Overview
overview
10Static
static
10Robux Hacker.exe
windows7-x64
7Robux Hacker.exe
windows10-2004-x64
9discord_to...er.pyc
windows7-x64
3discord_to...er.pyc
windows10-2004-x64
3get_cookies.pyc
windows7-x64
3get_cookies.pyc
windows10-2004-x64
3misc.pyc
windows7-x64
3misc.pyc
windows10-2004-x64
3passwords_grabber.pyc
windows7-x64
3passwords_grabber.pyc
windows10-2004-x64
3source_prepared.pyc
windows7-x64
3source_prepared.pyc
windows10-2004-x64
3Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
25-05-2024 16:09
Behavioral task
behavioral1
Sample
Robux Hacker.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
Robux Hacker.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
discord_token_grabber.pyc
Resource
win7-20240215-en
Behavioral task
behavioral4
Sample
discord_token_grabber.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
get_cookies.pyc
Resource
win7-20240220-en
Behavioral task
behavioral6
Sample
get_cookies.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral7
Sample
misc.pyc
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
misc.pyc
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
passwords_grabber.pyc
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
passwords_grabber.pyc
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
source_prepared.pyc
Resource
win7-20240419-en
Behavioral task
behavioral12
Sample
source_prepared.pyc
Resource
win10v2004-20240508-en
General
-
Target
get_cookies.pyc
-
Size
10KB
-
MD5
b38f506528b3d6d5dbd851426c347b95
-
SHA1
e91bf4ef42128267934e21be0176e552480f5977
-
SHA256
85a7c34afad2c270ca690a5b4c30cc8bf16967e623fc77f4de4497901030a93b
-
SHA512
ab110dc92eba564fd0ec6c6a75e779f588518dc1aa461f072ab02b96bc11fbe25e09faa6a556dc6a127c3e8826382697b72037a0cefbdaf32fd70a723e746295
-
SSDEEP
192:TzOCIeinQfUF9LdwOEVOFc1mNe47+o+zEzzzzz1zz+HoowAE:TzOUiQccEe4KoOIAE
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_Classes\Local Settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2464 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2464 AcroRd32.exe 2464 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2008 wrote to memory of 2652 2008 cmd.exe rundll32.exe PID 2008 wrote to memory of 2652 2008 cmd.exe rundll32.exe PID 2008 wrote to memory of 2652 2008 cmd.exe rundll32.exe PID 2652 wrote to memory of 2464 2652 rundll32.exe AcroRd32.exe PID 2652 wrote to memory of 2464 2652 rundll32.exe AcroRd32.exe PID 2652 wrote to memory of 2464 2652 rundll32.exe AcroRd32.exe PID 2652 wrote to memory of 2464 2652 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\get_cookies.pyc"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5d8d06f6d501851012a0174b3032c3930
SHA1ecf0fb0619a3445026762c2b2c05d8bfe0d2ea63
SHA2562f62844afd845b6ced641c3f26299722ced967433abbc1f71ad5723715d7f81d
SHA512a2638d92d9064fbca6bb952b7f49880e489856236cfdc2cbb8889217bcb958588d20f6a0a39550acb7c2ac9f666b756050cca01896363921572d9bfcdf6fbc66