Analysis
  max time kernel: 117s
  max time network: 147s
  platform: windows7_x64
  resource: win7-20220812-en
  resource tags: arch:x64, arch:x86, image:win7-20220812-en, locale:en-us, os:windows7-x64, system
  submitted: 23/01/2023, 17:23

Static task: static1

Behavioral task: behavioral1
  Sample: Python_Installer/Python_Launcher.exe
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: Python_Installer/Python_Launcher.exe
  Resource: win10v2004-20220812-en
General
  Target: Python_Installer/Python_Launcher.exe
  Size: 680.1MB
  MD5: ed7c41cd8998c25583d99fb81d1969c1
  SHA1: b3b8922108351583f78d4210429bec2759cd03ea
  SHA256: 1626ffa2f441e7d85c1de5a59979eb5c2732f126918813a92de6e5d81b1ce3ed
  SHA512: 384889f6fa2c0f1fa5605aa241dee6dbfbb23893e008668b514a671cedd38e1a0953f67c9b293312ca6d6cbe4372ddb4893367f832ea7b619cea3b6625cb023c
  SSDEEP: 49152:sv21srHHBlsTmcTR/IlhudZcJiWxZhpOgKsXuXdUG66ykRqsjfj:RWrHhlEXTR/MKZbMZhpOWup6/gj
Malware Config
  Extracted family: aurora
  Address: 79.137.206.138:8081
Signatures

Executes dropped EXE (2 IoCs)
  pid   Process
  696   yeahprogov.exe
  1924  yeahprogov.exe

Loads dropped DLL (1 IoC)
  pid   Process
  696   yeahprogov.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                                                          Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  Python_Launcher.exe
  Key created      \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce                                                                                                                         Python_Launcher.exe

Suspicious use of SetThreadContext (1 IoC)
  description                           pid   Process         procid_target
  PID 696 set thread context of 1924    696   yeahprogov.exe  32

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid   Process
  964   powershell.exe
  1184  powershell.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description               pid   Process
  Token: SeDebugPrivilege   964   powershell.exe
  Token: SeDebugPrivilege   1184  powershell.exe
  Token: SeDebugPrivilege   696   yeahprogov.exe

Suspicious use of WriteProcessMemory (28 IoCs; identical rows collapsed, count in parentheses)
  description                        pid   Process              procid_target
  PID 1460 wrote to memory of 696    1460  Python_Launcher.exe  26   (x4)
  PID 696 wrote to memory of 964     696   yeahprogov.exe       27   (x4)
  PID 696 wrote to memory of 468     696   yeahprogov.exe       29   (x4)
  PID 468 wrote to memory of 1184    468   cmd.exe              31   (x4)
  PID 696 wrote to memory of 1924    696   yeahprogov.exe       32   (x12)
Processes

[1] C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe (PID 1460)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe"
    - Adds Run key to start application
    - Suspicious use of WriteProcessMemory

  [2] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe (PID 696)
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

    [3] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 964)
        Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==
        (the -ENC argument is base64-encoded UTF-16LE and decodes to: start-sleep -seconds 37)
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken

    [3] C:\Windows\SysWOW64\cmd.exe (PID 468)
        Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
        (the -ENC argument decodes to: set-mppreference -exclusionpath C:\ , i.e. a Windows Defender exclusion covering the whole system drive)
        - Suspicious use of WriteProcessMemory

      [4] C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1184)
          Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
          - Suspicious behavior: EnumeratesProcesses
          - Suspicious use of AdjustPrivilegeToken

    [3] C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe (PID 1924)
        Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe
        - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v6
Downloads