Resubmissions

23/11/2024, 18:20

241123-wy1ysszlfy 3

23/11/2024, 18:16

241123-wwn68azkhx 6

Analysis

  • max time kernel
    145s
  • max time network
    142s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    23/11/2024, 18:16

General

  • Target

    https://www.roblox.com/home

Score
3/10

Malware Config

Signatures

  • Browser Information Discovery 1 TTPs

    Enumerate browser information.

  • Enumerates system info in registry 2 TTPs 3 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
  • Suspicious use of FindShellTrayWindow 25 IoCs
  • Suspicious use of SendNotifyMessage 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --start-maximized --single-argument https://www.roblox.com/home
    1⤵
    • Enumerates system info in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4732
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=90.0.4430.212 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=90.0.818.66 --initial-client-data=0x100,0x104,0x108,0xdc,0x10c,0x7ffc3add3cb8,0x7ffc3add3cc8,0x7ffc3add3cd8
      2⤵
      PID:1512
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --gpu-preferences=SAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=1912 /prefetch:2
      2⤵
      PID:3372
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2364 /prefetch:3
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:1952
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2660 /prefetch:8
      2⤵
      PID:4728
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3244 /prefetch:1
      2⤵
      PID:340
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3252 /prefetch:1
      2⤵
      PID:124
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4584 /prefetch:1
      2⤵
      PID:3604
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4680 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:3368
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=9 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3940 /prefetch:1
      2⤵
      PID:1016
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5244 /prefetch:1
      2⤵
      PID:4584
    • C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\90.0.818.66\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5776 /prefetch:8
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:816
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5068 /prefetch:1
      2⤵
      PID:4948
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5540 /prefetch:1
      2⤵
      PID:4980
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=1900,965859138937409504,15101055238162431199,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.22000.1 --gpu-preferences=SAAAAAAAAADoAAAwAAAAAAAAAAAAAAAAAABgAAAQAAAoAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAB4AAAAAAAAAHgAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAAIAAAAAAAAAAgAAAAAAAAA --mojo-platform-channel-handle=5172 /prefetch:2
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      PID:792
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:2764
  • C:\Windows\System32\CompPkgSrv.exe
    C:\Windows\System32\CompPkgSrv.exe -Embedding
    1⤵
    PID:5112

Network

MITRE ATT&CK Enterprise v15

Downloads
