cb2df937017a3f2168c8ee37ab57279ac3fc76727884b2b083335024176b7fd8

Resubmissions

06/09/2024, 20:54

240906-zp7lrsxgka 10

06/09/2024, 20:52

240906-zn3w7axfqa 10

Analysis

max time kernel
102s
max time network
103s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
06/09/2024, 20:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

discord_token_grabber.pyc
Size

17KB
MD5

e523026b612006e580e96bd9e2a8882c
SHA1

03b9938701f7eff11a0c3632ed805e8188598c88
SHA256

8ae6baddc552f9a47c488760a3d3b04f217f7c999dbffc1a548bb09532e6bf77
SHA512

a0f15f5edecbab4894aa3b85092fc2bde34b76f6048b198ce387d59a56d6c74969201cc43d19cd27a9ff0a6ab72268884a90ef206f0be34a5707a7f6ea24a853
SSDEEP

384:cGllyAavwS9F0RW807PPQviowoYbCj+Mo8WWIc02a8:cIlytvX9iRW8inQ6owoYOyM0d2a8

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\I:	unregmp2.exe
File opened (read-only)	\??\N:	unregmp2.exe
File opened (read-only)	\??\P:	unregmp2.exe
File opened (read-only)	\??\Y:	unregmp2.exe
File opened (read-only)	\??\B:	wmplayer.exe
File opened (read-only)	\??\O:	wmplayer.exe
File opened (read-only)	\??\U:	wmplayer.exe
File opened (read-only)	\??\A:	unregmp2.exe
File opened (read-only)	\??\Y:	wmplayer.exe
File opened (read-only)	\??\V:	wmplayer.exe
File opened (read-only)	\??\T:	unregmp2.exe
File opened (read-only)	\??\E:	wmplayer.exe
File opened (read-only)	\??\K:	wmplayer.exe
File opened (read-only)	\??\S:	unregmp2.exe
File opened (read-only)	\??\M:	unregmp2.exe
File opened (read-only)	\??\X:	unregmp2.exe
File opened (read-only)	\??\S:	wmplayer.exe
File opened (read-only)	\??\K:	unregmp2.exe
File opened (read-only)	\??\G:	wmplayer.exe
File opened (read-only)	\??\I:	wmplayer.exe
File opened (read-only)	\??\J:	wmplayer.exe
File opened (read-only)	\??\Q:	wmplayer.exe
File opened (read-only)	\??\W:	unregmp2.exe
File opened (read-only)	\??\Q:	unregmp2.exe
File opened (read-only)	\??\R:	unregmp2.exe
File opened (read-only)	\??\U:	unregmp2.exe
File opened (read-only)	\??\V:	unregmp2.exe
File opened (read-only)	\??\Z:	unregmp2.exe
File opened (read-only)	\??\H:	wmplayer.exe
File opened (read-only)	\??\H:	unregmp2.exe
File opened (read-only)	\??\G:	unregmp2.exe
File opened (read-only)	\??\L:	wmplayer.exe
File opened (read-only)	\??\N:	wmplayer.exe
File opened (read-only)	\??\R:	wmplayer.exe
File opened (read-only)	\??\W:	wmplayer.exe
File opened (read-only)	\??\B:	unregmp2.exe
File opened (read-only)	\??\M:	wmplayer.exe
File opened (read-only)	\??\T:	wmplayer.exe
File opened (read-only)	\??\Z:	wmplayer.exe
File opened (read-only)	\??\J:	unregmp2.exe
File opened (read-only)	\??\L:	unregmp2.exe
File opened (read-only)	\??\O:	unregmp2.exe
File opened (read-only)	\??\A:	wmplayer.exe
File opened (read-only)	\??\P:	wmplayer.exe
File opened (read-only)	\??\X:	wmplayer.exe
File opened (read-only)	\??\E:	unregmp2.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Roaming\Microsoft\UPnP Device Host\upnphost\udhisapi.dll	svchost.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2040	3612	WerFault.exe	84

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wmplayer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	unregmp2.exe

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-131918955-2378418313-883382443-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1036	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3612	wmplayer.exe
Token: SeCreatePagefilePrivilege	3612	wmplayer.exe
Token: SeShutdownPrivilege	2820	unregmp2.exe
Token: SeCreatePagefilePrivilege	2820	unregmp2.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3612	wmplayer.exe

Suspicious use of SetWindowsHookEx 13 IoCs

pid	Process
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe
1036	OpenWith.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1036 wrote to memory of 3612	1036	OpenWith.exe	84
PID 1036 wrote to memory of 3612	1036	OpenWith.exe	84
PID 1036 wrote to memory of 3612	1036	OpenWith.exe	84
PID 3612 wrote to memory of 1252	3612	wmplayer.exe	87
PID 3612 wrote to memory of 1252	3612	wmplayer.exe	87
PID 3612 wrote to memory of 1252	3612	wmplayer.exe	87
PID 1252 wrote to memory of 2820	1252	unregmp2.exe	88
PID 1252 wrote to memory of 2820	1252	unregmp2.exe	88

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc
1⤵
- Modifies registry class
PID:4916

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1036
- C:\Program Files (x86)\Windows Media Player\wmplayer.exe
  "C:\Program Files (x86)\Windows Media Player\wmplayer.exe" /Play "C:\Users\Admin\AppData\Local\Temp\discord_token_grabber.pyc"
  2⤵
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:3612
- - C:\Windows\SysWOW64\unregmp2.exe
    "C:\Windows\System32\unregmp2.exe" /AsyncFirstLogon
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1252
  - - C:\Windows\system32\unregmp2.exe
      "C:\Windows\SysNative\unregmp2.exe" /AsyncFirstLogon /REENTRANT
      4⤵
      Enumerates connected drives
      Suspicious use of AdjustPrivilegeToken
      PID:2820
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3612 -s 2220
    3⤵
    - Program crash
    PID:2040

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s upnphost
1⤵
- Drops file in Windows directory
PID:5052

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 3612 -ip 3612
1⤵
PID:4524

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
384KB

MD5
f8463b14a6866c7f8970e134fb19a1cd

SHA1
ffa614c78162cb3c40c6b1679b87b2d0d54d5f2a

SHA256
125750bed180e3b65dcf7756bfa52f4902e355f2fa0b1adc63c9c87b1b523448

SHA512
6d13aaea308c171cc698c64ed2d77d20dbd33a185a9cf4e5a6059f4396b3cca0d5cb2a4ab7b534bb2b338567fee6a51dcd532261dd7d148a6d460a04676f733b

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Media Player\CurrentDatabase_400.wmdb

Filesize
1024KB

MD5
66f931038a3bf101621ff1d421498764

SHA1
b159f4361ae0de23983b6c8f7188114f28cabb34

SHA256
d67f33e2dcec8eef01f9026ad5bb89b43c9803f435434386ce2cd3eab4c1c0f9

SHA512
b30cfabc42be1ca608693973f790c615dc087f6fd9ed541561db4e67b1abdd7a93464c9f99104f3232a1a90a0748ea19336b6992a52ba6daf2706543f8ab5002

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.DTD

Filesize
498B

MD5
90be2701c8112bebc6bd58a7de19846e

SHA1
a95be407036982392e2e684fb9ff6602ecad6f1e

SHA256
644fbcdc20086e16d57f31c5bad98be68d02b1c061938d2f5f91cbe88c871fbf

SHA512
d618b473b68b48d746c912ac5fc06c73b047bd35a44a6efc7a859fe1162d68015cf69da41a5db504dcbc4928e360c095b32a3b7792fcc6a38072e1ebd12e7cbe

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows Media\12.0\WMSDKNS.XML.bak

Filesize
9KB

MD5
7050d5ae8acfbe560fa11073fef8185d

SHA1
5bc38e77ff06785fe0aec5a345c4ccd15752560e

SHA256
cb87767c4a384c24e4a0f88455f59101b1ae7b4fb8de8a5adb4136c5f7ee545b

SHA512
a7a295ac8921bb3dde58d4bcde9372ed59def61d4b7699057274960fa8c1d1a1daff834a93f7a0698e9e5c16db43af05e9fd2d6d7c9232f7d26ffcff5fc5900b

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmsetup.log

Filesize
1KB

MD5
cefcf7dec604d5a085a37c6e368d1e84

SHA1
4cae1a623c792f701a5838bfcafe64b901dfe76f

SHA256
582906e2af5c0028d7f1a081ef96456027638d0b343afee1a7247fc95d6e2158

SHA512
19669a3f0b9f2db6314e902036abec408a0c653cac674b3ee52f51518f65f2f48f066e259b8f9326dacfa007cbfa60eb70dd4b92b045ec7029f0e6881c9a61a8

Download Submit