hxxps://cdn[.]discordapp[.]com/attachments/1005912106362740836/1108843684990029958/main[.]py

General

Target

https://cdn.discordapp.com/attachments/1005912106362740836/1108843684990029958/main.py

Score

1^/10

Malware Config

Signatures

Modifies Internet Explorer Phishing Filter 1 TTPs 2 IoCs

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\PhishingFilter	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\PhishingFilter\ClientSupported_MigrationTime = d3273793ae45d901	iexplore.exe

Modifies Internet Explorer settings 1 TTPs 15 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\RepId\PublicId = "{D284EEEE-2170-4EFE-AB68-A20D56BEE61F}"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\RepId	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{F94BC214-F5C5-11ED-9F77-4E89871AD1F5} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1675742406-747946869-1029867430-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2848	iexplore.exe
2848	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2848	iexplore.exe
2848	iexplore.exe
4816	IEXPLORE.EXE
4816	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 4816	2848	iexplore.exe	84
PID 2848 wrote to memory of 4816	2848	iexplore.exe	84
PID 2848 wrote to memory of 4816	2848	iexplore.exe	84

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" https://cdn.discordapp.com/attachments/1005912106362740836/1108843684990029958/main.py
1⤵
- Modifies Internet Explorer Phishing Filter
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
  "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2848 CREDAT:17410 /prefetch:2
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of SetWindowsHookEx
  PID:4816

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
PID:3732

C:\Program Files\Mozilla Firefox\firefox.exe
"C:\Program Files\Mozilla Firefox\firefox.exe"
1⤵
PID:4656
- C:\Program Files\Mozilla Firefox\firefox.exe
  "C:\Program Files\Mozilla Firefox\firefox.exe"
  2⤵
  PID:1140
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.0.977433001\2144601065" -parentBuildID 20221007134813 -prefsHandle 1800 -prefMapHandle 1796 -prefsLen 20890 -prefMapSize 232675 -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ef0ec32-1d82-4a6a-9fa7-3448779039b9} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 1916 167c5ce3e58 gpu
    3⤵
    PID:4352
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.1.1282388971\1215025387" -parentBuildID 20221007134813 -prefsHandle 2304 -prefMapHandle 2300 -prefsLen 20926 -prefMapSize 232675 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {c3ef616c-bc7f-4725-aa68-a0ace4becd7c} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 2316 167b8d72b58 socket
    3⤵
    PID:4988
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.2.1254353809\55350391" -childID 1 -isForBrowser -prefsHandle 3008 -prefMapHandle 3004 -prefsLen 21074 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {f6fd5faa-61e1-4baf-bd14-1e1665bceacf} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 3020 167c5c7e058 tab
    3⤵
    PID:1392
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.3.81370814\2061627741" -childID 2 -isForBrowser -prefsHandle 3620 -prefMapHandle 3636 -prefsLen 26519 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {d2fa5631-147b-4bb4-9d26-7eca45524e72} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 3724 167c9ec2558 tab
    3⤵
    PID:1488
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.4.413982596\171628120" -childID 3 -isForBrowser -prefsHandle 3884 -prefMapHandle 4140 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {7004019c-8960-4628-8628-d3f1b11857cf} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 3268 167cc13ee58 tab
    3⤵
    PID:2724
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.5.309441554\411177138" -childID 4 -isForBrowser -prefsHandle 4912 -prefMapHandle 4944 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {e8daa961-4238-46a7-be48-5b199a1df482} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 4844 167caf4de58 tab
    3⤵
    PID:5052
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.6.334766627\1020924287" -childID 5 -isForBrowser -prefsHandle 5128 -prefMapHandle 5132 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {715b3e60-d491-49ad-b6b0-8d1b868386dc} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 4896 167caf4b758 tab
    3⤵
    PID:3960
- - C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="1140.7.1267007934\78655990" -childID 6 -isForBrowser -prefsHandle 5412 -prefMapHandle 5408 -prefsLen 26659 -prefMapSize 232675 -jsInitHandle 1464 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {a788f277-7771-4c3a-a53c-69f165cf8512} 1140 "\\.\pipe\gecko-crash-server-pipe.1140" 5328 167caf4d858 tab
    3⤵
    PID:1180

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

2

T1112

Credential Access

Discovery

Query Registry

1

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\TUIJN6ZA\main[1].py

Filesize
23KB

MD5
67e27cb30745288053df0ad06e44480d

SHA1
00b630076827595a512f7eb202e3578132538616

SHA256
998622cf4363f8df133326bee43e34389ebcc90292c245b7471426129e95a1df

SHA512
3a664db18964b7d5fe2ec5e4260f1d7768a1bf05159dde921cb0e9df34a4c2c3d554f2bf1b2aee224b8b7213f88b91498900ea64d6a03d890c2ae796d0904e7d

Download Submit
C:\Users\Admin\AppData\Local\Mozilla\Firefox\Profiles\3o4pebi0.default-release\activity-stream.discovery_stream.json.tmp

Filesize
152KB

MD5
0701daa0a56ab1332b05e2ee864e09b8

SHA1
5938bbf4cb3d15af4b609db50a27f002ea25563d

SHA256
2784852a59f12fc381f94489871a75a18ddb8a2576c204fcd1b0aec9293c2434

SHA512
3cf9adb54bd028e8197de5441d0396aaff92466de89dc464d2a6915e94b1015d5515fdc15ef7db74c3b9484fcf3d9901583d999a4424f89558fe376b85b24150

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
e65265b201bf05981172bd3da6dfbd64

SHA1
7dccf0a4eb785a11b67a30c49a20ec52fb5c5ade

SHA256
10d6308810b8b0ab833f3860743b60d21b60a6a531ad12788b1425ae5bf7a6ae

SHA512
fa2dce368254a12e483613525e6a2d1c4fb7458f35a8c533bb51c840d1b7560323f7ff592ced733566a610956628ed50fe562b085dbfa4a6cd59a95aa5ad1272

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs-1.js

Filesize
6KB

MD5
1063a91419d2a2f5c7674ed45c5ebe19

SHA1
56df374f4da87180738d515bbd72e5d419cce7e0

SHA256
731e4595dde4021907eb214ae08834149b120b50747982809c5cb804a760a74b

SHA512
21e6183a23415dc3bab0bc690e446a659e8f8ae3d7ffe5f8650a4bfbd35cb803852236aa0f80ae6ce880147550b528a3c4f434a79755847c6bc98178f4128621

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\prefs.js

Filesize
6KB

MD5
1984b45f201f1fd79d2154406648433b

SHA1
42f082dc6d4d43333688690bf4dfa7c7f8b618ab

SHA256
000a408519010d12b94281710f9a987f822093a1efb5293bbb50ca2e4a6a9df9

SHA512
e73a00cc8994d4023168e93ff5f5b6e6b13ffeb740872b64f565787cbb57e49e64eb03e4de1d8068a6f303f0615749fb27cb47bdbc4cef3fef1290bd3a3a17cc

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\3o4pebi0.default-release\sessionstore-backups\recovery.jsonlz4

Filesize
1KB

MD5
6668ee98210d14b0d03f0775ca675a18

SHA1
f997bab4eb70694b1f897a30ca59285ec6d915c0

SHA256
c246bb30868633b134657ccccc695f59ce271762635af028e07727a447c9f78e

SHA512
0bdea63218b0437057b6120e471298c31808826d6d351146bc4e4a9be47864b96a07be44c7de1471fa4bf31e792a3b0c654a831efb56f810bf7a78d76acdf6c4

Download Submit
C:\Users\Admin\Downloads\main.py.wy9kaz1.partial

Filesize
23KB

MD5
67e27cb30745288053df0ad06e44480d

SHA1
00b630076827595a512f7eb202e3578132538616

SHA256
998622cf4363f8df133326bee43e34389ebcc90292c245b7471426129e95a1df

SHA512
3a664db18964b7d5fe2ec5e4260f1d7768a1bf05159dde921cb0e9df34a4c2c3d554f2bf1b2aee224b8b7213f88b91498900ea64d6a03d890c2ae796d0904e7d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads