Analysis

  • max time kernel
    148s
  • max time network
    155s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    07-01-2025 01:50

General

  • Target

    RblxShdrSetup.exe

  • Size

    168.8MB

  • MD5

    822a5b921a86b4c9194cf4ee6a574376

  • SHA1

    8e7373016dc752baa53a3a8e6025b3de3659ead8

  • SHA256

    d4689b304751155717710f5d7ed4e8122b6f814334938ec9f9122d4dfb56b446

  • SHA512

    5caf372afd5b060ded08e589601f3b289151f7fcbc0fce8d9a6ef47b0aae325c54e13461e21eb3bac6e5d40442d2cdecd4cc1815e3e7cb57abe71f4dcbfc6af8

  • SSDEEP

    1572864:JOhiqBPiJU33xaD1gWcdcMPEDCNCgDX0Bf+NNvTPQYhl49RIuKj53fHcTLNKJF96:tgmeNxNNZxqV

Score
6/10

Malware Config

Signatures

  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 44 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe
    "C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "tasklist"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4848
      • C:\Windows\system32\tasklist.exe
        tasklist
        3⤵
        • Enumerates processes with tasklist
        • Suspicious use of AdjustPrivilegeToken
        PID:3808
    • C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1752 --field-trial-handle=1756,i,11274794859237431204,9976692811108216876,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      2⤵
      PID:3736
    • C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe
      "C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame" --mojo-platform-channel-handle=1916 --field-trial-handle=1756,i,11274794859237431204,9976692811108216876,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
      2⤵
      PID:3884
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2812
      • C:\Windows\system32\curl.exe
        curl http://api.ipify.org/ --ssl-no-revoke
        3⤵
        PID:3640
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wscript "C:\Users\Admin\AppData\Local\Temp\fakeError_3u7zhg61e3v.vbs""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2332
      • C:\Windows\system32\wscript.exe
        wscript "C:\Users\Admin\AppData\Local\Temp\fakeError_3u7zhg61e3v.vbs"
        3⤵
        PID:8
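The three signatures in this report (tasklist enumeration, external IP lookup, wscript run on a dropped .vbs) can be expressed as parent/child rules over process-creation telemetry. The Python below is an added example, not part of the sandbox report or of the sample: the events are constructed here from the PIDs and command lines in the process tree and laid out like Sysmon Event ID 1 fields (image, parent, command line); the rule names, the user-writable-path heuristic and the list of IP-lookup hosts are assumptions of this example. The two extra RblxShdrSetup.exe children carrying Chromium-style --type=gpu-process / --type=utility flags are deliberately left unflagged.

```python
"""Detection rules for the process tree above (added example, not from the report)."""
import ntpath
import re
from urllib.parse import urlsplit

# Constructed from the report's process tree; not exported from the sandbox.
EVENTS = [
    {"pid": 216, "ppid": 0, "image": r"C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe"'},
    {"pid": 4848, "ppid": 216, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /d /s /c "tasklist"'},
    {"pid": 3808, "ppid": 4848, "image": r"C:\Windows\system32\tasklist.exe", "cmd": "tasklist"},
    {"pid": 3736, "ppid": 216, "image": r"C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe",
     "cmd": r'"C:\Users\Admin\AppData\Local\Temp\RblxShdrSetup.exe" --type=gpu-process '
            r'--user-data-dir="C:\Users\Admin\AppData\Roaming\unrealgame"'},
    {"pid": 2812, "ppid": 216, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /d /s /c "curl http://api.ipify.org/ --ssl-no-revoke"'},
    {"pid": 3640, "ppid": 2812, "image": r"C:\Windows\system32\curl.exe",
     "cmd": "curl http://api.ipify.org/ --ssl-no-revoke"},
    {"pid": 2332, "ppid": 216, "image": r"C:\Windows\system32\cmd.exe",
     "cmd": r'C:\Windows\system32\cmd.exe /d /s /c "wscript "C:\Users\Admin\AppData\Local\Temp\fakeError_3u7zhg61e3v.vbs""'},
    {"pid": 8, "ppid": 2332, "image": r"C:\Windows\system32\wscript.exe",
     "cmd": r'wscript "C:\Users\Admin\AppData\Local\Temp\fakeError_3u7zhg61e3v.vbs"'},
]

# Assumed heuristics (this example's own, not taken from the report).
IP_LOOKUP_HOSTS = {"api.ipify.org", "ifconfig.me", "icanhazip.com", "checkip.amazonaws.com"}
USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\(?:Local\\Temp|Roaming)\\", re.IGNORECASE)
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
SCRIPT_RE = re.compile(r'([A-Za-z]:\\[^"\s]+\.(?:vbs|vbe|js|jse|wsf))', re.IGNORECASE)


def basename(path):
    return ntpath.basename(path).lower()


def origin(pid, by_pid):
    """Top-most ancestor (or self) whose image lives outside C:\\Windows: the binary that started the chain."""
    found = None
    ev = by_pid.get(pid)
    while ev is not None:
        if not ev["image"].lower().startswith("c:\\windows\\"):
            found = ev
        ev = by_pid.get(ev["ppid"])
    return found


def rule_tasklist_via_cmd(ev, parent, orig):
    """tasklist launched through cmd.exe by a chain rooted in a user-writable directory."""
    return (basename(ev["image"]) == "tasklist.exe"
            and parent is not None and basename(parent["image"]) == "cmd.exe"
            and orig is not None and bool(USER_WRITABLE.search(orig["image"])))


def rule_external_ip_lookup(ev, parent, orig):
    """Any command line carrying a URL whose host is a known external-IP service."""
    for m in URL_RE.finditer(ev["cmd"]):
        host = (urlsplit(m.group(0)).hostname or "").lower()
        if host in IP_LOOKUP_HOSTS:
            return True
    return False


def rule_script_host_from_user_dir(ev, parent, orig):
    """wscript/cscript executing a script file that sits under %TEMP% or %APPDATA%."""
    if basename(ev["image"]) not in {"wscript.exe", "cscript.exe"}:
        return False
    m = SCRIPT_RE.search(ev["cmd"])
    return m is not None and bool(USER_WRITABLE.search(m.group(1)))


RULES = {
    "enumerates_processes_with_tasklist": rule_tasklist_via_cmd,
    "looks_up_external_ip": rule_external_ip_lookup,
    "runs_script_from_user_writable_dir": rule_script_host_from_user_dir,
}


def evaluate(events):
    """Map each PID to the list of rule names that fired on it (PIDs with no hit are omitted)."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for ev in events:
        fired = [name for name, fn in RULES.items()
                 if fn(ev, by_pid.get(ev["ppid"]), origin(ev["pid"], by_pid))]
        if fired:
            hits[ev["pid"]] = fired
    return hits


def origin_summary(events):
    """Distinct rules per origin binary, which is how a report like the one above counts signatures."""
    by_pid = {e["pid"]: e for e in events}
    summary = {}
    for pid, names in evaluate(events).items():
        orig = origin(pid, by_pid)
        summary.setdefault(orig["pid"] if orig else pid, set()).update(names)
    return {k: sorted(v) for k, v in summary.items()}


if __name__ == "__main__":
    for pid, names in evaluate(EVENTS).items():
        print(pid, names)
    print(origin_summary(EVENTS))
```

Two design points worth keeping when porting this to a SIEM: the tasklist rule is anchored to the origin binary living in a user-writable directory, which is what separates this chain from an administrator typing `tasklist` in a shell, and the IP-lookup rule keys on the host rather than on `--ssl-no-revoke`, since that flag only affects TLS revocation checking and has no effect on the plain http:// URL used here unless the server redirects to https.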

Network

MITRE ATT&CK Enterprise v15
Downloads

  • C:\Users\Admin\AppData\Local\Temp\fakeError_3u7zhg61e3v.vbs

    Filesize

    149B

    MD5

    4bca77b62e03d5180190f3c9d735acd4

    SHA1

    1f049220d4411af47d6d767833132f469aa72b6a

    SHA256

    ddbc774d575174100f13ff79218600cc29f5ea3340fddb60c0f15237cbcd28c2

    SHA512

    d4928822cb486f105fe52b4a20dcce9217309bb3a86305b7ac5cb27e759cfa98d5c4fe0291d3a882a0880086a218291947305773b46f629b71c221f6acfd10f8