b2c2a9c32a27fe5c3872a0a96f96fad6597e4f8f5242ec90a7c2b69a1b409bb0

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
21/02/2024, 01:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyrean-main/install_python.bat
Size

686B
MD5

f30718a354e7cc104ea553ce5ae2d486
SHA1

3876134e6b92da57a49d868013ed35b5d946f8fd
SHA256

94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
SHA512

601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Score

8^/10

discovery persistence

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
8	1296	powershell.exe
67	4968	msiexec.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\Control Panel\International\Geo\Nation	python-installer.exe

Executes dropped EXE 3 IoCs

pid	Process
4004	python-installer.exe
2144	python-installer.exe
896	python-3.10.9-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
2144	python-installer.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{e8531749-5517-4937-a722-a4052cb2d75e} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{e8531749-5517-4937-a722-a4052cb2d75e}\\python-3.10.9-amd64.exe\" /burn.runonce"	python-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\e591b87.msi	msiexec.exe
File created	C:\Windows\Installer\e591b8b.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{0CBB496F-1D15-42F1-AA45-C01C95196EC8}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{1F097B66-81E9-46FB-BBAC-315C5F50CF94}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\e591b8c.msi	msiexec.exe
File created	C:\Windows\Installer\e591b96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e591b82.msi	msiexec.exe
File created	C:\Windows\Installer\e591b86.msi	msiexec.exe
File created	C:\Windows\Installer\e591b95.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e591b7d.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\e591b91.msi	msiexec.exe
File created	C:\Windows\Installer\e591b82.msi	msiexec.exe
File created	C:\Windows\Installer\e591b90.msi	msiexec.exe
File created	C:\Windows\Installer\e591b8c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI5CEE.tmp	msiexec.exe
File created	C:\Windows\Installer\e591b81.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{F115E5B8-9719-4BDF-8B0D-551809BB677D}	msiexec.exe
File created	C:\Windows\Installer\e591b87.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2BFA.tmp	msiexec.exe
File created	C:\Windows\Installer\e591b91.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI9A37.tmp	msiexec.exe
File created	C:\Windows\Installer\e591b7d.msi	msiexec.exe
File created	C:\Windows\Installer\SourceHash{9802C929-A3F0-480D-A4B2-DAD129F2236E}	msiexec.exe
File created	C:\Windows\Installer\SourceHash{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}	msiexec.exe
File opened for modification	C:\Windows\Installer\e591b96.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAEF8.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI2030.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI23DB.tmp	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000008bec060def88e6600000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800008bec060d0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809008bec060d000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d8bec060d000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000008bec060d00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Modifies registry class 43 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\ = "{9802C929-A3F0-480D-A4B2-DAD129F2236E}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\ = "{F115E5B8-9719-4BDF-8B0D-551809BB677D}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\ = "{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\CPython-3.10	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\CPython-3.10\DisplayName = "Python 3.10.9 (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}\DisplayName = "Python 3.10.9 Tcl/Tk Support (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\Version = "3.10.9150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\Version = "3.10.9150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\Version = "3.10.9150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\DisplayName = "Python 3.10.9 Development Libraries (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\Version = "3.10.9150.0"	python-installer.exe
Key created	\Registry\User\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\CPython-3.10	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\ = "{1F097B66-81E9-46FB-BBAC-315C5F50CF94}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\CPython-3.10\ = "{e8531749-5517-4937-a722-a4052cb2d75e}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}\ = "{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\CPython-3.10\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}\Dependents\{e8531749-5517-4937-a722-a4052cb2d75e}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\Version = "3.10.9150.0"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\ = "{0CBB496F-1D15-42F1-AA45-C01C95196EC8}"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}\DisplayName = "Python 3.10.9 Utility Scripts (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\CPython-3.10\Version = "3.10.9150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{F115E5B8-9719-4BDF-8B0D-551809BB677D}\DisplayName = "Python 3.10.9 Executables (64-bit)"	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\DisplayName = "Python 3.10.9 Standard Library (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\CPython-3.10\Dependents	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{9802C929-A3F0-480D-A4B2-DAD129F2236E}\DisplayName = "Python 3.10.9 Core Interpreter (64-bit)"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}\Dependents	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}	python-installer.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{92CFA54C-9CE5-4284-83FD-1D0B8AB2AB69}\Version = "3.10.9150.0"	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer	python-installer.exe
Key created	\REGISTRY\USER\S-1-5-21-1815711207-1844170477-3539718864-1000_Classes\Installer\Dependencies\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}	python-installer.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
1296	powershell.exe
1296	powershell.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe
4968	msiexec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1296	powershell.exe
Token: SeBackupPrivilege	1804	vssvc.exe
Token: SeRestorePrivilege	1804	vssvc.exe
Token: SeAuditPrivilege	1804	vssvc.exe
Token: SeShutdownPrivilege	2144	python-installer.exe
Token: SeIncreaseQuotaPrivilege	2144	python-installer.exe
Token: SeSecurityPrivilege	4968	msiexec.exe
Token: SeCreateTokenPrivilege	2144	python-installer.exe
Token: SeAssignPrimaryTokenPrivilege	2144	python-installer.exe
Token: SeLockMemoryPrivilege	2144	python-installer.exe
Token: SeIncreaseQuotaPrivilege	2144	python-installer.exe
Token: SeMachineAccountPrivilege	2144	python-installer.exe
Token: SeTcbPrivilege	2144	python-installer.exe
Token: SeSecurityPrivilege	2144	python-installer.exe
Token: SeTakeOwnershipPrivilege	2144	python-installer.exe
Token: SeLoadDriverPrivilege	2144	python-installer.exe
Token: SeSystemProfilePrivilege	2144	python-installer.exe
Token: SeSystemtimePrivilege	2144	python-installer.exe
Token: SeProfSingleProcessPrivilege	2144	python-installer.exe
Token: SeIncBasePriorityPrivilege	2144	python-installer.exe
Token: SeCreatePagefilePrivilege	2144	python-installer.exe
Token: SeCreatePermanentPrivilege	2144	python-installer.exe
Token: SeBackupPrivilege	2144	python-installer.exe
Token: SeRestorePrivilege	2144	python-installer.exe
Token: SeShutdownPrivilege	2144	python-installer.exe
Token: SeDebugPrivilege	2144	python-installer.exe
Token: SeAuditPrivilege	2144	python-installer.exe
Token: SeSystemEnvironmentPrivilege	2144	python-installer.exe
Token: SeChangeNotifyPrivilege	2144	python-installer.exe
Token: SeRemoteShutdownPrivilege	2144	python-installer.exe
Token: SeUndockPrivilege	2144	python-installer.exe
Token: SeSyncAgentPrivilege	2144	python-installer.exe
Token: SeEnableDelegationPrivilege	2144	python-installer.exe
Token: SeManageVolumePrivilege	2144	python-installer.exe
Token: SeImpersonatePrivilege	2144	python-installer.exe
Token: SeCreateGlobalPrivilege	2144	python-installer.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe
Token: SeRestorePrivilege	4968	msiexec.exe
Token: SeTakeOwnershipPrivilege	4968	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2144	python-installer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2572 wrote to memory of 1772	2572	cmd.exe	85
PID 2572 wrote to memory of 1772	2572	cmd.exe	85
PID 1772 wrote to memory of 1296	1772	cmd.exe	86
PID 1772 wrote to memory of 1296	1772	cmd.exe	86
PID 2572 wrote to memory of 1920	2572	cmd.exe	87
PID 2572 wrote to memory of 1920	2572	cmd.exe	87
PID 2572 wrote to memory of 4004	2572	cmd.exe	96
PID 2572 wrote to memory of 4004	2572	cmd.exe	96
PID 2572 wrote to memory of 4004	2572	cmd.exe	96
PID 4004 wrote to memory of 2144	4004	python-installer.exe	97
PID 4004 wrote to memory of 2144	4004	python-installer.exe	97
PID 4004 wrote to memory of 2144	4004	python-installer.exe	97
PID 2144 wrote to memory of 896	2144	python-installer.exe	98
PID 2144 wrote to memory of 896	2144	python-installer.exe	98
PID 2144 wrote to memory of 896	2144	python-installer.exe	98

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-main\install_python.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2572
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1772
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    3⤵
    - Blocklisted process makes network request
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1296
- C:\Windows\system32\curl.exe
  curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
  2⤵
  PID:1920
- C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe
  python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
  2⤵
  - Executes dropped EXE
  - Suspicious use of WriteProcessMemory
  PID:4004
- - C:\Windows\Temp\{92526E03-9F85-4BEE-8A5B-1B61949C8B74}\.cr\python-installer.exe
    "C:\Windows\Temp\{92526E03-9F85-4BEE-8A5B-1B61949C8B74}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe" -burn.filehandle.attached=544 -burn.filehandle.self=552 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2144
  - - C:\Windows\Temp\{FED743D6-A0B7-4AD2-8D3A-F06E7D88609A}\.be\python-3.10.9-amd64.exe
      "C:\Windows\Temp\{FED743D6-A0B7-4AD2-8D3A-F06E7D88609A}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{073C7B96-A884-49C0-8944-5A5A6CC2A308} {E8AECA8D-332E-4FAD-BCC3-809A395E6D50} 2144
      4⤵
      Executes dropped EXE
      PID:896

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1804

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
PID:2176

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4968

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e591b80.rbs

Filesize
8KB

MD5
708de12b79eba4ef198ddbb7ed2567b9

SHA1
8eb0ca3f1a0fd2da0d494696cac1bc29ce864ab4

SHA256
dc767d8a7249897b8a542927b9700a4fcbc2ff0ee833e67517adc5569ca758c4

SHA512
688e8d720bb02d4394f13b0f78ad8a7229a75a53c5eddf6d126bfb8ddd0aaf31e751a974c0c105215630a60769c21f30017401780785d95afceddd5557cb0854

Download Submit
C:\Config.Msi\e591b85.rbs

Filesize
12KB

MD5
0145f2d90d817be775fe72fd4e713c1d

SHA1
7d3893cfe401ec35bf4797f62824104302c6b413

SHA256
b334f7e591578b397f67efe0a3d5c094405b9dfdec22b107b2831869f314748b

SHA512
cd81ee14debe548739746ec0ea7f85182e6fb87d49da8d5127198cd355124547d94a165c7ec8587ec7db9cd20633cb3c3e2d78fdb6c48614caa254a287406e63

Download Submit
C:\Config.Msi\e591b8a.rbs

Filesize
40KB

MD5
8404759e85892a00382dd5f7bd44d5a0

SHA1
4506278a154f4ecce96979c444d422fa254cac14

SHA256
49aa958c6f7dbdbcd7f95dd6de4e703e4ae29136a288fbb3ff27b249e97fe82e

SHA512
df5940f1427f7706b5d216502bd2fc306935d4b30227ec989d8f04d00b2cb549c2c670b43e58f01057217c43f13988a06db49bb78632355ea9e2d3938b7dd934

Download Submit
C:\Config.Msi\e591b8f.rbs

Filesize
179KB

MD5
9e29defceb226a8d183c342f99b32fb5

SHA1
f9bd64ea00b9adc7efd7eaab3c7e7e45ecf21835

SHA256
025c98efa7e5e82f3f1330ee42622ada0a7a3b5589bdfa1fa9aa15e10a680ff2

SHA512
8e445baaeb9da890840528cd0c5a50b499880bdda5ce34d971eeea5b3511d8a0bf08f90128348a23add01ad19d7c830f66e0176e82a1f41d6ee8f46eea1f9368

Download Submit
C:\Config.Msi\e591b94.rbs

Filesize
29KB

MD5
e7f13145b96ee4aef4b2166f6acaef04

SHA1
82194083fdd24ba75458423f80ce373a9e2a77a6

SHA256
42c8611c001cb40ea0bbf85df5a0b75042d3d017f8f82d49d0a1730aaae64a2f

SHA512
33801c6ac91a17288e79315c1cc917e370cfa1101742125c19e9dd043f172d958c6bc5bf999e8578c1091fbee351e6f631072aa3bf4559971257add07c85b278

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\lib_JustForMe

Filesize
5.6MB

MD5
6b3b447980583fe904b5ce579226df1b

SHA1
1dd87f0317936044b6d2b65035ed8feeff13ef07

SHA256
1dd504a18537419e81fe8eacd2e6f3cb8e3aea70689be216be64db673f25c2c0

SHA512
7dada16b6668483db5249eb68795efca7f0ece0cc335098dde777d8e7c54db3fd3255af7cf61c86aaf26ea70afb33e0fa798972b27fd0a51b08526f103cfad2a

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

Filesize
3.4MB

MD5
78e6e0e8b315a0d7448bf5cb6de7dc09

SHA1
6a73d7443c4d220736a2700e71e14b8e0e9a3518

SHA256
eaf03e94a9f3421a69b9fd8a1f0723ebc4e59884f6c5b93f330d7fbc98d8940f

SHA512
9666c116423a2574d20cab637d6501d283292d87518836d449d1752929ba60296e10b1335f277e4e2108cb06ea564be70022c1828d1f2e207e1b59326b3e6516

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{0CBB496F-1D15-42F1-AA45-C01C95196EC8}v3.10.9150.0\lib.msi

Filesize
8.0MB

MD5
0894766b66bc93a0494a5a7073042a42

SHA1
ecda108f9f845c245d3e660fe075737ce7b1fb3c

SHA256
82863adf2f36198611da2238991d9c8032c6cf59c3d2dd125658358b6672f3ce

SHA512
3d1c9476e075eb2707e48cb957a0c428a467a3e6d84a31872bf6d88b8767006446ac2fa8c65194465301be9b25376343cd84db9ac729ad1b46c7727851dce5b1

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{1F097B66-81E9-46FB-BBAC-315C5F50CF94}v3.10.9150.0\tools.msi

Filesize
212KB

MD5
b71361f364fb14a1983257ac93a1c9b7

SHA1
2209de01d5f1f3c3c1fdbbc2d7959631dfd1d2b5

SHA256
0c32783b07c04ffb8a923ecd9c097061a693a9e882dfbb7cc9aedad7be486f76

SHA512
96b1ce7e72b791aeaa113ec6157364a60862a6a5097c96dbb8a9d3ac717e978dc8e41b36cc1723dcaf2ded54e25c638f83fee7995921d3588d2a5c5b65051843

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{9802C929-A3F0-480D-A4B2-DAD129F2236E}v3.10.9150.0\core.msi

Filesize
1.6MB

MD5
c531b4b6d0c44f4f718302f94bdc0de5

SHA1
f8a6d02012fad3b1f8cfaacca4eb6e068383bcee

SHA256
107453ad1bb2d97c4947ba12d91738e7e7aa43470f9a8f954383fa6eb483b707

SHA512
4b85223166679385b0bc788caa2a70052ee39e5ce8a775195e7a8803c9ba9f350a3a4f78d340b3f041e330396e587714d88a6d855e14c925bb73f9be0923beae

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{E2BC2EBD-7260-458B-A42C-3322DCB0B82F}v3.10.9150.0\dev.msi

Filesize
300KB

MD5
81ee9f87cc68e3b0a376a51a0c8d5ea0

SHA1
87e6aa14efad2ca0e175b3d1a4b5b86c91c769cf

SHA256
068163c992a1e372c8e23d69f8ad13e2a9e01be2649c9845d450aad5a7a6eff9

SHA512
d5aa43bdd4ab2edf39750b8714351a2bca3c59766d7e8c57454062f49d5026f376ca40b531ca07ece23f609a7fa02a99b208a8680d20bc1bdbb92c521c825053

Download Submit
C:\Users\Admin\AppData\Local\Package Cache\{F115E5B8-9719-4BDF-8B0D-551809BB677D}v3.10.9150.0\exe.msi

Filesize
608KB

MD5
742a4d07c915d5883454e8e87ce61566

SHA1
6425542f956cf785ac0db084afe6d2ddcbbe2dbd

SHA256
7a6715deb76123241816c77c6cc5dc4e6a881bb8de846c454f0d5cd833305cb2

SHA512
6a5929985dfa1cc3580ca1bd94a94887b092693d976026fc866a9d99558b886b8454398c420d635dccf65f42639f37c3539196da2560482eb04857a4c393602c

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240221015048_000_core_JustForMe.log

Filesize
1KB

MD5
4693de3b26d19476622285ec89f543a3

SHA1
7f3e26eae2ec7b6add3b63b63c2b682946fb91b6

SHA256
eaf013966aa4e97304cde36a06e2caa6ef4884fe2f17dd55777eaf1bcdc253c0

SHA512
af98ab49a5330c89fb71e84ebd28a15169282c179d270363f48cee7da4807f426dd1d6b2ccea489adb893614fbc5eff847914294d4575cbfb9b5cb4646586d3d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240221015048_001_exe_JustForMe.log

Filesize
1KB

MD5
e1d7a9706181139df8c47e96d6c7a04f

SHA1
091649ca156b91c42567842599811c1ea6a889f0

SHA256
d5cba27a174f65e8ecc3485e91ec063ede9b374f44fab720489c0d86a0f326d7

SHA512
c72d02ad90604064296bed67713bafb0b04b5f2c4e0258436faec5ab9bd2a05c6f158a21192e95e955812e9a539eb59416d2e5deecda74db5c53b01d10e806e7

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240221015048_002_dev_JustForMe.log

Filesize
1KB

MD5
a96bf3a25ffa8072fd6116dd2a12090f

SHA1
97fca4bc54b1a34b4094fa5f0c9dff8f3863e7c7

SHA256
d91cb200a2b37f33e4a6b96fc737192b4c86ade3c162c3d2926ecda2ec949e1b

SHA512
3c2099751f13238935b404419c30f395f5f5300853789b8c15ae29548ac9be0989f576a30a958a2dac55fc7157e22551beb11b5167655374ef845062ff1b4467

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240221015048_003_lib_JustForMe.log

Filesize
1KB

MD5
4ef5053ae714545b074f8c23aa6d7bc0

SHA1
84928d7046dd4c72961d29ffba9123ece8e0f53e

SHA256
1c55d96669b53b50c870a8e55afe89b042c3f38d80cb7a36a7bd46c9eb5b8a5e

SHA512
2d73a8fb21a85bac7a6dfe750effb1bb5d15c6de964fcdaed7cc8b79ec6a4c83acc8f309a24d2d7f73979439bd3361c1fb69714f3c7e345544e185f31b3271f8

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240221015048_004_tools_JustForMe.log

Filesize
1KB

MD5
42382a17e402371cfa2491392ca81722

SHA1
ff4aa1baadf8ca02c7b56afd9c0acf09e0efcd2c

SHA256
622cf54f2fcf8e861eac88836c18cd76086f242b87265ac34138bceace7e2fc0

SHA512
9f39e5157075b058732bb5c132a8f1f0c9696ba8ef65e8d760ea5b45919638e7dd8a515fbeff5d2398d6142d572d4f83dbf7c59dc081cd08c630a21c3229cbf4

Download Submit
C:\Users\Admin\AppData\Local\Temp\Python 3.10.9 (64-bit)_20240221015048_005_tcltk_JustForMe.log

Filesize
1KB

MD5
395ed8ad1008b616e3254f89b0226d79

SHA1
83d730b7b2f3fb0343e5fe06b898e54cd649ca65

SHA256
5a5faffab523ebf909f0d34ebf7227797d54e2f3e3c49766fe09a2c071a482f9

SHA512
957d91e7742aa0837f519f5b511fcb7c11312760e2fac530afdf55835a83be0b5e4ac4ad30d3c1b680f0b5b36c8f39e3544c2f500a0742ad7c8b161fe32314ec

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2xxsmj13.1ok.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe

Filesize
6.4MB

MD5
8d352d5207427cab69b5ce18a9a0fa1e

SHA1
241525d40491f928caf89b6ee4d4118b48c397e5

SHA256
fd8bfdbee12083104e3d8957a939a2ca7d80942ab8a8c7f4a85055bc096c4ecc

SHA512
a3749b73ec8e4887e64273a9624d54c27684dc1dce61636a82e4dad85099c8232677136dad9347434b1045805b3813976dd0ca6d16f56aecd46d2a9ffcd98698

Download Submit
C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe

Filesize
3.7MB

MD5
1243558d7a5324020b6ff13e38dfeffc

SHA1
6a405d875b0fe9a3a3d992faa67ce875f6634a44

SHA256
0518bc345b19fff4b993290b3245b787812f1faac4092bb5326d3b22aa730c4b

SHA512
3daaf96ed8a008bc1ac831f94f90d7d64eae1e1f4ce6e0522a244060cc8e069f003f5eae1493ed380a47280ef9707174cf88a1c047d93339e2d488cc571c9aa7

Download Submit
C:\Windows\Temp\{92526E03-9F85-4BEE-8A5B-1B61949C8B74}\.cr\python-installer.exe

Filesize
528KB

MD5
93ace35f549fc7cdffda30db9fc3483f

SHA1
e5c9483eca0b6d6b14a80c99dce586dab621f0ce

SHA256
c5c4eb096a6c2a26d93baacd21f24430db25abf21aa00dce5a4ac8997f3b2e96

SHA512
a88a0dbcc82a4d809d9741bae7de7e5fede2831c3e24ed91dee60c3183ea70648af02fd4266ec23c1d1776bff41da8e7652b1ae2c28474af091ad448e44d38ae

Download Submit
C:\Windows\Temp\{92526E03-9F85-4BEE-8A5B-1B61949C8B74}\.cr\python-installer.exe

Filesize
183KB

MD5
9778c1766b81157399a138b05d2dc606

SHA1
6a3d61d2670a53ac778d1400c1196bb47c40dd88

SHA256
2588b4ee0f22c4ae231f1db9725cc33184480694c36b5e96e7550cf807fea41a

SHA512
1c7e81048f475d5a16a7703422c459b529ad975378ad7ecc281a0da2a15de977c2655744a9db4ea2884fe503c105159b99659942c1de416128308d8c1cd2601c

Download Submit
C:\Windows\Temp\{FED743D6-A0B7-4AD2-8D3A-F06E7D88609A}\.ba\PythonBA.dll

Filesize
650KB

MD5
64d1e3b44bfce17b6a43e9ca200bfaa2

SHA1
2617a95208a578c63653b76506b27e36a1ee6bba

SHA256
c016025b6e3c1335eef8f544cb88a948d7c785fd5247b994c8ec91a4fce5f899

SHA512
002fcb10e7aec037eee5acdbdc20719f10147917330f769943e4342d99a9596df5f09c039be5a8daa871062bf4c7263ae4d6582f971ced570c85abcbea87cc77

Download Submit
C:\Windows\Temp\{FED743D6-A0B7-4AD2-8D3A-F06E7D88609A}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{FED743D6-A0B7-4AD2-8D3A-F06E7D88609A}\.be\python-3.10.9-amd64.exe

Filesize
849KB

MD5
d988448411dc7548332378f7f61508a4

SHA1
34989539914256ea9f6d691236039d806be6f7ca

SHA256
ae5f3d9aaf871d4cf62b3106a7babb66a5c52fdf5ea9b93467c45bd047319c66

SHA512
eb631c340bebb6ce3a6100383fe5e5bd8d2b700ca2c9cd07c1bff4decb8b72a9223596786ef0e8040097135765d7af479f3bfa10957abba32143fc9c9b51ce97

Download Submit
C:\Windows\Temp\{FED743D6-A0B7-4AD2-8D3A-F06E7D88609A}\launcher_AllUsers

Filesize
516KB

MD5
a6d0b9692be2bb42031d8dd3293c6fed

SHA1
3de1ce4eb9df47d40639ec24d740dae74f58ba1d

SHA256
d557952fdea4a50bd4901cf6152e17e46168fedb663080aaf438da80926921b7

SHA512
df4e7b9a0fcff4f6b29e1184ffc18a8eebd010dd500402f8d5d6e61a8d011ef2ae82bcac86355142b4f292105f878938e6f3673d108925611650561aa08ccfb4

Download Submit
memory/1296-14-0x00007FF9616D0000-0x00007FF962191000-memory.dmp

Filesize
10.8MB

Download
memory/1296-11-0x000001A523710000-0x000001A523720000-memory.dmp

Filesize
64KB

Download
memory/1296-10-0x00007FF9616D0000-0x00007FF962191000-memory.dmp

Filesize
10.8MB

Download
memory/1296-9-0x000001A5258C0000-0x000001A5258E2000-memory.dmp

Filesize
136KB

Download