c5453351b8ee2b103ac723e6eedbef2867e18c11ed795ac203ae776857b71607

General

Target

1.png
Size

197KB
MD5

3fa12f4d09daa5481a3dd4f7f1cc7222
SHA1

bd196c1a875e7f5fc65977c3146d32f2d4c97b2d
SHA256

c5453351b8ee2b103ac723e6eedbef2867e18c11ed795ac203ae776857b71607
SHA512

1540e170f939ed220b599e1463b73c7e3d9914a96058a65a7534e8f22eeffff0ca2a74cc73380048729b61869dce32b7d7de8187079e92bed332cf1ea5e2b3f8
SSDEEP

6144:yDoZ67vCSu42MzVzl0suNGYQlDom5tkXeCiz6jooo/Ur:yDw6DXuMzVQNf6EikX7ikr

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2708	python-3.12.0-amd64.exe

Loads dropped DLL 2 IoCs

pid	Process
1660	python-3.12.0-amd64.exe
2708	python-3.12.0-amd64.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1456	rundll32.exe
1456	rundll32.exe
1456	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1660 wrote to memory of 2708	1660	python-3.12.0-amd64.exe	66
PID 1660 wrote to memory of 2708	1660	python-3.12.0-amd64.exe	66
PID 1660 wrote to memory of 2708	1660	python-3.12.0-amd64.exe	66
PID 1660 wrote to memory of 2708	1660	python-3.12.0-amd64.exe	66
PID 1660 wrote to memory of 2708	1660	python-3.12.0-amd64.exe	66
PID 1660 wrote to memory of 2708	1660	python-3.12.0-amd64.exe	66
PID 1660 wrote to memory of 2708	1660	python-3.12.0-amd64.exe	66

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy WMI provider
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe "C:\Program Files\Windows Photo Viewer\PhotoViewer.dll", ImageView_Fullscreen C:\Users\Admin\AppData\Local\Temp\1.png
1⤵
- Suspicious use of FindShellTrayWindow
PID:1456

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=8 --mojo-platform-channel-handle=3416 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:1212

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3444 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:1988

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3568 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2540

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3704 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2900

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=3812 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:788

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3480 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2320

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=14 --mojo-platform-channel-handle=3500 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:1232

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2456 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:792

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2524 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:948

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=2596 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:1760

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2488 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:3032

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=19 --mojo-platform-channel-handle=2632 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:2480

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=2484 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:572

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1844 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2748

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4060 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:1744

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4056 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:1600

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=24 --mojo-platform-channel-handle=3912 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:2704

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4132 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2800

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=26 --mojo-platform-channel-handle=4288 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:2812

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4440 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2940

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4128 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:1736

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --mojo-platform-channel-handle=4184 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:1624

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=renderer --display-capture-permissions-policy-allowed --enable-chrome-cart --disable-gpu-compositing --lang=en-US --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=30 --mojo-platform-channel-handle=4684 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:1
1⤵
PID:1964

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=quarantine.mojom.Quarantine --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=3272 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2040

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=4400 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2388

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilReadIcon --lang=en-US --service-sandbox-type=icon_reader --mojo-platform-channel-handle=2488 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:2756

C:\Users\Admin\Downloads\python-3.12.0-amd64.exe
"C:\Users\Admin\Downloads\python-3.12.0-amd64.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1660
- C:\Windows\Temp\{74147146-33F8-4082-9F5F-CE4E59144ACB}\.cr\python-3.12.0-amd64.exe
  "C:\Windows\Temp\{74147146-33F8-4082-9F5F-CE4E59144ACB}\.cr\python-3.12.0-amd64.exe" -burn.clean.room="C:\Users\Admin\Downloads\python-3.12.0-amd64.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  PID:2708

C:\Program Files\Google\Chrome\Application\chrome.exe
"C:\Program Files\Google\Chrome\Application\chrome.exe" --type=utility --utility-sub-type=chrome.mojom.UtilWin --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=1848 --field-trial-handle=1208,i,13529397318490646745,14786085333927096554,131072 /prefetch:8
1⤵
PID:1284

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Temp\{74147146-33F8-4082-9F5F-CE4E59144ACB}\.cr\python-3.12.0-amd64.exe

Filesize
858KB

MD5
c2cb26b35a28e60c89496481cf488845

SHA1
52e1808b67c16848a865e8fa60dd698e79ad0739

SHA256
8b670ed69431d112c0786dc4bf8e44a0b42b9f635ee4fbd46c49976837686dbc

SHA512
eb28325fe4b37f99796ce18d8ddc3bc2f8be2003a94e844397b4361f2f93f5b287530ab98d7ef6117f86788d12e0798bfcea071bb60915a6b1d5b52096d2f115

Download Submit
C:\Windows\Temp\{74147146-33F8-4082-9F5F-CE4E59144ACB}\.cr\python-3.12.0-amd64.exe

Filesize
858KB

MD5
c2cb26b35a28e60c89496481cf488845

SHA1
52e1808b67c16848a865e8fa60dd698e79ad0739

SHA256
8b670ed69431d112c0786dc4bf8e44a0b42b9f635ee4fbd46c49976837686dbc

SHA512
eb28325fe4b37f99796ce18d8ddc3bc2f8be2003a94e844397b4361f2f93f5b287530ab98d7ef6117f86788d12e0798bfcea071bb60915a6b1d5b52096d2f115

Download Submit
C:\Windows\Temp\{E82DDCAD-A391-42AC-9B50-0C9411574BCA}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
\Windows\Temp\{74147146-33F8-4082-9F5F-CE4E59144ACB}\.cr\python-3.12.0-amd64.exe

Filesize
858KB

MD5
c2cb26b35a28e60c89496481cf488845

SHA1
52e1808b67c16848a865e8fa60dd698e79ad0739

SHA256
8b670ed69431d112c0786dc4bf8e44a0b42b9f635ee4fbd46c49976837686dbc

SHA512
eb28325fe4b37f99796ce18d8ddc3bc2f8be2003a94e844397b4361f2f93f5b287530ab98d7ef6117f86788d12e0798bfcea071bb60915a6b1d5b52096d2f115

Download Submit
\Windows\Temp\{E82DDCAD-A391-42AC-9B50-0C9411574BCA}\.ba\PythonBA.dll

Filesize
674KB

MD5
0a0ccca07cc97cd3b02946469379240e

SHA1
0802d171427bea137afc8aac4d9a4b471c3bd7cb

SHA256
12a0bb777cd7ee658394fc3452ba06e715d9328d7f2c2c3ee5b8fbb5c51e661f

SHA512
ee877e73b835f8c5af18eb047f66b9d704a1cbd598cd50058617f1b65bc4d9b9f54a30d4b1f8eabf911c2ba0dd15ad6b36cfb092a539961dd8c9002b0d5a22d6

Download Submit
memory/1456-0-0x0000000001B30000-0x0000000001B31000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing