max time network
    141s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    02-09-2024 07:35

General

  • Target

    https://www.roblox.com.bi/users/5445740091/profile

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://www.roblox.com.bi/users/5445740091/profile
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffbec733cb8,0x7ffbec733cc8,0x7ffbec733cd8
      2⤵
        PID:1512
      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1732 /prefetch:2
        2⤵
          PID:3168
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2404 /prefetch:3
          2⤵
          • Suspicious behavior: EnumeratesProcesses
          PID:2440
        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2824 /prefetch:8
          2⤵
            PID:3972
          • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3372 /prefetch:1
            2⤵
              PID:3996
            • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
              "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
              2⤵
                PID:4328
              • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4092 /prefetch:1
                2⤵
                  PID:4516
                • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                  "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5612 /prefetch:1
                  2⤵
                    PID:3612
                  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5632 /prefetch:1
                    2⤵
                      PID:1392
                    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=6160 /prefetch:8
                      2⤵
                      • Suspicious behavior: EnumeratesProcesses
                      PID:2720
                    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5916 /prefetch:1
                      2⤵
                        PID:420
                      • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                        "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5924 /prefetch:1
                        2⤵
                          PID:1128
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5792 /prefetch:8
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:2420
                        • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                          "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1940,14305631957183762822,6465114696125178662,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5172 /prefetch:2
                          2⤵
                          • Suspicious behavior: EnumeratesProcesses
                          PID:240
                      • C:\Windows\System32\CompPkgSrv.exe
                        C:\Windows\System32\CompPkgSrv.exe -Embedding
                        1⤵
                          PID:1148
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:4132

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            db1dacae9540e883ae83489b18cfc326

                            SHA1

                            ec3b68e635d8ce3bdafe258bca5187536d43065b

                            SHA256

                            3427a8a3b4868bd25a231ee8fe0ebada0b3474f2d8dc0fdd01a8931a8700a37f

                            SHA512

                            2e40df3bd1a045c69173f1a169b7080163de8f62a44d41d46c28f1643943657c532caa72f65b44a2175f976fdfd3d8328d989e011730aa851aecbcf02dde4a95

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat

                            Filesize

                            152B

                            MD5

                            04aa3f476e468ef3c0866e8dedd8f6e4

                            SHA1

                            1e9fa8fd586c03447a4c5b4cee261900e9f464ae

                            SHA256

                            87b74207d65f6745b38a19dce13336ee839fb4d7929fce446c3d1177aa80c42a

                            SHA512

                            7d860bbe9c847ea0b60f210860d865f1e936aa2210a6f9aa87e9fd72f992a022ecb9a1827212eb9b97dd7798540770f55c67362714d90d0bfd080ad1e5e7aaa8

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index

                            Filesize

                            2KB

                            MD5

                            29a986d3ea64af3493d3fe03bf0c5f1d

                            SHA1

                            d9447d7d645755243124bf35bf3ac67998c61da7

                            SHA256

                            39ad5ba09dc97bef0ed174764787434cf376a921a1046129068793c47422a18f

                            SHA512

                            87b1dd376c2278c293c469fa676d62500b10aae57fd3bb03978e43e984d72475b281b3163fe8d12b425d46eed2f34edefdc378c12b84c0a75ba3133c1f8b71dd

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State

                            Filesize

                            2KB

                            MD5

                            f4d32597b62f6abb1dbe33f9a39cf62a

                            SHA1

                            b8120dc37b4a029def446920b0bff79c3efef3c9

                            SHA256

                            74d2b553fa05e0dd6ef93cc9650a3c4b04c3dba0c9c2fd35b5cba00df3de3470

                            SHA512

                            2cdc4ba17233072b12f7e538fe7e2ca61e9dee6eff403cb302402557f30d2e57d6516cc8981dcb54eca3cdfa76408a8a911b1d59bc9bb86c81b54c26b5f2bac8

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            3b32d7ddfa799c58441f8a5c64f9a1cb

                            SHA1

                            99f67730897c41d40c853c355f5aab752667ebba

                            SHA256

                            1d6e98e51cd60f269d9fe215a38ede80988fde2d774bcd366e1e0c48fd516000

                            SHA512

                            17f2da8117778428ade5291029d796445f9a0d1bc51d58af70055bc98cef4a0f2e3bc434607f9f4472c3139d1aed44cb390fc6db5f44e7b98cf9427729d91b79

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences

                            Filesize

                            5KB

                            MD5

                            805b9149794b238946ed75ce8cdce431

                            SHA1

                            ce7609e15b857ef665b41d8402fdd13bf174cd78

                            SHA256

                            96dc1a025ec89ea1d41e655868c242c8413047695c8bac9f50c5c718a388923d

                            SHA512

                            2048d4b0dcae401536d3463280171e5469162f4da5aa69d91cdf3c1a81195eff33decfd4ce9875d8efad16feb77efe3a3fbeddb1afc7e342c095f4f521f36ec0

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Secure Preferences

                            Filesize

                            25KB

                            MD5

                            a34680f8b1266e2832acacdd5974cb48

                            SHA1

                            8ed0a05cd9bb03b4990ba77cc79662cacb1e9700

                            SHA256

                            cebd372ccf5372c18ce3b746cd8dff2d0e01ec59542d1b3079887f9a8d1d1c21

                            SHA512

                            6e4739b7489525c9979dd92f7c480d9574b4215aa92f65edee6e5db9aaf555d9c0ba578d6b6ad92c839648060157967e97a16fdb9d66ce173db6f7c82dd8562d

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                            Filesize

                            1KB

                            MD5

                            fac4100cd014ae109ccb48b3454b5c6f

                            SHA1

                            5d3dc537896cb3b6d9d0068c08501e0e8398bed6

                            SHA256

                            1e27106dad29105380e8f7166ab483113e9520e8296f91acc8ec003f9f38d835

                            SHA512

                            d331d9f4690457463258cac4f15e435ed36c4868c76a9d8313d888fb00395355c4ad8f7227e215d865c9ba983a4b493d86456ca2387b2d0f13edd1684229cd8d

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                            Filesize

                            1KB

                            MD5

                            9eee694ef8cf26c449d05467ea360068

                            SHA1

                            f21d90069bebe6538ff0c44c81503996d89f02a0

                            SHA256

                            6900aae9f62c86e7a09fa6b7ebc2ae748b2af3804981a8d36523e984a50a9328

                            SHA512

                            3b2b7d204755ab41b2b576ab172d1d0bcc43debbc237cf42f89b6fdf941b3bc0b8d1c5d5a79358ab5af82e6cd691dab390d72df1e4a9cd177150af25137c2102

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity

                            Filesize

                            1KB

                            MD5

                            d7a63c54a7f4909c8c698229f3efc2ff

                            SHA1

                            046823a0f0a6f391801262fab543814d648160ca

                            SHA256

                            cc85e6febcfaf3e90f5639441625a4059471ff86379d9dc519c26489ace38c14

                            SHA512

                            b6142717f77a3cffe9570cea7a36a05cf704106d5c13ebb298339fdc52c7e274cd4170d2e54d9860e0bfc5536d028442fe9cd92db7635d992319b666b01b78bb

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57c69c.TMP

                            Filesize

                            1KB

                            MD5

                            37ce0196f837b754f97286c42aabcaa3

                            SHA1

                            b9bb5d4f477c891470a2f6300b534ee6d03f050e

                            SHA256

                            957d623ad68c789c912849dd1a13ae8d8068a714367d73eb0166ce88efa9ef9b

                            SHA512

                            b60c437181230439deffbd9784be45451cd0153bd5966c67a6fc4cc507e49226c8456f2b8b329a0a108c4866ec095802efaa3235c3655bf4cfdc1d8382593f92

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            46295cac801e5d4857d09837238a6394

                            SHA1

                            44e0fa1b517dbf802b18faf0785eeea6ac51594b

                            SHA256

                            0f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443

                            SHA512

                            8969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT

                            Filesize

                            16B

                            MD5

                            206702161f94c5cd39fadd03f4014d98

                            SHA1

                            bd8bfc144fb5326d21bd1531523d9fb50e1b600a

                            SHA256

                            1005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167

                            SHA512

                            0af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145

                          • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State

                            Filesize

                            10KB

                            MD5

                            3afffa249f62ea14ab1f6be64b0e8ba6

                            SHA1

                            1f69b8dd709229279de304db876f2cab37616791

                            SHA256

                            0a26e675986d32893249171b799ba09cff5f98d9419ee345c94f8a3741343f46

                            SHA512

                            ce3d316098809da857d1a738619eb6c9116ebc76ef77b0dcdeb64d712404ea9b448a0e15dc607d74e5be6eb6ed4d3ea9a949431e44469a1e9ce6ed1cfd6ef967

                          • \??\pipe\LOCAL\crashpad_2448_UXRLPMDHXKFSYZLH

                            MD5

                            d41d8cd98f00b204e9800998ecf8427e

                            SHA1

                            da39a3ee5e6b4b0d3255bfef95601890afd80709

                            SHA256

                            e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

                            SHA512

                            cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e