Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
49s -
max time network
34s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
-
submitted
05/01/2025, 14:09
General
-
Target
roblox.exe
-
Size
800KB
-
MD5
02c70d9d6696950c198db93b7f6a835e
-
SHA1
30231a467a49cc37768eea0f55f4bea1cbfb48e2
-
SHA256
8f2e28588f2303bd8d7a9b0c3ff6a9cb16fa93f8ddc9c5e0666a8c12d6880ee3
-
SHA512
431d9b9918553bff4f4a5bc2a5e7b7015f8ad0e2d390bb4d5264d08983372424156524ef5587b24b67d1226856fc630aaca08edc8113097e0094501b4f08efeb
-
SSDEEP
12288:qhd8cjaLXVh84wEFkW1mocaBj6WtiRPpptHxQ0z:2ycjar84w5W4ocaBj6y2tHDz
Malware Config
Signatures
-
Downloads MZ/PE file
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 1 IoCs
-
Unexpected DNS network traffic destination 23 IoCs
Network traffic to other servers than the configured DNS servers was detected on the DNS port.
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
-
Drops file in Program Files directory 2 IoCs
-
Browser Information Discovery 1 TTPs
Enumerate browser information.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Enumerates system info in registry 2 TTPs 3 IoCs
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
-
Modifies registry class 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 13 IoCs
-
Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 7 IoCs
-
Suspicious use of AdjustPrivilegeToken 44 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\roblox.exe"C:\Users\Admin\AppData\Local\Temp\roblox.exe"1⤵
- Checks computer location settings
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c ipconfig /all2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ipconfig.exeipconfig /all3⤵
- Gathers network information
-
-
-
C:\Windows\SYSTEM32\cmd.exe"cmd" /c wmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\Wbem\WMIC.exewmic nicconfig where (IPEnabled=TRUE) call SetDNSServerSearchOrder ("1.1.1.1", "1.0.0.1")3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe"C:\Users\Admin\AppData\Local\Temp\BootstrapperV2.12.exe" --oldBootstrapper "C:\Users\Admin\AppData\Local\Temp\roblox.exe" --isUpdate true2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument https://discord.gg/w9yACJan553⤵
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x128,0x12c,0x130,0x124,0x134,0x7ffe288846f8,0x7ffe28884708,0x7ffe288847184⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2200 /prefetch:24⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2252 /prefetch:34⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2500 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2996 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3004 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5224 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=audio.mojom.AudioService --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --service-sandbox-type=audio --mojo-platform-channel-handle=5196 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=video_capture.mojom.VideoCaptureService --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --service-sandbox-type=video_capture --mojo-platform-channel-handle=5396 /prefetch:84⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5752 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:84⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --configure-user-settings --verbose-logging --system-level --msedge --force-configure-user-settings4⤵
- Drops file in Program Files directory
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --type=crashpad-handler /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler --database=C:\Windows\TEMP\MsEdgeCrashpad --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\Installer\setup.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x248,0x24c,0x250,0x224,0x254,0x7ff7d1bf5460,0x7ff7d1bf5470,0x7ff7d1bf54805⤵
-
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5260 /prefetch:84⤵
- Suspicious behavior: EnumeratesProcesses
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5104 /prefetch:14⤵
-
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2188,17058869454604765665,2225202714972690108,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=64 /prefetch:14⤵
-
-
-
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
-
C:\Windows\System32\CompPkgSrv.exeC:\Windows\System32\CompPkgSrv.exe -Embedding1⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
152B
MD58b712a4c83dfb3c522d032cf900e863a
SHA14f5bec4be6f4ebfa959e899ceafc62309bb1f141
SHA25631da2a41a051db11559c47feb923d4baad32a384f530013a435fa884dad64493
SHA51203b24d9307623b3a341230805f3ea662b0107c314650a51ae7e89d901cb3ad212d4219bab4d763d0aa8d50831aa0e6d4e3379573cc2f724873804578e8642898
-
Filesize
152B
MD524dada8956438ead89d9727022bac03a
SHA109b4fb1dba48ec8e47350131ae6113edd0fdecf0
SHA256bf1e5c7828e4672982b16451b5a201e65e812e98a97b87c9f2f7c22677cb4ec1
SHA51203f092a4b20a4d8cc111220b35fbf5470878b7723faeddee65b1d9cf327167053792c77864103b4530b9b9f819e32a5721b44189291dfdb5832769835ea5dd94
-
Filesize
48B
MD5ca2ddd8fc3d7af02928b744a4ee5aa9e
SHA16cbf3f38932b2c0ba8436615e476acc1853ea855
SHA256037f8095fee391face50b3264d2f4e671f2ddc7c9ecb3b2866d279770f3fb162
SHA5124ebb63a99c841bfaffe118beef810d1f444e2a90a5c70e56ccb303110b6aecdf5ac3945c10c1830cdd39943e79d02584a78565c6766e4c0f8e793ebf22aca8aa
-
Filesize
576B
MD509fd4ed99e467fae372ef83c6fb7d4f9
SHA1aaeafbc74bfda4602535186adb726389421613b7
SHA256ad42cf6cdb292eaa50c142ff8b2c2a3373eea9106d35eccbf9859b587b8ad04f
SHA512779c162ff7620475f80e9cab5b4f1e40433934bf056a27c8c991bb64a44e117e932f8f00fea11e4b3f2feff40db9a163a443ca33bb3693cb3d81ccca97134522
-
Filesize
70KB
MD5e5e3377341056643b0494b6842c0b544
SHA1d53fd8e256ec9d5cef8ef5387872e544a2df9108
SHA256e23040951e464b53b84b11c3466bbd4707a009018819f9ad2a79d1b0b309bc25
SHA51283f09e48d009a5cf83fa9aa8f28187f7f4202c84e2d0d6e5806c468f4a24b2478b73077381d2a21c89aa64884df3c56e8dc94eb4ad2d6a8085ac2feb1e26c2ef
-
Filesize
41B
MD55af87dfd673ba2115e2fcf5cfdb727ab
SHA1d5b5bbf396dc291274584ef71f444f420b6056f1
SHA256f9d31b278e215eb0d0e9cd709edfa037e828f36214ab7906f612160fead4b2b4
SHA512de34583a7dbafe4dd0dc0601e8f6906b9bc6a00c56c9323561204f77abbc0dc9007c480ffe4092ff2f194d54616caf50aecbd4a1e9583cae0c76ad6dd7c2375b
-
Filesize
4KB
MD53fe279b7775339461e284ac97b60ea9b
SHA1853e5b1a8183ef957ed55c4e1554a87ae0dd2e57
SHA256c8157c185e8e949e0aabe4e081f7d73de0ed740ade551a81f24c60c1ae545590
SHA512937921b10585955dbe009fb0cecbe71a28e3d2bbe6fa18e141e89bc37ac5aae39debf71fca26d6d42899ef16cc119539b85db1c0d30f7b6ab2185e7111ff15b2
-
Filesize
5KB
MD59849af0b8cd4604d24805d7b4af6a10a
SHA11cd1bfbad28aa7da0d2aa1b1a21e4f1733f5362e
SHA256891c2810afe46871a8bdceaa8e00acb6bda6086e3ed560b02192ce057022ca4d
SHA512afdf43a39f86db799e2f44de531fc26be85e0685b4417fe5487929262b2000f6f2da078faa044e562345c397cbdc83e467225513abc89e2451a699f6cfaaccf3
-
Filesize
24KB
MD585eca930a791cbcb1373f5fdaf17857b
SHA1ffea7d54e9803374a484f1e4c124766e80024efc
SHA256fbc990061790350f00dc28f2dda277aac81bb8385a6e92e90a20101436c3312c
SHA5122ffe0de3f80ac60f2ffa55f334026979e6be328b7c69f4603aa3c5d1bfa6c3b3744d86ac2a34ecf904d0a41b36bc485392ece58f6cc89d7ffca293d02efe5bed
-
Filesize
24KB
MD599a7edf9124dba808b6d025b14aea278
SHA1f1de2fdd81ea87ee78e8afdc1a7cdffcf62a92ef
SHA2569d38a8d193a503b9be7b39be5d150bcf22038c84fbf3d53979e2f075a35b9089
SHA512fc371b7ad5606a9948ba4a315e40a0a93592f57103be4a3712020977b43e4277d95d74ff35e490239dbce1cc475fe1d1746764f5970d2e9f04483c985268f5c7
-
Filesize
16B
MD5206702161f94c5cd39fadd03f4014d98
SHA1bd8bfc144fb5326d21bd1531523d9fb50e1b600a
SHA2561005a525006f148c86efcbfb36c6eac091b311532448010f70f7de9a68007167
SHA5120af09f26941b11991c750d1a2b525c39a8970900e98cba96fd1b55dbf93fee79e18b8aab258f48b4f7bda40d059629bc7770d84371235cdb1352a4f17f80e145
-
Filesize
16B
MD546295cac801e5d4857d09837238a6394
SHA144e0fa1b517dbf802b18faf0785eeea6ac51594b
SHA2560f1bad70c7bd1e0a69562853ec529355462fcd0423263a3d39d6d0d70b780443
SHA5128969402593f927350e2ceb4b5bc2a277f3754697c1961e3d6237da322257fbab42909e1a742e22223447f3a4805f8d8ef525432a7c3515a549e984d3eff72b23
-
Filesize
8KB
MD53ef65d7a9647b156e8e08d5292575015
SHA153f3bb2d160411933f5df50cbf58d7d590df8240
SHA2561f331910e8533dc1d74080388578c657117dae3bd9ce8211b6d058da26959df3
SHA512303a7c85428d3c42c7aced499d114e7008b4d22456ef4bb03f65f7944061cf311226bdbb1c17cac901da4b422cd92fe10f2f27124c5e6f3b832f67020d2172c2
-
Filesize
2.9MB
MD5a36750fe814c6cd0a94312ebaf85e07e
SHA19382378c4831247b2efc387581dc909c6352571f
SHA256933acdb61d5d05bb55cd56957312b677719ac237a2daae0f1daf9d70dc68f2de
SHA512d028e93cfe594c557e74376854916c33ad0614db1fa1efdf4a4477ff246ccb791510192c35296d5a32b81b376e9ee94ec5f5c0109f04f0320ed788ceda092f21
-
Filesize
29B
MD5b86aef3d31fdcc68c0138b25a632f939
SHA15f2a826056fadf32b85a9f2f0d960c2bf4ee99eb
SHA2569bed077bb37dd2f770ed6f960f9e1a22054174fb14ba1aa49cb13cf3008a8486
SHA512dd6262a375d7195289bbe3f78163d8a1ec2b8db8d4eaee8e3434c3c686a2a38e9bec4fc0fc406aa1915e04475e0ca041b0bfcdd033f08829f1893d6fd0d06e19
-
Filesize
3KB
MD51398d74f9cfa24f8d15e4e696b57ec8c
SHA108b9011e675c8adc63339ef335b6d4155e2e8bc3
SHA25623524cd9c8df52314eca39ddd1bae5590fea580db76f7a6af92dd516d97f17d6
SHA51217a3176e5dd57a295fb47f78b21e58ec93f7a7cbaccadb7e1e938f3154cc24b00b5b3da566cd01ccde6e7d22b6218aac81d11a49a5197055e32688ba21dda24f
-
Filesize
3KB
MD553432ecb8e7093e0cab8588d9172f578
SHA1e2539f71a42489958ea9d5eb16a155605077bb74
SHA25628b02589153f32a7e30055a803dd57abc0612616bdee2a56e27111cf542358b1
SHA5127b26a3f6744eb4d33e28da8dd1498bdd52f9cfe429db651f49606dbc515fe88d70e7baecd80f1dd07e6af5d51d25aa5edf695068b0d7c5a1e99e640f25867ef5
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
136KB
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
824KB
-
Filesize
32KB
-
Filesize
32KB
-
Filesize
40KB
-
Filesize
40KB
-
Filesize
88KB
-
Filesize
32KB
-
Filesize
152KB
-
Filesize
40KB
-
Filesize
1024KB
-
Filesize
56KB
-
Filesize
224KB
-
Filesize
64KB
-
Filesize
2.9MB