c766263f5e7a70f0f77c53571d7fd10f7434df7d0a9d93139ef4655553840273

Analysis

max time kernel
118s
max time network
120s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
19/09/2024, 02:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TheBigTool-main/Settings/Program/Discord-Token-House-Changer.py
Size

2KB
MD5

ee0d7bcbe350d2894d07916bfa259492
SHA1

093bf0e2f608b960695bb81246ff93f1149e2fdc
SHA256

cfa3b4e81380b2262e0001027873c9818bed89c07f69049868094978fe6ab4f1
SHA512

1f29b8ca24e077cf03ccd683461b9aff89e83e9207ae76e34f4770977c3d333f784a41c4ccb286c6c5e814bbeb01c10b41ba844821eba380ba78a2f461cc4600

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.py	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2800	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2800	AcroRd32.exe
2800	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 620 wrote to memory of 2780	620	cmd.exe	31
PID 620 wrote to memory of 2780	620	cmd.exe	31
PID 620 wrote to memory of 2780	620	cmd.exe	31
PID 2780 wrote to memory of 2800	2780	rundll32.exe	32
PID 2780 wrote to memory of 2800	2780	rundll32.exe	32
PID 2780 wrote to memory of 2800	2780	rundll32.exe	32
PID 2780 wrote to memory of 2800	2780	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Discord-Token-House-Changer.py
1⤵
- Suspicious use of WriteProcessMemory
PID:620
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Discord-Token-House-Changer.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2780
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TheBigTool-main\Settings\Program\Discord-Token-House-Changer.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2800

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
0a56cdfcfd81064e8e9f9f666f594219

SHA1
41183db3863c62dbfc029ae4dc8ef2a932ade23d

SHA256
8d28a7b128675c261748f32cf51277bd7216afe2543e7b27b258cc47fa320709

SHA512
592ab5c4478bcaaed3b3f8f338a3d28091a8b3e29af8ceefefa8f341ff0e4a9eb33cf16d6027177abc135c18082ca7f6088d70d1012987e20797f30a65fc777f

Download Submit