Resubmissions

01-07-2024 16:09

240701-tl9n3ascnn 10

01-07-2024 00:42

240701-a2hqqstgjn 10

Analysis

  • max time kernel
    46s
  • max time network
    51s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win11-20240419-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    01-07-2024 16:09

General

  • Target

    RobloxExecutor.exe

  • Size

    316KB

  • MD5

    f0c864fee64edd613b413ddb7c559446

  • SHA1

    87e75a58eef9f3765a2eed498f6aca135b1ef7c4

  • SHA256

    f20df849f7284d15b7915badc28f7afaad9e1a768279ced17db67796f2f883fd

  • SHA512

    9c8e90d0a04740ed6e36d886bb13bb9df3b963236eaca0b2fd0db6bfce1d4052761d689d77dcf66c7c07df53295751f0ff8907a8f426ccc4391b365b282bd154

  • SSDEEP

    3072:0n2Af+SLiJO+Y7mR9USl6yOiGB3PSQQivLXdn+mvo+vuChrZtwkYZBwOepe4PUe1:1E+yclwQKjdn+WPtYVJIoBfTVRsjbQ2p

Malware Config

Extracted

Family

xworm

Version

5.0

C2

allows-welfare.gl.at.ply.gg:49180

Mutex

B2qPpHuLCfcwYFiL

Attributes
  • Install_directory

    %AppData%

  • install_file

    System.exe

aes.plain

Signatures

  • Detect Xworm Payload 2 IoCs
  • Xworm

    Xworm is a remote access trojan written in C#.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs

    Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, and processes.

  • Drops startup file 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe
    "C:\Users\Admin\AppData\Local\Temp\RobloxExecutor.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4800
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /c start "" "Systemdefault.exe" & start "" "LOLPOOP.exe"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
        "Systemdefault.exe"
        3⤵
        • Drops startup file
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:3180
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4172
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'Systemdefault.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:4616
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:1360
        • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
          "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'System.exe'
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2080
      • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
        "LOLPOOP.exe"
        3⤵
        • Executes dropped EXE
        PID:3020

Network

MITRE ATT&CK Matrix (ATT&CK v13)

  • Execution
    Command and Scripting Interpreter (T1059): 1
    PowerShell (T1059.001): 1
  • Discovery
    System Information Discovery (T1082): 1

Downloads

  • C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
    Filesize

    2KB

    MD5

    627073ee3ca9676911bee35548eff2b8

    SHA1

    4c4b68c65e2cab9864b51167d710aa29ebdcff2e

    SHA256

    85b280a39fc31ba1e15fb06102a05b8405ff3b82feb181d4170f04e466dd647c

    SHA512

    3c5f6c03e253b83c57e8d6f0334187dbdcdf4fa549eecd36cbc1322dca6d3ca891dc6a019c49ec2eafb88f82d0434299c31e4dfaab123acb42e0546218f311fb

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    1a9fa92a4f2e2ec9e244d43a6a4f8fb9

    SHA1

    9910190edfaccece1dfcc1d92e357772f5dae8f7

    SHA256

    0ee052d5333fd5fd86bc84856fec98e045f077a7ac8051651bf7c521b9706888

    SHA512

    5d2361476fa22200e6f83883efe7dcb8c3fe7dae8d56e04e28a36e9ae1270c327b6aa161d92b239593da7661289d002c574446ecfd6bd19928209aae25e3ef64

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    cb9070f7a07a5d3fc17121852bff6953

    SHA1

    1932f99c2039a98cf0d65bca0f882dde0686fc11

    SHA256

    6c908b4ca5b098e166b48a0e821050db43fba7299a6553be2303bee5b89545ac

    SHA512

    97b9fc5ce40b102e2c9334500f6c17625c982ff8e4afaaabd92c2468cd8deface01d7cdfd267c4f10aac123b7a6173fde85d2b531c6f134a3896a8ca5edfe1f8

  • C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
    Filesize

    944B

    MD5

    cef328ddb1ee8916e7a658919323edd8

    SHA1

    a676234d426917535e174f85eabe4ef8b88256a5

    SHA256

    a1b5b7ada8ebc910f20f91ada3991d3321104e9da598c958b1edac9f9aca0e90

    SHA512

    747400c20ca5b5fd1b54bc24e75e6a78f15af61df263be932d2ee7b2f34731c2de8ce03b2706954fb098c1ac36f0b761cf37e418738fa91f2a8ea78572f545cb

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\LOLPOOP.exe
    Filesize

    9KB

    MD5

    c9bd5672882c79b5f7977fc3c37dc9b6

    SHA1

    90cfa0e99aacd42bd2561cdb218fd618f0ed4b9f

    SHA256

    c6594102d290245d0830cead7f7e3cacf79db881358f001373fcca0d625d0998

    SHA512

    5586496c54c7c33c3e3f1cd6c4e0117b8e34d42846f55aadf22314144e1e27691e8c7fef924386cd5ae01a958d7437ab1a0b6c709ca06f25f6deab82f6171038

  • C:\Users\Admin\AppData\Local\Temp\RarSFX0\Systemdefault.exe
    Filesize

    40KB

    MD5

    2b7216f79728eb5ff4b5553737685a99

    SHA1

    d7f4f41f03485eb76326c75ec2ae0fe53282ebd0

    SHA256

    5a40bff3109b83243b53bf7439dc5e66e29c923363c02d49fa93614c19ce36f5

    SHA512

    b9f4c8e9b5b46785806eb498028e85d2515d743a518c0ecfd9269e8f4cb2351da0bcd9a6bc0e74eabc33e8dd2374bee46566b188d5f4ee49ba3384ece7a54982

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_pfkl25c4.ras.ps1
    Filesize

    60B

    MD5

    d17fe0a3f47be24a6453e9ef58c94641

    SHA1

    6ab83620379fc69f80c0242105ddffd7d98d5d9d

    SHA256

    96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

    SHA512

    5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3020-13-0x0000000000410000-0x0000000000418000-memory.dmp
    Filesize

    32KB

  • memory/3020-12-0x00000000733DE000-0x00000000733DF000-memory.dmp
    Filesize

    4KB

  • memory/3020-17-0x00000000733D0000-0x0000000073B81000-memory.dmp
    Filesize

    7.7MB

  • memory/3020-70-0x00000000733D0000-0x0000000073B81000-memory.dmp
    Filesize

    7.7MB

  • memory/3020-15-0x0000000004EC0000-0x0000000004F52000-memory.dmp
    Filesize

    584KB

  • memory/3020-67-0x00000000733D0000-0x0000000073B81000-memory.dmp
    Filesize

    7.7MB

  • memory/3020-14-0x00000000053B0000-0x0000000005956000-memory.dmp
    Filesize

    5.6MB

  • memory/3020-16-0x0000000005060000-0x000000000506A000-memory.dmp
    Filesize

    40KB

  • memory/3020-66-0x00000000733DE000-0x00000000733DF000-memory.dmp
    Filesize

    4KB

  • memory/3180-9-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp
    Filesize

    8KB

  • memory/3180-65-0x00007FFE6B1F3000-0x00007FFE6B1F5000-memory.dmp
    Filesize

    8KB

  • memory/3180-11-0x00000000005F0000-0x0000000000600000-memory.dmp
    Filesize

    64KB

  • memory/3180-68-0x000000001B1C0000-0x000000001B1D0000-memory.dmp
    Filesize

    64KB

  • memory/3180-18-0x000000001B1C0000-0x000000001B1D0000-memory.dmp
    Filesize

    64KB

  • memory/4172-27-0x000001F0795A0000-0x000001F0795C2000-memory.dmp
    Filesize

    136KB