Overview
overview
10Static
static
10decompiler...or.exe
windows7-x64
7decompiler...or.exe
windows10-2004-x64
7decompiler...obf.py
windows7-x64
3decompiler...obf.py
windows10-2004-x64
3decompiler...ben.py
windows7-x64
3decompiler...ben.py
windows10-2004-x64
3decompiler...ank.py
windows7-x64
3decompiler...ank.py
windows10-2004-x64
3decompiler...ean.py
windows7-x64
3decompiler...ean.py
windows10-2004-x64
3decompiler...una.py
windows7-x64
3decompiler...una.py
windows10-2004-x64
3decompiler...obf.py
windows7-x64
3decompiler...obf.py
windows10-2004-x64
3decompiler...her.py
windows7-x64
3decompiler...her.py
windows10-2004-x64
3decompiler...er.jar
windows7-x64
1decompiler...er.jar
windows10-2004-x64
7decompiler...pycdas
ubuntu-22.04-amd64
1decompiler...as.exe
windows7-x64
1decompiler...as.exe
windows10-2004-x64
1decompiler.../pycdc
ubuntu-24.04-amd64
1decompiler...dc.exe
windows7-x64
1decompiler...dc.exe
windows10-2004-x64
1decompiler...in/upx
ubuntu-24.04-amd64
1decompiler...px.exe
windows7-x64
7decompiler...px.exe
windows10-2004-x64
7decompiler...fig.py
windows7-x64
3decompiler...fig.py
windows10-2004-x64
3decompiler...ile.py
windows7-x64
3decompiler...ile.py
windows10-2004-x64
3decompiler...ion.py
windows7-x64
3Analysis
-
max time kernel
121s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system -
submitted
01-06-2024 13:54
Behavioral task
behavioral1
Sample
decompiler for malware/GeFrost Exucutor.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
decompiler for malware/GeFrost Exucutor.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
decompiler for malware/Grabbers-Deobfuscator-main/deobf.py
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
decompiler for malware/Grabbers-Deobfuscator-main/deobf.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/ben.py
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/ben.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/blank.py
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/blank.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/empyrean.py
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/empyrean.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/luna.py
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/luna.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/notobf.py
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/notobf.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/other.py
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/other.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/fernflower.jar
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/fernflower.jar
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas
Resource
ubuntu2204-amd64-20240522.1-en
Behavioral task
behavioral20
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral23
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral26
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx.exe
Resource
win7-20240508-en
Behavioral task
behavioral27
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral28
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/config.py
Resource
win7-20240220-en
Behavioral task
behavioral29
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/config.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral30
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/decompile.py
Resource
win7-20231129-en
Behavioral task
behavioral31
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/decompile.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral32
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/deobfuscation.py
Resource
win7-20240221-en
General
-
Target
decompiler for malware/Grabbers-Deobfuscator-main/methods/luna.py
-
Size
628B
-
MD5
4dc7c6571eed771eb45ab42fa8f0d99d
-
SHA1
c294ac5dfbbffb249ab374a401e1ab6e7e7f8ee2
-
SHA256
25d160d57794eedd7af90d815a508e78bec72cc418b5e0720c51f4499d6bdeb8
-
SHA512
a1073f0dd0d0ce2e0aa8b0d03f2ce0302c20439d51d90c3c0f5ae2c8154253e10c09a8dced9f355d6508014a69311bce02c1d5c18ad97b6b53089d0ddbd9cdc8
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.py rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000_CLASSES\py_auto_file\shell rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2632 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2632 AcroRd32.exe 2632 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2896 wrote to memory of 2584 2896 cmd.exe rundll32.exe PID 2896 wrote to memory of 2584 2896 cmd.exe rundll32.exe PID 2896 wrote to memory of 2584 2896 cmd.exe rundll32.exe PID 2584 wrote to memory of 2632 2584 rundll32.exe AcroRd32.exe PID 2584 wrote to memory of 2632 2584 rundll32.exe AcroRd32.exe PID 2584 wrote to memory of 2632 2584 rundll32.exe AcroRd32.exe PID 2584 wrote to memory of 2632 2584 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py"1⤵
- Suspicious use of WriteProcessMemory
PID:2896 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2584 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\methods\luna.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2632
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5bffa72203655fdb18e7e271291613987
SHA19752a3f664bbd13d0786559160508d444cf12009
SHA2564f473e61efbf71a54b18ad77ae9187832463aa37d2503f5cc5125f07a73f5243
SHA512164897d3257480b23fadc24bcf79e0112fdfa88e6c0ef7f16b7c3d235302c13c14602bdce03e95cdb0201f924651ca5b993177075fba1f34387da3e991e11747