Analysis

  • max time kernel
    33s
  • max time network
    30s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240426-en
  • resource tags
    arch:x64, arch:x86, image:win11-20240426-en, locale:en-us, os:windows11-21h2-x64, system
  • submitted
    23-05-2024 12:53

General

  • Target

    setup.exe

  • Size

    175KB

  • MD5

    b3768470e51d8b2704eea4635010a966

  • SHA1

    3fb6e9a56093e0b8d4c0606e791d0401606b4d82

  • SHA256

    93d3ba4221355395fceeb89476ea92bf1c575440e0b6cf37ff86a8691c03a2bf

  • SHA512

    c0d24260e3829dc1a87376e6ba181989a51689c3398a161fdc4adb8217bdba81787f2f7d24ed4ec68c59158c8249659296cd17adb330907cb15da38152acff43

  • SSDEEP

    3072:ZahKyd2n31b5GWp1icKAArDZz4N9GhbkrNEkdnSsR:ZahOXp0yN90QEA

Malware Config

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE (3 IoCs)
  • Loads dropped DLL (1 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTPs)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices (1 TTPs)

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) (3 TTPs, 5 IoCs)

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class (13 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoCs)
  • Suspicious use of AdjustPrivilegeToken (45 IoCs)
  • Suspicious use of FindShellTrayWindow (1 IoCs)
  • Suspicious use of WriteProcessMemory (19 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Adds Run key to start application
    • Suspicious use of WriteProcessMemory
    PID:4984
    • C:\Windows\SYSTEM32\cmd.exe
      cmd.exe /c "payload.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:768
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /c wmic path Win32_PointingDevice get PNPDeviceID /value | find "PNPDeviceID"
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:900
        • C:\Windows\System32\Wbem\WMIC.exe
          wmic path Win32_PointingDevice get PNPDeviceID /value
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:4692
        • C:\Windows\system32\find.exe
          find "PNPDeviceID"
          4⤵
          PID:1612
      • C:\Windows\system32\curl.exe
        curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.0/python-3.10.0rc2-amd64.exe --insecure --silent
        3⤵
        PID:4328
      • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe
        python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
        3⤵
        • Executes dropped EXE
        • Suspicious use of WriteProcessMemory
        PID:4320
        • C:\Windows\Temp\{9E36A967-9947-427B-8525-BFC78D3EA507}\.cr\python-installer.exe
          "C:\Windows\Temp\{9E36A967-9947-427B-8525-BFC78D3EA507}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe" -burn.filehandle.attached=576 -burn.filehandle.self=584 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Adds Run key to start application
          • Modifies registry class
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of WriteProcessMemory
          PID:3028
          • C:\Windows\Temp\{00DE3B76-C385-4578-B1D3-3B641F3A16A7}\.be\python-3.10.0rc2-amd64.exe
            "C:\Windows\Temp\{00DE3B76-C385-4578-B1D3-3B641F3A16A7}\.be\python-3.10.0rc2-amd64.exe" -q -burn.elevated BurnPipe.{3CCA9C62-70B2-4351-A472-07387F2D4D7E} {3E694C7A-0F3A-455D-9199-9C5FB6A04971} 3028
            5⤵
            • Executes dropped EXE
            PID:2600
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:2736
  • C:\Windows\System32\NOTEPAD.EXE
    "C:\Windows\System32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.bat
    1⤵
    • Opens file in notepad (likely ransom note)
    PID:3964
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Checks SCSI registry key(s)
    • Suspicious use of AdjustPrivilegeToken
    PID:3900
  • C:\Windows\system32\srtasks.exe
    C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    1⤵
    PID:2956
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    PID:2692

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\Package Cache\.unverified\tcltk_JustForMe

    Filesize

    2.7MB

    MD5

    08a6ad56eacf033d24ff8a24ba4a5fad

    SHA1

    d6455f86114281f08e62065f96787f67b2a1b9a6

    SHA256

    8f992d059540419568ff5d0782cb9420b957db681d6af5de55a3921708a01049

    SHA512

    9f997ec6bc9a412bfaa69461675381bd1621ded797dc20364fcd988ad6a795bbba2e0904285b45f5a18520a5e40af1fcc0aeec278f7ccae7b0c58de8453b226a

  • C:\Users\Admin\AppData\Local\Package Cache\{08EB09E1-A204-4355-BD6C-FF39E37DFF53}v3.10.122.0\lib.msi

    Filesize

    2.2MB

    MD5

    7c811119d1787eedb34e9fdafd7e8030

    SHA1

    588c64ac760393a98dcd25f20d599f26bc064e79

    SHA256

    36c26b3251b1575397cbcbc2655e8e4c31d1bde40b07e3c6ae9b159426831247

    SHA512

    d99b02379f4bc51472e6ecb027113475a74fab13afa447d21c5bbf3983a9a1fcf8a663e6d3507a4b345e113828d39487153b9aa4b1d9b7c070194a38adc6ac04

  • C:\Users\Admin\AppData\Local\Package Cache\{C4124B16-F1F2-49FE-A1FD-96655345B465}v3.10.122.0\core.msi

    Filesize

    1.2MB

    MD5

    c3ba454eab32da13577d7dfe802dfc9b

    SHA1

    0eaf8c4a403cab7b8c9f36917dfb7e95f6a59b6a

    SHA256

    4ad00dcfc10bf99302e4a5f5fec95440b1ee0cad26f94004203b509ebd710da2

    SHA512

    a50b692965533165bf8b96896b8f7a67e06674e2fcbcc922d5adcb204eecda458ca237d8b0d87d5dc44bc0eda6f2f08ccc4852be6b911e8d58b87ea3c1af7339

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\payload.bat

    Filesize

    860B

    MD5

    dd42b5725727794a95d0b2ebf6173c6f

    SHA1

    19b4ae25bc054258f2e8053f1cf855d85876c0c7

    SHA256

    27151a9e7094b2219e27a151b40ec95b8e36ba5fbaa2ec093dbc8be1afa07e0a

    SHA512

    118077c247388ebb4d9c9cc1c2b350cb7f6341bfd50aee4afa662c5fa363f8ba99c0a4290c3028235b982e13f5b6ec76e3a363a93f6be833e9d2225fc7eab4a5

  • C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\python-installer.exe

    Filesize

    27.0MB

    MD5

    b49614e82253d9ffe3f75f35aefff7eb

    SHA1

    4b4ee8581bc631af17f35917ddf8acdcb2246d38

    SHA256

    801e8bc283caeee8b86b43886adf6043c5933b61b4f09e43fd475f28e48b410b

    SHA512

    31b621f9f8bc6d5dfe85183f193fcdb126276a5fa24335e46af86e8732d12c7e38c0b47df561130b2987020914e18c5c0b49304e43d81f51c8e14bcaec94a958

  • C:\Users\Admin\AppData\Local\Temp\Python 3.10.0rc2 (64-bit)_20240523125410_000_core_JustForMe.log

    Filesize

    3KB

    MD5

    de43d43021693b280f351110b20f98bb

    SHA1

    15ae61b2586d7cdde2d7656801f93ff31f0c59b2

    SHA256

    4adcf487cd806d9b4ef6995dfbae37bacbc09a9838060f4bdaeeda778728786b

    SHA512

    fb825f3432e9e2adb88808789f2c827e54775e400477f2264d293e69842edafd23869a7c79801e41887ed206f8ed04864079a1d751acf551b24f754a0bf62702

  • C:\Windows\Temp\{00DE3B76-C385-4578-B1D3-3B641F3A16A7}\.ba\PythonBA.dll

    Filesize

    617KB

    MD5

    baa3c76cca5bd6ab209d88fc7c840077

    SHA1

    99cd3ca4596243c40751de8d3e64e970eabde93e

    SHA256

    505f8dfb7e99ad904609d7f0e06e5a247ba83c0be11359c9929f10a71e56ea0f

    SHA512

    8ef58ad25e1efe2ded48434a58fac4c88eefdbef2c379b66cbe916b00193e2e6d08476c2a00019810ec4ac056d14a6d86ec978ac2b27bb9c21accef27cf17207

  • C:\Windows\Temp\{00DE3B76-C385-4578-B1D3-3B641F3A16A7}\.ba\SideBar.png

    Filesize

    56KB

    MD5

    ca62a92ad5b307faeac640cd5eb460ed

    SHA1

    5edf8b5fc931648f77a2a131e4c733f1d31b548e

    SHA256

    f3109977125d4a3a3ffa17462cfc31799589f466a51d226d1d1f87df2f267627

    SHA512

    f7b3001a957f393298b0ff2aa08b400f8639f2f0487a34ac2a0e8d9519765ac92249185ebe45f907bc9d2f8556fdd39095c52f890330a35edf71ae49df32e27a

  • C:\Windows\Temp\{00DE3B76-C385-4578-B1D3-3B641F3A16A7}\launcher_AllUsers

    Filesize

    504KB

    MD5

    31a88bce4fd280fb879b9c0cd244b725

    SHA1

    9356c19b94a1f82f13bd6e1f359540b45ca76a7d

    SHA256

    190f5065bdc696be47d3efa2ca8bcf564104175901b0253f833355e5b38832a9

    SHA512

    79440c8402e480552d95efc51ad7267d1fefef5156ae51bbe4a88ec51346c50f0947cdc9a10bf81cef911c835d98558ac99a71a689a579f58891b3ca81758c59

  • C:\Windows\Temp\{9E36A967-9947-427B-8525-BFC78D3EA507}\.cr\python-installer.exe

    Filesize

    846KB

    MD5

    833d7b73767607cd76c0c81dcc1c5f75

    SHA1

    6ad561dcfcdea749d2f7d3fc96fca99d7f6fe592

    SHA256

    abb2e915cae562e527cd773e5b399d993634331ad29bea029cc2048ae239fbda

    SHA512

    33dbf44e6dd06fdf114628d8c34fb7eea13f5cfe3a1a461b76dc0ae0dfde7ba4b17e0835d75fd6a5990893c541f2f3d3781bd80449c42a8a894a1eeb10bda7d1