Overview

overview

10

Static

static

10

empyrean-m...ld.bat

windows10-1703-x64

1

empyrean-m...ain.py

windows10-1703-x64

3

empyrean-m...ild.py

windows10-1703-x64

3

empyrean-m...fig.py

windows10-1703-x64

3

empyrean-m...env.py

windows10-1703-x64

3

empyrean-m...ate.py

windows10-1703-x64

3

empyrean-m...fig.py

windows10-1703-x64

3

empyrean-m...on.bat

windows10-1703-x64

8

empyrean-m...bug.py

windows10-1703-x64

3

empyrean-m...ers.py

windows10-1703-x64

3

empyrean-m...ken.py

windows10-1703-x64

3

empyrean-m...ion.py

windows10-1703-x64

3

empyrean-m...tup.py

windows10-1703-x64

3

empyrean-m...nfo.py

windows10-1703-x64

3

empyrean-m...fig.py

windows10-1703-x64

3

empyrean-m...ain.py

windows10-1703-x64

3

Analysis

  • max time kernel
    316s
  • max time network
    1576s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    25-08-2024 22:36

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    empyrean-main/src/components/browsers.py

  • Size

    11KB

  • MD5

    720067bf62202ab20bd0bdce2404b294

  • SHA1

    7c60970fd79957309b84b4265671ee7ebe7161c0

  • SHA256

    38ddcdaa3f2ac2bbac94d7b34cc708449aec108fd2065f3555053e8916544b77

  • SHA512

    20f10bd12ecac1f3197b7611a4911ce7f232a16432b465bc5346dd1e5c288de56042c6144104d54bc2ee53acc0bf9c98d2baf972a4b4b9aa9ce655080462f0e8

  • SSDEEP

    192:Yo1etBr/e8k03E5YYul25ZXIbHYsq5w/wVbPRfwmbd5NcbtU03vbt2w79G+R5:gzEhFsq5w/wPfwCN903Uw73R5

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 3 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-main\src\components\browsers.py
    1⤵
    • Modifies registry class
    PID:1980
  • C:\Windows\system32\OpenWith.exe
    C:\Windows\system32\OpenWith.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of SetWindowsHookEx
    PID:1384
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:5076
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.0.684109777\348977850" -parentBuildID 20221007134813 -prefsHandle 1704 -prefMapHandle 1692 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {3aac6faa-6a79-4d5c-ad53-b923c7e308cc} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 1780 251d66ced58 gpu
        3⤵
          PID:3104
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.1.2074385776\1906505073" -parentBuildID 20221007134813 -prefsHandle 2124 -prefMapHandle 2120 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {2db91eaa-7d88-414b-98d7-705fd58c1395} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2136 251c4372e58 socket
          3⤵
          • Checks processor information in registry
          PID:3744
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.2.965135030\584936405" -childID 1 -isForBrowser -prefsHandle 2936 -prefMapHandle 2920 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {42e597cf-33b9-4df7-8404-b2c57e8db2b3} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 2948 251da6b6a58 tab
          3⤵
            PID:5020
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.3.125133502\125830641" -childID 2 -isForBrowser -prefsHandle 3444 -prefMapHandle 3428 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {a73d789d-0787-45c5-83e6-338b10177bde} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3476 251dab4e758 tab
            3⤵
              PID:1628
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.4.1474999588\966732574" -childID 3 -isForBrowser -prefsHandle 4268 -prefMapHandle 4300 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {db9b0612-a04f-491a-839b-085d213c7ab8} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 3880 251dc6d7a58 tab
              3⤵
                PID:1696
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.5.44974372\694377132" -childID 4 -isForBrowser -prefsHandle 4752 -prefMapHandle 4724 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {b59fb6fc-aef9-4736-8072-1077ba4bf76f} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4736 251dcce8b58 tab
                3⤵
                  PID:1168
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.6.760087973\1169226602" -childID 5 -isForBrowser -prefsHandle 4920 -prefMapHandle 4924 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {aa3b06fd-9677-4f0c-b90c-018cd06c1008} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 4912 251dcce7058 tab
                  3⤵
                    PID:1344
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.7.1738915502\1604140265" -childID 6 -isForBrowser -prefsHandle 5108 -prefMapHandle 5112 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {f331de02-95d2-4b6f-91f1-45b00bed25ad} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5096 251dd38d158 tab
                    3⤵
                      PID:212
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="4844.8.1326221208\814702686" -childID 7 -isForBrowser -prefsHandle 5300 -prefMapHandle 5304 -prefsLen 26249 -prefMapSize 233444 -jsInitHandle 1312 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {5247354f-e0dc-4829-94d2-0339b5c4c9cf} 4844 "\\.\pipe\gecko-crash-server-pipe.4844" 5164 251de6b3558 tab
                      3⤵
                        PID:2316

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    2KB

                    MD5

                    5bd15502361a77d029ab3702cbfe17f7

                    SHA1

                    cf1c5e4aa2871d31da1a9fecff76cee2d4f28dd0

                    SHA256

                    736cae0d3ffc8453cbf2c62fbe707453913c64702094ca9d952b79b98b3bd770

                    SHA512

                    e24090809a46baa2c553a8125af5e73d1bfd6120b35d67da5a609a32a91a770ffaa192d19e2f4a66b785d6e6a6b672037ce97d1e9d7ef9999096253e1150efaf

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\66928568-d7be-4dcc-b663-afca3a29a903
                    Filesize

                    10KB

                    MD5

                    865a86d01a19c8a88505e485f034def9

                    SHA1

                    7dff9bc9f2e0ecc128c9a1f9366496a8bfe13826

                    SHA256

                    696fbcdd54bcd2c526cb22bbf38101865bf99fe4e5c69d41b3c4782f17f49ceb

                    SHA512

                    8f45514b6cce0f86cdc920af4a75a2672cce4856fa2c1c1c7b262f08e81940f4467002cedbb1ca633d5bda99e8db3f60c04fd93044745defb54b469b830e6260

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\datareporting\glean\pending_pings\da92c9d5-b52e-4450-a369-58faaaac19bc
                    Filesize

                    746B

                    MD5

                    08681c5553fcdee6581f1152d3c915af

                    SHA1

                    79c74ab00c68665354e642a0989f27d9fb5853b3

                    SHA256

                    0df7c5822a9f656d1de6eef0b181aea244e237c4c77a5f383a013ed7b7c97c02

                    SHA512

                    135bc4866f19b57469413da428a6a2e033e4ecbf949282a85ebe30fd48dfee26423d0734a254134bfeedab88f585c6eab8e779473cecd2090d1574f56e90a15d

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    4397be94ea044844d46e3464cd39171b

                    SHA1

                    3d92c7a9d21aded9eb0553ad4d69151100c41b88

                    SHA256

                    fa06c17c9f95ff10aca1a0b288c79d2f215fea68dc3212cd5ee1e3774da20a88

                    SHA512

                    c6bffa51bd1d86e61349ec21a3b0a7492f8419048520e5d59278d18e891bc5c2e2b1efd7f6cdc991b9d34dca87b5f5ed0a7e4f8e398a2b584d73e97551488f92

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    133e5c85c77c6744f0bc1aa5704d60d6

                    SHA1

                    546c90676e32af94e45cd7861ebecda2f4117f10

                    SHA256

                    2e18c5a87458b58e6a01bdc43b42a68825b103955f412fea52a746584419dad9

                    SHA512

                    b5ccad2764a8f67405c4f274904947cd1c47fcf5f9787f44aa4249b3c20f11b4224df72d99d6c8a8d74d53616da03afe71e3ee6c84970d2a1fbd4589ae19d27a

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\sessionstore.jsonlz4
                    Filesize

                    4KB

                    MD5

                    a27119cf2ec2abea27f9b8269c69bcf4

                    SHA1

                    8412a2825466fb4f56a3b54dc80739ab5c027637

                    SHA256

                    25d8a4b22c29b54d2611d2b469a96fd861e1c73d177d28a55cb6709f94064f08

                    SHA512

                    81135d51721cdd68155bfbbf7138d2ded1a9d6c59f944cd33efd482c6ffceab408776a7acc9c8ae1c2a102f7903f2c1ebe135262776f07cdf4d661a423e69412

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wtg1s5j6.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    184KB

                    MD5

                    0d0013d9708d9fef539adc917f5b87f6

                    SHA1

                    5e071e6b4d8abf007c8bb78ee948caf5bb0439e1

                    SHA256

                    f416d29cdbaa66b7d04483831d2a593a735316fafb643414a12df78da0ab054b

                    SHA512

                    851e9965a0fed9e0f5195ce655635cf13687d18678e4a9df807ab22cbc53c02cd2006fd65d93cd80b2a06d709e59122ea9933ba5cec551c6d51f5e9b4c175388

                    Download Submit