Analysis Overview
SHA256
d390cedf4222277eccbc02514a5d9a47c67379d14bc1d67ee95b096addce601f
Threat Level: Known bad
The file Roblox.zip was found to be: Known bad.
Malicious Activity Summary
AsyncRat
Asyncrat family
Async RAT payload
Executes dropped EXE
System Location Discovery: System Language Discovery
Checks SCSI registry key(s)
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of FindShellTrayWindow
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of SendNotifyMessage
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 01:31
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 01:31
Reported
2024-10-30 01:34
Platform
win10ltsc2021-20241023-en
Max time kernel
126s
Max time network
99s
Command Line
Signatures
AsyncRat
Asyncrat family
Async RAT payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\Roblox.exe | N/A |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\Roblox.exe | N/A |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000 | C:\Windows\system32\taskmgr.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A | C:\Windows\system32\taskmgr.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\Desktop\Roblox.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\system32\taskmgr.exe | N/A |
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox.zip"
C:\Users\Admin\Desktop\Roblox.exe
"C:\Users\Admin\Desktop\Roblox.exe"
C:\Users\Admin\Desktop\Roblox.exe
"C:\Users\Admin\Desktop\Roblox.exe"
C:\Windows\system32\taskmgr.exe
"C:\Windows\system32\taskmgr.exe" /0
C:\Users\Admin\Desktop\Roblox.exe
"C:\Users\Admin\Desktop\Roblox.exe"
C:\Users\Admin\Desktop\Roblox.exe
"C:\Users\Admin\Desktop\Roblox.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| NL | 20.31.169.57:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.42.69.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 69.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | checkappexec.microsoft.com | udp |
| GB | 13.87.96.169:443 | checkappexec.microsoft.com | tcp |
| US | 8.8.8.8:53 | 169.96.87.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:7707 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:8808 | N/A | tcp |
| N/A | 127.0.0.1:6606 | N/A | tcp |
Files
C:\Users\Admin\Desktop\Roblox.exe
| MD5 | 4068c787e0957ef2bcace223b329e350 |
| SHA1 | 64953413198c9e73d3cb2dee812bf80a359c4d60 |
| SHA256 | 0fe742209ac27e9da3613b6a5a6007f45c9ffbf4f71583752cdf0fa9a70c7780 |
| SHA512 | f3794b639c45becfae73f3c3e3fe5e722f1b36d904b95bbfde3b7d89b091f457ed6487ed38e650870391fca00c4fc08dd0389092e508d3f759e7cfd60493c849 |
memory/2068-4-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/2068-5-0x0000000000E30000-0x0000000000E56000-memory.dmp
memory/2068-6-0x0000000074E90000-0x0000000075641000-memory.dmp
memory/2068-7-0x00000000057F0000-0x0000000005856000-memory.dmp
memory/2068-8-0x0000000005C90000-0x0000000005D2C000-memory.dmp
memory/2068-9-0x0000000074E9E000-0x0000000074E9F000-memory.dmp
memory/2068-10-0x0000000074E90000-0x0000000075641000-memory.dmp
memory/1548-12-0x0000000074E90000-0x0000000075641000-memory.dmp
memory/4804-15-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-14-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-13-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-20-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-25-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-24-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-23-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-22-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-21-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/4804-19-0x000001D3D50B0000-0x000001D3D50B1000-memory.dmp
memory/1548-27-0x0000000074E90000-0x0000000075641000-memory.dmp
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\Roblox.exe.log
| MD5 | 8c7889bde41724ce3db7c67e730677f6 |
| SHA1 | 485891cc9120cb2203a2483754dbd5e6ea24f28e |
| SHA256 | 83c70bfcb1b41892c9c50cabe9bc2d96b2f7420b28545afabd32f682ac62d0ad |
| SHA512 | b7c3aab27fc924dcaef78987b492931e164b9e30b813c532fe87e1d40001ed1861c4b5ddbdd85cd2278681a22e32eee816877f4f63cecaa9972976d87e38f5cc |