Overview

overview

10

Static

static

1

python-3.1...64.exe

windows10-1703-x64

4

python-3.1...64.exe

windows10-2004-x64

10

python-3.1...64.exe

windows11-21h2-x64

10

Analysis

  • max time kernel
    314s
  • max time network
    376s
  • platform
    windows10-1703_x64
  • resource
    win10-20240404-en
  • resource tags

    arch:x64arch:x86image:win10-20240404-enlocale:en-usos:windows10-1703-x64system
  • submitted
    28-08-2024 01:26

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    python-3.12.5-amd64.exe

  • Size

    25.3MB

  • MD5

    bbcb2fcf9d739f776fb6414afc12c80d

  • SHA1

    2d78877db5a8da134ab54ed952b961a7e750ec7d

  • SHA256

    44810512af577ca70b3269b8570b10825ec2ace2b86e4297e767a0f4c0ee8bfd

  • SHA512

    0572c6345f6a4f7f3e5c2ff858e3ca7ca54ae4478f3d59d8e18cb0f596e61dcf12aef579db229e83d63b30f15d6684ee6bb3feaea9413e5e636a503933057678

  • SSDEEP

    786432:jKEO2c6viGKJXI95MB6K3qtY9a3YiVTfwtzWo2CB8:XHiRuVKCY9a3YiRws6B8

Score
4/10
discovery

Malware Config

Signatures

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 8 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of FindShellTrayWindow 4 IoCs
  • Suspicious use of SendNotifyMessage 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\python-3.12.5-amd64.exe
    "C:\Users\Admin\AppData\Local\Temp\python-3.12.5-amd64.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:500
    • C:\Windows\Temp\{F71AB88E-09C4-4812-8037-B890D3B0DEA6}\.cr\python-3.12.5-amd64.exe
      "C:\Windows\Temp\{F71AB88E-09C4-4812-8037-B890D3B0DEA6}\.cr\python-3.12.5-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.12.5-amd64.exe" -burn.filehandle.attached=524 -burn.filehandle.self=532
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      PID:5044
  • C:\Program Files\Mozilla Firefox\firefox.exe
    "C:\Program Files\Mozilla Firefox\firefox.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4584
    • C:\Program Files\Mozilla Firefox\firefox.exe
      "C:\Program Files\Mozilla Firefox\firefox.exe"
      2⤵
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:632
      • C:\Program Files\Mozilla Firefox\firefox.exe
        "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.0.1633449770\1227205992" -parentBuildID 20221007134813 -prefsHandle 1728 -prefMapHandle 1704 -prefsLen 20747 -prefMapSize 233444 -appDir "C:\Program Files\Mozilla Firefox\browser" - {fda71460-7427-4f88-a59b-99571a65558c} 632 "\\.\pipe\gecko-crash-server-pipe.632" 1808 205a2fd6158 gpu
        3⤵
          PID:1356
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.1.1982920495\715932537" -parentBuildID 20221007134813 -prefsHandle 2152 -prefMapHandle 2148 -prefsLen 20828 -prefMapSize 233444 -win32kLockedDown -appDir "C:\Program Files\Mozilla Firefox\browser" - {0ebdca97-3e95-4de4-9cff-ef8f8b7f5613} 632 "\\.\pipe\gecko-crash-server-pipe.632" 2164 205a2efad58 socket
          3⤵
          • Checks processor information in registry
          PID:204
        • C:\Program Files\Mozilla Firefox\firefox.exe
          "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.2.895387021\1758922731" -childID 1 -isForBrowser -prefsHandle 2880 -prefMapHandle 2680 -prefsLen 20931 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2309f49c-d12b-4101-ad06-2b27923e7415} 632 "\\.\pipe\gecko-crash-server-pipe.632" 2856 205a2f5b458 tab
          3⤵
            PID:3308
          • C:\Program Files\Mozilla Firefox\firefox.exe
            "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.3.986054480\574663988" -childID 2 -isForBrowser -prefsHandle 3512 -prefMapHandle 3508 -prefsLen 26109 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {7ebc2023-94b3-42b2-b3b4-1e3ae82a1e18} 632 "\\.\pipe\gecko-crash-server-pipe.632" 3524 20590d62558 tab
            3⤵
              PID:3796
            • C:\Program Files\Mozilla Firefox\firefox.exe
              "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.4.1626208219\1617274761" -childID 3 -isForBrowser -prefsHandle 4208 -prefMapHandle 4204 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {355b8ef5-60dd-44e6-88f2-854a60f82557} 632 "\\.\pipe\gecko-crash-server-pipe.632" 4220 205a8ff6958 tab
              3⤵
                PID:748
              • C:\Program Files\Mozilla Firefox\firefox.exe
                "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.5.1358584345\1201355811" -childID 4 -isForBrowser -prefsHandle 4620 -prefMapHandle 4672 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {4ef9f517-4ede-4485-9ca2-f9b489517310} 632 "\\.\pipe\gecko-crash-server-pipe.632" 4680 20590d62858 tab
                3⤵
                  PID:1600
                • C:\Program Files\Mozilla Firefox\firefox.exe
                  "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.6.748108104\198678381" -childID 5 -isForBrowser -prefsHandle 4816 -prefMapHandle 4820 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {2a418f7d-db6c-4029-8bfc-6106a57f1e7e} 632 "\\.\pipe\gecko-crash-server-pipe.632" 4900 205a9332358 tab
                  3⤵
                    PID:3448
                  • C:\Program Files\Mozilla Firefox\firefox.exe
                    "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.7.476163657\1604442667" -childID 6 -isForBrowser -prefsHandle 5008 -prefMapHandle 5012 -prefsLen 26168 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bb9115e3-eda2-4aac-a76a-567957f7b743} 632 "\\.\pipe\gecko-crash-server-pipe.632" 5092 205a9bd3c58 tab
                    3⤵
                      PID:4568
                    • C:\Program Files\Mozilla Firefox\firefox.exe
                      "C:\Program Files\Mozilla Firefox\firefox.exe" -contentproc --channel="632.8.884026708\24423689" -childID 7 -isForBrowser -prefsHandle 5484 -prefMapHandle 5488 -prefsLen 26328 -prefMapSize 233444 -jsInitHandle 1108 -jsInitLen 246848 -a11yResourceId 64 -parentBuildID 20221007134813 -appDir "C:\Program Files\Mozilla Firefox\browser" - {bcd1b85b-ff45-41b5-b2aa-892e36494168} 632 "\\.\pipe\gecko-crash-server-pipe.632" 3444 205a9331d58 tab
                      3⤵
                        PID:2256

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\db\data.safe.bin
                    Filesize

                    9KB

                    MD5

                    1798aa60e6f29812b53f7d97ffd83690

                    SHA1

                    3b9e6c161cf3fec33ef2953fe2a3801a61309acb

                    SHA256

                    d4e1497d28b33f6c6da6ddb4857dc1be55e0beb9f819ff603920d9bae4ea73cf

                    SHA512

                    4b264483375e89a578027dde08881060b1c2a762da7fca5d1c882cce1f34f9c25c41282b8a855acb4820100b11d9b6358a1f23947f6453bd9b54281e733e13d9

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\datareporting\glean\pending_pings\3bc598a8-6933-4d96-a459-e4b67650c64e
                    Filesize

                    734B

                    MD5

                    6e37929bae6af41ea29036462bb146bb

                    SHA1

                    af1c25dc2579765a05677c1d7bfa154062c5d792

                    SHA256

                    f897c763df14277228f2f3e48f7a091b133ff6064d1e06df2a126b077a2cf5e3

                    SHA512

                    0f8236a63b58182d12f3f0087b01eaa9381e5d4de068ce73a369fbee25e4583f81f213339bd50fd7df0a782352c0f78b5ff90956da8d0328cc5bc98465b97db2

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs-1.js
                    Filesize

                    6KB

                    MD5

                    b1af24569894aae9c91cf24c693a39af

                    SHA1

                    0e94a3ebb68472046bf1cbaa6add445eab093559

                    SHA256

                    5a0b4cfd248ea55826cfb3746474ca400d4f5883cae2bb0a5c8d452adab50fb0

                    SHA512

                    b631159ed90a964a56fe0ca3604b1b9cefdae0fc536027ec6fc68d099a61fb7feca5fac0c5689120709dc69e3db20cb92e8698abf0481372b8e53d7a78a730d4

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    4aaf2a9934c2fb8e9d972351a7997bdc

                    SHA1

                    8bd8a097a093ba55d402fafec9c4456c031df379

                    SHA256

                    1749962f2617c0d62d1210d27345d4280e5c194681ee5fe68ff8552487cf0896

                    SHA512

                    8605a652f28563edb240fd8d840c856105d89e940cc0249105c9e85ae4d9a8b840b384460938453a59a543a769ff9cfc562ad1af61db894521e6534030b2dad5

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\prefs.js
                    Filesize

                    6KB

                    MD5

                    83b49b2dbce57129c7f6530af1c3ddea

                    SHA1

                    2719a423ebb29a71d80c8f16105fcfb3ec235bec

                    SHA256

                    e7df7cf667ad2550d7a1558e9f7fb515c09ca233caed34ea49d3f9e73ad75a3d

                    SHA512

                    7c0ce18960070a264d92cbe9f16b4dcc8da80bf68221b44a74e03ef834722c1606a95e145773589d9ef74e58f4bc0585cf2a5d79f717ee4b27769dc5ccea9d27

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore-backups\recovery.jsonlz4
                    Filesize

                    3KB

                    MD5

                    8bea8e1ad8c81311d9c0222a8762785a

                    SHA1

                    52cba260d4dfb7b6ca20fc6db2dc41d82a3c649b

                    SHA256

                    8defc0d3ecda59aca8540826c53022cd03975c9b3c434236d398a9504df69107

                    SHA512

                    40cede401fa52b9c734241b9acedba81ff49846b4f7236d3fe71379eb4a3715a61af7d7096cfcc4c7615501eb30adaf4f09eaf67d099a17c8ea2f8a97447fe6e

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\sessionstore.jsonlz4
                    Filesize

                    4KB

                    MD5

                    16a6a9006976332cbea3ecf4d2dd56f7

                    SHA1

                    044654c2f6bce36ff0cdedee838b474637fcb89a

                    SHA256

                    ab9e07ae52862b7b4c5d53322429855682cd048b74162bbdaa25d2edc274496c

                    SHA512

                    9568e516e083a99dee1e0e1f0e7ef28661008d728bb2865d42c7fc989bc8f4ee7ebc7800ff0da51065d852c91377b5fa4d0a3581c366a16dcdf29e02ec942329

                    Download Submit

                  • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\wjyk7j4u.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite
                    Filesize

                    184KB

                    MD5

                    e7d901ad03d22078f4c42ecc83c3bd45

                    SHA1

                    13ffe2ced2026e6b99c39a96d006c7832a72ba17

                    SHA256

                    fddee54013f830a84e74dce5679f6e4c3c71b4c5c51ecdf58bcef7e27eba4f17

                    SHA512

                    8e7373116183db845f03c74e28effbe85b53c6c109f0a1a867fc4daa2944c099846644c5b6ecfa6408091d097a08b3f1b8cedcbeffbdcfaa14147f6b76663ec9

                    Download Submit

                  • C:\Windows\Temp\{3BBC82BE-E4E6-4844-907A-14327358907D}\.ba\SideBar.png
                    Filesize

                    50KB

                    MD5

                    888eb713a0095756252058c9727e088a

                    SHA1

                    c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

                    SHA256

                    79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

                    SHA512

                    7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

                    Download Submit

                  • C:\Windows\Temp\{F71AB88E-09C4-4812-8037-B890D3B0DEA6}\.cr\python-3.12.5-amd64.exe
                    Filesize

                    858KB

                    MD5

                    7d3c4418445bbdc0b7c521a747ec014c

                    SHA1

                    bff06746ba8d31cfc34637bac0b86158bc2de7ba

                    SHA256

                    f268a252ca87e394a9b653a05a9ce715e1808ccf480fb84197ebf8fbc4482146

                    SHA512

                    033ab1141c1edd39ae5b713b9b20bededf2cb9fef493d93d46c87e2f40b9f0cbe73cba7cb7c6b0f5613fa058bd67ad400aecc358bd4f544470aa8a1ca193e91a

                    Download Submit

                  • \Windows\Temp\{3BBC82BE-E4E6-4844-907A-14327358907D}\.ba\PythonBA.dll
                    Filesize

                    675KB

                    MD5

                    de16adbe53c3cc500dd01a5ee9ebc813

                    SHA1

                    f4b99bd3c79bfa5c3693e37a0d649bb595422dbd

                    SHA256

                    e297b802136b33aa53b31b68183f01d421ece30dc5cc3519e45f0bcf4a47752f

                    SHA512

                    1733e6fda19be026a062585e225f4b14017fea34589e3f3fe48b0e9f69aecff772c44f4d962096b3e0c295374e79692cbc711ef3b7e4c4c4a8544c56de49c2a7

                    Download Submit