Overview
overview
10Static
static
10decompiler...or.exe
windows7-x64
7decompiler...or.exe
windows10-2004-x64
7decompiler...obf.py
windows7-x64
3decompiler...obf.py
windows10-2004-x64
3decompiler...ben.py
windows7-x64
3decompiler...ben.py
windows10-2004-x64
3decompiler...ank.py
windows7-x64
3decompiler...ank.py
windows10-2004-x64
3decompiler...ean.py
windows7-x64
3decompiler...ean.py
windows10-2004-x64
3decompiler...una.py
windows7-x64
3decompiler...una.py
windows10-2004-x64
3decompiler...obf.py
windows7-x64
3decompiler...obf.py
windows10-2004-x64
3decompiler...her.py
windows7-x64
3decompiler...her.py
windows10-2004-x64
3decompiler...er.jar
windows7-x64
1decompiler...er.jar
windows10-2004-x64
7decompiler...pycdas
ubuntu-22.04-amd64
1decompiler...as.exe
windows7-x64
1decompiler...as.exe
windows10-2004-x64
1decompiler.../pycdc
ubuntu-24.04-amd64
1decompiler...dc.exe
windows7-x64
1decompiler...dc.exe
windows10-2004-x64
1decompiler...in/upx
ubuntu-24.04-amd64
1decompiler...px.exe
windows7-x64
7decompiler...px.exe
windows10-2004-x64
7decompiler...fig.py
windows7-x64
3decompiler...fig.py
windows10-2004-x64
3decompiler...ile.py
windows7-x64
3decompiler...ile.py
windows10-2004-x64
3decompiler...ion.py
windows7-x64
3Analysis
-
max time kernel
117s -
max time network
126s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
01-06-2024 13:54
Behavioral task
behavioral1
Sample
decompiler for malware/GeFrost Exucutor.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
decompiler for malware/GeFrost Exucutor.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
decompiler for malware/Grabbers-Deobfuscator-main/deobf.py
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
decompiler for malware/Grabbers-Deobfuscator-main/deobf.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/ben.py
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/ben.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/blank.py
Resource
win7-20240508-en
Behavioral task
behavioral8
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/blank.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/empyrean.py
Resource
win7-20240221-en
Behavioral task
behavioral10
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/empyrean.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral11
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/luna.py
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/luna.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/notobf.py
Resource
win7-20240220-en
Behavioral task
behavioral14
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/notobf.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral15
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/other.py
Resource
win7-20240221-en
Behavioral task
behavioral16
Sample
decompiler for malware/Grabbers-Deobfuscator-main/methods/other.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral17
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/fernflower.jar
Resource
win7-20240221-en
Behavioral task
behavioral18
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/fernflower.jar
Resource
win10v2004-20240426-en
Behavioral task
behavioral19
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas
Resource
ubuntu2204-amd64-20240522.1-en
Behavioral task
behavioral20
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas.exe
Resource
win7-20240221-en
Behavioral task
behavioral21
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral22
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral23
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc.exe
Resource
win7-20240508-en
Behavioral task
behavioral24
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc.exe
Resource
win10v2004-20240508-en
Behavioral task
behavioral25
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx
Resource
ubuntu2404-amd64-20240523-en
Behavioral task
behavioral26
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx.exe
Resource
win7-20240508-en
Behavioral task
behavioral27
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx.exe
Resource
win10v2004-20240426-en
Behavioral task
behavioral28
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/config.py
Resource
win7-20240220-en
Behavioral task
behavioral29
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/config.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral30
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/decompile.py
Resource
win7-20231129-en
Behavioral task
behavioral31
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/decompile.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral32
Sample
decompiler for malware/Grabbers-Deobfuscator-main/utils/deobfuscation.py
Resource
win7-20240221-en
General
-
Target
decompiler for malware/Grabbers-Deobfuscator-main/deobf.py
-
Size
6KB
-
MD5
95a87ab36477b9ddb04e1a8de347b88b
-
SHA1
030928f4e8ef389eed7add5d53d7b6ede3208aa1
-
SHA256
1ba5cfee353c0dcca44b739868d6e90a9cfa8436fbb5cfa4dbdaf03e8e9fc5eb
-
SHA512
69bb8691ba371ce2faea4f2a5079c05c6694eb2e353f7dad9ff29d0ccd0ccd7597d08ae119b70d6c1173b92a317c10aeb84fe738a489634272a7df5cef342917
-
SSDEEP
96:AbzxTlCdC+JU8H7s6pd9rng/mpVt/NSMA8RixUb8RisEP5fAoKqRqhp9:AhZ8bvBgmpHTrBsRqRip9
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\ rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2512 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2512 AcroRd32.exe 2512 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2772 wrote to memory of 2556 2772 cmd.exe rundll32.exe PID 2772 wrote to memory of 2556 2772 cmd.exe rundll32.exe PID 2772 wrote to memory of 2556 2772 cmd.exe rundll32.exe PID 2556 wrote to memory of 2512 2556 rundll32.exe AcroRd32.exe PID 2556 wrote to memory of 2512 2556 rundll32.exe AcroRd32.exe PID 2556 wrote to memory of 2512 2556 rundll32.exe AcroRd32.exe PID 2556 wrote to memory of 2512 2556 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py"1⤵
- Suspicious use of WriteProcessMemory
PID:2772 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2556 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\deobf.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2512
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEventsFilesize
3KB
MD5ab1f4136fb88305b9923b2892f7111ce
SHA1273e11522f5f2b5e7f9d53ee5e0906090dcf6891
SHA256aac22fea6ed8418ebabdca9c974c88d1d4cecf3ce4f9e89a086d3d53d0417b40
SHA5124639ce946697ef7896700ccea8890b0699b1e6b6134293d2c526a1917cb6be0263a76f81f43ede4419d339aee1e8e1af60fa8cd57e239bed33a2f26336dbd80b