Malware Analysis Report

2025-08-05 18:13

Sample ID 241117-rpv9qs1hrf
Target RobloxPlayerInstaller.exe
SHA256 c4e4b832dfab883152602b2ffef83f57281ebd8d08b3b8b12540f580fe0526d0
Tags discovery evasion trojan
Score 6/10

Table of Contents

Analysis Overview
MITRE ATT&CK
    Enterprise Matrix V15
Analysis: static1
    Detonation Overview
    Signatures
Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 6/10

SHA256 c4e4b832dfab883152602b2ffef83f57281ebd8d08b3b8b12540f580fe0526d0

Threat Level: Shows suspicious behavior

The file RobloxPlayerInstaller.exe was found to show suspicious behavior.

Malicious Activity Summary

discovery evasion trojan

Checks whether UAC is enabled

Drops file in Program Files directory

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious behavior: EnumeratesProcesses

Enumerates system info in registry

Modifies Internet Explorer settings

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-11-17 14:22

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-11-17 14:22

Reported 2024-11-17 14:26

Platform win11-20241023-en

Max time kernel 150s

Max time network 153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"

Signatures

Checks whether UAC is enabled

evasion trojan
Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A

Drops file in Program Files directory

Description | Indicator | Process | Target
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\VR\VRPointerDiscRed.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\Controls\DesignSystem\ButtonL3.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\configs\ReflectionLoggerConfig\EphemeralCounterWhitelistMock.json | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\CollisionGroupsEditor\delete.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaChat\graphic\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\DefaultController\ButtonR1.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaApp\graphic\gr-avatar [email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Capture\Shutter.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaChat\icons\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaApp\ExternalSite\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\AnimationEditor\image_keyframe_linear_selected.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TerrainTools\mtrl_slate.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Settings\Players\BlockIcon.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaChat\9-slice\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TerrainEditor\crater.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\PlayStationController\PS4\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Settings\LeaveGame\Button_1080.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\avatar\unification\R15.rbxm | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\fonts\GrenzeGotisch-Regular.ttf | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\9SliceEditor\Dragger2Right.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TerrainTools\mtrl_ground_2022.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\CollisionGroupsEditor\rename.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\DefaultController\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\InGameMenu\game_tiles_background.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ManageCollaborators\arrowRight_dark.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\MaterialManager\Recents.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\VoiceChat\SpeakerNew\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\PlayStationController\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\LegacyRbxGui\brickSide.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\fonts\Montserrat-Black.ttf | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\StudioToolbox\Clear.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TerrainTools\mtrl_basalt.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TextureViewer\refresh_dark_theme.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\TopBar\coloredlogo.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\VR\buttonBackground.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\PlatformContent\pc\textures\sky\indoor512_rt.tex | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\avatar\scripts\CompositorAnimate\v1betaRC1\AnimateDependencies.rbxm | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\AnimationEditor\animation_editor_blue.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\StudioSharedUI\radio_selected_enabled_dark.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\XboxController\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\PlayStationController\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaChat\9-slice\tag-bubble.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaChatV2\ic-friend-empty-border.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\LuaApp\icons\ic-game.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\GameSettings\delete.PNG | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\ImageSet\AE\img_set_1x_1.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\PlayerList\TileShadowMissingTop.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\StudioSharedUI\packages.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TagEditor\huesatgradient.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TerrainTools\icon_regions_fill.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Backpack\Backpack.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\StudioToolbox\AssetConfig\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\StudioToolbox\AssetConfig\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\StudioUIEditor\icon_resize4.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\VoiceChat\MicLight\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\ExtraContent\textures\ui\Controls\DesignSystem\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\RoactStudioWidgets\toggle_disable_light.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\TerrainTools\mtrl_concrete.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Controls\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ui\Emotes\Large\[email protected] | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
File created | C:\Program Files (x86)\Roblox\Versions\version-32f36ac944b34913\content\textures\ViewSelector\right_zh_cn.png | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\BaseBoardManufacturer | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A

Modifies Internet Explorer settings

adware spyware
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Internet Explorer\ProtocolExecute\roblox-studio\WarnOnOpen = "0" | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\version = "version-e0a840597ded474b" | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\URL Protocol | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon\ = "C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe" | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\shell\open\command\ = "\"C:\\Program Files (x86)\\Roblox\\Versions\\RobloxStudioInstaller.exe\" %1" | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\ = "URL: Roblox Protocol" | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\roblox-studio\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe

"C:\Users\Admin\AppData\Local\Temp\RobloxPlayerInstaller.exe"

Network

Country | Destination | Domain | Proto
N/A | 127.0.0.1:49770 | | tcp
US | 8.8.8.8:53 | ecsv2.roblox.com | udp
GB | 128.116.119.4:443 | ecsv2.roblox.com | tcp
US | 8.8.8.8:53 | client-telemetry.roblox.com | udp
GB | 128.116.119.4:443 | client-telemetry.roblox.com | tcp
N/A | 127.0.0.1:49774 | | tcp
FR | 13.249.9.54:443 | clientsettingscdn.roblox.com | tcp
US | 205.234.175.102:443 | setup.rbxcdn.com | tcp
N/A | 127.0.0.1:49777 | | tcp
N/A | 127.0.0.1:49792 | | tcp
US | 205.234.175.102:443 | setup.rbxcdn.com | tcp
US | 205.234.175.102:443 | setup.rbxcdn.com | tcp

Files

C:\Program Files (x86)\Roblox\Versions\RobloxStudioInstaller.exe

MD5 7478745f2ffdcebdb1c5ccbd482312b8
SHA1 6f754125fdea66ca783875f7c6c0f96be14211d3
SHA256 ae19ae02450f9e885abbed2e40fbabf9992acf61fd206d6ec0da8fcc2ecfeecb
SHA512 9ff8e19eb3471d69654a9a83fdc62f9d340dfee344a1cc89802ab4924921edc2c4b1e4f6573143ac61cb61d970d6150ae694369c90ba453cfeb63966d85bf352

C:\Users\Admin\AppData\Local\Roblox\Downloads\roblox-player\c261fa92769bc5ab6443aade831bdc18

MD5 c261fa92769bc5ab6443aade831bdc18
SHA1 60c313b138fdc767d1b6108e6ce5c800ac1f4bf1
SHA256 c6f1c59442953fb894b7414e2bc7c494d379df20a81bef8a974afec150e0cab5
SHA512 85f433f98441707bffb7d071e8dd20c77766244cc649b6887f43cc01e6d791f70a87f83d836a6f20d35c148327f466e184b3db7ae8db20fab9d3f36efc675e35