ace56fea4b7af878e92fa3caa903c1dd21e0b3b43c96ba114e682afa1c2413ed

Analysis

max time kernel
122s
max time network
131s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 22:18

Target

Blank-Grabber-main/Blank Grabber/env/Scripts/build/Built.exe/PYZ-00.pyz
Size

1.6MB
MD5

f64a698c05e1400327179d88aaa3ce02
SHA1

bf21c6eba63829084e2ea14d540a7817bb56a7e5
SHA256

a8ad1a6d1aefa1536addb6bf6f6b900d3d6ff1c2e11d764ee726653d2036b760
SHA512

2472c397ad0d3623f84bbed19f178b3ec9d99dc8e2b1d5797267bc44a6ee5613890be7153f789740b4daef32605af007fe1b6f95a9e407654a2f60e4c03d24f8
SSDEEP

24576:kozI+9DvSCJRCMmYyOJTAVpaQ+OlkA0pXB9pU8LBVUf1zAbz/jlplIUxakjg:RzHvLJR9JTSQ380XBfU8LLo1WjFxf0

Score

3^/10

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyz_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyz\ = "pyz_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyz_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyz_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyz_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyz_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\.pyz	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000_CLASSES\pyz_auto_file\shell	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2380 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2380 AcroRd32.exe
2380 AcroRd32.exe

pid	process
2380	AcroRd32.exe

pid	process
2380	AcroRd32.exe
2380	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2460 wrote to memory of 2704	2460	cmd.exe	rundll32.exe
PID 2460 wrote to memory of 2704	2460	cmd.exe	rundll32.exe
PID 2460 wrote to memory of 2704	2460	cmd.exe	rundll32.exe
PID 2704 wrote to memory of 2380	2704	rundll32.exe	AcroRd32.exe
PID 2704 wrote to memory of 2380	2704	rundll32.exe	AcroRd32.exe
PID 2704 wrote to memory of 2380	2704	rundll32.exe	AcroRd32.exe
PID 2704 wrote to memory of 2380	2704	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Blank-Grabber-main\Blank Grabber\env\Scripts\build\Built.exe\PYZ-00.pyz"
1⤵
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Blank-Grabber-main\Blank Grabber\env\Scripts\build\Built.exe\PYZ-00.pyz
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Blank-Grabber-main\Blank Grabber\env\Scripts\build\Built.exe\PYZ-00.pyz"
    3⤵
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2380

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
58b759c7d4a03c3f3b1abb57a1e41d14

SHA1
dde6d5282cfb4d75c30f57bc44e5614d4d9e3392

SHA256
2e82e91f2339f37d2923b73745dd9ec1f5f9e9858c0eb17844970e6ec371ed20

SHA512
d9229f7d42d23ac5c31234f8e1037180f8b3aaa580249ac508d2f4741a5334d727dad328bb85c55aacd127e03183a907fcafa02ac5dcc0a4e5a5d238192eede5

Download Submit