Overview
overview
10Static
static
10source_prepared.exe
windows7-x64
source_prepared.exe
windows10-2004-x64
7discord_to...er.pyc
windows7-x64
3discord_to...er.pyc
windows10-2004-x64
3get_cookies.pyc
windows7-x64
3get_cookies.pyc
windows10-2004-x64
3misc.pyc
windows7-x64
3misc.pyc
windows10-2004-x64
3passwords_grabber.pyc
windows7-x64
3passwords_grabber.pyc
windows10-2004-x64
3source_prepared.pyc
windows7-x64
3source_prepared.pyc
windows10-2004-x64
3Analysis
-
max time kernel
44s -
max time network
47s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system -
submitted
12-12-2024 19:12
Behavioral task
behavioral1
Sample
source_prepared.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
source_prepared.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
discord_token_grabber.pyc
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral4
Sample
discord_token_grabber.pyc
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
get_cookies.pyc
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
get_cookies.pyc
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
misc.pyc
Resource
win7-20241023-en
windows7-x64
Behavioral task
behavioral8
Sample
misc.pyc
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
passwords_grabber.pyc
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral10
Sample
passwords_grabber.pyc
Resource
win10v2004-20241007-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
source_prepared.pyc
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral12
Sample
source_prepared.pyc
Resource
win10v2004-20241007-en
windows10-2004-x64
Errors
General
-
Target
source_prepared.exe
-
Size
29.5MB
-
MD5
b4beb1395d4eb44354e4fad7e86db45b
-
SHA1
57f67abc48bb85870fe239268bc97499c1ba028b
-
SHA256
d4c3fbfb5473d53dadcad0744eab84834cbdfa4836c97f476c58d4b2edf83437
-
SHA512
9ed3749a39bc1f2d991b7d077bc7da4b0941159f0f4979692883a5ab3d028ca0b1e38e420ab79d16833221aa4f737ea705dcffc2be4fef7e79e3640725e67c35
-
SSDEEP
786432:nmMlhONW8G8m1NxOpl8dPXB6BYeBL3qW+CxeD6mp3a:ndlhsW/8mxElmPxaYeBzl46W
Malware Config
Signatures
-
Loads dropped DLL 1 IoCs
pid Process 2800 source_prepared.exe -
resource yara_rule behavioral1/files/0x0003000000020997-1154.dat upx behavioral1/memory/2800-1156-0x000007FEF53F0000-0x000007FEF5A55000-memory.dmp upx -
Suspicious behavior: EnumeratesProcesses 27 IoCs
pid Process 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 1620 ehshell.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2896 taskmgr.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2896 taskmgr.exe Token: SeDebugPrivilege 1620 ehshell.exe -
Suspicious use of FindShellTrayWindow 52 IoCs
pid Process 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe -
Suspicious use of SendNotifyMessage 52 IoCs
pid Process 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe 2896 taskmgr.exe -
Suspicious use of WriteProcessMemory 3 IoCs
description pid Process procid_target PID 1892 wrote to memory of 2800 1892 source_prepared.exe 30 PID 1892 wrote to memory of 2800 1892 source_prepared.exe 30 PID 1892 wrote to memory of 2800 1892 source_prepared.exe 30 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:1892 -
C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"C:\Users\Admin\AppData\Local\Temp\source_prepared.exe"2⤵
- Loads dropped DLL
PID:2800
-
-
C:\Windows\system32\taskmgr.exe"C:\Windows\system32\taskmgr.exe" /41⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2896
-
C:\Windows\eHome\ehshell.exe"C:\Windows\eHome\ehshell.exe" /prefetch:1003 "C:\Users\Admin\Desktop\UnpublishReset.DVR"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1620
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x01⤵PID:1992
-
C:\Windows\system32\LogonUI.exe"LogonUI.exe" /flags:0x11⤵PID:1960
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.8MB
MD513e0653e90a091bde333f7e652ac6f8b
SHA1130f3271120487b4aac482af56f4de6673aaaeda
SHA256a89f9220c5afcb81b9a91f00b3bea9ed21ebd2cbae00785cbc2db264d90c862c
SHA512ad513df8f9a53cb3a8e5bc430a977c4079e7d7547fce43fe29288988ee458ff2ea922eb979582fe4c276e58cd6ef8d771bf6535170554b82c5d54d87caaf5366