Analysis
-
max time kernel
119s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20241023-en -
resource tags
arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system -
submitted
27-10-2024 17:13
Behavioral task
behavioral1
Sample
DiscordBruteForcer.exe
Resource
win7-20241023-en
Behavioral task
behavioral2
Sample
DiscordBruteForcer.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
main.pyc
Resource
win7-20241023-en
Behavioral task
behavioral4
Sample
main.pyc
Resource
win10v2004-20241007-en
General
-
Target
main.pyc
-
Size
11KB
-
MD5
1aea483e58eb70297feb6b6ecac88e81
-
SHA1
1609066c7f3b194a56b669ffd5aebfd288823d57
-
SHA256
044e2a346a252989c2c9e437b2e67e3df128b0acb704f7343adf33331f48e29e
-
SHA512
0d8088291c50963a2b025c99f162a0c83075ee1c87c944d88aa267809e6ee85c9e0b3c8e7b88cd2fe5d9f25b54afa708e660a41619ebe1602872e8ae45c007dd
-
SSDEEP
192:uaFkr2ncxHTbyTgUtPfpTvn018Nm1an3Fx3d/ZjiHCDjzQ:W6ncAJfpznei3d/ZiYjzQ
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language AcroRd32.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\USER\S-1-5-21-1163522206-1469769407-485553996-1000_Classes\Local Settings rundll32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 2852 AcroRd32.exe 2852 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
description pid Process procid_target PID 1268 wrote to memory of 2636 1268 cmd.exe 32 PID 1268 wrote to memory of 2636 1268 cmd.exe 32 PID 1268 wrote to memory of 2636 1268 cmd.exe 32 PID 2636 wrote to memory of 2852 2636 rundll32.exe 33 PID 2636 wrote to memory of 2852 2636 rundll32.exe 33 PID 2636 wrote to memory of 2852 2636 rundll32.exe 33 PID 2636 wrote to memory of 2852 2636 rundll32.exe 33
Processes
-
C:\Windows\system32\cmd.execmd /c C:\Users\Admin\AppData\Local\Temp\main.pyc1⤵
- Suspicious use of WriteProcessMemory
PID:1268 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\main.pyc2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\main.pyc"3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
PID:2852
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD583834552531d84b5cceec90439b1afb4
SHA12ac522ebce5c6427613883cbc70a8b75cc2e1760
SHA256cd777c71ef699b01a68734b196236e1884253ddaf01ea20f0a8cbd71364bc8c1
SHA512ed3169d0f0e2a6312c51f3c4dc18f94cb5749eb5f65e952f56269e83f07e5e71b5def848eccff777ebd5240f5bdddbf99d48d5b749f78b16662bda302b20d50d