Resubmissions

20-10-2024 02:00

241020-cfbreathkm 9

20-10-2024 01:55

241020-cceznatfnr 10

Analysis

  • max time kernel
    131s
  • max time network
    128s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    20-10-2024 01:55

General

  • Target

    http://roblox.com

Score
9/10

Malware Config

Signatures

  • Grants admin privileges 1 TTPs

    Uses net.exe to modify the user's privileges.

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Permission Groups Discovery: Local Groups 1 TTPs

    Attempt to find local system groups and permission settings.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Modifies data under HKEY_USERS 15 IoCs
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 6 IoCs
  • Suspicious behavior: LoadsDriver 64 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 26 IoCs
  • Suspicious use of SendNotifyMessage 24 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://roblox.com
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1036
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0xfc,0x100,0x104,0xb4,0x108,0x7ffcf8f346f8,0x7ffcf8f34708,0x7ffcf8f34718
      2⤵
      PID:3800
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2088 /prefetch:2
      2⤵
      PID:4216
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2156 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4876
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2672 /prefetch:8
      2⤵
      PID:2744
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3228 /prefetch:1
      2⤵
      PID:4620
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      2⤵
      PID:1964
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4984 /prefetch:1
      2⤵
      PID:3932
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
      2⤵
      PID:3436
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5168 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:4656
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5368 /prefetch:1
      2⤵
      PID:1528
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5308 /prefetch:1
      2⤵
      PID:3788
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5332 /prefetch:1
      2⤵
      PID:4916
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2076,3450260385568267004,4845412676291789834,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5480 /prefetch:1
      2⤵
      PID:2068
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:3560
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:4296
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:3956
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:872
  • C:\Windows\system32\cmd.exe
    "C:\Windows\system32\cmd.exe"
    1⤵
    PID:4200
    • C:\Windows\system32\net.exe
      net user add /add
      2⤵
      PID:3656
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 user add /add
        3⤵
        PID:4632
    • C:\Windows\system32\net.exe
      net localgroup administrators add /add
      2⤵
      PID:3172
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 localgroup administrators add /add
        3⤵
        PID:1920
    • C:\Windows\system32\logoff.exe
      logoff
      2⤵
      PID:4624
  • C:\Windows\system32\LogonUI.exe
    "LogonUI.exe" /flags:0x4 /state0:0xa393b055 /state1:0x41c64e6d
    1⤵
    • Modifies data under HKEY_USERS
    • Suspicious use of SetWindowsHookEx
    PID:2132

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\396fd16f-3ba8-4ef2-a4b3-21f6d77237cb.tmp
    Filesize: 12KB
    MD5: c688cf8cdf72028d78551e6165f4f99c
    SHA1: 7c7eb560a41bab1e236a9992811a52c6991b9151
    SHA256: 667454090e6b658f98123e1a62774a6d602bcda71082dd66c6baf182c762bee0
    SHA512: 5e8d5d393e1f8915664cfc0ed963792ae1858fc6893fde0c0b006acf0bd0b5ca158c7af0c6236781780372d817fcf11a56f4cfeb3dc42369de13ad1ac2f92978

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: 56a4f78e21616a6e19da57228569489b
    SHA1: 21bfabbfc294d5f2aa1da825c5590d760483bc76
    SHA256: d036661e765ee8fd18978a2b5501e8df6b220e4bca531d9860407555294c96fb
    SHA512: c2c3cd1152bb486028fe75ab3ce0d0bc9d64c4ca7eb8860ddd934b2f6e0140d2c913af4fa082b88e92a6a6d20fd483a1cb9813209f371a0f56374bc97d7f863b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad\settings.dat
    Filesize: 152B
    MD5: e443ee4336fcf13c698b8ab5f3c173d0
    SHA1: 9bf70b16f03820cbe3158e1f1396b07b8ac9d75a
    SHA256: 79e277da2074f9467e0518f0f26ca2ba74914bee82553f935a0ccf64a0119e8b
    SHA512: cbf6f6aa0ea69b47f51592296da2b7be1180e7b483c61b4d17ba9ee1a2d3345cbe0987b96f4e25de1438b553db358f330aad8a26e8522601f055c3d5a8313cdd

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Code Cache\js\index-dir\the-real-index
    Filesize: 1KB
    MD5: 5ae8ba32702ba9278c7c2cdbdfdf29b7
    SHA1: c8fbe9fdd6bad8f2d4a29f369d143487ade2fa17
    SHA256: 0c7e6b587bbfe082fdaa36a2c921260549e0da1b537d9874a1363e89906b091e
    SHA512: 19d9d5c7fcdda3019c3630cce68594de4277b1d2856c9c31cce0f5dea61aefe9229c3f5fb6baa1e179530ec5e8f8ec7b6d012894d4fea9969ca7a3d8b977b16c

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Network Persistent State
    Filesize: 689B
    MD5: ec66d59ee399767f14f3c64e32914941
    SHA1: b00035f355a331ac8539ffca115505e225a0957a
    SHA256: 79126967f23873cf24ed7c8135b7ece6d40af41a75baae78157f4a6e45d22ce5
    SHA512: 8fdfa3ae7b4c1f89a5b9859997ce756386a5962bdfdbc1ac4b985ad9c845bab2dc8c443ccc4888dc7f4ce22ebb318def95c737a4f4a2d39c3abb6d762cca0f81

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 5KB
    MD5: e618d0d8d91d507f18785ddda05c6967
    SHA1: cc6c6a6be87332da571ef856d52dda2e7c7f3e03
    SHA256: 7cca3eea08d8e7135b30f6819074b85a972ae9d5d924b3ebec40915808c22e24
    SHA512: 381fe1d7e330b5d52b9173bd0fcabd76fe9caf0126eed211ba1babab46c51ceaef57dba683227f1b8f1aacb23bc66d19dde5506e1669d628cacf38211cab31dc

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 8bebc03570eafc57e52bbc2385fceb66
    SHA1: 922ba5d698ac9bead27a4e85732a312c7ed11fcc
    SHA256: 0028416c30e4ce2493245eae65f99e19ebc3a740227e0f6b0cfd4e5cebe3e788
    SHA512: b9e6f617ad2fc1621a1f8a17426363ab244ae9cb69672e19d5958258557cf8598a9d1f2bb72fd5b13cf09dc76ae7dbee46e740b5cde8d11106bd05860f1a46c0

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\Preferences
    Filesize: 6KB
    MD5: 235daef238f23634da1531d3f253ac56
    SHA1: 4731f3a6b9873db4bc076109ea63a61a287f0877
    SHA256: ffa8403793acdf76315c65734e9e26a180b7bee26e5565010cf0ce24fd05f322
    SHA512: 47cc9bc4573591529b32e4587aa7aa4cbdb92dfc0049f69f41142217a652a60c4456e9761401d472b4861c5dc2a995b6167739e1bec23cc9efac7b5294753df2

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 0c5d1c5b158ecf14f39abe9c9d1f5a71
    SHA1: 684171eb3af8bd0f1d960d112072e7314541fab9
    SHA256: cdb0d23e31aec55c7ead7c8c008aaeb81a84fbd7017f195d5d82eed25954c4b4
    SHA512: d515a67e24ebac914fe82af5badfeccdd0bc99f5c6f2e4a8514be5e12b5ac5fc8581ff736cdd38a7e631ce1eeabb029fc3328484e3589bd3ccfe238f57fd582b

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: f0be1265a2572156834f4d90d3411de9
    SHA1: 07f56cc73201af84594899e89dbc68eead857705
    SHA256: f53449f89974c926b3c56b787a891185ede4592e9f417baf45134f9e1bb8660a
    SHA512: ea5b264f18dee6a4129ef992ab92c0cb673edba44923bdb3641e472938fd487e6fe96f03e867dedd9c937909c1aa19fa163dcc8c623075ed17d964c087bcb012

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: f596c6ad8f32e31a99958710207c0e10
    SHA1: afa0334d42da1627949ca0648f403268fb5101cb
    SHA256: ca9ccf29d22c87d3e1d1611064645c547b14d88815855e09433675df2e0d8539
    SHA512: 7e9fad74064ced816187773501888a3ad94fbe529e03fa1da5ff961a841da0770bb3f31d13bcce01b587b8a2f529a64a679fbe4553f57f8e18fab6fec1704003

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity
    Filesize: 1KB
    MD5: 7a0977b7abb63e9eb715035f0ebac56b
    SHA1: c8e48696c447783831d00c9318280cd128a9cd9e
    SHA256: 44617072274d7b198cd1490782def7a83d89493c68a5ec49fc16fab77652f5c0
    SHA512: e73d94dbb01f6e5419b40f287f91fc34ae9d90a4b9bd395585cf245fb196cf37d34ee70b03dfaae8b51d711f462ca72e1c925301ca01b50a4176144c81c66585

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\TransportSecurity~RFe57f52d.TMP
    Filesize: 1KB
    MD5: 9dee17bae2f1fd292f30f52b8b9b6449
    SHA1: f5236676ac107bd880b90ba08a139cd9c0ef0030
    SHA256: 2dfa21d490f150bb4407846ba4895029ad4937e241c298362ea157f7cb69675f
    SHA512: 3a3efdb11679f3ba2bf042e080217f3390f4342c558e4206fe6bdd4e17f197575ac11f36a9461a03b508170af8b0bc778e54a98fc755f7504938dc36a3b21794

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Default\data_reduction_proxy_leveldb\CURRENT
    Filesize: 16B
    MD5: 6752a1d65b201c13b62ea44016eb221f
    SHA1: 58ecf154d01a62233ed7fb494ace3c3d4ffce08b
    SHA256: 0861415cada612ea5834d56e2cf1055d3e63979b69eb71d32ae9ae394d8306cd
    SHA512: 9cfd838d3fb570b44fc3461623ab2296123404c6c8f576b0de0aabd9a6020840d4c9125eb679ed384170dbcaac2fa30dc7fa9ee5b77d6df7c344a0aa030e0389

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 12KB
    MD5: 86e371cf6a8348ab68300b8aaf7452f7
    SHA1: 51d560f073d8e4b841a6fe148831b8ffea9148b9
    SHA256: 0016e2022dccc91079288dd69d5bcc73597c4a724fdc068c753d48f0ab7e9aa7
    SHA512: f4e61d24f4972b2433a35af02f11a7a18fc2c13d87fb74308b79d343daa071341ad7cc26b75772afe1d1272530948a36fb7f3d8afb23b8c88695876a55056589

  • C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Local State
    Filesize: 11KB
    MD5: 8100686a5339dc017bbd25ca46a1c708
    SHA1: 143c68971265e628857d3cfc2eb45c91a6f011a1
    SHA256: 16f8291c488eca398bf925d57863620f6695849d7bcaf78aaab881d4e651bab4
    SHA512: 3e637547fb7a2b37230706ca8f3ee7df4142ab8d6108037601d93702f847657cf8aae5aa2a0a592611c1614df532343d5390751eb52294643401c2671708d74b