c766263f5e7a70f0f77c53571d7fd10f7434df7d0a9d93139ef4655553840273

Analysis

max time kernel
118s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TheBigTool-main/Settings/Program/Discord-Bot-Invite-To-Id.py
Size

1KB
MD5

a8bc88ae8ea00ebaf985a2fb48c50f4a
SHA1

cff677f2f4f7d138e4c599ad9de8cd971b2d000a
SHA256

07def6585d3e38c08e616f3e20c911515eded258af23439c2093ce72719d7383
SHA512

037ddea274727fb23cd1e36cef8935cfa88c3940ea26f88c2509bf811b7598dbfd716544fba358c871ce3c472de28bafe1dc772452cfe2c37e6e26ea6d525bf2

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2852	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2852	AcroRd32.exe
2852	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2176 wrote to memory of 3020	2176	cmd.exe	31
PID 2176 wrote to memory of 3020	2176	cmd.exe	31
PID 2176 wrote to memory of 3020	2176	cmd.exe	31
PID 3020 wrote to memory of 2852	3020	rundll32.exe	32
PID 3020 wrote to memory of 2852	3020	rundll32.exe	32
PID 3020 wrote to memory of 2852	3020	rundll32.exe	32
PID 3020 wrote to memory of 2852	3020	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Discord-Bot-Invite-To-Id.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2176
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Discord-Bot-Invite-To-Id.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3020
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Discord-Bot-Invite-To-Id.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
841144243a59becb85feb68c95da5068

SHA1
1ef5b92bb8158df246fff3fb9179eec41847351f

SHA256
cc03f33283fc52b6ca1200ec80b2d0b1ddd48a934f7f842fa4a04a2853a9c217

SHA512
2db7cc696311fcf189d21a764688c576254c9500a7f9f4ec927aa1025ff5332a8755165e9ce8b29c1cf5821d1d0ee207e11e24f5e8e9f39c75265f94b36de66d

Download Submit