Analysis
max time kernel: 599s
max time network: 607s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 23/01/2023, 17:23

Static task: static1
Behavioral task: behavioral1
  Sample: Python_Installer/Python_Launcher.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: Python_Installer/Python_Launcher.exe
  Resource: win10v2004-20220812-en
(The results below are from the win10v2004-20220812-en run.)
General
Target: Python_Installer/Python_Launcher.exe
Size: 680.1MB
MD5: ed7c41cd8998c25583d99fb81d1969c1
SHA1: b3b8922108351583f78d4210429bec2759cd03ea
SHA256: 1626ffa2f441e7d85c1de5a59979eb5c2732f126918813a92de6e5d81b1ce3ed
SHA512: 384889f6fa2c0f1fa5605aa241dee6dbfbb23893e008668b514a671cedd38e1a0953f67c9b293312ca6d6cbe4372ddb4893367f832ea7b619cea3b6625cb023c
SSDEEP: 49152:sv21srHHBlsTmcTR/IlhudZcJiWxZhpOgKsXuXdUG66ykRqsjfj:RWrHhlEXTR/MKZbMZhpOWup6/gj
Note on size: a 680 MB launcher that drops a 364.9 MB executable (see Downloads) is far larger than the observed behaviour needs. Sizes like this are typically padding added so the file exceeds the upload limits of online scanners and EDR sample collection (ATT&CK T1027.001, Binary Padding); do not let the size alone argue for a benign installer.
Malware Config
Extracted family: aurora
C2: 79.137.206.138:8081
Signatures

Executes dropped EXE (2 IoCs)
  PID   Process
  1248  yeahprogov.exe
  4220  yeahprogov.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000\Control Panel\International\Geo\Nation
  Process: yeahprogov.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Key created:     \REGISTRY\MACHINE\Software\Microsoft\Windows\CurrentVersion\RunOnce  (Python_Launcher.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""  (Python_Launcher.exe)
  Caveat: this is not the sample's persistence. wextract_cleanup0 is the RunOnce entry that Windows' own WExtract/IExpress self-extracting stub writes so that advpack.dll's DelNodeRunDLL32 export deletes the IXP000.TMP extraction directory at the next logon; it removes the dropped files rather than relaunching them. What it does tell you is that Python_Launcher.exe is a WExtract package wrapping yeahprogov.exe. No Run key pointing at the payload itself appears in this report.

Suspicious use of SetThreadContext (1 IoC)
  PID 1248 (yeahprogov.exe) set the thread context of PID 4220 (procid_target 94)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s). The signature's generic description says "likely ransomware behaviour"; for this sample the extracted config identifies an Aurora payload and no file encryption appears anywhere in this report, so treat the tag as drive enumeration rather than as evidence of ransomware.

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  PID   Process
  3964  powershell.exe  (2 IoCs)
  4808  powershell.exe  (2 IoCs)

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Token             PID   Process
  SeDebugPrivilege  3964  powershell.exe
  SeDebugPrivilege  1248  yeahprogov.exe
  SeDebugPrivilege  4808  powershell.exe

Suspicious use of WriteProcessMemory (23 IoCs)
  The report lists one row per call; they are collapsed here by parent/child pair. The trailing procid_target is the sandbox's internal index for the target process, not a PID. Target image names are taken from the process tree.
  Source PID  Source process       Target PID  Target process  procid_target  Calls
  952         Python_Launcher.exe  1248        yeahprogov.exe  79             3
  1248        yeahprogov.exe       3964        powershell.exe  87             3
  1248        yeahprogov.exe       2200        cmd.exe         91             3
  2200        cmd.exe              4808        powershell.exe  93             3
  1248        yeahprogov.exe       4220        yeahprogov.exe  94             11
  Reading the table: every ordinary parent-to-child creation in this run shows exactly three writes. The eleven writes from PID 1248 into PID 4220, a second instance of its own image, together with the SetThreadContext call on the same target, are the process-hollowing sequence (create the child suspended, overwrite its memory, redirect its main thread, resume). PID 4220 is where the unpacked payload executes.
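The WriteProcessMemory and SetThreadContext rows above are enough to reconstruct who injected into whom without the process tree. The following is an added example, not part of the report or of the sandbox's own tooling: it parses rows in the report's format, counts writes per parent/child pair, and flags a pair as a hollowing candidate when the parent also set the child's thread context and wrote to it more often than the three-write baseline that every plain child creation shows in this run. The rows, the PID-to-image map and the baseline of three are taken from this report; the threshold rule is a choice made for the example.

```python
import re
from collections import Counter

# Rows copied from the report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" signatures (constructed input for this
# example). The trailing number is the sandbox's procid_target index, not a PID.
# Repeats are real: the sandbox emits one row per call.
WRITE_ROWS = """
PID 952 wrote to memory of 1248 952 Python_Launcher.exe 79
PID 952 wrote to memory of 1248 952 Python_Launcher.exe 79
PID 952 wrote to memory of 1248 952 Python_Launcher.exe 79
PID 1248 wrote to memory of 3964 1248 yeahprogov.exe 87
PID 1248 wrote to memory of 3964 1248 yeahprogov.exe 87
PID 1248 wrote to memory of 3964 1248 yeahprogov.exe 87
PID 1248 wrote to memory of 2200 1248 yeahprogov.exe 91
PID 1248 wrote to memory of 2200 1248 yeahprogov.exe 91
PID 1248 wrote to memory of 2200 1248 yeahprogov.exe 91
PID 2200 wrote to memory of 4808 2200 cmd.exe 93
PID 2200 wrote to memory of 4808 2200 cmd.exe 93
PID 2200 wrote to memory of 4808 2200 cmd.exe 93
""" + "PID 1248 wrote to memory of 4220 1248 yeahprogov.exe 94\n" * 11

CONTEXT_ROWS = "PID 1248 set thread context of 4220 1248 yeahprogov.exe 94\n"

# PID -> image name, taken from the report's process tree.
PROCESSES = {
    952: "Python_Launcher.exe",
    1248: "yeahprogov.exe",
    3964: "powershell.exe",
    2200: "cmd.exe",
    4808: "powershell.exe",
    4220: "yeahprogov.exe",
}

WRITE_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+")
CONTEXT_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ \S+ \d+")

# Every plain CreateProcess in this report shows exactly three writes from the
# parent into the new child; more than that means the parent is putting its own
# code into the child. The value is an observation from this run, not a constant
# of the sandbox.
BASELINE_WRITES = 3


def count_writes(rows):
    """(source_pid, target_pid) -> number of WriteProcessMemory calls."""
    counts = Counter()
    for m in WRITE_RE.finditer(rows):
        counts[(int(m.group(1)), int(m.group(2)))] += 1
    return counts


def thread_context_pairs(rows):
    """Set of (source_pid, target_pid) pairs where the source set the target's thread context."""
    return {(int(m.group(1)), int(m.group(2))) for m in CONTEXT_RE.finditer(rows)}


def hollowing_candidates(writes, contexts, processes):
    """Pairs that match CreateProcess(suspended) -> WriteProcessMemory x N ->
    SetThreadContext -> ResumeThread. A parent and child with the same image
    name is the self-hollowing variant seen in this run; it is reported, not required."""
    hits = []
    for (src, dst) in sorted(contexts):
        n = writes.get((src, dst), 0)
        if n > BASELINE_WRITES:
            hits.append({
                "parent": src,
                "child": dst,
                "parent_image": processes.get(src, "?"),
                "child_image": processes.get(dst, "?"),
                "writes": n,
                "same_image": processes.get(src) == processes.get(dst),
            })
    return hits


def parent_child_edges(writes):
    """Process-tree edges implied by the write rows, one (parent, child) per pair."""
    return sorted(writes)


if __name__ == "__main__":
    writes = count_writes(WRITE_ROWS)
    print("edges:", parent_child_edges(writes))
    for hit in hollowing_candidates(writes, thread_context_pairs(CONTEXT_ROWS), PROCESSES):
        print("hollowing candidate:", hit)
```

The same parser applied to another report would also surface the more common cross-image case (a dropper writing into a freshly started svchost.exe or RegAsm.exe); the same_image field only records which variant was seen.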
Processes

1  C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\Python_Installer\Python_Launcher.exe"
   PID: 952
   - Adds Run key to start application
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe
      PID: 1248
      - Executes dropped EXE
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ENC cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==
         Decoded -ENC argument (base64 of the script's UTF-16LE bytes): start-sleep -seconds 37
         PID: 3964
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\cmd.exe
         Command line: "C:\Windows\System32\cmd.exe" /c powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
         PID: 2200
         - Suspicious use of WriteProcessMemory

         4  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
            Command line: powershell -ENC cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==
            Decoded -ENC argument: set-mppreference -exclusionpath C:\
            PID: 4808
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken

      3  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe
         Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\yeahprogov.exe
         PID: 4220
         - Executes dropped EXE

Notes on the tree:
- The leading number is the depth in the tree (the report's "1⤵", "2⤵" markers).
- The command lines name System32 but the images ran from SysWOW64: yeahprogov.exe is a 32-bit process (the resource tags include arch:x86), so WOW64 file-system redirection sends its System32 references to the 32-bit copies of cmd.exe and powershell.exe. When hunting for this chain, match on either path.
- PID 3964 does nothing but sleep for 37 seconds, most likely a delay aimed at sandboxes with short analysis windows; this run lasted 599 s, so the rest of the chain was still observed.
- PID 4808 runs Set-MpPreference -ExclusionPath C:\, which excludes the entire system drive from Microsoft Defender scanning. On a host suspected of running this chain, check the ExclusionPath property of Get-MpPreference and look for Defender operational event ID 5007 (configuration changed); an exclusion for the root of the system drive has no legitimate administrative use.
- PID 4220 is the second copy of yeahprogov.exe, the one PID 1248 wrote into eleven times and whose thread context it set. The injected payload runs there, so 4220, not 1248, is the process to dump for memory analysis.
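The two PowerShell children carry their scripts as -ENC arguments, which powershell.exe reads as base64 of the script's UTF-16LE encoding. The following is an added example, not part of the report or of any sandbox tooling: it extracts the -EncodedCommand argument (and the abbreviations powershell.exe accepts for it) from command lines in the form the tree shows, decodes the script, and tags what it does. The command lines are copied from the tree above; the indicator patterns are this example's own, written for the two commands in this run plus the usual Set-MpPreference tampering forms.

```python
import base64
import binascii
import re

# Command lines copied from the report's process tree (constructed input for this example).
COMMAND_LINES = [
    '"C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe" -ENC '
    'cwB0AGEAcgB0AC0AcwBsAGUAZQBwACAALQBzAGUAYwBvAG4AZABzACAAMwA3AA==',
    '"C:\\Windows\\System32\\cmd.exe" /c powershell -ENC '
    'cwBlAHQALQBtAHAAcAByAGUAZgBlAHIAZQBuAGMAZQAgAC0AZQB4AGMAbAB1AHMAaQBvAG4AcABhAHQAaAAgAEMAOgBcAA==',
]

# Any "-e..." switch followed by a base64-looking token. Which of those switches
# really is -EncodedCommand is decided by _is_encoded_flag below, so that
# -ExecutionPolicy and -ErrorAction are not mistaken for it.
FLAG_RE = re.compile(r"(?i)(?:^|\s)-(e[a-z]*)\s+([A-Za-z0-9+/=]{4,})")

# Indicators for the decoded script. These patterns belong to this example.
INDICATORS = {
    "defender_exclusion": re.compile(r"(?i)\bset-mppreference\b.*-exclusion(?:path|process|extension)\b"),
    "defender_disable": re.compile(r"(?i)\bset-mppreference\b.*-disable\w+\s+\$?true\b"),
    "sleep_delay": re.compile(r"(?i)\bstart-sleep\b"),
}


def _is_encoded_flag(flag):
    """powershell.exe accepts -EncodedCommand, any unambiguous prefix of it (-e, -en, -enc, ...)
    and the special short form -ec."""
    flag = flag.lower()
    return flag == "ec" or "encodedcommand".startswith(flag)


def decode_encoded_command(cmdline):
    """Return the script carried by -EncodedCommand, or None if the command line has none
    or the payload is not valid base64 / UTF-16LE."""
    for m in FLAG_RE.finditer(cmdline):
        if not _is_encoded_flag(m.group(1)):
            continue
        try:
            return base64.b64decode(m.group(2), validate=True).decode("utf-16-le")
        except (binascii.Error, UnicodeDecodeError):
            return None  # malformed payload; real tooling should keep the raw argument
    return None


def classify(script):
    """Names of the indicators that match the decoded script, sorted."""
    return sorted(name for name, rx in INDICATORS.items() if rx.search(script))


def triage(cmdlines):
    """(decoded script, indicators) for every command line that carries an encoded command."""
    results = []
    for c in cmdlines:
        script = decode_encoded_command(c)
        if script is not None:
            results.append((script, classify(script)))
    return results


if __name__ == "__main__":
    for script, tags in triage(COMMAND_LINES):
        print(f"{tags}: {script}")
```

The same function can be run over Sysmon event 1 or Windows Security 4688 command lines; in this chain the interesting hit is the second one, since a Defender exclusion for the whole system drive is set a few seconds before the hollowed yeahprogov.exe copy is started.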
Network
MITRE ATT&CK Enterprise v6
Downloads

Filesize: 1KB
MD5:    6195a91754effb4df74dbc72cdf4f7a6
SHA1:   aba262f5726c6d77659fe0d3195e36a85046b427
SHA256: 3254495a5513b37a2686a876d0040275414699e7ce760e7b5ee05e41a54b96f5
SHA512: ed723d15de267390dc93263538428e2c881be3494c996a810616b470d6df7d5acfcc8725687d5c50319ebef45caef44f769bfc32e0dc3abd249dacff4a12cc89

Filesize: 53KB
MD5:    06ad34f9739c5159b4d92d702545bd49
SHA1:   9152a0d4f153f3f40f7e606be75f81b582ee0c17
SHA256: 474813b625f00710f29fa3b488235a6a22201851efb336bddf60d7d24a66bfba
SHA512: c272cd28ae164d465b779163ba9eca6a28261376414c6bbdfbd9f2128adb7f7ff1420e536b4d6000d0301ded2ec9036bc5c657588458bff41f176bdce8d74f92

Filesize: 16KB
MD5:    ac3ad4ad47f85e3a95919ee24659a31a
SHA1:   f30d6d945a5367419abea40bc9c2f79279b26234
SHA256: 49c6d777967bb3424a6302ce176534cb7e6091ac42108e615a0ae1e69def2bfa
SHA512: 5b32bc4f35c0abd913551bfbc96fa08d69e067826530fc902b624accb88af3c0efa752364ecb813a5cbf9e06c0e77f38bfa17e3407305bfafac83d3344d98512

Filesize: 364.9MB (one file; the report lists this entry three times with identical hashes)
MD5:    b8f4d297ca8d6fd0c502d13477a0c02a
SHA1:   08ac6d6451698354f9204a2ac80751e7572f0e0e
SHA256: 62ee6a526bf001a942c8af9c4afb3b4ec243b1d566fd0b83c950dcdf02ff836d
SHA512: 497633af662c117eadb373ce055a72b91412ee861355321a63ea14712b34c56752c4ecfd423ee3705d02288f14f9fcfb11243876dd5335852d8ea4009ffef1b1