Analysis

- max time kernel: 122s
- max time network: 129s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 01-06-2024 13:54
Behavioral tasks (sample, resource)

- behavioral1: decompiler for malware/GeFrost Exucutor.exe (win7-20240221-en)
- behavioral2: decompiler for malware/GeFrost Exucutor.exe (win10v2004-20240426-en)
- behavioral3: decompiler for malware/Grabbers-Deobfuscator-main/deobf.py (win7-20240221-en)
- behavioral4: decompiler for malware/Grabbers-Deobfuscator-main/deobf.py (win10v2004-20240508-en)
- behavioral5: decompiler for malware/Grabbers-Deobfuscator-main/methods/ben.py (win7-20240221-en)
- behavioral6: decompiler for malware/Grabbers-Deobfuscator-main/methods/ben.py (win10v2004-20240426-en)
- behavioral7: decompiler for malware/Grabbers-Deobfuscator-main/methods/blank.py (win7-20240508-en)
- behavioral8: decompiler for malware/Grabbers-Deobfuscator-main/methods/blank.py (win10v2004-20240508-en)
- behavioral9: decompiler for malware/Grabbers-Deobfuscator-main/methods/empyrean.py (win7-20240221-en)
- behavioral10: decompiler for malware/Grabbers-Deobfuscator-main/methods/empyrean.py (win10v2004-20240508-en)
- behavioral11: decompiler for malware/Grabbers-Deobfuscator-main/methods/luna.py (win7-20240215-en)
- behavioral12: decompiler for malware/Grabbers-Deobfuscator-main/methods/luna.py (win10v2004-20240508-en)
- behavioral13: decompiler for malware/Grabbers-Deobfuscator-main/methods/notobf.py (win7-20240220-en)
- behavioral14: decompiler for malware/Grabbers-Deobfuscator-main/methods/notobf.py (win10v2004-20240508-en)
- behavioral15: decompiler for malware/Grabbers-Deobfuscator-main/methods/other.py (win7-20240221-en)
- behavioral16: decompiler for malware/Grabbers-Deobfuscator-main/methods/other.py (win10v2004-20240426-en)
- behavioral17: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/fernflower.jar (win7-20240221-en)
- behavioral18: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/fernflower.jar (win10v2004-20240426-en)
- behavioral19: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas (ubuntu2204-amd64-20240522.1-en)
- behavioral20: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas.exe (win7-20240221-en)
- behavioral21: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdas.exe (win10v2004-20240426-en)
- behavioral22: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc (ubuntu2404-amd64-20240523-en)
- behavioral23: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc.exe (win7-20240508-en)
- behavioral24: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/pycdc.exe (win10v2004-20240508-en)
- behavioral25: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx (ubuntu2404-amd64-20240523-en)
- behavioral26: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx.exe (win7-20240508-en)
- behavioral27: decompiler for malware/Grabbers-Deobfuscator-main/utils/bin/upx.exe (win10v2004-20240426-en)
- behavioral28: decompiler for malware/Grabbers-Deobfuscator-main/utils/config.py (win7-20240220-en)
- behavioral29: decompiler for malware/Grabbers-Deobfuscator-main/utils/config.py (win10v2004-20240508-en)
- behavioral30: decompiler for malware/Grabbers-Deobfuscator-main/utils/decompile.py (win7-20231129-en)
- behavioral31: decompiler for malware/Grabbers-Deobfuscator-main/utils/decompile.py (win10v2004-20240426-en)
- behavioral32: decompiler for malware/Grabbers-Deobfuscator-main/utils/deobfuscation.py (win7-20240221-en)
General

- Target: decompiler for malware/Grabbers-Deobfuscator-main/utils/deobfuscation.py
- Size: 2KB
- MD5: 1c8aa7595dfdeb287c7dd57e7a67b71a
- SHA1: f724297b4405e425bbe0888a6ebf3be3b99ded70
- SHA256: 74db49437d60d5cbb6299c02c42bb496dd65a2b3f0b9fc51c2cebb54d9177ccb
- SHA512: 8f23e1bb13654f8588b6d3700ef469ea141d4a4abaa76005e941ee1c8dbc75425c7e6880248964b88f3c94d4714f62cf623ca01869d03fcec52b78f3b4ddb67a
Malware Config
Signatures

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Process: rundll32.exe
    Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_Classes\Local Settings
    Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py
    Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell
    Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""
    Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file
    Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\
    Set value (str): \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\.py\ = "py_auto_file"
    Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read
    Key created: \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000_CLASSES\py_auto_file\shell\Read\command
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: AcroRd32.exe (PID 2656)
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Process: AcroRd32.exe (PID 2656), 2 occurrences
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 112 (cmd.exe) wrote to memory of PID 2588 (rundll32.exe): 3 occurrences
  PID 2588 (rundll32.exe) wrote to memory of PID 2656 (AcroRd32.exe): 4 occurrences
Processes

- C:\Windows\system32\cmd.exe (PID 112)
  Command line: cmd /c "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\deobfuscation.py"
  - Suspicious use of WriteProcessMemory
  - Child: C:\Windows\system32\rundll32.exe (PID 2588)
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\deobfuscation.py
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - Child: C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe (PID 2656)
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\decompiler for malware\Grabbers-Deobfuscator-main\utils\deobfuscation.py"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads

- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: 22c3f087fdd9a1031c5aa30985be54eb
  SHA1: f0385818cbb6340af27dd4977ece4dde1fddeff8
  SHA256: 0eac9358d43f49b7c8d5cac64db61904a090925869f4b42ad827ddeae24583a8
  SHA512: 58b175d6987237d30f6ff4465f205d16adacbf0334cae5a493e2592a17b38103909c1866039616f1afe4b4bf66aaa1fe4fe9596e308f2768f3f3213faafa2e8c