Analysis
- max time kernel: 44s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 24-11-2024 19:35

Static task: static1

Behavioral task: behavioral1
- Sample: Roblox Cheat Free.rar
- Resource: win10v2004-20241007-en

Behavioral task: behavioral2
- Sample: Roblox Cheat Free.rar
- Resource: win11-20241007-en
General
- Target: Roblox Cheat Free.rar
- Size: 1.6MB
- MD5: 4ba1bd42e77a2370c240d08e568efc72
- SHA1: b1d86361ed425fcf70e77f23d90867d87f1a7353
- SHA256: 81e9674a18dcb4fad7e6314b353b71de92f04116438b950fdf177a1b0c5f1525
- SHA512: 3482b3fb9c78958e482aa2115e661f7128b9bf9ea492d488810cb40d929f3a3e8ef6ee4e4ca94546afe8bd4be83ddd759aa743ba612abd4347e489eed8fa67d0
- SSDEEP: 49152:mwnklGp051IOBaI8QTkH/oXeUC3A4Z4gzk9JOw:mCAGpDOAI8QTu/rLwG4Yw
Malware Config
Signatures
- Executes dropped EXE (1 IoCs)
  PID 3588, Process: Roblox.exe
- System Location Discovery: System Language Discovery (1 TTPs, 1 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, Process: Roblox.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  PID 2376, Process: 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token: SeRestorePrivilege, PID 2376, Process: 7zFM.exe
  Token: 35, PID 2376, Process: 7zFM.exe
  Token: SeSecurityPrivilege, PID 2376, Process: 7zFM.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  PID 2376, Process: 7zFM.exe
  PID 2376, Process: 7zFM.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  PID 2376 wrote to memory of 3588, Process: 7zFM.exe, procid_target: 80
  PID 2376 wrote to memory of 3588, Process: 7zFM.exe, procid_target: 80
  PID 2376 wrote to memory of 3588, Process: 7zFM.exe, procid_target: 80
Processes
1. C:\Program Files\7-Zip\7zFM.exe
   Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Roblox Cheat Free.rar"
   PID: 2376
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\7zO84990AA7\Roblox.exe (child of PID 2376)
      Command line: "C:\Users\Admin\AppData\Local\Temp\7zO84990AA7\Roblox.exe"
      PID: 3588
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 4.3MB
- MD5: 0348fffafb59ece4aa4e5304ee89488d
- SHA1: 6c1a2c3cb6e7a4b81e7c5011ff5b98e87d6740df
- SHA256: 679a1ccf565bc8e97f67637df2dfda231a2d5a4ea5d83cefa2fb2c6b390ed082
- SHA512: 0a37d386ff0924790706692503f1e18036f67d5841ed26b913249eddf336382d29fdb4e8d20d3b4a3d1cd31f57b7bf3a661e5f961b4054f84923c413423a7210