5647b77efb32d2aa156141f4b19f4c430d171ec8b5a41f68c7bcb38802786f20

Analysis

max time kernel
98s
max time network
141s
platform
windows10-ltsc 2021_x64
resource
win10ltsc2021-20250113-en
resource tags

arch:x64arch:x86image:win10ltsc2021-20250113-enlocale:en-usos:windows10-ltsc 2021-x64system
submitted
26/01/2025, 02:39 UTC

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

passwords_grabber.pyc
Size

8KB
MD5

1ca5633be35a5db415bc83be9852bf0e
SHA1

710a4da76579449bb0b45eecedd42aea82ba6b35
SHA256

07a93aa41dbdcd8962b2ad1fcbd7c1bf661130c1cf050a5a4ef6821d30893099
SHA512

9ac14821d21d9c7345b6cf51d9e1c31f908590fadca061ed4f5c50ea7cd28c92b169aa7985873876989e7108946090695a4c782d8251f5061d27cea7c2f35ccb
SSDEEP

192:+CE34EAL/GFf/PoXdLO23NsDmqFUhkxNivLI9dRvL:Y4EAL/AfsFO8NsxuOxNn

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-1898866115-3160784972-1217720036-1000_Classes\Local Settings	cmd.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
880	OpenWith.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\passwords_grabber.pyc
1⤵
- Modifies registry class
PID:700

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:880

Network

DNS

217.106.137.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

217.106.137.52.in-addr.arpa

IN PTR

Response
DNS

172.214.232.199.in-addr.arpa

Remote address:

8.8.8.8:53

Request

172.214.232.199.in-addr.arpa

IN PTR

Response
DNS

67.31.126.40.in-addr.arpa

Remote address:

8.8.8.8:53

Request

67.31.126.40.in-addr.arpa

IN PTR

Response
DNS

5.114.82.104.in-addr.arpa

Remote address:

8.8.8.8:53

Request

5.114.82.104.in-addr.arpa

IN PTR

Response

5.114.82.104.in-addr.arpa

IN PTR

a104-82-114-5deploystaticakamaitechnologiescom
DNS

241.150.49.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

241.150.49.20.in-addr.arpa

IN PTR

Response
DNS

fd.api.iris.microsoft.com

Remote address:

8.8.8.8:53

Request

fd.api.iris.microsoft.com

IN A

Response

fd.api.iris.microsoft.com

IN CNAME

fd-api-iris.trafficmanager.net

fd-api-iris.trafficmanager.net

IN CNAME

iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com

iris-de-prod-azsc-v2-weu-b.westeurope.cloudapp.azure.com

IN A

20.31.169.57
GET

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=CB323FA4C9D342F5B10802815DC3E5E2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775495&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A46A438C4-46A0-7F35-243E-F4714CDC52CF&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20479&lo=18061&tsu=18061

Remote address:

20.31.169.57:443

Request

GET /v4/api/selection?&asid=CB323FA4C9D342F5B10802815DC3E5E2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775495&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A46A438C4-46A0-7F35-243E-F4714CDC52CF&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20479&lo=18061&tsu=18061 HTTP/2.0
host: fd.api.iris.microsoft.com
accept-encoding: gzip, deflate
x-sdk-hw-token: t=EwDoAppeBAAUGoFunEzxzyai/T0i5tnZAAR1eX0AAXjqJIB8ig9mDvchGugnKUXZFuzD9DrTNgmyG33YmY+FYArc1KJjrrcaIunGMRwKKusUavbSe+81b/sZzasMA8flC+D9DUmrzBjXix8QH9XgtkBDpKdlNXhDHPytQuU51xM3qHNWHtqI3qja/6nqojcqe700bMPwE84j45CPPxxfQ9meIlSswMY11x3M1iFPFMClfh1e9mZ7w78f69PRp1eunj+1HALDkACNtQSLpdjfRqFSzsTuGlGb+vCX3RU5TaBq9YhBHNkInNYMj1uWPYCONY9uoc936JRF50i4idT/2KX5m2MQsmyoN5feYrWp2RBmHF9jyW4Z/YbzjrUf5aoQZgAAEGHFFwgER+a6qBVoKhOoeFKwAbpLNSd3BpxW9xw/rnT/q1nYU4ilKX+cXshNiUd7GMPG2mjAPegAV7D9+Kr/5BwMF8dR0YDxyTN7PrtoDOXWLEDHXz2h0sgO8lmhq6YeSRTWmDOUHatn4k5HsQECR3FHJ7XhZAtlBu5/9V+M7VZKODiQVbKgyDXpI/83yjpSFAnFEYXVW2mbH3ioEDzfytq2INUBeXIemXzBJrB2DRhG6mATKU3XFF6XgLwndrsLgBfdD86hxDnxHPBRdtkxEPRHm8Zi2VVrYy/jnSWzX1P4CyIR9F/TISxXuvROFrk/nyMMdr1TeHxgD7BR8ItQZZKv1zRWKtOoOExava5MWSO/pUp9YYINVaobNcEz+udsPOcvkP1nJOdG3QDrgYkU3JUSkNMWiqoeQ2Li7EXxTkexKV82HOU/QrNdVzU9N2rJ7XK21Y45xmAxaqGEAqSwEe/wRhTI/wQ5KDRbS8NAuUT8ny4cex/KEPm3qx3kpXQ/yS3oe/t7s3ulNI+yHSuC6cCtPpS4uGP3GK6/NAaYQjm7hNTloikSY1yfnpIq6YqRzDFsr8ebhbyH6SHzV/gY0BoZgdoB&p=

Response

HTTP/2.0 200

cache-control: no-store, no-cache
pragma: no-cache
content-length: 131
content-type: application/json; charset=utf-8
expires: Mon, 01 Jan 0001 00:00:00 GMT
server: Microsoft-IIS/10.0
arc-rsp-dbg: [{"DcoPlusDebug":"Status: Ok"},{"OPTOUTSTATE":"256"},{"REGIONALPOLICY":"0"}]
accept-ch: UA, UA-Arch, UA-Full-Version, UA-Mobile, UA-Model, UA-Platform, UA-Platform-Version
x-aspnet-version: 4.0.30319
x-powered-by: ASP.NET
strict-transport-security: max-age=31536000; includeSubDomains
date: Sun, 26 Jan 2025 02:40:43 GMT
DNS

53.210.109.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

53.210.109.20.in-addr.arpa

IN PTR

Response
DNS

57.169.31.20.in-addr.arpa

Remote address:

8.8.8.8:53

Request

57.169.31.20.in-addr.arpa

IN PTR

Response
DNS

15.164.165.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

15.164.165.52.in-addr.arpa

IN PTR

Response
DNS

138.136.73.23.in-addr.arpa

Remote address:

8.8.8.8:53

Request

138.136.73.23.in-addr.arpa

IN PTR

Response

138.136.73.23.in-addr.arpa

IN PTR

a23-73-136-138deploystaticakamaitechnologiescom
DNS

30.243.111.52.in-addr.arpa

Remote address:

8.8.8.8:53

Request

30.243.111.52.in-addr.arpa

IN PTR

Response

20.31.169.57:443

https://fd.api.iris.microsoft.com/v4/api/selection?&asid=CB323FA4C9D342F5B10802815DC3E5E2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775495&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A46A438C4-46A0-7F35-243E-F4714CDC52CF&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20479&lo=18061&tsu=18061

tls, http2

2.7kB
7.5kB
19
14

HTTP Request

GET https://fd.api.iris.microsoft.com/v4/api/selection?&asid=CB323FA4C9D342F5B10802815DC3E5E2&nct=1&placement=88000677&bcnt=30&country=US&locale=en-US&poptin=0&fmt=json&clr=cdmlite&arch=AMD64&concp=0&d3dfl=D3D_FEATURE_LEVEL_12_1&devfam=Windows.Desktop&devosver=10.0.19044.4529&dinst=1736775495&dmret=0&drgng=244&flightbranch=&flightring=Retail&localid=w%3A46A438C4-46A0-7F35-243E-F4714CDC52CF&osbranch=vb_release&oslocale=en-US&osret=1&ossku=EnterpriseS&osskuid=125&prccn=2&prccs=4192&prcmf=AuthenticAMD&procm=Intel%20Core%20Processor%20%28Broadwell%29&ram=4095&tinst=Client&tl=1&pat=0&smc=0&sac=0&disphorzres=1280&dispsize=14.7&dispvertres=720&ldisphorzres=1280&ldispvertres=720&moncnt=1&cpdsk=241361&frdsk=20479&lo=18061&tsu=18061

HTTP Response

200

8.8.8.8:53

217.106.137.52.in-addr.arpa

dns

73 B
147 B
1
1

DNS Request

217.106.137.52.in-addr.arpa
8.8.8.8:53

172.214.232.199.in-addr.arpa

dns

74 B
128 B
1
1

DNS Request

172.214.232.199.in-addr.arpa
8.8.8.8:53

67.31.126.40.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

67.31.126.40.in-addr.arpa
8.8.8.8:53

5.114.82.104.in-addr.arpa

dns

71 B
135 B
1
1

DNS Request

5.114.82.104.in-addr.arpa
8.8.8.8:53

241.150.49.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

241.150.49.20.in-addr.arpa
8.8.8.8:53

fd.api.iris.microsoft.com

dns

71 B
198 B
1
1

DNS Request

fd.api.iris.microsoft.com

DNS Response

20.31.169.57
8.8.8.8:53

53.210.109.20.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

53.210.109.20.in-addr.arpa
8.8.8.8:53

57.169.31.20.in-addr.arpa

dns

71 B
157 B
1
1

DNS Request

57.169.31.20.in-addr.arpa
8.8.8.8:53

15.164.165.52.in-addr.arpa

dns

72 B
146 B
1
1

DNS Request

15.164.165.52.in-addr.arpa
8.8.8.8:53

138.136.73.23.in-addr.arpa

dns

72 B
137 B
1
1

DNS Request

138.136.73.23.in-addr.arpa
8.8.8.8:53

30.243.111.52.in-addr.arpa

dns

72 B
158 B
1
1

DNS Request

30.243.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Windows 7 deprecation

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

Loading Replay Monitor...

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

HTTP Request

HTTP Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

DNS Response

DNS Request

DNS Request

DNS Request

DNS Request

DNS Request

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

We care about your privacy.