Overview

overview

10

Static

static

3

RobloxExecutor.exe

windows7-x64

10

RobloxExecutor.exe

windows10-1703-x64

10

RobloxExecutor.exe

windows10-2004-x64

10

RobloxExecutor.exe

windows11-21h2-x64

10

Resubmissions

01-07-2024 16:09

240701-tl9n3ascnn 10

01-07-2024 00:42

240701-a2hqqstgjn 10

Analysis

  • max time kernel
    45s
  • max time network
    52s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    01-07-2024 16:09

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    RobloxExecutor.exe

  • Size

    316KB

  • MD5

    f0c864fee64edd613b413ddb7c559446

  • SHA1

    87e75a58eef9f3765a2eed498f6aca135b1ef7c4

  • SHA256

    f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd

  • SHA512

    9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154

  • SSDEEP

    3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p

Score
10/10
xwormexecutionrattrojan

Malware Config

Extracted

Family

xworm

Version

5.0

C2

allows-welfare.gl.at.ply.gg:49180

Mutex

B2qPpHuLCfcwYFiL

Attributes
  • Install_directory

    %AppData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

    trojanratxworm
  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

    execution
  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2424
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "Systemdefault.exe" & start "" "LOLPOOP.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:200
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
        "Systemdefault.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3000
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4548
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systemdefault.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4688
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:3916
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          PID:4268
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
        "LOLPOOP.exe"
        3⤵
        • Executes dropped EXE
        PID:4832

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

1
T1059

PowerShell

1
T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    3KB

    MD5

    8592ba100a78835a6b94d5949e13dfc1

    SHA1

    63e901200ab9a57c7dd4c078d7f75dcd3b357020

    SHA256

    fdd7d9def6f9f0c0f2e60dbc8a2d1999071cd7d3095e9e087bb1cda7a614ac3c

    SHA512

    87f98e6cb61b2a2a7d65710c4d33881d89715eb7a06e00d492259f35c3902498baabffc5886be0ec5a14312ad4c262e3fc40cd3a5cb91701af0fb229726b88c3

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    4fe9f87c51261a00e91cd99753907c0c

    SHA1

    8b5f251289c777a7fb1b20f35e20c1c211019077

    SHA256

    55186dc507827ac8aa95a51ca99e81efcdb3a3d713700052780af5b916f5ff62

    SHA512

    acfa37a5d26a833016cd1ebd96aff7d460ab12fcac8a48be7b1b1c973670eadee0d4d1fe1ff7131530b111cb37f1acc594a4de8a44739fb2cf50d479bb2fbc46

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    766080d0a3bc39cc10eeff410804cf1e

    SHA1

    c704135f8d80cd9a95c131cd5dcf476c40eba7e6

    SHA256

    0049f89e7549ea8b562e328d153b594b20e066bf11d60d01a83a84e392b295ac

    SHA512

    ac9389653e6a11e33a7003cbe5f05b33ce31a4c3ba074a9870163efca50c4c317eababcda741610a2e2ce4e6deed5cfaad6ea96b5bc8a093a7b0164ac397ebf1

    Download Submit
  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    1KB

    MD5

    104bfd705288fdea04fc3050855a1898

    SHA1

    eeb089a6a52c42ba39450e45606c04c35533fa1c

    SHA256

    fec76ba7aa2906040ec2cce5ff271aa148ea6b6813fc79790ca641706092425f

    SHA512

    d5bf004ac18f5f859e1da6b8f283452ddea4798a7b22152484a604b28635ea1084597148e30b2b9ca4bfcc4272b127159bb51fc0dd07320b363a7c315e461f7c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
    Filesize

    9KB

    MD5

    c9bd5672882c79b5f7977fc3c37dc9b6

    SHA1

    90cfa0e99aacd42bd2561cdb218fd618f0ed4b9f

    SHA256

    c6594102d290245d0830cead7f7e3cacf79db881358f001373fcca0d625d0998

    SHA512

    5586496c54c7c33c3e3f1cd6c4e0117b8e34d42846f55aadf22314144e1e27691e8c7fef924386cd5ae01a958d7437ab1a0b6c709ca06f25f6deab82f6171038

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
    Filesize

    40KB

    MD5

    2b7216f79728eb5ff4b5553737685a99

    SHA1

    d7f4f41f03485eb76326c75ec2ae0fe53282ebd0

    SHA256

    5a40bff3109b83243b53bf7439dc5e66e29c923363c02d49fa93614c19ce36f5

    SHA512

    b9f4c8e9b5b46785806eb498028e85d2515d743a518c0ecfd9269e8f4cb2351da0bcd9a6bc0e74eabc33e8dd2374bee46566b188d5f4ee49ba3384ece7a54982

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bi1yhg3j.mvw.ps1
    Filesize

    1B

    MD5

    c4ca4238a0b923820dcc509a6f75849b

    SHA1

    356a192b7913b04c54574d18c28d46e6395428ab

    SHA256

    6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

    SHA512

    4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

    Download Submit
  • memory/3000-20-0x000000001B2B0000-0x000000001B2C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3000-12-0x00007FFFE5D63000-0x00007FFFE5D64000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3000-202-0x000000001B2B0000-0x000000001B2C0000-memory.dmp
    Filesize

    64KB

    Download
  • memory/3000-199-0x00007FFFE5D63000-0x00007FFFE5D64000-memory.dmp
    Filesize

    4KB

    Download
  • memory/3000-13-0x0000000000530000-0x0000000000540000-memory.dmp
    Filesize

    64KB

    Download
  • memory/4548-25-0x000001C0ECB00000-0x000001C0ECB22000-memory.dmp
    Filesize

    136KB

    Download
  • memory/4548-28-0x000001C0ED280000-0x000001C0ED2F6000-memory.dmp
    Filesize

    472KB

    Download
  • memory/4832-16-0x0000000005C00000-0x00000000060FE000-memory.dmp
    Filesize

    5.0MB

    Download
  • memory/4832-15-0x0000000000D90000-0x0000000000D98000-memory.dmp
    Filesize

    32KB

    Download
  • memory/4832-14-0x00000000724DE000-0x00000000724DF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4832-18-0x0000000005680000-0x000000000568A000-memory.dmp
    Filesize

    40KB

    Download
  • memory/4832-17-0x00000000055D0000-0x0000000005662000-memory.dmp
    Filesize

    584KB

    Download
  • memory/4832-200-0x00000000724DE000-0x00000000724DF000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4832-201-0x00000000724D0000-0x0000000072BBE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4832-19-0x00000000724D0000-0x0000000072BBE000-memory.dmp
    Filesize

    6.9MB

    Download