Analysis
max time kernel: 46s
max time network: 51s
platform: windows11-21h2_x64
resource: win11-20240419-en
resource tags: arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
submitted: 01-07-2024 16:09
Static task: static1
Behavioral task: behavioral1 (Sample: RobloxExecutor.exe, Resource: win7-20240419-en)
Behavioral task: behavioral2 (Sample: RobloxExecutor.exe, Resource: win10-20240404-en)
Behavioral task: behavioral3 (Sample: RobloxExecutor.exe, Resource: win10v2004-20240508-en)
General
Target: RobloxExecutor.exe
Size: 316KB
MD5: f0c864fee64edd613b413ddb7c559446
SHA1: 87e75a58eef9f3765a2eed498f6aca135b1ef7c4
SHA256: f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd
SHA512: 9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154
SSDEEP: 3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p
Malware Config
Extracted
xworm
5.0
allows-welfare.gl.at.ply.gg:49180
B2qPpHuLCfcwYFiL
Install_directory: %AppData%
install_file: System.exe
Signatures
Detect Xworm Payload (2 IoCs)
Processes:
resource | yara_rule
C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe | family_xworm
behavioral4/memory/3180-11-0x00000000005F0000-0x0000000000600000-memory.dmp | family_xworm
Command and Scripting Interpreter: PowerShell (1 TTPs, 4 IoCs)
Run PowerShell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Processes:
pid  | process
4172 | powershell.exe
4616 | powershell.exe
1360 | powershell.exe
2080 | powershell.exe
Drops startup file (2 IoCs)
Processes:
description | ioc | process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | Systemdefault.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\System.lnk | Systemdefault.exe
Executes dropped EXE (2 IoCs)
Processes:
pid  | process
3180 | Systemdefault.exe
3020 | LOLPOOP.exe
Looks up external IP address via web service (1 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
Processes:
flow | ioc
1    | ip-api.com
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (9 IoCs)
Processes:
pid  | process
4172 | powershell.exe
4172 | powershell.exe
4616 | powershell.exe
4616 | powershell.exe
1360 | powershell.exe
1360 | powershell.exe
2080 | powershell.exe
2080 | powershell.exe
3180 | Systemdefault.exe
Suspicious use of AdjustPrivilegeToken (6 IoCs)
Processes:
description | pid  | process
Token: SeDebugPrivilege | 3180 | Systemdefault.exe
Token: SeDebugPrivilege | 4172 | powershell.exe
Token: SeDebugPrivilege | 4616 | powershell.exe
Token: SeDebugPrivilege | 1360 | powershell.exe
Token: SeDebugPrivilege | 2080 | powershell.exe
Token: SeDebugPrivilege | 3180 | Systemdefault.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
pid  | process
3180 | Systemdefault.exe
Suspicious use of WriteProcessMemory (16 IoCs)
Processes:
description | pid  | process | target process
PID 4800 wrote to memory of 2108 | 4800 | RobloxExecutor.exe | cmd.exe
PID 4800 wrote to memory of 2108 | 4800 | RobloxExecutor.exe | cmd.exe
PID 4800 wrote to memory of 2108 | 4800 | RobloxExecutor.exe | cmd.exe
PID 2108 wrote to memory of 3180 | 2108 | cmd.exe | Systemdefault.exe
PID 2108 wrote to memory of 3180 | 2108 | cmd.exe | Systemdefault.exe
PID 2108 wrote to memory of 3020 | 2108 | cmd.exe | LOLPOOP.exe
PID 2108 wrote to memory of 3020 | 2108 | cmd.exe | LOLPOOP.exe
PID 2108 wrote to memory of 3020 | 2108 | cmd.exe | LOLPOOP.exe
PID 3180 wrote to memory of 4172 | 3180 | Systemdefault.exe | powershell.exe
PID 3180 wrote to memory of 4172 | 3180 | Systemdefault.exe | powershell.exe
PID 3180 wrote to memory of 4616 | 3180 | Systemdefault.exe | powershell.exe
PID 3180 wrote to memory of 4616 | 3180 | Systemdefault.exe | powershell.exe
PID 3180 wrote to memory of 1360 | 3180 | Systemdefault.exe | powershell.exe
PID 3180 wrote to memory of 1360 | 3180 | Systemdefault.exe | powershell.exe
PID 3180 wrote to memory of 2080 | 3180 | Systemdefault.exe | powershell.exe
PID 3180 wrote to memory of 2080 | 3180 | Systemdefault.exe | powershell.exe
Processes
(depth 1) C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe"
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c start "" "Systemdefault.exe" & start "" "LOLPOOP.exe"
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
      Command line: "Systemdefault.exe"
      - Drops startup file
      - Executes dropped EXE
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory

      (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systemdefault.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

      (depth 4) C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
        - Command and Scripting Interpreter: PowerShell
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    (depth 3) C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
      Command line: "LOLPOOP.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
  Filesize: 2KB
  MD5: 627073ee3ca9676911bee35548eff2b8
  SHA1: 4c4b68c65e2cab9864b51167d710aa29ebdcff2e
  SHA256: 85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c
  SHA512: 3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: 1a9fa92a4f2e2ec9e244d43a6a4f8fb9
  SHA1: 9910190edfaccece1dfcc1d92e357772f5dae8f7
  SHA256: 0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888
  SHA512: 5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: cb9070f7a07a5d3fc17121852bff6953
  SHA1: 1932f99c2039a98cf0d65bca0f882dde0686fc11
  SHA256: 6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac
  SHA512: 97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
  Filesize: 944B
  MD5: cef328ddb1ee8916e7a658919323edd8
  SHA1: a676234d426917535e174f85eabe4ef8b88256a5
  SHA256: a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90
  SHA512: 747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
  Filesize: 9KB
  MD5: c9bd5672882c79b5f7977fc3c37dc9b6
  SHA1: 90cfa0e99aacd42bd2561cdb218fd618f0ed4b9f
  SHA256: c6594102d290245d0830cead7f7e3cacf79db881358f001373fcca0d625d0998
  SHA512: 5586496c54c7c33c3e3f1cd6c4e0117b8e34d42846f55aadf22314144e1e27691e8c7fef924386cd5ae01a958d7437ab1a0b6c709ca06f25f6deab82f6171038

C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
  Filesize: 40KB
  MD5: 2b7216f79728eb5ff4b5553737685a99
  SHA1: d7f4f41f03485eb76326c75ec2ae0fe53282ebd0
  SHA256: 5a40bff3109b83243b53bf7439dc5e66e29c923363c02d49fa93614c19ce36f5
  SHA512: b9f4c8e9b5b46785806eb498028e85d2515d743a518c0ecfd9269e8f4cb2351da0bcd9a6bc0e74eabc33e8dd2374bee46566b188d5f4ee49ba3384ece7a54982

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfkl25c4.ras.ps1
  Filesize: 60B
  MD5: d17fe0a3f47be24a6453e9ef58c94641
  SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
  SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
  SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
memory/3020-13-0x0000000000410000-0x0000000000418000-memory.dmp (Filesize: 32KB)
memory/3020-12-0x00000000733DE000-0x00000000733DF000-memory.dmp (Filesize: 4KB)
memory/3020-17-0x00000000733D0000-0x0000000073B81000-memory.dmp (Filesize: 7.7MB)
memory/3020-70-0x00000000733D0000-0x0000000073B81000-memory.dmp (Filesize: 7.7MB)
memory/3020-15-0x0000000004EC0000-0x0000000004F52000-memory.dmp (Filesize: 584KB)
memory/3020-67-0x00000000733D0000-0x0000000073B81000-memory.dmp (Filesize: 7.7MB)
memory/3020-14-0x00000000053B0000-0x0000000005956000-memory.dmp (Filesize: 5.6MB)
memory/3020-16-0x0000000005060000-0x000000000506A000-memory.dmp (Filesize: 40KB)
memory/3020-66-0x00000000733DE000-0x00000000733DF000-memory.dmp (Filesize: 4KB)
memory/3180-9-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp (Filesize: 8KB)
memory/3180-65-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp (Filesize: 8KB)
memory/3180-11-0x00000000005F0000-0x0000000000600000-memory.dmp (Filesize: 64KB)
memory/3180-68-0x000000001B1C0000-0x000000001B1D0000-memory.dmp (Filesize: 64KB)
memory/3180-18-0x000000001B1C0000-0x000000001B1D0000-memory.dmp (Filesize: 64KB)
memory/4172-27-0x000001F0795A0000-0x000001F0795C2000-memory.dmp (Filesize: 136KB)