f25582f73b8557d509b7b9d0fc598bf8dfe4591aeeca8e360bcd3e984a5ac5a6

General

Target

roblox.exe
Size

27KB
MD5

ece47f6a290117baac1abe8e972fe774
SHA1

b4b330dfd2054f0ce2341b8e3c3425adf260615d
SHA256

f25582f73b8557d509b7b9d0fc598bf8dfe4591aeeca8e360bcd3e984a5ac5a6
SHA512

834a382c09c53e97406762c278a2541adac1d5466bb37a74315022d44e8ebbe1425c914e783afb4af425446f72a087177c0641d12fab013b88dd424eea781b9e
SSDEEP

384:lLEUcMLkeA08lfShrk2Ig9BPEBRXM+AQk93vmhm7UMKmIEecKdbXTzm9bVhcaz6:lVRq1ShZB+A/vMHTi9bD

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\Control Panel\International\Geo\Nation	roblox.exe

Drops startup file 2 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	roblox.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk	roblox.com

Executes dropped EXE 1 IoCs

pid	Process
2968	roblox.com

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-641261377-2215826147-608237349-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows2 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\roblox.com"	roblox.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roblox.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	roblox.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2968	roblox.com

Suspicious use of AdjustPrivilegeToken 33 IoCs

description	pid	Process
Token: SeDebugPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com
Token: 33	2968	roblox.com
Token: SeIncBasePriorityPrivilege	2968	roblox.com

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1972 wrote to memory of 2968	1972	roblox.exe	86
PID 1972 wrote to memory of 2968	1972	roblox.exe	86
PID 1972 wrote to memory of 2968	1972	roblox.exe	86
PID 1972 wrote to memory of 3408	1972	roblox.exe	87
PID 1972 wrote to memory of 3408	1972	roblox.exe	87
PID 1972 wrote to memory of 3408	1972	roblox.exe	87
PID 2968 wrote to memory of 4580	2968	roblox.com	91
PID 2968 wrote to memory of 4580	2968	roblox.com	91
PID 2968 wrote to memory of 4580	2968	roblox.com	91
PID 2968 wrote to memory of 2552	2968	roblox.com	92
PID 2968 wrote to memory of 2552	2968	roblox.com	92
PID 2968 wrote to memory of 2552	2968	roblox.com	92

Views/modifies file attributes 1 TTPs 3 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
3408	attrib.exe
4580	attrib.exe
2552	attrib.exe

C:\Users\Admin\AppData\Local\Temp\roblox.exe
"C:\Users\Admin\AppData\Local\Temp\roblox.exe"
1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1972
- C:\Users\Admin\AppData\Local\Temp\roblox.com
  "C:\Users\Admin\AppData\Local\Temp\roblox.com"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2968
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:4580
- - C:\Windows\SysWOW64\attrib.exe
    attrib +h +r +s "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2552
- C:\Windows\SysWOW64\attrib.exe
  attrib +h +r +s "C:\Users\Admin\AppData\Local\Temp\roblox.com"
  2⤵
  - System Location Discovery: System Language Discovery
  - Views/modifies file attributes
  PID:3408

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Hide Artifacts

1

T1564

Hidden Files and Directories

Modify Registry

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\roblox.com

Filesize
27KB

MD5
ece47f6a290117baac1abe8e972fe774

SHA1
b4b330dfd2054f0ce2341b8e3c3425adf260615d

SHA256
f25582f73b8557d509b7b9d0fc598bf8dfe4591aeeca8e360bcd3e984a5ac5a6

SHA512
834a382c09c53e97406762c278a2541adac1d5466bb37a74315022d44e8ebbe1425c914e783afb4af425446f72a087177c0641d12fab013b88dd424eea781b9e

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Windows.lnk

Filesize
1KB

MD5
45553c9f5b5be8590f4cf6b9807141db

SHA1
d830703c83753d9d34554939b500989c6094d0d5

SHA256
b82108c64f7acea33e9273d191f76deb9eab7c59471380c91874527c6b8788a5

SHA512
8b662ddaf4e8886b7224fbe59f164a44398dcd3d70dccc5cbec5c8ea4009a617fb577297427fd663086f68cb5295c5d4cef66d6c0f874476207c8a9dccb8d7df

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Templates\Windows.lnk

Filesize
1KB

MD5
21eaf37b395f05f15f3e138ecf593548

SHA1
1da480a35399a2d377b0fd2f0a6a09d619fcf15c

SHA256
341a111b2a2b7b3e69a1bf867476d222ef423a3128afaaadfa1bbe091196c524

SHA512
ac34ab428d5971afe19aca423df8c361350ee1a455f2c1a4760a65a0f08566b2a166c3f3f72c194cdd19e572dd7ffa2a6314d31c3946973e055e63672f9dbf63

Download Submit
memory/1972-0-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/1972-1-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1972-2-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1972-5-0x00000000754C2000-0x00000000754C3000-memory.dmp

Filesize
4KB

Download
memory/1972-6-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/1972-16-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2968-17-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2968-19-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download
memory/2968-23-0x00000000754C0000-0x0000000075A71000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads