488791938a891c2a68efffa2958a1e9da2899c40bd8dde2a81614517a3e15945

Analysis

max time kernel
118s
max time network
124s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
30-06-2024 22:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

TyrantGrabberInstaller.pyc
Size

74KB
MD5

515bfcc258935bf398c60fdbffbb903c
SHA1

c155700f640e50cba218fedd9d2b20846099453e
SHA256

74327fcc2d900b611c739c4f33846e17fea25135eeec5a16c189f9cda0c1f559
SHA512

1f0a3f05e9126c1642ba95408ffc72a0d9cc6fe2e66ed8f01c0871e9f49c8a99cc1c30c5e7128d12325ce4e4734b5ceedf9d6194f0ebf0e34d68be3f47c69b5c
SSDEEP

1536:CKjZq1Wa/hYx/Ys/A/ki5wD66lbcaMrW5N0Y:CAZkWa/WdCsi5ku6D

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\.pyc\ = "pyc_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000_CLASSES\pyc_auto_file\shell\Read\command	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

AcroRd32.exe

pid process

2816 AcroRd32.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

AcroRd32.exe

pid process

2816 AcroRd32.exe
2816 AcroRd32.exe

pid	process
2816	AcroRd32.exe

pid	process
2816	AcroRd32.exe
2816	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2436 wrote to memory of 2640	2436	cmd.exe	rundll32.exe
PID 2436 wrote to memory of 2640	2436	cmd.exe	rundll32.exe
PID 2436 wrote to memory of 2640	2436	cmd.exe	rundll32.exe
PID 2640 wrote to memory of 2816	2640	rundll32.exe	AcroRd32.exe
PID 2640 wrote to memory of 2816	2640	rundll32.exe	AcroRd32.exe
PID 2640 wrote to memory of 2816	2640	rundll32.exe	AcroRd32.exe
PID 2640 wrote to memory of 2816	2640	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\TyrantGrabberInstaller.pyc
1⤵
- Suspicious use of WriteProcessMemory
PID:2436

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\TyrantGrabberInstaller.pyc
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2640

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\TyrantGrabberInstaller.pyc"
3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2816

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Adobe\Acrobat\9.0\SharedDataEvents
Filesize
3KB

MD5
ee021c7a1eb283da2692078c978d0d3c

SHA1
c59b72af7758839afc54840ef7f2249491f2c9a3

SHA256
74e2f8f2e452395ca4e208011bc8bcb616c3189a8dde3b2243348d71c0599ac9

SHA512
36088f842aacf214c1b85435a4f7a7c84673cc78663c0a50a410e72f9012969444e9b3dfccc9bc1fe81b85e1169603209eec136f9322094d92d9a500a954534d

Download Submit