Analysis

  • max time kernel
    149s
  • max time network
    147s
  • platform
    windows10-1703_x64
  • resource
    win10-20240611-en
  • resource tags
    arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
  • submitted
    02-09-2024 13:47

General

  • Target

    https://www.roblox.com.bi/users/5445740091/profile

Score
4/10

Signatures

  • Drops file in Windows directory 4 IoCs
  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies registry class 64 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs

Processes

  • C:\Windows\system32\LaunchWinApp.exe
    "C:\Windows\system32\LaunchWinApp.exe" "https://www.roblox.com.bi/users/5445740091/profile"
    PID:2840
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
      • Drops file in Windows directory
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:4228
    • C:\Windows\system32\browser_broker.exe
      C:\Windows\system32\browser_broker.exe -Embedding
      • Modifies Internet Explorer settings
      PID:1384
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4328
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies Internet Explorer settings
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of SetWindowsHookEx
      PID:4072
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Drops file in Windows directory
      • Modifies registry class
      PID:3796
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:5084
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      PID:5208
    • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
      "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
      • Modifies registry class
      PID:5292

Downloads