fc294389bcc9151093540f5daff2ac4f200adbce93e0d19c526f5fbf1edee593

Analysis

max time kernel
121s
max time network
123s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
07/02/2025, 16:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Black-Grabber-V3-main/Black-Grabber-V3/options/Injection.py
Size

1KB
MD5

5cd1c3372c37c6c29d5d201778f9c5ef
SHA1

d81adf407ea173e68cc9efa9da2002f65624afcc
SHA256

c0f99318ca9ee00a6a4b841c19aef35a84fe9f62bb97d19a14bc091beb2c5a93
SHA512

284d4144f66117a4fe4253ce4816939a1cb2520538b86f526b773157af8896523a5bb9f99ada6457ce39130c716e1b9c50345b63e65eb997858e4ca5e108eaa4

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3063565911-2056067323-3330884624-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2840	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2840	AcroRd32.exe
2840	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2520 wrote to memory of 2336	2520	cmd.exe	31
PID 2520 wrote to memory of 2336	2520	cmd.exe	31
PID 2520 wrote to memory of 2336	2520	cmd.exe	31
PID 2336 wrote to memory of 2840	2336	rundll32.exe	32
PID 2336 wrote to memory of 2840	2336	rundll32.exe	32
PID 2336 wrote to memory of 2840	2336	rundll32.exe	32
PID 2336 wrote to memory of 2840	2336	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\Injection.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2520
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\Injection.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2336
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\Black-Grabber-V3-main\Black-Grabber-V3\options\Injection.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2840

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f72a984f93c341d742f932f153077d84

SHA1
ba4a6e77b4eec8c87dfb92a0e14def150ab92d6e

SHA256
75e3eaf0cc6cf242fc59463932e399bd93e5f076044999efa2d7d7ed874b8ab7

SHA512
7058e18c9affe3fc17bf895f439d42b10892dfc14e2ab44bda3ae32c505d1c3e613de4a94f0042b01fb5e9096d84ea3eae1d16a60ab3d172966824a85cd473f4

Download Submit