Analysis

  • max time kernel
    27s
  • max time network
    36s
  • platform
    windows7_x64
  • resource
    win7-20241010-en
  • resource tags

    arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted
    13-11-2024 18:58

General

  • Target

    Roblox Account Manager.exe

  • Size

    5.4MB

  • MD5

    334728f32a1144c893fdffc579a7709b

  • SHA1

    97d2eb634d45841c1453749acb911ce1303196c0

  • SHA256

    be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1

  • SHA512

    5df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f

  • SSDEEP

    98304:42bT1Qm7d9G4/Ml61KO9bjRxMLywnrmYa0kqXf0FJ7WLhrBzcgPgL6b:/Qm59RMowO9bjRmmYiYa0kSIJ7zgPE

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim host in order to infer the geographical location of that host.

  • Modifies Internet Explorer settings 1 TTPs 26 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
    "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1656
    • C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe
      "C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2244
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch&plcid=0x409&o1=.NETFramework,Version=v4.8&processName=Roblox Account Manager.exe&platform=0009&osver=5&isServer=0&shimver=4.0.30319.0
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2440
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2440 CREDAT:275457 /prefetch:2
          4⤵
          • System Location Discovery: System Language Discovery
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1976

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    45ee46474cfe42202111f6f9ef4518ac

    SHA1

    e2a71f952f3dd6ae65ebc4af97c5146d873dca87

    SHA256

    7310496ced4308260dda57dda8f780c2b76935283e500572688507995d9e2355

    SHA512

    7ff523a627850eabce236803e6ce36694a0854d548333bb259dcf3a43e23a426fe4ceaf0285fa44874635928fe681362e002fec7275753208142bf6f31fc9471

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    379ed3684aa7f7288affca848dd35b7a

    SHA1

    3c887f3be704935cfdc4347fce8401d587cc35a3

    SHA256

    a15a6766c401fc37c47607278922f15ece425338711f3c8210c89842b3c5492a

    SHA512

    7e226760d5aedeacbdf2e4077e12c471a643104221987d088c5331f1eb3a5b43aceb9a4e17ffb1beb43614a6c93d01e40b633ec25d130895e8cef7da0ccd218c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6f98696009cc75a2c0f66ff0ac88d020

    SHA1

    69fc8bf3bbcc1bab72433ccbb602617741320e63

    SHA256

    5f7951c8815e18174d8e88222371a42a30132ddad0ae685de7c82221f91df113

    SHA512

    ed8101d20538d4e5aa99c7526ff5047e2ff810ce15c57324f7c0062f6f6800500562fee7202ad7b902cc4f90d474090e87a864d91ae241312be7173e4f4cf390

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    d30e08ad6af8f26f16507fe02bbd654b

    SHA1

    f2a66999fbf90e33b94671eeb8b12ed7d689e22e

    SHA256

    d4974212df2f6bdc777ff5776e19b959b956e512c778a9ef6e38ef0675309216

    SHA512

    cf4fdbe89440c88aa775c9bcaac0b46800f292fd538453f14e41e79f35f8259c688c0a48dc58617b31491cc9f0ef3f231f7feab33d26793168bc5b4090b84caf

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    6a2402de310703a6aec1dc3a24a2f98c

    SHA1

    76e531a3aa0e4188a214b0df8c029adc0f7702a9

    SHA256

    cb2b41fcd6f3591169528b6981bc09ae8c91de19a99a918fc6d12df6ca07e050

    SHA512

    ee048efb7362a7d18196060eefd1926efa1e841e1945588caed555f9d29363035c35a779d228755fbf0432b800550b828970b6b2701d8e1a5a112d9d3cf5a6b1

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    7a80e89effb53fc77912863baac89dee

    SHA1

    bc8006948f7aa6245431fc9706e312f9767b70f2

    SHA256

    7c2c3c75be9eda47f3ee9ef60eba2557c5249aa4c5b6df04bb9ca4a4af6b1816

    SHA512

    170160afcb62fb7de2b4e58ec2bcac4ef23ecee7aab7e8fafdd3988a58f2145eb12d54006685c6774595377ce502321b4fdd9d4992ae0fef69e1ad369fbd40ea

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ab3b5e019dab1d504b617de9b03029bc

    SHA1

    a58e4b0caaeba72f6216ab762078a82b0cee7b73

    SHA256

    f26d3e020440248f6bae6615ebf56ecd72d0613f0b31b62310c591d11bc1d5e0

    SHA512

    d3f24e3b1a249b3c597356b6cbd5d978e3b1d962fbb51c48fc7a65a08aaea455b02f53cdcac683347a5897fc0eaee261019b6f3138366fc6e2428592a8596c98

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    ff3026b94314cb9c7b663fcc2476b814

    SHA1

    22e7b1a4930f0f5916133ab6d87fba649c61190d

    SHA256

    d15d33e3221deba403526c01067668e0f2c268cd0c67b03df98097992b7caeba

    SHA512

    0df924427100ff7799c7f9ed586086b4e5d5e9f6f2926fb48adfb09835229cc75f625042de59bec7a8e6557d87f0e8ecf421d929ab5f44e40481254426c8841f

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    8ab1c77474ab1fb98d196593c481c5a3

    SHA1

    9cf33af880aa8703433cf70371aefad0207da4d3

    SHA256

    ea75f64111d68e2c57472a4d702571caf976a104f072a926dc1bad7d2a147fc2

    SHA512

    87c18f2971c9e53ac044d817abd41d8acf13cb20b28c6593015390ffa7a6ca61ffeab1766e94991e7f3fc6d4147b41f0a2ecc1f9570228858089f89b18d71968

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    f3d8654b74a904af122c38ab025dda5a

    SHA1

    e4dff7466e2163ea96a51db3f68203ead2554093

    SHA256

    59bccfcd7cdbc12b1a759677abcffaa0077cc93247f1719169a12442cdac0fd6

    SHA512

    607f71303376ea2bb69ee06a5a6ef7ef00ad6f7b3b4d7b6987653e8790a4ad7e98f75813a361ef428de3d2a0717a0b231e8135c463cead2922a6de29bc5dc5c9

  • C:\Users\Admin\AppData\Local\Temp\CabD960.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe.config

    Filesize

    6KB

    MD5

    0a86fa27d09e26491dbbb4fe27f4b410

    SHA1

    63e4b5afb8bdb67fc1d6f8dddeb40be20939289e

    SHA256

    2b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d

    SHA512

    fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d

  • C:\Users\Admin\AppData\Local\Temp\TarD992.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • memory/1656-0-0x000000007490E000-0x000000007490F000-memory.dmp

    Filesize

    4KB

  • memory/1656-11-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/1656-6-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/1656-5-0x0000000000A50000-0x0000000000A6E000-memory.dmp

    Filesize

    120KB

  • memory/1656-4-0x0000000000A20000-0x0000000000A46000-memory.dmp

    Filesize

    152KB

  • memory/1656-3-0x0000000074900000-0x0000000074FEE000-memory.dmp

    Filesize

    6.9MB

  • memory/1656-2-0x0000000000740000-0x0000000000786000-memory.dmp

    Filesize

    280KB

  • memory/1656-1-0x0000000000AB0000-0x000000000101C000-memory.dmp

    Filesize

    5.4MB