Overview

overview

10

Static

static

10

RobloxVersionFix.exe

windows7-x64

10

RobloxVersionFix.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    35s
  • max time network
    36s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20250314-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26/03/2025, 00:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxVersionFix.exe

  • Size

    1.7MB

  • MD5

    c4ecabd9a15748628acdb4eabe1f5733

  • SHA1

    2abc8d0b03faae2a3dfbb5b3ace7bb049a895a49

  • SHA256

    0c240b2768116ef0f03af241b177004e5e456ed9039744c8619956d0c960d31e

  • SHA512

    9d673547d7369a18f9254f1b73ea33aadb51e6c84da8c6de84f5fe0bd7e3813778f980ea6646ff32d1b981bc56c8751acfa877025cb835088ec72c2bea24e687

  • SSDEEP

    24576:h2G/nvxW3W70w+LhSRJVv14LegEY2nac1VbECN8Bz5jftyrp9+CA:hbA3pw+eJJ4pzZtU+

Score
10/10
dcratdiscoveryinfostealerratspywarestealer

Malware Config

Signatures

  • DcRat

    DarkCrystal(DC) is a new .NET RAT active since June 2019 capable of loading additional plugins.

    ratinfostealerdcrat
  • Dcrat family
    dcrat
  • Process spawned unexpected child process 33 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • DCRat payload 2 IoCs

    Detects payload of DCRat, commonly dropped by NSIS installers.

    rat
  • Checks computer location settings 2 TTPs 4 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Drops file in Program Files directory 2 IoCs
  • Drops file in Windows directory 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Scheduled Task/Job: Scheduled Task 1 TTPs 33 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 61 IoCs
  • Suspicious use of AdjustPrivilegeToken 7 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 51 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxVersionFix.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxVersionFix.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:5984
    • C:\Windows\SysWOW64\WScript.exe
      "C:\Windows\System32\WScript.exe" "C:\DriverbrokerCrt\MlPmIZTueRfhTMCPi.vbe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5596
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\DriverbrokerCrt\8os3Em7t.bat" "
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3612
        • C:\DriverbrokerCrt\surrogateproviderSvc.exe
          "C:\DriverbrokerCrt\surrogateproviderSvc.exe"
          4⤵
          • Checks computer location settings
          • Executes dropped EXE
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of WriteProcessMemory
          PID:4864
          • C:\Windows\System32\cmd.exe
            "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\KbaEyM6z97.bat"
            5⤵
            • Suspicious use of WriteProcessMemory
            PID:6080
            • C:\Windows\system32\w32tm.exe
              w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
              6⤵
                PID:1716
              • C:\Users\Default\Application Data\upfc.exe
                "C:\Users\Default\Application Data\upfc.exe"
                6⤵
                • Checks computer location settings
                • Executes dropped EXE
                • Modifies registry class
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                • Suspicious use of WriteProcessMemory
                PID:5180
                • C:\Windows\System32\WScript.exe
                  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\2402a924-0a70-4539-8f00-5ba1ce6c0e5f.vbs"
                  7⤵
                    PID:2096
                  • C:\Windows\System32\WScript.exe
                    "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\b9018f5d-7ce8-46d5-850b-a4186abb7489.vbs"
                    7⤵
                      PID:5368
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 8 /tr "'C:\60739cf6f660743813\Idle.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5044
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Idle" /sc ONLOGON /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4868
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "IdleI" /sc MINUTE /mo 13 /tr "'C:\60739cf6f660743813\Idle.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5992
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\taskhostw.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostw" /sc ONLOGON /tr "'C:\60739cf6f660743813\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5376
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "taskhostwt" /sc MINUTE /mo 11 /tr "'C:\60739cf6f660743813\taskhostw.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2412
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 5 /tr "'C:\DriverbrokerCrt\SearchApp.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3536
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchApp" /sc ONLOGON /tr "'C:\DriverbrokerCrt\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5452
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SearchAppS" /sc MINUTE /mo 7 /tr "'C:\DriverbrokerCrt\SearchApp.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4216
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3768
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3012
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 13 /tr "'C:\Recovery\WindowsRE\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:380
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 9 /tr "'C:\Users\Admin\PrintHood\SppExtComObj.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:904
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObj" /sc ONLOGON /tr "'C:\Users\Admin\PrintHood\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5284
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "SppExtComObjS" /sc MINUTE /mo 10 /tr "'C:\Users\Admin\PrintHood\SppExtComObj.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4192
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Program Files\edge_BITS_4632_146432339\Registry.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:1164
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Program Files\edge_BITS_4632_146432339\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2340
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 6 /tr "'C:\Program Files\edge_BITS_4632_146432339\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:384
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 7 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2120
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3324
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 5 /tr "'C:\900323d723f1dd1206\RuntimeBroker.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:444
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3352
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "Registry" /sc ONLOGON /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4356
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "RegistryR" /sc MINUTE /mo 13 /tr "'C:\Users\Public\AccountPictures\Registry.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2456
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 14 /tr "'C:\Windows\GameBarPresenceWriter\TextInputHost.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3744
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHost" /sc ONLOGON /tr "'C:\Windows\GameBarPresenceWriter\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4572
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "TextInputHostT" /sc MINUTE /mo 6 /tr "'C:\Windows\GameBarPresenceWriter\TextInputHost.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4160
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 12 /tr "'C:\DriverbrokerCrt\WaaSMedicAgent.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3388
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WaaSMedicAgent" /sc ONLOGON /tr "'C:\DriverbrokerCrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2292
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "WaaSMedicAgentW" /sc MINUTE /mo 14 /tr "'C:\DriverbrokerCrt\WaaSMedicAgent.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:3736
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 8 /tr "'C:\Users\Default\Application Data\upfc.exe'" /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:4272
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\Users\Default\Application Data\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:5508
        • C:\Windows\system32\schtasks.exe
          schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 9 /tr "'C:\Users\Default\Application Data\upfc.exe'" /rl HIGHEST /f
          1⤵
          • Process spawned unexpected child process
          • Scheduled Task/Job: Scheduled Task
          PID:2348
        • C:\Windows\system32\taskmgr.exe
          "C:\Windows\system32\taskmgr.exe" /4
          1⤵
          • Checks SCSI registry key(s)
          • Modifies registry class
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SendNotifyMessage
          PID:5172
        • C:\Windows\System32\rundll32.exe
          C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
          1⤵
            PID:2636

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\DriverbrokerCrt\8os3Em7t.bat
            Filesize

            45B

            MD5

            8405523b77e502a8c914dc70b892f108

            SHA1

            2e861fbbb6d8c0c8d8202ffb465910daf421d731

            SHA256

            4dd3dbaedd2a4d877343c570eddc9e12cfa97e448ae2592cc935e3f01f425634

            SHA512

            1a08c548af62031afe3dd82acfd33d9334c97c5bd50d2e23e44bd327ad35f952124679c0be0adbc8848cb3ca659928767aba0ebaebee8f7a1f1b8d748a5330fe

            Download Submit

          • C:\DriverbrokerCrt\MlPmIZTueRfhTMCPi.vbe
            Filesize

            200B

            MD5

            60c621e78018ae32d80ea7b1b1343f33

            SHA1

            cb52f961012f10d4b680155e6a6126cda3335f3e

            SHA256

            247abbd47f1a493ccbf109422cbba67f78a58dbe2866a2fad50899f18975b1bb

            SHA512

            9eca5dd5f44a01cfce920158599b3494b147ccbbc32d459488399917f9fcf3e0c87b54f63df61c5bca2dbc9ddde68aa11450fdc11e4945c02f56f118ec45003d

            Download Submit

          • C:\DriverbrokerCrt\surrogateproviderSvc.exe
            Filesize

            1.2MB

            MD5

            b5badb070116d5e8125017ad9499762f

            SHA1

            9014974312328c23b2c5042ab83a12bf6f5da5a6

            SHA256

            7446c50c8697e9194564a0764f981ef475736a7dfbbc7ef10ed641c4d5e11cba

            SHA512

            86befc275da13cb4b7d00798883fcf65b07557d4c599da962573e5169e79126b1597997181961c5fb1a449dcc0210824d6583e654aef2879ba1dad6d4b89bc88

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\2402a924-0a70-4539-8f00-5ba1ce6c0e5f.vbs
            Filesize

            718B

            MD5

            b90880b2f6d80a719dceaa5ce6113093

            SHA1

            70712b8be83b06d3e2760f0206c0be66314924bb

            SHA256

            41660b252d4a06d8b63d166b1c95985c68431950f8dfae7f3be39ba973fd0ac1

            SHA512

            159c894ef39c3b658d15a0283284f292b4dc2d7adb26c9b2baaca8a3f4980ee0d60b0a8dc1feb033896a88888d99ee21649c32387af840518ece494cbb2d46a5

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\KbaEyM6z97.bat
            Filesize

            207B

            MD5

            519426c2314337b069246aeb62e3661f

            SHA1

            66dd458227b55bbb8eb51283b43044edb48d2c91

            SHA256

            5c53afd0da8531b59bbdc6e25d7f56bd2c2256da12bda8e7f43d8dda6fe5531a

            SHA512

            f090182ffe7666d38ef2a83248a8824477b6d202b95048ce125a0f34fac0fc8bcd747a7477724c93c9cfa064d01c7da5f486c4879f1100bc6694c43fa9db1093

            Download Submit

          • C:\Users\Admin\AppData\Local\Temp\b9018f5d-7ce8-46d5-850b-a4186abb7489.vbs
            Filesize

            494B

            MD5

            3235ed0409cf86c270b7641c0829ed2f

            SHA1

            c98d8c559ac02a66a4cc4ead8e21e39c7b716f9f

            SHA256

            b400781485bd0f7de4eb927063532cb2a20173895c8bf83fb1446c5c748448ab

            SHA512

            5a068f249a657f9b9d38c8de59829f1c5ef40eb29c2a72179cfb0b4ca66d5e9130209ae7d264342642913b33283ea8a0d2a1bf91817e8691460272f050f9a0f9

            Download Submit

          • memory/4864-14-0x0000000001860000-0x000000000187C000-memory.dmp

            Filesize

            112KB

            Download

          • memory/4864-16-0x0000000001990000-0x00000000019A6000-memory.dmp

            Filesize

            88KB

            Download

          • memory/4864-18-0x0000000003270000-0x000000000327E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/4864-17-0x00000000019B0000-0x00000000019BA000-memory.dmp

            Filesize

            40KB

            Download

          • memory/4864-15-0x0000000003300000-0x0000000003350000-memory.dmp

            Filesize

            320KB

            Download

          • memory/4864-12-0x00007FFA86E13000-0x00007FFA86E15000-memory.dmp

            Filesize

            8KB

            Download

          • memory/4864-13-0x0000000000EE0000-0x0000000001020000-memory.dmp

            Filesize

            1.2MB

            Download

          • memory/5172-58-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-59-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-47-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-57-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-56-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-55-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-54-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-53-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-48-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download

          • memory/5172-49-0x000001E23D0B0000-0x000001E23D0B1000-memory.dmp

            Filesize

            4KB

            Download