fc294389bcc9151093540f5daff2ac4f200adbce93e0d19c526f5fbf1edee593

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Black-Grabber-V3-main/Black-Grabber-V3/options/CommonFiles.py
Size

2KB
MD5

b353e5de3cba26130e975ad68f5f3101
SHA1

1aa66593f9970c9c0d8586310d1f9a89ad768741
SHA256

c7f836fdf1b08617032556dba562249ac2933638c24eaba3cc82badacb18830f
SHA512

d012433a24fbbf77c38168c9fbf9bf75e5bebfb580a334370bb2c05705480ab7e4108628528b176d0b132f391d96809615cd231f8175b91a531a9f7d277282d8

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2612	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2612	AcroRd32.exe
2612	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2076 wrote to memory of 2604	2076	cmd.exe	31
PID 2076 wrote to memory of 2604	2076	cmd.exe	31
PID 2076 wrote to memory of 2604	2076	cmd.exe	31
PID 2604 wrote to memory of 2612	2604	rundll32.exe	32
PID 2604 wrote to memory of 2612	2604	rundll32.exe	32
PID 2604 wrote to memory of 2612	2604	rundll32.exe	32
PID 2604 wrote to memory of 2612	2604	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\CommonFiles.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2076
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\CommonFiles.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\CommonFiles.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2612

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
6702b247c4efb8aa437b8cfb1d5d5656

SHA1
43072ffb5b1c37e475726d9011769348dd2f0879

SHA256
d052ff88c902e1cad30683f0f2e0304fab231cfb6dbce61ed712f46efad80cc1

SHA512
86335e8a4557ecf91d60c4e776c250e532d43addef6e856508430ad8e4aa2c1148114362dbf2b581646445e80e133e2af45081b6ae2575dbe197166a1d29b792

Download Submit