838b27b272e687aa997515c0aa7ef5c3081643e51f03a4437191f81c39cbdfcd

Analysis

max time kernel
121s
max time network
121s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
09-02-2025 18:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyrean-grabber-fixed-main/src/components/browsers.py
Size

16KB
MD5

1fa5ec2594e7dc5ba902baa17c26c396
SHA1

9cc476e8f5068edde04fb74b8d553b9920bb7e22
SHA256

fcc7ce278bc39a6f36772e45ca5a9c52bc1457bbcb451587c8812fe090fe0e37
SHA512

57ff299400b36ad38fb04728c6416c3b45decc88f6258a5df66bf6bd388575c7ccee5837e0903f44bfb90ff319a9bf6cee046ea316a8f50f365e9418e888b922
SSDEEP

384:ljE+Bs45wvwmzwCN903g6YeNlO3+B73Rk:BE+SYrCN903g6PNlO3+B7K

Score

3^/10

discovery

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AcroRd32.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000_Classes\Local Settings	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2652	AcroRd32.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2652	AcroRd32.exe
2652	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2476 wrote to memory of 2180	2476	cmd.exe	32
PID 2476 wrote to memory of 2180	2476	cmd.exe	32
PID 2476 wrote to memory of 2180	2476	cmd.exe	32
PID 2180 wrote to memory of 2652	2180	rundll32.exe	33
PID 2180 wrote to memory of 2652	2180	rundll32.exe	33
PID 2180 wrote to memory of 2652	2180	rundll32.exe	33
PID 2180 wrote to memory of 2652	2180	rundll32.exe	33

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\empyrean-grabber-fixed-main\src\components\browsers.py
1⤵
- Suspicious use of WriteProcessMemory
PID:2476
- C:\Windows\system32\rundll32.exe
  "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\empyrean-grabber-fixed-main\src\components\browsers.py
  2⤵
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
    "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\empyrean-grabber-fixed-main\src\components\browsers.py"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2652

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents

Filesize
3KB

MD5
2204a2ee6f0648e7ea5bcee2f99d75d6

SHA1
7a4016f45a80cda7a7182a825654b71bc5365905

SHA256
ebb43a8538549122b3a2bc7a9d31326e642efb7beb46e175a6100a099f952958

SHA512
cc06cf84e378ea24fe1dd6c6fd0b9c6164c8a5fc4fe1bfccf49c030fcd6efb502cf7c680157408d0627c0c5274a48db3ec40b22a02428ed2134d8985900896ef

Download Submit