fc294389bcc9151093540f5daff2ac4f200adbce93e0d19c526f5fbf1edee593

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Black-Grabber-V3-main/Black-Grabber-V3/options/Defender.py
Size

1KB
MD5

4de8523dd66d1921b5f5ffcecab9bdde
SHA1

68f77d081dfac56b170397832fec81ff9b427603
SHA256

07db516f4cd689e9a41bca5877bc321a65db04bbe657c8cd24152eb521973b8d
SHA512

19fc818fe330f8b55e1a21029a8df765af880e2b70d53511eb2b29524ec36b617aa6c0b725bef3532b16086c93924f4e8815a4334f89246851b3f17c6afd34fd

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2276	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2276	AcroRd32.exe
2276	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2112 wrote to memory of 3016	2112	cmd.exe	31
PID 2112 wrote to memory of 3016	2112	cmd.exe	31
PID 2112 wrote to memory of 3016	2112	cmd.exe	31
PID 3016 wrote to memory of 2276	3016	rundll32.exe	33
PID 3016 wrote to memory of 2276	3016	rundll32.exe	33
PID 3016 wrote to memory of 2276	3016	rundll32.exe	33
PID 3016 wrote to memory of 2276	3016	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\Defender.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2112
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\Defender.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:3016
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\Defender.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2276

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
de879a054558bf5beafe9dd62551fd8e

SHA1
fad3c7cb126ec3ca85928733405e09bd6fce9afe

SHA256
45ab660725b13be30fb1dd89a1a3d81dfba3dd7dec640dc752b18aa2b4d05496

SHA512
addbd39481b7c9d247f68c4afb1073c9c5c5d08083041fb46c42bf1ac36ad07439f1620865a9fd2b41f7ea06eb2669d4e7b382b67bdc4d892969264e7c8d19f8

Download Submit