Analysis
- max time kernel: 27s
- max time network: 36s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 13-11-2024 18:58
Static task: static1
Behavioral task: behavioral1
- Sample: Roblox Account Manager.exe
- Resource: win7-20241010-en
Behavioral task: behavioral2
- Sample: Roblox Account Manager.exe
- Resource: win10v2004-20241007-en
General
- Target: Roblox Account Manager.exe
- Size: 5.4MB
- MD5: 334728f32a1144c893fdffc579a7709b
- SHA1: 97d2eb634d45841c1453749acb911ce1303196c0
- SHA256: be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
- SHA512: 5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f
- SSDEEP: 98304:42bT1Qm7d9G4/Ml61KO9bjRxMLywnrmYa0kqXf0FJ7WLhrBzcgPgL6b:/Qm59RMowO9bjRmmYiYa0kSIJ7zgPE
Malware Config
Signatures
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description   ioc                                                            Process
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Roblox Account Manager.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    Roblox Account Manager.exe
    Key opened    \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language    IEXPLORE.EXE
- Modifies Internet Explorer settings
  Processes:
    All keys below are relative to \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Internet Explorer
    description        ioc                                                                     Process
    Key created        \Main                                                                   iexplore.exe
    Key created        \IntelliForms                                                           iexplore.exe
    Key created        \InternetRegistry                                                       iexplore.exe
    Key created        \LowRegistry\DOMStorage                                                 iexplore.exe
    Key created        \LowRegistry\DontShowMeThisDialogAgain                                  iexplore.exe
    Key created        \Toolbar                                                                iexplore.exe
    Key created        \Toolbar\WebBrowser                                                     iexplore.exe
    Set value (str)    \Main\WindowsSearch\Version = "WS not running"                          iexplore.exe
    Key created        \Main                                                                   IEXPLORE.EXE
    Key created        \SearchScopes                                                           iexplore.exe
    Key created        \BrowserEmulation\LowMic                                                iexplore.exe
    Key created        \IETld\LowMic                                                           iexplore.exe
    Key created        \Zoom                                                                   iexplore.exe
    Set value (int)    \Main\CompatibilityFlags = "0"                                          iexplore.exe
    Set value (int)    \Recovery\AdminActive\{4C0FB9C1-A1F1-11EF-A5D6-7E6174361434} = "0"     iexplore.exe
    Set value (int)    \Recovery\PendingRecovery\AdminActive = "1"                             iexplore.exe
    Key created        \Recovery\AdminActive                                                   iexplore.exe
    Key created        \Main\WindowsSearch                                                     iexplore.exe
    Set value (int)    \Recovery\PendingRecovery\AdminActive = "0"                             iexplore.exe
    Key created        \GPU                                                                    iexplore.exe
    Key created        \LowRegistry                                                            iexplore.exe
    Key created        \PageSetup                                                              iexplore.exe
    Set value (str)    \Main\FullScreen = "no"                                                 iexplore.exe
    Set value (data)   \Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000   iexplore.exe
    Key created        \Recovery\PendingRecovery                                               iexplore.exe
    Set value (int)    \SearchScopes\DownloadRetries = "2"                                     iexplore.exe
- Suspicious use of FindShellTrayWindow (1 IoCs)
  Processes:
    pid     Process
    2440    iexplore.exe
- Suspicious use of SetWindowsHookEx (6 IoCs)
  Processes:
    pid     Process
    2440    iexplore.exe
    2440    iexplore.exe
    1976    IEXPLORE.EXE
    1976    IEXPLORE.EXE
    1976    IEXPLORE.EXE
    1976    IEXPLORE.EXE
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
    description                         pid     Process                       procid_target
    PID 1656 wrote to memory of 2244    1656    Roblox Account Manager.exe    28
    PID 1656 wrote to memory of 2244    1656    Roblox Account Manager.exe    28
    PID 1656 wrote to memory of 2244    1656    Roblox Account Manager.exe    28
    PID 1656 wrote to memory of 2244    1656    Roblox Account Manager.exe    28
    PID 2244 wrote to memory of 2440    2244    Roblox Account Manager.exe    29
    PID 2244 wrote to memory of 2440    2244    Roblox Account Manager.exe    29
    PID 2244 wrote to memory of 2440    2244    Roblox Account Manager.exe    29
    PID 2244 wrote to memory of 2440    2244    Roblox Account Manager.exe    29
    PID 2440 wrote to memory of 1976    2440    iexplore.exe                  30
    PID 2440 wrote to memory of 1976    2440    iexplore.exe                  30
    PID 2440 wrote to memory of 1976    2440    iexplore.exe                  30
    PID 2440 wrote to memory of 1976    2440    iexplore.exe                  30
Processes
1. C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
   PID: 1656
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
      PID: 2244
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Roblox Account Manager.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
         PID: 2440
         - Modifies Internet Explorer settings
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory
         4. C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
            PID: 1976
            - System Location Discovery: System Language Discovery
            - Modifies Internet Explorer settings
            - Suspicious use of SetWindowsHookEx

Note on the process tree: the go.microsoft.com fwlink opened by iexplore.exe carries sbp=AppLaunch and o1=.NETFramework,Version=v4.8, which is the redirect the .NET shim issues when a managed executable requires a runtime version that is not installed. The Internet Explorer activity (and the registry changes attributed to it) on this Windows 7 image therefore reflects the missing .NET Framework 4.8 rather than behaviour of the sample itself.
Downloads