15f5346f636fa7879882f23611d46da7d7fab3e03cf75366f8721fe54804f8fd

Analysis

max time kernel
133s
max time network
130s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyrean-main.zip
Size

458KB
MD5

6535abdad3ba947fa280b8d5f836751b
SHA1

5c7d20d35bcd2049fea5c07ad4d83e4e0e2fb494
SHA256

15f5346f636fa7879882f23611d46da7d7fab3e03cf75366f8721fe54804f8fd
SHA512

5edc1bac7c636d2488578d97544cedd18f61124f2a732b49ffd891aeac00a19af6dc4c42e8e4c9e52f5ae0e908f059219f0ceae698d9084453335877bea132a1
SSDEEP

12288:oHl1OgPc6NQpZZbzYQqKevezSE3l52fsl:oH26CpZNUvezH52w

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2856	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 9 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.py\ = "py_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\.py	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2856	powershell.exe
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2368	7zFM.exe
400	rundll32.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2368	7zFM.exe
Token: 35	2368	7zFM.exe
Token: SeSecurityPrivilege	2368	7zFM.exe
Token: SeDebugPrivilege	2856	powershell.exe
Token: SeSecurityPrivilege	2368	7zFM.exe
Token: SeSecurityPrivilege	2368	7zFM.exe
Token: SeSecurityPrivilege	2368	7zFM.exe

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe
2368	7zFM.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
1772	AcroRd32.exe
1772	AcroRd32.exe
1332	AcroRd32.exe
1332	AcroRd32.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2428	2368	7zFM.exe	31
PID 2368 wrote to memory of 2428	2368	7zFM.exe	31
PID 2368 wrote to memory of 2428	2368	7zFM.exe	31
PID 2368 wrote to memory of 2428	2368	7zFM.exe	31
PID 2368 wrote to memory of 2428	2368	7zFM.exe	31
PID 2428 wrote to memory of 980	2428	cmd.exe	33
PID 2428 wrote to memory of 980	2428	cmd.exe	33
PID 2428 wrote to memory of 980	2428	cmd.exe	33
PID 980 wrote to memory of 2856	980	cmd.exe	34
PID 980 wrote to memory of 2856	980	cmd.exe	34
PID 980 wrote to memory of 2856	980	cmd.exe	34
PID 2368 wrote to memory of 1864	2368	7zFM.exe	35
PID 2368 wrote to memory of 1864	2368	7zFM.exe	35
PID 2368 wrote to memory of 1864	2368	7zFM.exe	35
PID 1864 wrote to memory of 2796	1864	cmd.exe	37
PID 1864 wrote to memory of 2796	1864	cmd.exe	37
PID 1864 wrote to memory of 2796	1864	cmd.exe	37
PID 2368 wrote to memory of 400	2368	7zFM.exe	38
PID 2368 wrote to memory of 400	2368	7zFM.exe	38
PID 2368 wrote to memory of 400	2368	7zFM.exe	38
PID 400 wrote to memory of 1772	400	rundll32.exe	39
PID 400 wrote to memory of 1772	400	rundll32.exe	39
PID 400 wrote to memory of 1772	400	rundll32.exe	39
PID 400 wrote to memory of 1772	400	rundll32.exe	39
PID 2368 wrote to memory of 1332	2368	7zFM.exe	41
PID 2368 wrote to memory of 1332	2368	7zFM.exe	41
PID 2368 wrote to memory of 1332	2368	7zFM.exe	41
PID 2368 wrote to memory of 1332	2368	7zFM.exe	41

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-main.zip"
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO049B1378\install_python.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2428
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:980
  - - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
      4⤵
      Command and Scripting Interpreter: PowerShell
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2856
- C:\Windows\system32\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\7zO04951848\build.bat" "
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1864
- - C:\Windows\system32\mode.com
    mode con: cols=100 lines=30
    3⤵
    PID:2796
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\7zO049660A8\main.py
  2⤵
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of WriteProcessMemory
  PID:400
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO049660A8\main.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    PID:1772
- C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
  "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\7zO049DED88\main.py"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  PID:1332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\7zO04951848\build.bat

Filesize
634B

MD5
947b2de91d99e17ff1bd006f0cb2ec58

SHA1
1058ab07fcef83998f420ff322c1cb08fb4ce0c0

SHA256
2158894b4803edf23d2fe3988fce3ffcd190106204596e38b205c013ac317778

SHA512
7a6356453e1547866fa5db754bda156eeefe4f824daeb7e5961292a047abe443cb0e8d21794016173458d029770d2062fad6c9794b9bc040549a5d24e319fc54

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO049660A8\main.py

Filesize
1KB

MD5
ba1fda5f75f9c66d0cc0c0b8c765f3b5

SHA1
24910918fea9ce6fea7e5fb8789c0af5269d867a

SHA256
babf25f3a055d02fae10d5b68b909bd60cfbb7772eb726bd7d617c488db221d0

SHA512
d9cc84eabd33bafcf0348f2bd9c421baa1559a0a6aa871c66826645fc01fba19491647b93a54baedc6f3e1da1c88546455d0e99b045837a6464494c2953de025

Download Submit
C:\Users\Admin\AppData\Local\Temp\7zO049B1378\install_python.bat

Filesize
686B

MD5
f30718a354e7cc104ea553ce5ae2d486

SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd

SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966

SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Download Submit
C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
3212c92075a0d2c35a74900696c4fb70

SHA1
20f8ac4a134041a04b93c841944f37b0fb5b0caf

SHA256
5e3d8c22d2484c9a6b5625c63253416f1c77abcbb9ee4f21fc0b929c33f9e909

SHA512
3de2cc47be18eeaa867a4d5c38817edfbe412c3a730550a899ea9ebb0032d10196b1067163836735004debf7e24006ebf072644304fc6b23187cec3c3be7c85b

Download Submit
memory/2856-21-0x000000001B680000-0x000000001B962000-memory.dmp

Filesize
2.9MB

Download
memory/2856-22-0x0000000001D90000-0x0000000001D98000-memory.dmp

Filesize
32KB

Download