328a257f189cb500606bb26ab0fbdd298ed0e05d8c36540a322a1744f489a0a0

Analysis

max time kernel
28s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
13/06/2023, 19:59

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

python-3.8.6-amd64.exe
Size

26.8MB
MD5

2acba3117582c5177cdd28b91bbe9ac9
SHA1

ef21b38eb1d3aa1d9e2a7b75d18109cfa8d41038
SHA256

328a257f189cb500606bb26ab0fbdd298ed0e05d8c36540a322a1744f489a0a0
SHA512

f5a0726fb9fb02755f02f13f83617d200d8fdc9a00e431e3a6a2e27388faa94b83a8713eba59ddda8bbc217b346dc557a1a7f88307bcf444bbd1dea01021b9ea
SSDEEP

393216:fx1WmX4/PvCjYdQdoqQkENQJPS6OYb0H5y3TE3j/AWfGPgcelBsyjyMcKk3Xmhrf:fHlkyYdOohXF6xbmyDEz/bGcjyPmhOfa

Score

4^/10

discovery

Malware Config

Signatures

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Executes dropped EXE 1 IoCs

pid	Process
1488	python-3.8.6-amd64.exe

Loads dropped DLL 2 IoCs

pid	Process
1316	python-3.8.6-amd64.exe
1488	python-3.8.6-amd64.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1316 wrote to memory of 1488	1316	python-3.8.6-amd64.exe	28
PID 1316 wrote to memory of 1488	1316	python-3.8.6-amd64.exe	28
PID 1316 wrote to memory of 1488	1316	python-3.8.6-amd64.exe	28
PID 1316 wrote to memory of 1488	1316	python-3.8.6-amd64.exe	28
PID 1316 wrote to memory of 1488	1316	python-3.8.6-amd64.exe	28
PID 1316 wrote to memory of 1488	1316	python-3.8.6-amd64.exe	28
PID 1316 wrote to memory of 1488	1316	python-3.8.6-amd64.exe	28

C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe
"C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1316
- C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe
  "C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.8.6-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:1488

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe

Filesize
841KB

MD5
a1a8f622d1aa8873d290f7cc77667ae9

SHA1
a15f822d2040dc136d8012792981c2631ac5a73a

SHA256
b28ddf5c646babbd2da14a9a930d6115ccbaa4b9c948342b1821468e2b53fc79

SHA512
e244937a3c81d2b6332fbd669120b6b1af318b5b52e2a0a4fad64bb6b4c8c23431d2705c1c359d9fe0903e63af225d17eb04a4dba72cfca7d6bd32ddc1a4adff

Download Submit
C:\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe

Filesize
841KB

MD5
a1a8f622d1aa8873d290f7cc77667ae9

SHA1
a15f822d2040dc136d8012792981c2631ac5a73a

SHA256
b28ddf5c646babbd2da14a9a930d6115ccbaa4b9c948342b1821468e2b53fc79

SHA512
e244937a3c81d2b6332fbd669120b6b1af318b5b52e2a0a4fad64bb6b4c8c23431d2705c1c359d9fe0903e63af225d17eb04a4dba72cfca7d6bd32ddc1a4adff

Download Submit
C:\Windows\Temp\{DFD04BD6-77BD-460E-986B-1AE4587E8AC0}\.ba\SideBar.png

Filesize
56KB

MD5
ca62a92ad5b307faeac640cd5eb460ed

SHA1
5edf8b5fc931648f77a2a131e4c733f1d31b548e

SHA256
f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627

SHA512
f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

Download Submit
\Windows\Temp\{05A258B6-546A-440B-805D-211B591BC3E1}\.cr\python-3.8.6-amd64.exe

Filesize
841KB

MD5
a1a8f622d1aa8873d290f7cc77667ae9

SHA1
a15f822d2040dc136d8012792981c2631ac5a73a

SHA256
b28ddf5c646babbd2da14a9a930d6115ccbaa4b9c948342b1821468e2b53fc79

SHA512
e244937a3c81d2b6332fbd669120b6b1af318b5b52e2a0a4fad64bb6b4c8c23431d2705c1c359d9fe0903e63af225d17eb04a4dba72cfca7d6bd32ddc1a4adff

Download Submit
\Windows\Temp\{DFD04BD6-77BD-460E-986B-1AE4587E8AC0}\.ba\PythonBA.dll

Filesize
601KB

MD5
c877db675510da9101f183318877b1df

SHA1
aade2b7fb2b35f84e9964b90c66c4c7baf543ea2

SHA256
74de5491b4c112010a677efa53b0ce05cc7587dad9dbebe1c27c29a0269ca9d3

SHA512
c69be9c1cc90494fc9c06a0bdeaea502136cd9420fbce61581dd92adb94b895b6353a3e1b3481c55a76a91b20dac553a5a68dc9decb93af92f320c10c0b6bd2d

Download Submit