hxxp://robloxhackers[.]lol

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
13/09/2024, 13:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

http://robloxhackers.lol

Score

3^/10

discovery

Malware Config

Signatures

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc5000000000020000000000106600000001000020000000809707ab854d31272dead8766d76ea77610c6dd18ab0a9ce1c09c7646f27527e000000000e8000000002000020000000179b879c22e525f86e4bd23129a5cd5d258deb5ea7f79534aac6ad308511e2ea200000008991bf78ef1a42673e734a9541274641be80c8d962d57f6ae394f8df05bfd5d340000000ecde6d2055fcbf97a931ba1e4d560b76a03b6a502ca2c0046457598b9838b88cd7746e30aaaf05618f112eeb87e6f30b91710a6ef35fcb71bf1d3902364ee50a	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000303eef0e2cd1a9499efdd285a56ddc500000000002000000000010660000000100002000000059d9a32543a6e8f4ca067ab53541c7061b58ef5bf46e886218dc9730e462c44b000000000e80000000020000200000008b074a2f9164fc560a68d704046d8851ca542f3d5535a6fcd0c2749e3e4e05fc90000000544f5a0c7b8726812ddc00d42694a4bd2c49c683abb5b214d1bcdb820d4963a23c6cbaabdf22c76a35089f2b972e8b5c9f75a998636038870196cff9506dacb8b05af47c5b4eb950fc478b0c3bc7ff37842f64cecda0a1a9726a5970132b19f33b981481ffaa8f51dad8708c43e772a19cefa137faf339b2f15bd825ed952272caad5efade3140546f714c19431d755040000000991bc6aa0213a49810e6626e2cb5fb4b4d3659254620b564905cba35d02c0dbf15ecd258f701292b0f5a2cc3e80cb4d9de207b47b3a6b0ed139b8225bf1d6602	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{AD6455E1-71D7-11EF-A087-5EE01BAFE073} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "432397529"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0390784e405db01	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2532	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2532	iexplore.exe
2532	iexplore.exe
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE
2112	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2532 wrote to memory of 2112	2532	iexplore.exe	30
PID 2532 wrote to memory of 2112	2532	iexplore.exe	30
PID 2532 wrote to memory of 2112	2532	iexplore.exe	30
PID 2532 wrote to memory of 2112	2532	iexplore.exe	30

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://robloxhackers.lol
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2532
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2532 CREDAT:275457 /prefetch:2
  2⤵
  - System Location Discovery: System Language Discovery
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:2112

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
72c566fbf51d26e6c7eb1b6299b4423d

SHA1
e40fbac2d98868e83074a3274e2735beba0f4d43

SHA256
bec57e873d8ae97aa052384b8732fb1a8e2d6ee495a0b92c95a2173278b85f23

SHA512
e93be61a61c1ed36448369a4d6968e4197adcbf79fa8feb7da268cf909e46da851ab571e3b1ee2d0072af7be5697099e12d8b2395e789204b8c4a5fdf98eb940

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9d0518a4caef1ddfe462ec3bee033575

SHA1
9a1668f837f05d8a30a5d2c62bc20a5a4faa0ec7

SHA256
aa06a35faa7a43d00836e44ff008c36ff818dad79a0f21769e2a916df1262d71

SHA512
d945cce64c2d43987d1b1b028de5f7bce6c53a8dbe32872cedc6101609f641158cc5a97f993eca42e29b24a8e40cff94f7ed6c3475c00f9824e2ed42482a96f0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b348814b449aca2fd515a32154b83ad5

SHA1
bb24e1f85554ca4d22560c949746ecf859179ffd

SHA256
f6cc2e3cf0ac667d626680acbf1de70640c7a7d54639fbf3c8039b4ad995da00

SHA512
ad407f22ad770cf696d589f00611cf67f966b046cef076fa3055155fe04ab993847685b1b0fb40c9328fff318c7e0cb8beecbba440a77eb459bb19bbd25e90d3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cfbde5e3b1e567c990d3886a470a2ede

SHA1
8a409f133a812b514827f24c9f6ff7ee3ed96eee

SHA256
a1db9304f8ad8baf36b24ff34fe56f0253373de239e6a5f17be91a0061248d6c

SHA512
d7ce44796e9b4906a98a4c1967c79e4a403fbc29f21ac3977a560bbf866a08f66ad65e70ab72b54478e4408e5d7d40419e3c2ba4c28d2b5d909a411d5af2deff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec84079e99d24bfced88b72f0f202a7a

SHA1
0364937e5ff13987cafb9d23120455409d4eb31d

SHA256
d8608c093e7aa9e0dc23880639f43fc085b6569d31a9a9a1e339f5208cf0d5d3

SHA512
09cc90c76c19c537f0aee9963f179a89b3fa674e1246a489fe91e06f4ae782eac2b76a37d3165dc658069cd15d75cf112123efeb982d2442b0c7198fa7d76a57

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a4a66ec92ca4a90fe92d99ddc828a994

SHA1
5a67ac34a5a93b9c5fff4f5f4e4f6cb6400d1e20

SHA256
435639041616bc508bb215c3b1635f5934604767b446e2dc695ba98c5d20af5e

SHA512
f1eb0bb592f3c0ee409bbddbfb6164546439671f8dd7fa6572c1d130c94bb8b53c46a992b7aa6a8f6a2c7561f6244d869953d559397c2b701cb77178f3c2f45f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8f607f1d289d86fe04adb00756f7567f

SHA1
d65b9fa9e697e0b7942df918b2a4aaf699bff7c1

SHA256
9a728685367f59cae2979b9c2670019873f4bcd4c3c3a9a86d45cd3c6e08c375

SHA512
ed95cdea6f814c94dca081253444b2ec9c17c4bf1320517c1d97636aff200785afc3853faa2b931535a77639c5e978209ba9521846288ea17080719f30f583e2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
f0ccb0dd5bf811a0bc6d637c4fc69c94

SHA1
15ff82fdbb6739ef19b607cf7bdb0c7fb7997775

SHA256
4acf67d951ad1fa6af1d6bba45048dbf9a98ee8ddefa97128388a8dbf73d7afb

SHA512
40d8f20a155f516a8bc6c6549f94c6b04a855a298e1965b3c1d919dbc5a92a0bba4405c1c69e7347adc3ba1c6fa9eb98a3b1016f2cba5035150184a1e4968c21

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b421da60a7d1d0f15f717be18b39211c

SHA1
6dc0bfac6c232c47e017969a9f9cef821fe5656b

SHA256
2bffb77acb4837f9da597f1da8384a94bf56e70f9e1bf34fc38362c632ef6c28

SHA512
ac18089be6486c8d9c2622cf8c0380ffc1f3ba8616c00f133fd9973d99fabdbbd7d66892d501325f1bcfc5bd8cf0931913eac4ed3fab3f63bf4aa088426ab675

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
05ab4ecaa6bc756e1ac9ab5c2c4980cd

SHA1
da853af484dfeff5074287d34ada52605b14ebf8

SHA256
30b219a017f4d20fe56e27b60c9295a79634ae07159a13ac54cf2bea1dd1eedc

SHA512
c53a10c45659dc4a3656f01f3b19005d9d2c999dbb13cf84cda23d83a518313698e5593e043890c5fdd97d13b015a2d53a8d1277bd83fb5ff261264463d8923f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
b76c1d176fdbeb53aa7d80dddbce774f

SHA1
43b975e0668e42d16ac07cb4785d3a2b7bb4da89

SHA256
c20b6dc4e20b005e3b8d5f9711471adb2b73f2b969169af1cd92336476e435d0

SHA512
e4d08781558c3ffb43f96bda8e64037a46c63edaf4fccae2ec88ae7fce0225b7f52e635c6415912f25782668aea51953bcfe60a63396144154d8fc83be3c630f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
ec7dd9f62cc9169ab4c2fdc29eb94c00

SHA1
1edc40c9afc7c46965f94b6495f6fe12e44075f8

SHA256
fbdf4a288dc2d2e4d64dcd4b6fc46e5be58a2f938158bab22d346e6ec481a774

SHA512
7f291fc056d268fc0d184256d36c570b6eed03306f058eea1f44985617d67b5e0442b3c9f10184336a6d0405898a729923675f999e0b8a8a0e1515bccece66ed

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0d2179aee1f3bddf51b3c3162a0a6168

SHA1
dc6e0015d299ebad053344ab7652eae8b90f8a22

SHA256
74aeb1c44c2b1cf97de0f9f389a1a459556435d3fba64d2b8fb424c066e169fb

SHA512
7bd5bd6a29f5e6a1cb98d351f8fa6a02940e9faad77d3b83f5d0a52b2e008b880323995a5549ab7c514e2fa01bbb3ceb5381eea4eb3d2040fbf5b7af5a76a602

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
62ee2cdaed56e37c1c10b776512e6716

SHA1
99fb196a1900fbecc3f27e6d62fe53d6508ed546

SHA256
bf77184619b7e9bae228095915ce564dad6ceef9a3e0c0e8580db3de7b823e61

SHA512
a7145307d7a18e5c158fcef685a248e7bdb0b9a690549369bb75834bd9aea19727769717befa2221fed50edbce2289e7dbe687aa745cda83e53e63cdcc006a49

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8e9d472ee38ddb134767593b3cb85676

SHA1
8508a18936394662f742a626addaae32e3fde7e9

SHA256
a0a14c3a5fc5461bc69a8bb1abd1cc0b1263b9e30f6c99b9d5141a9b96df5a5e

SHA512
712ed855bff74e811e3d4bd7c8f6f3072e294f65ddd995f5a1c59ebc3ce1303fdacba72a0c83c48cc33c331fe1d377577f24bc9d962ebe0ef1b75333078eb89b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1327898cf02214eca70e7d3df4f7d915

SHA1
230d7d45e7cf2d5f52fac72d120afca4fcc70a20

SHA256
9557ab1768bd98e24106a18bf9d9e5a0d8e2166e9e1f89177fa7f88dbc178963

SHA512
f90f24d169bb13bca2f01482deb8912a294b41482e29a044ebb47564cb2c45a4e0c4514dee4ebdfc2ed348b4f0cbb5410ca6ef508002b4c1d84a2d2df0e5af4e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2d08406a2563ceaace68143b7019d516

SHA1
0ffa64882855db4fb575b72a985d85122bdaf03b

SHA256
1db6bcbf1be8e2278d1447f8f34fed63b2fa69eeb00c37f65078ae4f44c3afc8

SHA512
fb73d88883dc2da9ab394bce805b7071cfc32f7920b6b7a6681bbf8bbfab5e0837c172803f1afe4027c3c74380319c6d455676aac8c8633404a4c8e757537616

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
624eb0c82977bbbb1c49f3df613b95b9

SHA1
1b8d8a40a8b9660f79f93ece8d4d057629faad8e

SHA256
12953e67ee5cf53d8a0f2e6039fbd0fac8a2fe4e56e60878934f5b494ca758e3

SHA512
5978a573ebdf8962c9c2996c824d4089dddbcd43275aa084b6ffdaa33757f9410410f5faa7c33d3665a86eec21dd97601b74d18ea58ba716c69b040de843a70b

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabC939.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarC94C.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit