aa79ac94e2d1d633c9ac7953978506f1437239c8d55a33a2691e3184fb5ca5a1

Analysis

max time kernel
95s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
11-12-2024 00:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

empyrean-main/install_python.bat
Size

686B
MD5

f30718a354e7cc104ea553ce5ae2d486
SHA1

3876134e6b92da57a49d868013ed35b5d946f8fd
SHA256

94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
SHA512

601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874

Score

8^/10

discovery execution

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
7	3500	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
3500	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation	python-installer.exe

Executes dropped EXE 3 IoCs

pid	Process
2212	python-installer.exe
1788	python-installer.exe
2572	python-3.10.9-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	python-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.10.9-amd64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e6cf55ff94a5976e0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e6cf55ff0000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e6cf55ff000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de6cf55ff000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e6cf55ff00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3500	powershell.exe
3500	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	3500	powershell.exe
Token: SeBackupPrivilege	1956	vssvc.exe
Token: SeRestorePrivilege	1956	vssvc.exe
Token: SeAuditPrivilege	1956	vssvc.exe
Token: SeBackupPrivilege	3556	srtasks.exe
Token: SeRestorePrivilege	3556	srtasks.exe
Token: SeSecurityPrivilege	3556	srtasks.exe
Token: SeTakeOwnershipPrivilege	3556	srtasks.exe
Token: SeBackupPrivilege	3556	srtasks.exe
Token: SeRestorePrivilege	3556	srtasks.exe
Token: SeSecurityPrivilege	3556	srtasks.exe
Token: SeTakeOwnershipPrivilege	3556	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1788	python-installer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 4672 wrote to memory of 3556	4672	cmd.exe	84
PID 4672 wrote to memory of 3556	4672	cmd.exe	84
PID 3556 wrote to memory of 3500	3556	cmd.exe	85
PID 3556 wrote to memory of 3500	3556	cmd.exe	85
PID 4672 wrote to memory of 4208	4672	cmd.exe	86
PID 4672 wrote to memory of 4208	4672	cmd.exe	86
PID 4672 wrote to memory of 2212	4672	cmd.exe	88
PID 4672 wrote to memory of 2212	4672	cmd.exe	88
PID 4672 wrote to memory of 2212	4672	cmd.exe	88
PID 2212 wrote to memory of 1788	2212	python-installer.exe	93
PID 2212 wrote to memory of 1788	2212	python-installer.exe	93
PID 2212 wrote to memory of 1788	2212	python-installer.exe	93
PID 1788 wrote to memory of 2572	1788	python-installer.exe	95
PID 1788 wrote to memory of 2572	1788	python-installer.exe	95
PID 1788 wrote to memory of 2572	1788	python-installer.exe	95

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\empyrean-main\install_python.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4672
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3556
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:3500
- C:\Windows\system32\curl.exe
  curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
  2⤵
  PID:4208
- C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe
  python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\Temp\{DDF3FB84-423E-4E4A-A64D-C0CC6AE4BFD5}\.cr\python-installer.exe
    "C:\Windows\Temp\{DDF3FB84-423E-4E4A-A64D-C0CC6AE4BFD5}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe" -burn.filehandle.attached=548 -burn.filehandle.self=544 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\Temp\{01A0565E-1340-4748-BD81-335A54D59BAC}\.be\python-3.10.9-amd64.exe
      "C:\Windows\Temp\{01A0565E-1340-4748-BD81-335A54D59BAC}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{6FD09ECC-4035-4FA3-AABD-4742B9E38C30} {5CDDC47E-B3F6-45A8-9A7E-0C33E74A6F86} 1788
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:2572

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1956

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3556

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_glo5zknc.l2b.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\empyrean-main\python-installer.exe

Filesize
27.6MB

MD5
dce578fe177892488cadb6c34aea58ee

SHA1
e562807ddd0bc8366d936ce72684ce2b6630e297

SHA256
b8c707fb7a3a80f49af5a51c94f428525a3ad4331c7b9e3b2e321caf5cb56d7d

SHA512
8858aa7e82ca8cf559eeb25c14d86d24637a86e64c8db7465c99d05558ce3c67cea18d68abdfbe3df08cdbedfca5f819aa7fd8e57beae2054a7f7a8a64c04b41

Download Submit
C:\Windows\Temp\{01A0565E-1340-4748-BD81-335A54D59BAC}\.ba\PythonBA.dll

Filesize
650KB

MD5
64d1e3b44bfce17b6a43e9ca200bfaa2

SHA1
2617a95208a578c63653b76506b27e36a1ee6bba

SHA256
c016025b6e3c1335eef8f544cb88a948d7c785fd5247b994c8ec91a4fce5f899

SHA512
002fcb10e7aec037eee5acdbdc20719f10147917330f769943e4342d99a9596df5f09c039be5a8daa871062bf4c7263ae4d6582f971ced570c85abcbea87cc77

Download Submit
C:\Windows\Temp\{01A0565E-1340-4748-BD81-335A54D59BAC}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{DDF3FB84-423E-4E4A-A64D-C0CC6AE4BFD5}\.cr\python-installer.exe

Filesize
849KB

MD5
d988448411dc7548332378f7f61508a4

SHA1
34989539914256ea9f6d691236039d806be6f7ca

SHA256
ae5f3d9aaf871d4cf62b3106a7babb66a5c52fdf5ea9b93467c45bd047319c66

SHA512
eb631c340bebb6ce3a6100383fe5e5bd8d2b700ca2c9cd07c1bff4decb8b72a9223596786ef0e8040097135765d7af479f3bfa10957abba32143fc9c9b51ce97

Download Submit
memory/3500-0-0x00007FFC61BE3000-0x00007FFC61BE5000-memory.dmp

Filesize
8KB

Download
memory/3500-1-0x000001C16A590000-0x000001C16A5B2000-memory.dmp

Filesize
136KB

Download
memory/3500-11-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-12-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download
memory/3500-15-0x00007FFC61BE0000-0x00007FFC626A1000-memory.dmp

Filesize
10.8MB

Download