9af320fdea6b3377958112d106e21edaab089a5dafb76c692870473e3eca48f7

General

Target

empyrean-grabber.zip
Size

448KB
MD5

9fd27fed7b347ada443b5d323f1cc2a7
SHA1

2ae86247a6c29eafeb07a6e783a1afd347c67fd2
SHA256

9af320fdea6b3377958112d106e21edaab089a5dafb76c692870473e3eca48f7
SHA512

b83b54e0b7b1961d7731b51a8b01afb22bcb3918544804177717d143ac8345849ffba8e2eb5a7149f69465bd9669470d36bdd4c5577549ff6bd52764d9fe9d8a
SSDEEP

12288:jTvZhjGirlqv8zvLSe35qPPKWl52Eyfg4N:PBhyvvJe652xI4N

Score

1^/10

Malware Config

Signatures

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3835819470-2031661444-2626789713-1000_Classes\Local Settings	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeRestorePrivilege	2160	7zG.exe
Token: 35	2160	7zG.exe
Token: SeSecurityPrivilege	2160	7zG.exe
Token: SeSecurityPrivilege	2160	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2160	7zG.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4712	OpenWith.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1460 wrote to memory of 2660	1460	cmd.exe	91
PID 1460 wrote to memory of 2660	1460	cmd.exe	91
PID 1460 wrote to memory of 2660	1460	cmd.exe	91
PID 4780 wrote to memory of 1268	4780	cmd.exe	94
PID 4780 wrote to memory of 1268	4780	cmd.exe	94
PID 4780 wrote to memory of 1268	4780	cmd.exe	94
PID 1424 wrote to memory of 2484	1424	cmd.exe	97
PID 1424 wrote to memory of 2484	1424	cmd.exe	97
PID 1424 wrote to memory of 2484	1424	cmd.exe	97
PID 1208 wrote to memory of 1652	1208	cmd.exe	100
PID 1208 wrote to memory of 1652	1208	cmd.exe	100
PID 1208 wrote to memory of 1652	1208	cmd.exe	100
PID 1792 wrote to memory of 1656	1792	cmd.exe	103
PID 1792 wrote to memory of 1656	1792	cmd.exe	103
PID 1792 wrote to memory of 1656	1792	cmd.exe	103
PID 2488 wrote to memory of 3948	2488	cmd.exe	106
PID 2488 wrote to memory of 3948	2488	cmd.exe	106
PID 2488 wrote to memory of 3948	2488	cmd.exe	106
PID 5016 wrote to memory of 3040	5016	cmd.exe	109
PID 5016 wrote to memory of 3040	5016	cmd.exe	109
PID 5016 wrote to memory of 3040	5016	cmd.exe	109
PID 4364 wrote to memory of 4236	4364	cmd.exe	112
PID 4364 wrote to memory of 4236	4364	cmd.exe	112
PID 4364 wrote to memory of 4236	4364	cmd.exe	112

C:\Windows\Explorer.exe
C:\Windows\Explorer.exe /idlist,,C:\Users\Admin\AppData\Local\Temp\empyrean-grabber.zip
1⤵
PID:2332

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3684

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\" -an -ai#7zMap24000:90:7zEvent5476
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2160

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1460
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:2660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4780
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:1268

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:2484

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:1652

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:1792
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:1656

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:2488
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:3948

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:5016
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:3040

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\Desktop\empyrean-grabber\build.bat" "
1⤵
- Suspicious use of WriteProcessMemory
PID:4364
- C:\Program Files\WindowsApps\Microsoft.DesktopAppInstaller_1.0.42251.0_x64__8wekyb3d8bbwe\AppInstallerPythonRedirector.exe
  python main.py
  2⤵
  PID:4236

C:\Windows\System32\NOTEPAD.EXE
"C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\Desktop\empyrean-grabber\build.bat
1⤵
PID:4964

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:4712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
974B

MD5
f4e5b4649ab3f8a369ba717cff8302d0

SHA1
458de7bb899bbc56b6623212fcb881be76ac0a53

SHA256
fec0d0a3864d72967f6270341da6d9bfef35fbdc720fcc4c8d91baa5a5714bea

SHA512
5c72eaddbe0fdebf246c78b26e6473209556e561477a6395b45e6b2ec53228dda844a3b3f42940315f6d27221f75ab76df9327bf34a24453dadb4486fc46b361

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
1KB

MD5
7facf6e639590b6290e6447da118cf54

SHA1
731c303e6300a6b21ede38e4c27d5dad6618e1d7

SHA256
b8e9e19dc2d53706d765b65eb1cf9c39b6e20f8fccadd0124f04b1b78929acbc

SHA512
bfd32a15ac5c8cd3fb3b8340d200a66416e8530413164daa2456627299dd04bf5556db3f419b1ddb14e29f86c068b42b1a5c47abb8595dcdf28b7fd24f813594

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
1KB

MD5
33c8c2c043c64836f6a72f4221b88f6f

SHA1
4beb456509950e3623e0267a6cfe68b121219a8d

SHA256
60f7ef7f30527f16261e5552e3aa1e85b54238eec7506ea144f084bc50b984dc

SHA512
3502c8c667ee209256b35fac89e0e139da0517f089859cc34590b9603bc5b440dc3c58e3cc3c05aaec9c65927e5db180f4c375be4ad7cd0273a916d2953414ce

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
2KB

MD5
c2ca497bd4a503799c8fbba3d82cd76e

SHA1
aeb556899a10543c54c2a51b944215dfdbb0746a

SHA256
0428e5e2af30a18564ab22a9fdf49a60d73a037e5375254f9b0bb7240b53f4e7

SHA512
b8d69b76df37928abd125d1f9c155a4d31169fea423ee3bae121315237928f0525302809a6b2f1ae11878d49d9a44927561cee2d767abca97010848dd67d9485

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
2KB

MD5
b088c18fe702c92f7fd4e9e10cb73cd2

SHA1
4a839042f2e2cf5168310189ff1be0b6d24b0b2c

SHA256
591ca4d29b5741d2ead0b5092bb0aa76d15b19eb94325fab071c856830b98adf

SHA512
f9bb93f1a0593129ff900b47674fc889122ec0cddf00c586fdd0ba124bc25fedecf9f740266fcc3f96b20b8923739958c3ef7d7e61efbd47235aeb5e58a849b6

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
3KB

MD5
62ff161dbd13bf2b2479333c66cf652b

SHA1
f1b543b5589c150a6bcb449f9dd24f5fdc7bc19f

SHA256
c33384fd4963a6ea22550468df6669920017be72bd65bf37bf8b2ee5cbaddd2d

SHA512
d0c5276edc3d1e67b8067c179a3ae813c6a4a9edfd704d472887a47b201e955505115deac85e2690f4f4567d4764155782b4faa9d80acc9838e79552241d88bf

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.DesktopAppInstaller_8wekyb3d8bbwe\TempState\AILog.txt

Filesize
3KB

MD5
9da4fbf99b1edc91b1ea43b8499a2a54

SHA1
033842d91b39e85ad1a773fefa00cf9405567f98

SHA256
00b4a06d1599c7008f483353d8f4fe1c832bcee9cc057b8762a2b01ac454e2dd

SHA512
57b7040150f5ccce151ad34249a21c75a1242c33e95c201a024d87487604b9705078725cd5b208e54eb7b5016a1a35083457f8089e4c3a1c45f23baf8c50c636

Download Submit
C:\Users\Admin\Desktop\empyrean-grabber\build.bat

Filesize
14B

MD5
92a6f2af2e2bf7d6e64b7821f5400d1c

SHA1
ee3e35bf31da9e6616c1c6a663fd19b4d745a279

SHA256
89b15dd343075c7271ec08f848803709a915526e81831af0a9df53577b5155b5

SHA512
57ebb186b961d2e73bfe554f247b53558cd358bba5716578c355a85caf783087495ca15e981bed2c049e4485bb3d5edf413d90b0e16f68ba95bbdc7f26f5b29f

Download Submit

Analysis

Sharing