c39ed858478de61af49aa465cead803ed4442c890973e2656b2d24c946c5d466

Analysis

max time kernel
60s
max time network
36s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
28/09/2024, 17:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

RobloxChromaRGBModSetup.exe
Size

2.8MB
MD5

dea5ad772d800f1306ddc562f9aa877c
SHA1

7cfd0429c3eec3ad87af9a5ad6be4079d4d07cd8
SHA256

c39ed858478de61af49aa465cead803ed4442c890973e2656b2d24c946c5d466
SHA512

c8b23aec26eff38358a8685598609863f3d2d8f030a01a13211e3c4b74f48fc126f8805348f351e5beb389f1b7b19ee6cccc30501b0d7362cd7238e17937c5f7
SSDEEP

49152:4cW4fjCmDE9tIGt/VbvhgPgdlB8ceq2Khoto14t81meZRHaTXXt:4X47C6uz5VbBB/eqvid81meZRMnt

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1704	RobloxChromaRGBModSetup.tmp
344	WPF_RobloxChromaMod.exe

Loads dropped DLL 1 IoCs

pid	Process
344	WPF_RobloxChromaMod.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-M2DQL.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-H3I21.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-J2DE9.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-1CMG8.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-IUNLV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-ERRC0.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-AGKLO.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-1TS89.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-026NP.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-SE8BS.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-CF9SL.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-C5IJ4.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-H2PG0.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-I5HTF.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-QL7H3.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-PSLPH.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-O8JC4.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-FLFPM.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-TFR33.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-DUAJB.tmp	RobloxChromaRGBModSetup.tmp
File opened for modification	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-A4TL0.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-A6RIG.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-SN7PP.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-SA0HC.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-CMROL.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-M5D51.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-TU340.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-8S5B4.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-DPV89.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-9ONLI.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-7GLBS.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-3J9FV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-CI3EI.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-1J0UD.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-2DE2K.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-FINPS.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-1HC57.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-HH66O.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-HIM78.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-EU8GP.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-T3H51.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-D5Q8O.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-D3KU9.tmp	RobloxChromaRGBModSetup.tmp
File opened for modification	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\unins000.dat	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\is-QPQ7C.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\is-9DHNQ.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-FNE5G.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-NIO14.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-NDOT5.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-CE7NV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-42RKB.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-SV12L.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-5R7MV.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\is-KP28I.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-IDA2G.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-9US2V.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-9GQ59.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-NCMO0.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-I0HFO.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-OGC42.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-UU26L.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\Animations\is-1R4E9.tmp	RobloxChromaRGBModSetup.tmp
File created	C:\Program Files (x86)\Razer\RobloxChromaRGBMod\unins000.dat	RobloxChromaRGBModSetup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxChromaRGBModSetup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	RobloxChromaRGBModSetup.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	WPF_RobloxChromaMod.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1704	RobloxChromaRGBModSetup.tmp
1704	RobloxChromaRGBModSetup.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1704	RobloxChromaRGBModSetup.tmp

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4044 wrote to memory of 1704	4044	RobloxChromaRGBModSetup.exe	82
PID 4044 wrote to memory of 1704	4044	RobloxChromaRGBModSetup.exe	82
PID 4044 wrote to memory of 1704	4044	RobloxChromaRGBModSetup.exe	82
PID 1704 wrote to memory of 344	1704	RobloxChromaRGBModSetup.tmp	93
PID 1704 wrote to memory of 344	1704	RobloxChromaRGBModSetup.tmp	93
PID 1704 wrote to memory of 344	1704	RobloxChromaRGBModSetup.tmp	93

C:\Users\Admin\AppData\Local\Temp\RobloxChromaRGBModSetup.exe
"C:\Users\Admin\AppData\Local\Temp\RobloxChromaRGBModSetup.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4044
- C:\Users\Admin\AppData\Local\Temp\is-9OS4K.tmp\RobloxChromaRGBModSetup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-9OS4K.tmp\RobloxChromaRGBModSetup.tmp" /SL5="$50210,2207760,821760,C:\Users\Admin\AppData\Local\Temp\RobloxChromaRGBModSetup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:1704
- - C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe
    "C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Razer\RobloxChromaRGBMod\CChromaEditorLibrary.dll

Filesize
311KB

MD5
b44f7673eaff7239b4c97acc0ee37ac1

SHA1
bf5e52cf01c1a1f753c4a6077ed9bff33c5cc557

SHA256
f7fd55ada77825d42d89873da7905317688c8da79bcb15598e128a6624202131

SHA512
ad137927acca92511d05ea4249f71821bb69cda8f291f2941bbd085210205e74b51e66c1abd3631e9676239b16b8045bd5def420d09915d6e75c01f33d135d75

Download Submit
C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe

Filesize
103KB

MD5
87b6ab47f70d56d18dad9fd98bad17f8

SHA1
be2d15ac63a0ea7870943db65623a4510026c627

SHA256
c1427682593f67ebe068dc5d9fb3b66b1915408bcf2e64bf599f86480f15cdcb

SHA512
54bdf53a29fe12fe551233e86de6c6c638a021876f4cde8d4353acbbaf8212dabe3d1fbed3fbefad4cbc0bc2719257526a16e52a662f4725c9c4ced2682ec6a5

Download Submit
C:\Program Files (x86)\Razer\RobloxChromaRGBMod\WPF_RobloxChromaMod.exe.config

Filesize
182B

MD5
c6376b7cf21791bee55ce91ce487b80b

SHA1
ea7cc1b2e62a65fc26e026ae8b70f90e5b9fc839

SHA256
eb217cd4aaffd7c0cc720e9bb92f5e8d4199bd678df9e8dff7a07182d3568081

SHA512
c4413cfb89838b48b913f2383c53e5933ca0820f2c31ab7d378bebd2dd7a7ffbed8221c20c7ce08657c3a3281eee8d0d1a7aeed6fd3bb9f68374f09e63ca5de2

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-9OS4K.tmp\RobloxChromaRGBModSetup.tmp

Filesize
2.5MB

MD5
5cf3c3207a7d76e3caea8380a1764290

SHA1
10dd78bfecc481d9226abc005763de22796c1bb8

SHA256
6b137f95890783fbd7255e8872b7236e1a5e9bdb319cda508ff94b36abdd0bd7

SHA512
a4c5ad5fef2a637809ff610fb9127ce86a94f0ae930c9ccaf4dca01813001f0d7dc899089a73b79da925e87b9d1d76bdd4fce6d675f37def4b867019b0899b62

Download Submit
memory/344-292-0x0000000005FC0000-0x0000000005FC8000-memory.dmp

Filesize
32KB

Download
memory/344-288-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/344-296-0x0000000072C1E000-0x0000000072C1F000-memory.dmp

Filesize
4KB

Download
memory/344-295-0x0000000008080000-0x000000000808E000-memory.dmp

Filesize
56KB

Download
memory/344-294-0x00000000080B0000-0x00000000080E8000-memory.dmp

Filesize
224KB

Download
memory/344-283-0x0000000072C1E000-0x0000000072C1F000-memory.dmp

Filesize
4KB

Download
memory/344-284-0x00000000008E0000-0x0000000000900000-memory.dmp

Filesize
128KB

Download
memory/344-285-0x0000000072C10000-0x00000000733C0000-memory.dmp

Filesize
7.7MB

Download
memory/1704-6-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/1704-291-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/1704-278-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/1704-9-0x0000000000400000-0x0000000000691000-memory.dmp

Filesize
2.6MB

Download
memory/4044-2-0x0000000000401000-0x00000000004A9000-memory.dmp

Filesize
672KB

Download
memory/4044-0-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4044-293-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download
memory/4044-8-0x0000000000400000-0x00000000004D6000-memory.dmp

Filesize
856KB

Download