15f5346f636fa7879882f23611d46da7d7fab3e03cf75366f8721fe54804f8fd

Analysis

max time kernel
118s
max time network
123s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
17-11-2024 13:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyrean-main/src/components/systeminfo.py
Size

6KB
MD5

dacc6629a93a629f2e5e8dd6e6ac8752
SHA1

f0b8436cf7d2e9fcc3d84da50955b82b9817eef4
SHA256

e4aa53a74dbe1a23ddd6b678ef982cb1ce680e50385dba761f5e4971944abf8d
SHA512

5ba2c0a24cb45f306bcc5d91be69f5e2ca90bccae0988874491a5e6018858e0a90f5c5b292365f6662c2f812d156e8dac71297afe395ec813a28a75c577c7e2a
SSDEEP

96:o62a5Q8kjqXmBHyCOMHdpvlGa4sVV2iHhhrqZb+zadcTP9eTnSIf:PQRyGTka/T2oOZazaaL9erj

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2884	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2884	AcroRd32.exe
2884	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2808 wrote to memory of 2696	2808	cmd.exe	31
PID 2696 wrote to memory of 2884	2696	rundll32.exe	32
PID 2696 wrote to memory of 2884	2696	rundll32.exe	32
PID 2696 wrote to memory of 2884	2696	rundll32.exe	32
PID 2696 wrote to memory of 2884	2696	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-main\src\components\systeminfo.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2808
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-main\src\components\systeminfo.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2696
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-main\src\components\systeminfo.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2884

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
1400dbceabe7197e003e2f53c25f8ebc

SHA1
2c7d58f3ccaab0439166c0f0cf04e70083196f31

SHA256
898128e3f06202a8d40cbe9d97a0a5295ea9d360977bb34dba776bbc445cb750

SHA512
6d10e2b32ce0a7e8ccc28373b8f86524d6a71bbde50e6f8bd7963619630c4a59d7bd0dd4e6e5ba27710266c87e24733408fe9cb10c01e33ac400f315bb7fa82d

Download Submit