838b27b272e687aa997515c0aa7ef5c3081643e51f03a4437191f81c39cbdfcd

Analysis

max time kernel
122s
max time network
127s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
09-02-2025 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyrean-grabber-fixed-main/src/config.py
Size

197B
MD5

f9db0f9a37e5d0b737dd22c3a0473d6d
SHA1

21b489d27337761e2dd5d6c50f4114ad73777800
SHA256

dc3606aa2b6342da0fe23a0a5859cf2f2be3d4bc0ec49f0dd4c79201db68c541
SHA512

12b32a522d848c76b984182f9827d22aea2e7c282b0f03db7b5d78e121157de6b67ee0e6031a44067c59efa146f1d5515514f9e27232778a56720582b7ec7d1d

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2632	AcroRd32.exe
2632	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2848 wrote to memory of 2952	2848	cmd.exe	31
PID 2848 wrote to memory of 2952	2848	cmd.exe	31
PID 2848 wrote to memory of 2952	2848	cmd.exe	31
PID 2952 wrote to memory of 2632	2952	rundll32.exe	32
PID 2952 wrote to memory of 2632	2952	rundll32.exe	32
PID 2952 wrote to memory of 2632	2952	rundll32.exe	32
PID 2952 wrote to memory of 2632	2952	rundll32.exe	32

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber-fixed-main\src\config.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2848
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber-fixed-main\src\config.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2952
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber-fixed-main\src\config.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2632

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
f3c913dbe0917c8cd883e5c8a6774b54

SHA1
159c767da096fbef95c817cb4c88a1e794781841

SHA256
a25ac9d465191be9ab8adb56bc59c3c0df6d8e2604faac78e909485769ceda0c

SHA512
410a68080bae61b0ba86d85f1a2069fcb4cd5d443a45d217dbd82ef646a47d07249d0be4bc3021a348697234ce51a688e38e5e27ba3c7d905cd71ff5d6dd4140

Download Submit