Analysis
-
max time kernel
196s -
max time network
200s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system -
submitted
09/02/2023, 13:58
Static task
static1
URLScan task
urlscan1
Behavioral task
behavioral1
Sample
https://github.com/Kammerflimmern/discord-stealer-token-grabber/releases/download/Release/Release.zip
Resource
win7-20221111-en
windows7-x64
6 signatures
150 seconds
Behavioral task
behavioral2
Sample
https://github.com/Kammerflimmern/discord-stealer-token-grabber/releases/download/Release/Release.zip
Resource
win10v2004-20221111-en
windows10-2004-x64
6 signatures
150 seconds
General
-
Target
https://github.com/Kammerflimmern/discord-stealer-token-grabber/releases/download/Release/Release.zip
Score
1/10
Malware Config
Signatures
-
Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\PhishingFilter iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = ebb3b15315f6d801 iexplore.exe -
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url5 = 0000000000000000 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00129036973cd901 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{33358F9A-B429-4172-B1EF-D36EBB429E51}" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url2 = "https://www.facebook.com/" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url4 = "https://signin.ebay.com/ws/ebayisapi.dll" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url4 = 0000000000000000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url6 = 0000000000000000 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\IESettingSync iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "6" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ed7ab5085afac4d882f24407edfa60400000000020000000000106600000001000020000000d727524610b849000c06ccbb0ef553e92420dcdbe9c6dcab70b6a927f24b6e75000000000e8000000002000020000000943c7884e844742e28698d682706ca30387525432450327f9549d17148cfa6ed20000000824aac512487c882c6996a7f3daa1b6dabe410eefe99d4b828e2c12ecb683a1640000000ab649976b71e7b6217f818676e9a0adf82fbed4d0de2cf9fbeb3ad141d91c91ff0cafcfa38709fa74d14875f0a302831acb62441e56444d3b77c8091ca0f5b72 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = b0acb534973cd901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ed7ab5085afac4d882f24407edfa6040000000002000000000010660000000100002000000042056f87198982395060af1c30ac7a4983e5a53fccb1f5f2d48ef6ebb8771052000000000e80000000020000200000005c21f031b743b39880ac58fb2239139e095b94db1dd538cbc26218ae8dca9e0a2000000066a1b76f0eb67b2ee0cc9fe4ede2ae666a040e8d18eb47d68e4a923049f6d4014000000000ead1f4d6067c51dc35345435d037e09fb52fbd38ec5ed96795bfdc1bf27d45fb468e46495b1be701131d25f30778998fcc14a6cc1fc7b81c19d9b54890e1b7 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TypedURLsTime iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\TypedURLs iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url2 = 0000000000000000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url3 = "https://login.aliexpress.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{4A4077B1-A88A-11ED-919F-7218A89707DE} = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000004ed7ab5085afac4d882f24407edfa604000000000200000000001066000000010000200000001b51595b61f6785b1f01b5cbe6e2ebdf372e805e4df4dd0f096a45da3c384670000000000e8000000002000020000000f214af818d2101226c13738b2e62208df12271a15cdd9fb2c3713b37717fb6ff200000007a3ad79a4dedf99511760367a83f39fa828a7d8bdbf3a5018580344342f0635b40000000ca09f776825c205003383844e77154047b2a1a2f49557bd218e13ec1a1e1158eccd41212abd7498752b6063eb4b38ab570049ed140189fd9d56f2bba14fa2f84 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 00ccfa34973cd901 iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\RepId iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ iexplore.exe Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\Software\Microsoft\Internet Explorer\Main IEXPLORE.EXE Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url1 = "https://github.com/Kammerflimmern/discord-stealer-token-grabber/releases/download/Release/Release.zip" iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url1 = c9ab7a36973cd901 iexplore.exe Set value (data) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLsTime\url3 = 0000000000000000 iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url5 = "https://login.live.com/" iexplore.exe Set value (str) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\TypedURLs\url6 = "https://twitter.com/" iexplore.exe Set value (int) \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "382719748" iexplore.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-4246620582-653642754-1174164128-1000_Classes\Local Settings iexplore.exe -
Suspicious use of FindShellTrayWindow 2 IoCs
pid Process 2236 iexplore.exe 2236 iexplore.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 2236 iexplore.exe 2236 iexplore.exe 1892 IEXPLORE.EXE 1892 IEXPLORE.EXE 1892 IEXPLORE.EXE 1892 IEXPLORE.EXE -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 2236 wrote to memory of 1892 2236 iexplore.exe 80 PID 2236 wrote to memory of 1892 2236 iexplore.exe 80 PID 2236 wrote to memory of 1892 2236 iexplore.exe 80
Processes
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" https://github.com/Kammerflimmern/discord-stealer-token-grabber/releases/download/Release/Release.zip1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2236 CREDAT:17410 /prefetch:22⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:1892
-
-
C:\Windows\System32\rundll32.exeC:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding1⤵PID:2624
-
C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Release\GUP.exe"C:\Users\Admin\AppData\Local\Temp\Temp1_Release.zip\Release\GUP.exe"1⤵PID:1864
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
426KB
MD5a5a6cea064575fa4ef35cefe4653b0c3
SHA1faa50decb1653bd7e46be640973dd5b4c42f13b2
SHA256955975f6463f89c01b8b9a0498f14a294e6cd7ed4d5e55d6d3fde03a7b1aff4e
SHA512249185e2e00a6e740a50fc31a03c7728d807a94b156d523622378670ca7f2768cd7ddf7b3bac22fb43a9ba095fb69b2a10e65cbb4446370ff17709cfa74920ae