Analysis
max time kernel: 33s
max time network: 36s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 10-11-2024 20:57

Behavioral task: behavioral1
Sample: python-3.10.11-amd64.exe
Resource: win10v2004-20241007-en

General
Target: python-3.10.11-amd64.exe
Size: 27.7MB
MD5: a55e9c1e6421c84a4bd8b4be41492f51
SHA1: bd8b24ec02138327f70f6a3179f6991cfc007a6f
SHA256: d8dede5005564b408ba50317108b765ed9c3c510342a598f9fd42681cbe0648b
SHA512: 5cbb831d4513dc4db247732d10fc4e75f5491229d9495378074b086835b938a86f9ded4528ae630bd8bfc35dfd881cad0d449f7705f1fc9b0d914fdc82393e6d
SSDEEP: 786432:MnqDB0QNdwI+4JQcZ9eI1ThRYYYAm7FF8KTUnM6HuB:n08+IXJBZ9eIGvhuC
Malware Config
Signatures

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce\{a10fbb63-03ff-4b8c-a176-f5fd355f715b} = "\"C:\\Users\\Admin\\AppData\\Local\\Package Cache\\{a10fbb63-03ff-4b8c-a176-f5fd355f715b}\\python-3.10.11-amd64.exe\" /burn.runonce" (python-3.10.11-amd64.exe)

Blocklisted process makes network request (2 IoCs)
- flow 33, pid 2936 (msiexec.exe)
- flow 34, pid 2936 (msiexec.exe)
Enumerates connected drives (3 TTPs, 23 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- File opened (read-only) by msiexec.exe, one entry per drive: \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\Y:, \??\A:, \??\G:, \??\M:, \??\S:, \??\T:, \??\U:, \??\B:, \??\E:, \??\I:, \??\K:, \??\V:, \??\X:, \??\H:, \??\J:, \??\L:, \??\W:, \??\Z:
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- Key value queried \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (python-3.10.11-amd64.exe)

Checks installed software on the system (1 TTP)
Looks up Uninstall key entries in the registry to enumerate software on the system.
Drops file in Windows directory (27 IoCs)
- File created C:\Windows\Installer\e57d5d2.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57d5d3.msi (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{6DBAD419-6A71-4996-912C-E783E21B46AA} (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57d5dd.msi (msiexec.exe)
- File created C:\Windows\Installer\e57d5e1.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57d5e2.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57d5ce.msi (msiexec.exe)
- File created C:\Windows\Installer\e57d5e2.msi (msiexec.exe)
- File created C:\Windows\Installer\e57d5dc.msi (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{6532871D-1F76-408C-ABD0-63C732137351} (msiexec.exe)
- File created C:\Windows\Installer\e57d5ce.msi (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{F8AA714D-9073-4CC3-AD61-743E85488839} (msiexec.exe)
- File created C:\Windows\Installer\e57d5d8.msi (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{D59C7C1D-92A7-4836-B90F-2F50BE301EE1} (msiexec.exe)
- File created C:\Windows\Installer\e57d5dd.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSI5CB.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSID9D5.tmp (msiexec.exe)
- File created C:\Windows\Installer\inprogressinstallinfo.ipi (msiexec.exe)
- File created C:\Windows\Installer\e57d5d3.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIE159.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIEE6A.tmp (msiexec.exe)
- File opened for modification C:\Windows\Installer\ (msiexec.exe)
- File opened for modification C:\Windows\Installer\MSIDC86.tmp (msiexec.exe)
- File created C:\Windows\Installer\e57d5d7.msi (msiexec.exe)
- File opened for modification C:\Windows\Installer\e57d5d8.msi (msiexec.exe)
- File created C:\Windows\Installer\SourceHash{A057AC8D-8770-4890-A721-E6F7368BC9D0} (msiexec.exe)
- File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
Executes dropped EXE (2 IoCs)
- pid 3372 (python-3.10.11-amd64.exe)
- pid 3320 (python-3.10.11-amd64.exe)

Loads dropped DLL (1 IoC)
- pid 3372 (python-3.10.11-amd64.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (python-3.10.11-amd64.exe), recorded three times
Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001d4141155d34ac580000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001d4141150000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001d414115000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1d414115000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001d41411500000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device 
Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe -
Modifies registry class (36 IoCs)
All entries below are by python-3.10.11-amd64.exe.
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\CPython-3.10
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{F8AA714D-9073-4CC3-AD61-743E85488839}\Dependents\{a10fbb63-03ff-4b8c-a176-f5fd355f715b}
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6532871D-1F76-408C-ABD0-63C732137351}\ = "{6532871D-1F76-408C-ABD0-63C732137351}"
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{D59C7C1D-92A7-4836-B90F-2F50BE301EE1}\Dependents\{a10fbb63-03ff-4b8c-a176-f5fd355f715b}
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{F8AA714D-9073-4CC3-AD61-743E85488839}\Version = "3.10.11150.0"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6532871D-1F76-408C-ABD0-63C732137351}\Version = "3.10.11150.0"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{A057AC8D-8770-4890-A721-E6F7368BC9D0}\ = "{A057AC8D-8770-4890-A721-E6F7368BC9D0}"
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\CPython-3.10\Dependents
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{F8AA714D-9073-4CC3-AD61-743E85488839}
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6DBAD419-6A71-4996-912C-E783E21B46AA}\Dependents\{a10fbb63-03ff-4b8c-a176-f5fd355f715b}
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6DBAD419-6A71-4996-912C-E783E21B46AA}\Dependents
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6532871D-1F76-408C-ABD0-63C732137351}
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{A057AC8D-8770-4890-A721-E6F7368BC9D0}
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{F8AA714D-9073-4CC3-AD61-743E85488839}\DisplayName = "Python 3.10.11 Executables (64-bit)"
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6532871D-1F76-408C-ABD0-63C732137351}\Dependents
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\CPython-3.10\ = "{a10fbb63-03ff-4b8c-a176-f5fd355f715b}"
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\CPython-3.10\Dependents\{a10fbb63-03ff-4b8c-a176-f5fd355f715b}
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{D59C7C1D-92A7-4836-B90F-2F50BE301EE1}
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6DBAD419-6A71-4996-912C-E783E21B46AA}\ = "{6DBAD419-6A71-4996-912C-E783E21B46AA}"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\CPython-3.10\DisplayName = "Python 3.10.11 (64-bit)"
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{F8AA714D-9073-4CC3-AD61-743E85488839}\Dependents
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6DBAD419-6A71-4996-912C-E783E21B46AA}
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6DBAD419-6A71-4996-912C-E783E21B46AA}\DisplayName = "Python 3.10.11 Development Libraries (64-bit)"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{A057AC8D-8770-4890-A721-E6F7368BC9D0}\Version = "3.10.11150.0"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\CPython-3.10\Version = "3.10.11150.0"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{D59C7C1D-92A7-4836-B90F-2F50BE301EE1}\DisplayName = "Python 3.10.11 Core Interpreter (64-bit)"
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{D59C7C1D-92A7-4836-B90F-2F50BE301EE1}\Dependents
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{F8AA714D-9073-4CC3-AD61-743E85488839}\ = "{F8AA714D-9073-4CC3-AD61-743E85488839}"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6532871D-1F76-408C-ABD0-63C732137351}\DisplayName = "Python 3.10.11 Standard Library (64-bit)"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{D59C7C1D-92A7-4836-B90F-2F50BE301EE1}\ = "{D59C7C1D-92A7-4836-B90F-2F50BE301EE1}"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{D59C7C1D-92A7-4836-B90F-2F50BE301EE1}\Version = "3.10.11150.0"
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6DBAD419-6A71-4996-912C-E783E21B46AA}\Version = "3.10.11150.0"
- Key created \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{6532871D-1F76-408C-ABD0-63C732137351}\Dependents\{a10fbb63-03ff-4b8c-a176-f5fd355f715b}
- Set value (str) \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000_Classes\Installer\Dependencies\{A057AC8D-8770-4890-A721-E6F7368BC9D0}\DisplayName = "Python 3.10.11 Test Suite (64-bit)"
Suspicious behavior: EnumeratesProcesses (10 IoCs)
- pid 2936 (msiexec.exe), recorded ten times
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Token privileges adjusted, listed per process (pid):
- vssvc.exe (2068): SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- python-3.10.11-amd64.exe (3372), in the order recorded: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 entries)
- msiexec.exe (2936): SeSecurityPrivilege once, then SeRestorePrivilege and SeTakeOwnershipPrivilege alternating (15 and 14 entries respectively; 30 entries in total)
Suspicious use of FindShellTrayWindow (1 IoC)
- pid 3372 (python-3.10.11-amd64.exe)

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 3212 (python-3.10.11-amd64.exe) wrote to memory of PID 3372, procid_target 85; recorded three times
- PID 3372 (python-3.10.11-amd64.exe) wrote to memory of PID 3320, procid_target 92; recorded three times
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Users\Admin\AppData\Local\Temp\python-3.10.11-amd64.exe (PID 3212)
  Command line: "C:\Users\Admin\AppData\Local\Temp\python-3.10.11-amd64.exe"
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\{D8863157-9FB7-45AE-B03C-25ED63011807}\.cr\python-3.10.11-amd64.exe (PID 3372, child of 3212)
    Command line: "C:\Windows\Temp\{D8863157-9FB7-45AE-B03C-25ED63011807}\.cr\python-3.10.11-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-3.10.11-amd64.exe" -burn.filehandle.attached=556 -burn.filehandle.self=552
    - Adds Run key to start application
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\{BFAAD370-F35A-4582-9EBD-A5080A60514E}\.be\python-3.10.11-amd64.exe (PID 3320, child of 3372)
      Command line: "C:\Windows\Temp\{BFAAD370-F35A-4582-9EBD-A5080A60514E}\.be\python-3.10.11-amd64.exe" -q -burn.elevated BurnPipe.{BB94C729-4668-463B-9AF2-7BCBBE73BFE9} {E80208DC-5109-4F47-B313-D1AE8B8A80EA} 3372
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery

- C:\Windows\system32\vssvc.exe (PID 2068)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\System32\rundll32.exe (PID 3760)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

- C:\Windows\system32\srtasks.exe (PID 4516)
  Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2

- C:\Windows\system32\msiexec.exe (PID 2936)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Blocklisted process makes network request
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads