hxxps://inspector[.]pypi[.]io/project/colorlibs/0[.]0[.]1/packages/8d/c6/12aead7bfe92588f4114754a0a9b5b8a4927747bc5108c877fc2142122b9/colorlibs-0[.]0[.]1-py3-none-any[.]whl/colorlibs/color[.]py

Analysis

max time kernel
1800s
max time network
1693s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
01-04-2023 22:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

https://inspector.pypi.io/project/colorlibs/0.0.1/packages/8d/c6/12aead7bfe92588f4114754a0a9b5b8a4927747bc5108c877fc2142122b9/colorlibs-0.0.1-py3-none-any.whl/colorlibs/color.py

Score

1^/10

Malware Config

Signatures

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName	chrome.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	chrome.exe

Modifies data under HKEY_USERS 2 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\Cryptography\TPM\Telemetry	chrome.exe
Set value (int)	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Cryptography\TPM\Telemetry\TraceTimeLast = "133248689694147029"	chrome.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
2372	chrome.exe
2372	chrome.exe

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary 2 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe
Token: SeShutdownPrivilege	4408	chrome.exe
Token: SeCreatePagefilePrivilege	4408	chrome.exe

Suspicious use of FindShellTrayWindow 26 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe

Suspicious use of SendNotifyMessage 24 IoCs

pid	Process
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe
4408	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4408 wrote to memory of 4820	4408	chrome.exe	86
PID 4408 wrote to memory of 4820	4408	chrome.exe	86
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 1628	4408	chrome.exe	87
PID 4408 wrote to memory of 4908	4408	chrome.exe	88
PID 4408 wrote to memory of 4908	4408	chrome.exe	88
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89
PID 4408 wrote to memory of 5076	4408	chrome.exe	89

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" "--simulate-outdated-no-au='Tue, 31 Dec 2099 23:59:59 GMT'" https://inspector.pypi.io/project/colorlibs/0.0.1/packages/8d/c6/12aead7bfe92588f4114754a0a9b5b8a4927747bc5108c877fc2142122b9/colorlibs-0.0.1-py3-none-any.whl/colorlibs/color.py
1⤵
- Enumerates system info in registry
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4408
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Google\Chrome\User Data" --url=https://clients2.google.com/cr/report --annotation=channel= --annotation=plat=Win64 --annotation=prod=Chrome --annotation=ver=106.0.5249.119 --initial-client-data=0xfc,0x100,0x104,0xd8,0x108,0x7ffd9ab99758,0x7ffd9ab99768,0x7ffd9ab99778
  2⤵
  PID:4820
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1780 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:2
  2⤵
  PID:1628
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2164 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:8
  2⤵
  PID:4908
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=1244 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:8
  2⤵
  PID:5076
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --first-renderer-process --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=6 --mojo-platform-channel-handle=3064 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:1
  2⤵
  PID:224
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --lang=en-US --device-scale-factor=1 --num-raster-threads=2 --enable-main-frame-before-activation --renderer-client-id=5 --mojo-platform-channel-handle=3084 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:1
  2⤵
  PID:116
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.ProcessorMetrics --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=4968 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:8
  2⤵
  PID:2588
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3776 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:8
  2⤵
  PID:4980
- C:\Program Files\Google\Chrome\Application\chrome.exe
  "C:\Program Files\Google\Chrome\Application\chrome.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=5140 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=4320 --field-trial-handle=1852,i,9007715758521814248,18232531055305105174,131072 /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:2372

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
PID:4900

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Code Cache\js\index-dir\the-real-index

Filesize
72B

MD5
9adc1bd2293c7d55fc95829c0241a6bf

SHA1
0607c448b8ef3a37de5ac55e4d2d3a01fc4137ee

SHA256
598edf138a6b61fc5838791810d0da791973475704c9878723a33edeea9ceb31

SHA512
08e5749429139a01254cb1b7346db8f4b28cbcd9e7aa83eeb6f450e5dff4c4a097404a1d3e223fd38cc64ad53f3e4054de5f1a66655823aaec2f9bfe960388be

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
f5667ea4d1af63b7faeb50741e31a8c4

SHA1
9aac9e4f68813d6e4542aee34f826f4b01e88b24

SHA256
d5acc80fd8efcb3fbe55a4acc48de968f9adf249e36834fb69f3d4e916fa56c6

SHA512
55bcc81c8bcadac50c9bf3a3b287d5a4b27079325fee8cc1de3cf954f2506ddc65fc6f212a8f5f226fa8f2026b230914f6264dc11a61d3e2fb4ade07b95e7122

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
fe1d3b72714fc378e2b53cafa338b4f9

SHA1
79c64d2b42d7f46865b343cf0e9c8806deb15a5e

SHA256
308149afe6d1577d09b5451905a0618c47e171d4d5443197bf6a2152dc292660

SHA512
05155dbac105d9e912272ee281d62589dbffb01b6198775c511bab2da19ac36e48d80d480620d44af0a251ecba119c180e241208a583557f1c4df00dc45a812f

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
4KB

MD5
6e8cfe2cdd4ba5d93b62d3111d73226e

SHA1
fdbea3a14000b92ab10b61def6fb326725520efb

SHA256
3b02827fb6873dcc9f9e70d365171ca3c4d82c35dd861e6542b1d262d8798ebd

SHA512
cdf8a5aa680dbdaac1f8312d36867d6ea0d7663c0c4b5de1a2a54ca8caf37aacc6fd9e46f1b08233b48fa069fb8c6542f626736a0b3afc1334ca988f3d42f29c

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Local State

Filesize
173KB

MD5
b5cf5cba808ea652197f97d0457bf022

SHA1
90794d6f18290396f1fcf605115aa4a1ccf61691

SHA256
0bbdfa8090f0cf13bcda1e06423d28bbaaaf5dd2ec543db27cbd343658866867

SHA512
5c76b395562cc5ee10ccb94f5a8281d55574ee6146e6daf05c25ca4f55d281791d6fa6af9b780829d20c2a194d261a8aa48ddc0647d0c2662cf7898bdaab5d97

Download Submit