e6f27d0e9530edd04a6343618eb98ea1cd748625f42aa0a7ea87b73a8bd886f7

Resubmissions

04-10-2024 13:58

241004-q9w64axfpp 10

04-10-2024 13:13

04-10-2024 13:07

04-10-2024 02:09

03-10-2024 16:57

03-10-2024 14:11

03-10-2024 01:23

02-10-2024 22:37

Analysis

max time kernel
91s
max time network
128s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
04-10-2024 13:58

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyrean-main/install_python.bat
Size

686B
MD5

f30718a354e7cc104ea553ce5ae2d486
SHA1

3876134e6b92da57a49d868013ed35b5d946f8fd
SHA256

94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
SHA512

601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
2	3052	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3052	powershell.exe

Downloads MZ/PE file

Executes dropped EXE 3 IoCs

pid	Process
2184	python-installer.exe
2808	python-installer.exe
2712	python-3.10.9-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
2808	python-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.10.9-amd64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000b63f186ec435d5ff0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000b63f186e0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900b63f186e000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1db63f186e000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000b63f186e00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3052	powershell.exe
3052	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3052	powershell.exe
Token: SeBackupPrivilege	328	vssvc.exe
Token: SeRestorePrivilege	328	vssvc.exe
Token: SeAuditPrivilege	328	vssvc.exe
Token: SeBackupPrivilege	3424	srtasks.exe
Token: SeRestorePrivilege	3424	srtasks.exe
Token: SeSecurityPrivilege	3424	srtasks.exe
Token: SeTakeOwnershipPrivilege	3424	srtasks.exe
Token: SeBackupPrivilege	3424	srtasks.exe
Token: SeRestorePrivilege	3424	srtasks.exe
Token: SeSecurityPrivilege	3424	srtasks.exe
Token: SeTakeOwnershipPrivilege	3424	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2808	python-installer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4500 wrote to memory of 452	4500	cmd.exe	79
PID 4500 wrote to memory of 452	4500	cmd.exe	79
PID 452 wrote to memory of 3052	452	cmd.exe	80
PID 452 wrote to memory of 3052	452	cmd.exe	80
PID 4500 wrote to memory of 4012	4500	cmd.exe	81
PID 4500 wrote to memory of 4012	4500	cmd.exe	81
PID 4500 wrote to memory of 2184	4500	cmd.exe	82
PID 4500 wrote to memory of 2184	4500	cmd.exe	82
PID 4500 wrote to memory of 2184	4500	cmd.exe	82
PID 2184 wrote to memory of 2808	2184	python-installer.exe	83
PID 2184 wrote to memory of 2808	2184	python-installer.exe	83
PID 2184 wrote to memory of 2808	2184	python-installer.exe	83
PID 2808 wrote to memory of 2712	2808	python-installer.exe	84
PID 2808 wrote to memory of 2712	2808	python-installer.exe	84
PID 2808 wrote to memory of 2712	2808	python-installer.exe	84

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-main\install_python.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4500
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:452
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3052
- C:\Windows\system32\curl.exe
  curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
  2⤵
  PID:4012
- C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe
  python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2184
- - C:\Windows\Temp\{C67C7E4D-0FA8-4D84-A1B4-D3C7296DD740}\.cr\python-installer.exe
    "C:\Windows\Temp\{C67C7E4D-0FA8-4D84-A1B4-D3C7296DD740}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe" -burn.filehandle.attached=576 -burn.filehandle.self=584 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:2808
  - - C:\Windows\Temp\{B63AC8AA-8BC2-4546-8974-9D6B05D8016E}\.be\python-3.10.9-amd64.exe
      "C:\Windows\Temp\{B63AC8AA-8BC2-4546-8974-9D6B05D8016E}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{084EFAC0-9E40-4E41-B525-5639BE110FC8} {1D6702F9-C892-42FD-BEDF-E714BFB662C4} 2808
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2712

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:328

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3424

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_bn5kpyax.j3p.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe

Filesize
27.6MB

MD5
dce578fe177892488cadb6c34aea58ee

SHA1
e562807ddd0bc8366d936ce72684ce2b6630e297

SHA256
b8c707fb7a3a80f49af5a51c94f428525a3ad4331c7b9e3b2e321caf5cb56d7d

SHA512
8858aa7e82ca8cf559eeb25c14d86d24637a86e64c8db7465c99d05558ce3c67cea18d68abdfbe3df08cdbedfca5f819aa7fd8e57beae2054a7f7a8a64c04b41

Download Submit
C:\Windows\Temp\{B63AC8AA-8BC2-4546-8974-9D6B05D8016E}\.ba\PythonBA.dll

Filesize
650KB

MD5
64d1e3b44bfce17b6a43e9ca200bfaa2

SHA1
2617a95208a578c63653b76506b27e36a1ee6bba

SHA256
c016025b6e3c1335eef8f544cb88a948d7c785fd5247b994c8ec91a4fce5f899

SHA512
002fcb10e7aec037eee5acdbdc20719f10147917330f769943e4342d99a9596df5f09c039be5a8daa871062bf4c7263ae4d6582f971ced570c85abcbea87cc77

Download Submit
C:\Windows\Temp\{B63AC8AA-8BC2-4546-8974-9D6B05D8016E}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{C67C7E4D-0FA8-4D84-A1B4-D3C7296DD740}\.cr\python-installer.exe

Filesize
849KB

MD5
d988448411dc7548332378f7f61508a4

SHA1
34989539914256ea9f6d691236039d806be6f7ca

SHA256
ae5f3d9aaf871d4cf62b3106a7babb66a5c52fdf5ea9b93467c45bd047319c66

SHA512
eb631c340bebb6ce3a6100383fe5e5bd8d2b700ca2c9cd07c1bff4decb8b72a9223596786ef0e8040097135765d7af479f3bfa10957abba32143fc9c9b51ce97

Download Submit
memory/3052-0-0x00007FF9C6323000-0x00007FF9C6325000-memory.dmp

Filesize
8KB

Download
memory/3052-9-0x00007FF9C6320000-0x00007FF9C6DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3052-10-0x0000022CD3E90000-0x0000022CD3EB2000-memory.dmp

Filesize
136KB

Download
memory/3052-11-0x00007FF9C6320000-0x00007FF9C6DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3052-12-0x00007FF9C6320000-0x00007FF9C6DE2000-memory.dmp

Filesize
10.8MB

Download
memory/3052-15-0x00007FF9C6320000-0x00007FF9C6DE2000-memory.dmp

Filesize
10.8MB

Download