Analysis
-
max time kernel
48s -
max time network
51s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
19/11/2024, 13:57
General
-
Target
Roblox Account Manager.exe
-
Size
5.2MB
-
MD5
a057fae0c8c97ee6cf2c12fb7bcf034d
-
SHA1
64fe0eb242b5c3f9c42f4f2c1685e4a36708e4f6
-
SHA256
cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9
-
SHA512
447cf69cf39ef19d098f4ab223d6ad9d760efb1eabb1bb0dac27fd2e55ac14c5a6502f2edd00b199d2db702e38551065bcc087c8df931360e769443908a4d200
-
SSDEEP
98304:b2bT1Qm7d9GP4i7q0LTWgtUmWzmSyZs9S8Z/LywnrSkqXf0Fb7WnhNMYkj7:4Qm59q/tUhzmS9zZ/mY+kSIb7ahNMYk
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 3 IoCs
-
Drops file in System32 directory 49 IoCs
-
Drops file in Windows directory 15 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 11 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Checks SCSI registry key(s) 3 TTPs 5 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies Internet Explorer settings 1 TTPs 2 IoCs
-
Modifies data under HKEY_USERS 9 IoCs
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 27 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart2⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\vcredist.tmp"C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" /q /norestart3⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{9CDC13E5-F9AD-42B6-81C1-D9E9C5B3EAD1}\.cr\vcredist.tmp"C:\Windows\Temp\{9CDC13E5-F9AD-42B6-81C1-D9E9C5B3EAD1}\.cr\vcredist.tmp" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\vcredist.tmp" -burn.filehandle.attached=692 -burn.filehandle.self=696 /q /norestart4⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{2CDBA1B2-6E1B-47B8-A8A5-01FE69E12DDA}\.be\VC_redist.x86.exe"C:\Windows\Temp\{2CDBA1B2-6E1B-47B8-A8A5-01FE69E12DDA}\.be\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{8497DDD9-B51E-4DD6-903E-3ED16C1C0281} {3EAD68F6-8023-4C25-9589-94D8DCF5BC05} 24285⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=952 -burn.embedded BurnPipe.{CAF80705-2C36-4981-A71C-D95EB7E6B84C} {6FFBF40C-327D-43DF-8643-E0B30D1014E5} 21126⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.clean.room="C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -burn.filehandle.attached=516 -burn.filehandle.self=536 -uninstall -quiet -burn.related.upgrade -burn.ancestors={e7802eac-3305-4da0-9378-e55d1ed05518} -burn.filehandle.self=952 -burn.embedded BurnPipe.{CAF80705-2C36-4981-A71C-D95EB7E6B84C} {6FFBF40C-327D-43DF-8643-E0B30D1014E5} 21127⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe"C:\ProgramData\Package Cache\{4d8dcf8c-a72a-43e1-9833-c12724db736e}\VC_redist.x86.exe" -q -burn.elevated BurnPipe.{475F3376-84C6-416E-B7C1-C848C815B4C1} {0214296B-F976-4C99-A5A0-E44D18B6080D} 16088⤵
- System Location Discovery: System Language Discovery
- Modifies registry class
-
-
-
-
-
-
-
C:\Users\Admin\AppData\Local\Temp\Auto Update.exe"C:\Users\Admin\AppData\Local\Temp\Auto Update.exe" -update3⤵
- Deletes itself
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"4⤵
- Checks computer location settings
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe"C:\Users\Admin\AppData\Local\Temp\Roblox Account Manager.exe" -restart5⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies Internet Explorer settings
-
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\srtasks.exeC:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:21⤵
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD506e982edb8dc411d25074730012c60d1
SHA19313f6f61a83647d56c8cf4edb1b0268fa515120
SHA256c1f303caee0c09d9eac041a50915dc6f1900b7a17799797e32c72346a0640b9d
SHA512a0525f3eaa2d8f979e5e061242f05113ee972f591508ad00605eca64a2080f1dfaabb21a1b717ffd45a65b2f33f1b420269876671b61ee1ec87f5a00a49d48e1
-
Filesize
18KB
MD5c3aad8755179e59e7c977aff422395a8
SHA15a9ca41c574be8e32dafed767a5351d632e1101d
SHA256d2ca047f4e06a63b525bc8b99c949c4f28e9400668128b3ef714d81b766fbf91
SHA5127ff626827fc2bb93550a493fb6a7dc0d7b094b5dd123882ae809b668be61e0e140987ad42acffcd3516db7cebc4a8df6dfc2ebc877fec1a762c9a8e52b25c83b
-
Filesize
20KB
MD52f1078488138c7184c3326edbe5b2ed2
SHA133017c4d834a67b1c38d02a2d6b0636c436390b9
SHA256bc811d58f337840ade17a7f59a05005d54d2f339f95797c78355d2d7f4c8c9f2
SHA512462f1ec9852f6f483106f3b361f6c482b232055e2e0477398b60f3f8feb918b3fc289efbf3597f37fc8c1e3f3fa9e147168e7ba4e04f0800ce07b18a22c46d1d
-
Filesize
19KB
MD5397ba4b44357814bb5c64e533f5c0dde
SHA1f30f2ddfa6c181bd0315b26ca7764597c655f823
SHA2565eaebd2123c7bfd7c623181af998a162c9e161a01396362c1961a501d2e0a5ef
SHA5124b4ae6f74a70cfdec84c1458f1c9814e12f63005aaeaa6d6da995fcbe718044c5ab338b293b1aa280bd7d06f050c3815c11e44270491306d9cfac87900790c54
-
Filesize
1KB
MD5a02e8a8a790f0e0861e3b6b0dbe56062
SHA1a3e65805e5c78641cafebc1052906d7350da9d2e
SHA2567fada0f81b63e1ecb265e9620ace8f5f0d40773626081849f5d98e668bc4e594
SHA512108a81f818aa027834d621c771e427ee3f300c59d9dc10d853b94b1e8d635cf6bc06338dce31da30b08660c6fb06a39f9069c983bb585049f5fe9f50b753eb42
-
Filesize
5.2MB
MD5a057fae0c8c97ee6cf2c12fb7bcf034d
SHA164fe0eb242b5c3f9c42f4f2c1685e4a36708e4f6
SHA256cdb0a360cca7a5099c2d2357be1a833e032ffdeb3f467a6fac845f6bb77031c9
SHA512447cf69cf39ef19d098f4ab223d6ad9d760efb1eabb1bb0dac27fd2e55ac14c5a6502f2edd00b199d2db702e38551065bcc087c8df931360e769443908a4d200
-
Filesize
1KB
MD58ab2e345d4a5ecf0d9b4e56d73d5bf04
SHA1484eeaef985040da4bb91d422edce0c03d3e777e
SHA256cde3d0037c00996ff60a66d924e634aacffd54440b97fd848f4d131d0eb60087
SHA512feecb7bb022265f0feb9df4b252b811cb0c50fd2b09811cfa675e97b92e1c66784ac26affb8ec6a3fd7956dd0b638034fc5e850d4674711636fa3bb420c8c57a
-
Filesize
1KB
MD5a022672905a8989b6e092508f822bd86
SHA13b99c4ca34a6cdebe6dce8ba25c0709bd35d55db
SHA256d6de96a10276a42a8c84276877e0ae68787686fed31e0d966b6ce4068df524c2
SHA512ba7a963907e14a74a0cb9481aff71a4c3b210457700cd052eccf63c90673185ae95738338d343be4624d2675595356b9fb0b2253b9b96fe359e19e51454e9eed
-
Filesize
314B
MD5f18fa783f4d27e35e54e54417334bfb4
SHA194511cdf37213bebdaf42a6140c9fe5be8eb07ba
SHA256563eb35fd613f4298cd4dceff67652a13ba516a6244d9407c5709323c4ca4bb1
SHA512602f6a68562bc89a4b3c3a71c2477377f161470bf8ae8e6925bf35691367115abfa9809925bd09c35596c6a3e5a7e9d090e5198e6a885a6658049c8732a05071
-
Filesize
5.4MB
MD5334728f32a1144c893fdffc579a7709b
SHA197d2eb634d45841c1453749acb911ce1303196c0
SHA256be9ddcdedf8c36c64e6b0a32d2686b74a112913c54217ccaa46675bfd1dc82f1
SHA5125df9d63136098d23918eba652b44a87e979430b2ce3e78a3eb8faef3dd4bd9599d6c31980f9eaf2bd6a071e966421bc6cec950c28b3b917f90130e8a582c2a1f
-
Filesize
5KB
MD57e067afe7c779870c370c40240e2ce1f
SHA171d59901ee26810c2b2cfdeca176cec9a54fdb48
SHA2565e0ba1895cf088e6d6907b8abbd8cd41c86f39cc642351a9ab0bf458bf1f5b31
SHA5127ae4e81cd7a06aca5c363e1009d898aa8b42236d6796c38a8ba07adb52eae45f69cd446d008a0e1d12c60c02a43bee1c813231d58884c6dd69a2967e243c9cc6
-
Filesize
6KB
MD50a86fa27d09e26491dbbb4fe27f4b410
SHA163e4b5afb8bdb67fc1d6f8dddeb40be20939289e
SHA2562b6d99db8369b0ff6372737d89d1c9e4101815b4168a3852c7b513f2897e7f3d
SHA512fbebc4dc0925d5d67271cac04c1ed324091442ef4c9f6243d2c1c523c9aa6b338c6a594e4987fc142dd3b2a023338a267c8a3454e47fbf0b3e0dbd7b3b65cc0d
-
Filesize
2KB
MD527863ef2626bec0ef95b08cdfd3df2f9
SHA1ceb4566656d01129c0fcdb3bae716f03865ce281
SHA256c1998e7b31d85d4c8712a506da0bb27d64fbee3d4fbe799c86635c00c70e1312
SHA512431f0bb5f8e4ea8b46008e5162db5033110d647e70a999799d82a032250f9c0a4bb695710197f82fdcc0ab2ef0e7db84fca7ff9e24fa1322807757d51489685e
-
Filesize
2KB
MD5cc625208b22eca996b6a7e9441c9846c
SHA1cdaf7dc42cef4d0e06687a57454cd102cbe568b4
SHA2569db2dc9832d6240527a807a0c8167c8f7030ea7b43a3be3e15cc5e65a5f7c54c
SHA51292fa423c2a664df7ee9e2c19432d2119360dfd80b4f9136b25205b64758d506dbe5019f3f68aadc73f28537be982273d13a96625843adfb933d7cea0c2a7fdb2
-
Filesize
142B
MD5d5cf45cffc66b13eddf860d5f8d9c1f7
SHA1760952ee4783a83efab085896438a52f5902ef55
SHA256d6dc81855bea1d95a55a039aab162c348cc8a93da33fae7e80b38ff53632837a
SHA512e992229fc7917ce20330a54fc11daca54f6e398ed7e8e9535dd97e3578677be8b81da52eabd2f10a41569030d6349bac4102e55e9169df5729e282e690958230
-
Filesize
569B
MD5c273c2417b222538e1bdf1df8ab167be
SHA1fea9b5b154e9e71132610fd5301f3a82d4ae74b9
SHA2565b63a948ff008740ccfa7aa5cfa95140e9ef40569cfa447fca3c56a73333b8ea
SHA5120343d6c2d057ed80a8a398b4518e20b5746bc86bf51d76d8ba2ddd866936bfecb1027d57cbe1a5bc2de205eb6daa94e23cc0fd4b06a74d0c509043faa6be500c
-
Filesize
936B
MD5e4659ac08af3582a23f38bf6c562f841
SHA119cb4f014ba96285fa1798f008deabce632c7e76
SHA256e4b10630d9ec2af508de31752fbbc6816c7426c40a3e57f0a085ce7f42c77bd5
SHA5125bfa1e021cc7ee5e7a00da865d68684202b3b92d3d369b85b80c591fffa67725d434398325dc1e37c659eab62c0a4118b3e279ac0096b95790d252ceb6254249
-
Filesize
13.3MB
MD58a6f4f3282236325360a9ac4413b7bc3
SHA1cb617803813e969be73f2e0e175a67620e53aa59
SHA256dd1a8be03398367745a87a5e35bebdab00fdad080cf42af0c3f20802d08c25d4
SHA5122c1facb8567a052b4fa65d173b0bda64fa5fded2cddb9073b7c28507ed95414c17d2839d06d5e961617c754cda54d6134964b1aff5c9e9cdfbace71f1de2ac3a
-
Filesize
1KB
MD5d6bd210f227442b3362493d046cea233
SHA1ff286ac8370fc655aea0ef35e9cf0bfcb6d698de
SHA256335a256d4779ec5dcf283d007fb56fd8211bbcaf47dcd70fe60ded6a112744ef
SHA512464aaab9e08de610ad34b97d4076e92dc04c2cdc6669f60bfc50f0f9ce5d71c31b8943bd84cee1a04fb9ab5bbed3442bd41d9cb21a0dd170ea97c463e1ce2b5b
-
Filesize
215KB
MD5f68f43f809840328f4e993a54b0d5e62
SHA101da48ce6c81df4835b4c2eca7e1d447be893d39
SHA256e921f69b9fb4b5ad4691809d06896c5f1d655ab75e0ce94a372319c243c56d4e
SHA512a7a799ecf1784fb5e8cd7191bf78b510ff5b07db07363388d7b32ed21f4fddc09e34d1160113395f728c0f4e57d13768a0350dbdb207d9224337d2153dc791e1
-
Filesize
842KB
MD5a04f3e3bd8684cf660619e0f6af4d751
SHA12b5b1a39de1faa20d9a5774ec7b27dee5f6fc065
SHA256b31b87a09f3aa2df573050949e87a68eeda01cb80dc974714d0603cea2c0708b
SHA512fb3c081ad9f23661ed6f167ca878469d702f5cb60c15bb6d04c21331b43f8b88d98a680ad74ff5855e4c286260452be9e25b49b5b245d14fa30297cc8add5828
-
Filesize
4.9MB
MD5654f67c3c99d57a0008427141bd1cfc6
SHA160887d57c8910a5034379ddc7a0ad5e2c2bfcde6
SHA256d87d9b997b91f9e375bf3cf994b67882ce21c0fbd4d0c4611dd6f593d4a8f3be
SHA5120f3182a9c923a51f9ffed2e8639f9bcb72ace859c6253aa860a95c2c67c6b9d80d7945042460a7f73e357614b149c9d906c101f800724825279f07902571a064
-
Filesize
200KB
MD595715c58dd2864b361dbd9e651b2f5ad
SHA1c8b19282b7950e7b8e106b5bbccad4fc7b3aa661
SHA256a6447de0d0d5b56b50988ae350432d68e9d83fbb566e2fcaa3f758a2b2574fea
SHA51210eb258d1c1ab690e03fd782316133305530a7a50769263176765862a754dcf5ec258ca5805d2be447a53b29b3557b519a6cec812208d88982201c86ea8d5fb3
-
Filesize
200KB
MD5975e07089d93c2540f0e91da7e1e0142
SHA1e65a155b9f88cabf6fc34111751051f8872f1dc2
SHA25616547c99e9dc8602603beda79bb9099d06b2f0e06273660aaffd3193d82e8bf5
SHA512047ca9eaf996b5b89cedf0f9e9d7544cb8700bba02e10aa90fbd283fdebb2e1ec98295569f145e0dc9bbf3dbd44f64e4d02429cbcdff7e149f2804c135ee2595
-
Filesize
669KB
MD5f7aca1ef43beaa02107214482e6b51d6
SHA1fb5cec36519b148119dec501cec92d894eb3b60a
SHA256169b8f7025b301ffce5402c98c07f9e01bbadce52a2961175b777279f92624a7
SHA51282cf5ebaa0a16e229b82e2dd550d7ab76409c89b4cfb7f163d1cce6d156db737ec5a09a3aa832b4076039665a6044aaeca3a6d311f8264492707ae281bbe7443
-
Filesize
191KB
MD5eab9caf4277829abdf6223ec1efa0edd
SHA174862ecf349a9bedd32699f2a7a4e00b4727543d
SHA256a4efbdb2ce55788ffe92a244cb775efd475526ef5b61ad78de2bcdfaddac7041
SHA51245b15ade68e0a90ea7300aeb6dca9bc9e347a63dba5ce72a635957564d1bdf0b1584a5e34191916498850fc7b3b7ecfbcbfcb246b39dbf59d47f66bc825c6fd2
-
Filesize
476KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
32KB
-
Filesize
104KB
-
Filesize
760KB
-
Filesize
136KB
-
Filesize
7.7MB
-
Filesize
7.7MB
-
Filesize
712KB
-
Filesize
7.7MB
-
Filesize
40KB
-
Filesize
464KB
-
Filesize
7.7MB
-
Filesize
352KB
-
Filesize
40KB
-
Filesize
584KB
-
Filesize
7.7MB
-
Filesize
208KB
-
Filesize
32KB
-
Filesize
7.7MB
-
Filesize
476KB
-
Filesize
476KB
-
Filesize
640KB
-
Filesize
976KB
-
Filesize
3.3MB
-
Filesize
32KB
-
Filesize
320KB
-
Filesize
232KB
-
Filesize
584KB
-
Filesize
5.6MB
-
Filesize
120KB
-
Filesize
4KB
-
Filesize
120KB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
152KB
-
Filesize
472KB
-
Filesize
5.2MB
-
Filesize
72KB
-
Filesize
7.7MB
-
Filesize
280KB
-
Filesize
5.4MB
