4466985b39f37a15db0b29f35ca28dc81f4e33687605fa67884bcae6e70c45d2

Analysis

max time kernel
18s
max time network
18s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/09/2024, 14:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Discord-Microsoft-Scam-main/config.py
Size

47B
MD5

c7257632f9e6e2cc97fc261bc3df08cb
SHA1

3efb0b15b583eef0d31155fb58cc81f27c291998
SHA256

b116c545c527ce3b3b8763ed6d8aa5451213dededc418720fd568cbbb4a0c59c
SHA512

ba78240e5559ab662a2b969e75a8e788eac98804ab423d83766de7f7031f379f5c1655d6d6431ef5bc1d2a3e86e6cefd7dd64da1f3eff921019e0a0c3cf20577

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-457978338-2990298471-2379561640-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2736	AcroRd32.exe
2736	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2468 wrote to memory of 2212	2468	cmd.exe	30
PID 2468 wrote to memory of 2212	2468	cmd.exe	30
PID 2468 wrote to memory of 2212	2468	cmd.exe	30
PID 2212 wrote to memory of 2736	2212	rundll32.exe	31
PID 2212 wrote to memory of 2736	2212	rundll32.exe	31
PID 2212 wrote to memory of 2736	2212	rundll32.exe	31
PID 2212 wrote to memory of 2736	2212	rundll32.exe	31

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Discord-Microsoft-Scam-main\config.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2468
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Discord-Microsoft-Scam-main\config.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Discord-Microsoft-Scam-main\config.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:2736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f3651202fe9056b6131970901aa87fbb

SHA1
68b608b158a08e0f90734112e3f030e736d5d3db

SHA256
3b2df598411a828189b0868c1d8cf2bfddb7bdce27730ecde0af33c4146aaf14

SHA512
a0d809d268917733b0e40fddb360a66bdcd60c6d3b6f585fdc187f425954e89f7abd71d0b7fd09e63fe9f72113713290f520e1f22c531d0ea7512fbe54531e9f

Download Submit