Analysis
-
max time kernel
178s -
max time network
268s -
platform
windows10-2004_x64 -
resource
win10v2004-20231127-en -
resource tags
arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system -
submitted
12-12-2023 16:07
Behavioral task
behavioral1
Sample
GOBLIN SERVICES.exe
Resource
win10v2004-20231127-en
Behavioral task
behavioral2
Sample
discord_token_grabber.pyc
Resource
win10v2004-20231127-en
Behavioral task
behavioral3
Sample
get_cookies.pyc
Resource
win10v2004-20231127-en
Behavioral task
behavioral4
Sample
misc.pyc
Resource
win10v2004-20231130-en
Behavioral task
behavioral5
Sample
passwords_grabber.pyc
Resource
win10v2004-20231130-en
Behavioral task
behavioral6
Sample
source_prepared.pyc
Resource
win10v2004-20231130-en
General
-
Target
get_cookies.pyc
-
Size
10KB
-
MD5
ddc40a1cee51500039f5c98ef7b1d3c9
-
SHA1
1e65cf0d7acb74e429844d2ee5b2d39369d17750
-
SHA256
1201adef44d0ba8be86b7d4aa4e8f69f1f8f800522fa574291974a3b40250436
-
SHA512
c9a89f5fe6ef87d7d8ce63a59f87fd5684d91e5dccfda644d84a40d5316b85b9930e90f096f13e811f646da724bc267ac853c15e451a6888083d5ab0572f27db
-
SSDEEP
192:TzOCIeivQfUFPLqwOEVOFc1mNe47+S5zEzzzzz1zz+HoowAE:TzOUi4aFEe4KSPIAE
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 2 IoCs
Processes:
cmd.exeOpenWith.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-2013768333-4045878716-2922883000-1000_Classes\Local Settings OpenWith.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
svchost.exedescription pid process Token: SeManageVolumePrivilege 332 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
OpenWith.exepid process 4344 OpenWith.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc1⤵
- Modifies registry class
PID:2152
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4344
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe1⤵PID:3764
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k UnistackSvcGroup1⤵
- Suspicious use of AdjustPrivilegeToken
PID:332
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
MD5463ef45b7eceb98265b59cc5df638030
SHA133a9b08ae5de4a09e1ee88c1007948971e44aa3b
SHA256506efaa2e9c833cb273693b21958361089125bc3261d6f79e74cbc8c9daf4aa7
SHA5128a18655a309130b36448d86893ed02a412b84fb0ad9599387f5d36eada41ae19aa9d5bd8405375a6e391a49f180b7d42a0fedb8be6cecb58c9665a8846855aff