Analysis
- max time kernel: 118s
- max time network: 124s
- platform: windows7_x64
- resource: win7-20240611-en
- resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- submitted: 30-06-2024 22:01
Behavioral tasks
- behavioral1: sample TyrantGrabberInstaller.exe, resource win7-20240508-en
- behavioral2: sample TyrantGrabberInstaller.exe, resource win10v2004-20240611-en
- behavioral3: sample TyrantGrabberInstaller.pyc, resource win7-20240611-en
- behavioral4: sample TyrantGrabberInstaller.pyc, resource win10v2004-20240508-en
General
- Target: TyrantGrabberInstaller.pyc
- Size: 74KB
- MD5: 515bfcc258935bf398c60fdbffbb903c
- SHA1: c155700f640e50cba218fedd9d2b20846099453e
- SHA256: 74327fcc2d900b611c739c4f33846e17fea25135eeec5a16c189f9cda0c1f559
- SHA512: 1f0a3f05e9126c1642ba95408ffc72a0d9cc6fe2e66ed8f01c0871e9f49c8a99cc1c30c5e7128d12325ce4e4734b5ceedf9d6194f0ebf0e34d68be3f47c69b5c
- SSDEEP: 1536:CKjZq1Wa/hYx/Ys/A/ki5wD66lbcaMrW5N0Y:CAZkWa/WdCsi5ku6D
Malware Config
Signatures
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (9 IoCs)
  Processes: rundll32.exe
  description | ioc | process
  Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\ | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc | rundll32.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc\ = "pyc_auto_file" | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell | rundll32.exe
  Key created | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command | rundll32.exe
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes: AcroRd32.exe
  pid | process
  2816 | AcroRd32.exe
- Suspicious use of SetWindowsHookEx (2 IoCs)
  Processes: AcroRd32.exe
  pid | process
  2816 | AcroRd32.exe
  2816 | AcroRd32.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes: cmd.exe, rundll32.exe
  description | pid | process | target process
  PID 2436 wrote to memory of 2640 | 2436 | cmd.exe | rundll32.exe
  PID 2436 wrote to memory of 2640 | 2436 | cmd.exe | rundll32.exe
  PID 2436 wrote to memory of 2640 | 2436 | cmd.exe | rundll32.exe
  PID 2640 wrote to memory of 2816 | 2640 | rundll32.exe | AcroRd32.exe
  PID 2640 wrote to memory of 2816 | 2640 | rundll32.exe | AcroRd32.exe
  PID 2640 wrote to memory of 2816 | 2640 | rundll32.exe | AcroRd32.exe
  PID 2640 wrote to memory of 2816 | 2640 | rundll32.exe | AcroRd32.exe
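All nine registry writes in the "Modifies registry class" signature sit under the user's Classes hive and are made by rundll32.exe. That is the footprint of the Windows Open With dialog (shell32.dll,OpenAs_RunDLL, hosted by rundll32) when a program is chosen for an extension that has no handler: it creates a per-user `<ext>_auto_file` ProgID, points the extension at it, and writes a `shell\<verb>\command` value for the chosen program, here Adobe Reader for `.pyc`. The script below is an added example, not part of this report or of the sandbox's tooling: it parses IoC rows of this shape, recovers extension-to-handler associations, and flags those matching the Open With pattern so they are not mistaken for an extension hijack by the sample. `SAMPLE_IOCS` copies the rows above and appends two constructed rows for a hypothetical `sample.exe` registering itself for `.txt` (not from the report) as the negative case; the regexes and function names are this example's own.

```python
"""Turn sandbox 'Modifies registry class' rows into file-association changes
and flag the ones written the way the Windows Open With dialog writes them.
Added example; not code from the sandbox or the report."""
import re
from typing import Dict, Iterable, Optional

# Rows copied from this report (writer rundll32.exe) plus two constructed rows
# for a hypothetical sample.exe that registers itself for .txt (not in the report).
SAMPLE_IOCS = r"""
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\ rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc\ = "pyc_auto_file" rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell rundll32.exe
Key created \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command rundll32.exe
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.txt\ = "txtfile" sample.exe
Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\txtfile\shell\open\command\ = "\"C:\\Users\\Admin\\AppData\\Roaming\\sample.exe\" \"%1\"" sample.exe
"""

# 'Set value (<type>) <key>\ = "<value>" <process>'; 'Key created' rows carry nothing we need.
SET_VALUE_RE = re.compile(r'^Set value \(\w+\) (.+?)\\ = "(.*)" (\S+)$')


def _unescape(value: str) -> str:
    """Undo the report's escaping of quotes and backslashes inside a value."""
    return value.replace('\\"', '"').replace('\\\\', '\\')


def _handler_exe(command: str) -> Optional[str]:
    """Executable name from a shell command template such as '"C:\\x\\y.exe" "%1"'."""
    m = re.match(r'"([^"]+)"|(\S+)', command)
    if not m:
        return None
    return (m.group(1) or m.group(2)).rsplit("\\", 1)[-1]


def open_with_associations(lines: Iterable[str]) -> Dict[str, dict]:
    """Map each extension written under HKCU\\...\\Classes to its ProgID, verb,
    command line, handler executable, writing process, and whether the write
    matches the Open With dialog's pattern (rundll32 creating <ext>_auto_file)."""
    ext_to_progid: Dict[str, tuple] = {}   # ".pyc" -> (progid, writer)
    progid_to_cmd: Dict[str, tuple] = {}   # "pyc_auto_file" -> (verb, command, writer)
    for line in lines:
        m = SET_VALUE_RE.match(line.strip())
        if not m:
            continue
        key, value, proc = m.groups()
        parts = key.split("\\")
        if parts[-1].startswith(".") and value:
            # ...\Classes\.pyc default value names the ProgID
            ext_to_progid[parts[-1].lower()] = (value, proc)
        elif len(parts) >= 4 and parts[-1] == "command" and parts[-3] == "shell":
            # ...\Classes\<progid>\shell\<verb>\command default value is the command line
            progid_to_cmd[parts[-4]] = (parts[-2], _unescape(value), proc)
    result: Dict[str, dict] = {}
    for ext, (progid, writer) in ext_to_progid.items():
        verb, command, _ = progid_to_cmd.get(progid, (None, None, None))
        result[ext] = {
            "progid": progid,
            "verb": verb,
            "command": command,
            "handler": _handler_exe(command) if command else None,
            "writer": writer,
            # The Open With dialog runs as rundll32 (shell32!OpenAs_RunDLL) and names
            # its per-user ProgIDs <ext>_auto_file; a sample hijacking an extension
            # writes under its own process name and picks its own ProgID.
            "open_with_artifact": writer.lower() == "rundll32.exe" and progid.endswith("_auto_file"),
        }
    return result


if __name__ == "__main__":
    for ext, assoc in open_with_associations(SAMPLE_IOCS.splitlines()).items():
        print(ext, "->", assoc["handler"], "(writer:", assoc["writer"] + ")",
              "Open With artifact" if assoc["open_with_artifact"] else "NOT Open With")
```

The rule is deliberately narrow: it only clears writes made by rundll32.exe to an `_auto_file` ProgID. Anything else touching `HKCU\Software\Classes\<ext>` or `shell\<verb>\command` should still be read as a possible association hijack.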
Processes
- C:\Windows\system32\cmd.exe
  cmd /c C:\Users\Admin\AppData\Local\Temp\TyrantGrabberInstaller.pyc
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TyrantGrabberInstaller.pyc
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TyrantGrabberInstaller.pyc"
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of SetWindowsHookEx
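The process tree explains why this run recorded nothing Python-related. `cmd /c` on a `.pyc` hands the file to the shell, the image has no handler for that extension, so shell32's OpenAs_RunDLL (hosted in rundll32.exe) raised the Open With dialog; the choice made there was Adobe Reader, which then opened the bytecode as a document. The registry writes and the AcroRd32 window hooks are side effects of that path, not of the sample. Before re-running such a sample on a host that has an interpreter, read the file's header to learn which CPython produced it, since the interpreter or decompiler has to match. The script below is an added example for that check, not code from this report or the sandbox; the inputs it is exercised with are constructed headers, not bytes of TyrantGrabberInstaller.pyc, and the magic table lists only final 3.x releases (values from CPython's Lib/importlib/_bootstrap_external.py).

```python
"""Parse a CPython .pyc header to identify the producing interpreter and
where the marshalled code object starts. Added example; the sample bytes
are constructed in make_header(), not taken from any real file."""
import struct

# 16-bit magic (the two bytes before b"\r\n") of each final 3.x release.
MAGIC_TO_VERSION = {
    3379: "3.6", 3394: "3.7", 3413: "3.8", 3425: "3.9",
    3439: "3.10", 3495: "3.11", 3531: "3.12", 3571: "3.13",
}
SIZE_FIELD_MAGIC = 3210     # 3.3a0: source-size field added, header becomes 12 bytes
PEP552_FIRST_MAGIC = 3392   # 3.7a4: 32-bit flags word added (PEP 552), header becomes 16 bytes
PY2_MAGIC_FLOOR = 20000     # Python 1.x/2.x numbering (2.7 = 62211); 8-byte header


def is_pyc(data: bytes) -> bool:
    """Cheap format check: every CPython .pyc has b"\\r\\n" at offset 2."""
    return len(data) >= 8 and data[2:4] == b"\r\n"


def _need(data: bytes, n: int) -> None:
    if len(data) < n:
        raise ValueError(f"truncated header: need {n} bytes, have {len(data)}")


def parse_pyc_header(data: bytes) -> dict:
    """Return magic, version, source-provenance fields and the offset of the
    marshalled code object. Raises ValueError if data is not a .pyc."""
    if not is_pyc(data):
        raise ValueError("not a CPython .pyc (no b'\\r\\n' magic trailer)")
    magic = struct.unpack("<H", data[:2])[0]
    info = {"magic": magic, "version": MAGIC_TO_VERSION.get(magic), "hash_based": False}
    if magic >= PY2_MAGIC_FLOOR:
        info["version"] = "2.x"
    if magic >= PY2_MAGIC_FLOOR or magic < SIZE_FIELD_MAGIC:
        # Python 2 and 3.0-3.2: magic + mtime, code object at offset 8
        info["source_mtime"] = struct.unpack("<I", data[4:8])[0]
        info["code_offset"] = 8
    elif magic < PEP552_FIRST_MAGIC:
        # 3.3-3.6: magic + mtime + source size, code object at offset 12
        _need(data, 12)
        info["source_mtime"], info["source_size"] = struct.unpack("<II", data[4:12])
        info["code_offset"] = 12
    else:
        # 3.7+: magic + flags + (8-byte source hash | mtime + size), code at offset 16
        _need(data, 16)
        flags = struct.unpack("<I", data[4:8])[0]
        info["hash_based"] = bool(flags & 1)     # bit 0: hash-based pyc
        info["check_source"] = bool(flags & 2)   # bit 1: checked against source at import
        if flags & 1:
            info["source_hash"] = data[8:16].hex()
        else:
            info["source_mtime"], info["source_size"] = struct.unpack("<II", data[8:16])
        info["code_offset"] = 16
    return info


def make_header(magic: int, *, mtime: int = 0, size: int = 0,
                flags: int = 0, source_hash: bytes = b"") -> bytes:
    """Construct a header of the right shape for the given magic (test input)."""
    head = struct.pack("<H", magic) + b"\r\n"
    if magic >= PY2_MAGIC_FLOOR or magic < SIZE_FIELD_MAGIC:
        return head + struct.pack("<I", mtime)
    if magic >= PEP552_FIRST_MAGIC:
        head += struct.pack("<I", flags)
        if flags & 1:
            return head + source_hash.ljust(8, b"\0")[:8]
    return head + struct.pack("<II", mtime, size)


if __name__ == "__main__":
    # Constructed inputs: a 3.11 timestamp-based header, a 3.8 hash-based header,
    # and the start of a PDF, which is what Adobe Reader would have expected.
    for blob in (make_header(3495, mtime=1719784860, size=74 * 1024),
                 make_header(3413, flags=3, source_hash=bytes(range(8))),
                 b"%PDF-1.4\n"):
        try:
            print(parse_pyc_header(blob))
        except ValueError as exc:
            print("skipped:", exc)
```

On a real sample, read the first 16 bytes of the file and pass them to `parse_pyc_header`; `code_offset` is where `marshal.loads` would start if you go on to inspect the code object with a matching interpreter.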
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
  Filesize: 3KB
  MD5: ee021c7a1eb283da2692078c978d0d3c
  SHA1: c59b72af7758839afc54840ef7f2249491f2c9a3
  SHA256: 74e2f8f2e452395ca4e208011bc8bcb616c3189a8dde3b2243348d71c0599ac9
  SHA512: 36088f842aacf214c1b85435a4f7a7c84673cc78663c0a50a410e72f9012969444e9b3dfccc9bc1fe81b85e1169603209eec136f9322094d92d9a500a954534d