Overview

overview

9

Static

static

1

URLScan

urlscan

1

http://roblox.com

windows10-2004-x64

9

Resubmissions

19-09-2024 06:15

240919-g1bdlavdpn 9

Analysis

  • max time kernel
    18s
  • max time network
    16s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-09-2024 06:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    http://roblox.com

Score
9/10
credential_accessdiscoverystealer

Malware Config

Signatures

  • Credentials from Password Stores: Credentials from Web Browsers 1 TTPs

    Malicious Access or copy of Web Browser Credential store.

    credential_accessstealer
  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 21 IoCs
  • Suspicious use of SendNotifyMessage 20 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url "http://roblox.com"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:448
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe" -osint -url http://roblox.com
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3860
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2032 -parentBuildID 20240401114208 -prefsHandle 1960 -prefMapHandle 1952 -prefsLen 23680 -prefMapSize 244658 -appDir "C:\Program Files\Mozilla Firefox\browser" - {67f747e0-b5dc-4be9-8dd1-a787a941dd12} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" gpu
        3⤵
          PID:920
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2464 -parentBuildID 20240401114208 -prefsHandle 2456 -prefMapHandle 2452 -prefsLen 24600 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5e2747e3-c8c0-470a-b448-1849510b141a} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" socket
          3⤵
            PID:1412
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=2984 -childID 1 -isForBrowser -prefsHandle 2656 -prefMapHandle 2868 -prefsLen 22652 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5be3b05a-525e-4230-90af-9b304c82f81a} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" tab
            3⤵
              PID:1932
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=3716 -childID 2 -isForBrowser -prefsHandle 3708 -prefMapHandle 3704 -prefsLen 29090 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {3f9bb9c4-9368-429e-8860-9f780afa96e0} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" tab
              3⤵
                PID:2552
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=4856 -parentBuildID 20240401114208 -sandboxingKind 0 -prefsHandle 4920 -prefMapHandle 4916 -prefsLen 29090 -prefMapSize 244658 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {aaf86f33-f76f-442d-a64c-df16b2eb4d1e} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" utility
                3⤵
                • Checks processor information in registry
                PID:4296
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5348 -childID 3 -isForBrowser -prefsHandle 5340 -prefMapHandle 5336 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {8f265fd2-69d9-4329-aac8-f1a5b6bb66da} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" tab
                3⤵
                  PID:2880
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5492 -childID 4 -isForBrowser -prefsHandle 5572 -prefMapHandle 5568 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {6e53feaa-0391-4fe1-926d-e2b653fb09db} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" tab
                  3⤵
                    PID:996
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5476 -childID 5 -isForBrowser -prefsHandle 5704 -prefMapHandle 5708 -prefsLen 27051 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {abae8db9-d4d6-4e5e-8c75-3597c329bf76} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" tab
                    3⤵
                      PID:3120
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel=5572 -childID 6 -isForBrowser -prefsHandle 6092 -prefMapHandle 5364 -prefsLen 27132 -prefMapSize 244658 -jsInitHandle 896 -jsInitLen 234952 -parentBuildID 20240401114208 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {5b1e8362-c193-4bb3-96fc-45e9cd22e0a4} 3860 "\\.\pipe\gecko-crash-server-pipe.3860" tab
                      3⤵
                        PID:4876

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\AlternateServices.bin
                    Filesize

                    6KB

                    MD5

                    891f32d1e8e89d5a0604e4929844d76b

                    SHA1

                    3a015dfbf23463597722a4d8030ea43083a47c1d

                    SHA256

                    118909623fb7b2c04bbbaa8d0f50669e235cea3f09c5b0ef09bf8607c816dd59

                    SHA512

                    4018b852ac0ccefa2382a3c15eb43ec7ac6939f63428682ce649f8d8c7e7d9a04afae114617486073833755c9b8789deedd1825229bdfe2b04091ae77cfdeb80

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    5KB

                    MD5

                    ec244945cc13407c8a6bfb1007fa177a

                    SHA1

                    e882df1834aa41e0eff45d69f89d0a71613b24bc

                    SHA256

                    ad39f27bfb8fd0da9839483866730cdfeda68dbe3764448739ab02e8c0e204a5

                    SHA512

                    98671fdfdd16f2a44bce8d9ee91dc7a13b28ddc350210ded318eb16124335b9faa9d37207b962518ef9a0db9837c00a547a36d47b3d69dcd57fce327c8088974

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\db\data.safe.tmp
                    Filesize

                    6KB

                    MD5

                    ba98171f92f8cb59a599df6f096b2e20

                    SHA1

                    8c80769267acfe5a8e4c3f44fbf45423d68af293

                    SHA256

                    05ab5ce11012bb9dcdc3c5256613c0b50a78df20b9814d653668df81789d17ba

                    SHA512

                    b41b8c5bfb016f20d494b1272079f0ee2a2a03e410f592bd0252b4aeeedcc1f0ed8ca6a376b3bae77370038ea601c86ff6cae92b3a14f27c8284fe503ec67200

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\0b4b254f-bee0-4888-86a3-81d05aaae426
                    Filesize

                    982B

                    MD5

                    9a552bd9dc32fcc1d2627c5f0bb5488c

                    SHA1

                    0745e3dd61aa11201c56e2f0f7eb5d7b5dda21d9

                    SHA256

                    54f90a89469ea85c41cb9954ee13a95ed1c8b4fceeeb9348aaa8b7b2508f5dfa

                    SHA512

                    a4ac67fbbbd2c25e406a0655850c79f15794c0400d3b107babfb7761643ab8f314ef687dea792e65e6c2306688fe1884fa45192c9a50923678769b24395bff9b

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\907f039a-09e3-4f78-83e5-58791a35b3e9
                    Filesize

                    671B

                    MD5

                    84007fa222c385472275a578eef4f45c

                    SHA1

                    ec4a62d21b6b2d30df415ed58e336085feff9977

                    SHA256

                    bf63de6734464f1b293794eff746fb431db99697ab34aa5cd78070db8a0082ef

                    SHA512

                    4b22ba69c9eb29c50331f950d8f09ea1d31bb98829bf34af1da7469107fced975b4eb910410af63612f26771f1e942601392da43de891d7bc86793d68a3827fa

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\5utpapi8.default-release\datareporting\glean\pending_pings\e31bfd37-3bec-4a1c-84cf-7a6533268c0a
                    Filesize

                    29KB

                    MD5

                    49c9df694ba500ef4d9a98d584a9b313

                    SHA1

                    e387b1f8cf6f139f96537c4e1cd52c4d058bb3e3

                    SHA256

                    e1fce87c457a82920628c5726d38e253479ca61b8b416c0c6416d415325eb7a4

                    SHA512

                    d27eab2f96f554b00ce58e251c43c3d611508e3441cfb407d8930c24673b08a141b7569ec14983992fe5f05b9f0ce9d5d639ca2706c6215b2dc82e656e83be9e

                    Download Submit