Analysis (score 7/10)
- max time kernel: 255s
- max time network: 274s
- platform: windows10-ltsc 2021_x64
- resource: win10ltsc2021-20241211-en
- resource tags: arch:x64, arch:x86, image:win10ltsc2021-20241211-en, locale:en-us, os:windows10-ltsc 2021-x64, system
- submitted: 18-12-2024 17:33
Behavioral tasks
- behavioral1: rel/X_ATTACKER-V5.9.exe (resource win10ltsc2021-20241211-en)
- behavioral2: rel/data/Cloner.py (resource win10ltsc2021-20241023-en)
- behavioral3: rel/data/Main.bat (resource win10ltsc2021-20241211-en)
- behavioral4: rel/data/Xprocess.exe (resource win10ltsc2021-20241211-en)
- behavioral5: rel/data/boot.bat (resource win10ltsc2021-20241211-en)
- behavioral6: rel/data/bootdis.exe (resource win10ltsc2021-20241211-en)
- behavioral7: rel/data/copy.bat (resource win10ltsc2021-20241023-en)
- behavioral8: rel/data/copy/copy.exe (resource win10ltsc2021-20241211-en)
- behavioral9: rel/data/ddos.exe (resource win10ltsc2021-20241211-en)
- behavioral10: rel/data/emoji.py (resource win10ltsc2021-20241211-en)
- behavioral11: rel/data/fixpy.bat (resource win10ltsc2021-20241211-en)
- behavioral12: rel/data/install-python.bat (resource win10ltsc2021-20241211-en)
- behavioral13: rel/data/joiner.py (resource win10ltsc2021-20241211-en)
- behavioral14: rel/data/sms.exe (resource win10ltsc2021-20241023-en)
- behavioral15: rel/data/tc.py (resource win10ltsc2021-20241211-en)
- behavioral16: rel/data/wbspam.exe (resource win10ltsc2021-20241211-en)
- behavioral17: rel/fix.bat (resource win10ltsc2021-20241211-en)
- behavioral18: rel/token.bat (resource win10ltsc2021-20241211-en)
- behavioral19: rel/token2.bat (resource win10ltsc2021-20241211-en)
General
- Target: rel/data/install-python.bat
- Size: 4KB
- MD5: 05525205f01645c56a9429dac23e9901
- SHA1: b5e490ed908b263b9a89ef7305b4e20585f6aaa0
- SHA256: c3a0c979f4f3f3c2dca28ff6cd584c3a0af7c6e3026864b7013f76bcff084b99
- SHA512: 4e66775e5caadd914d744330f5ea1ca65a7638b0e12f37bb8bbcf5410aa51c338edd9d8b13b2521e066b73075a896850abd2709b23e31d53f0051701fd1f45e2
- SSDEEP: 96:Wy0OhxKWYpV8TCKzCpzTqd2L0VhZEjAoN2bj:Zf1K7L0aZc
Malware Config
Signatures
- Downloads MZ/PE file
- Loads dropped DLL (1 IoC): pid 4280 MsiExec.exe
- Blocklisted process makes network request (2 IoCs): flow 26 pid 2104 msiexec.exe; flow 28 pid 2104 msiexec.exe
- Enumerates connected drives (3 TTPs, 46 IoCs): attempts to read the root path of hard drives other than the default C: drive.
- Drops file in System32 directory (1 IoC): File created C:\Windows\SysWOW64\python27.dll (msiexec.exe)
- Drops file in Windows directory (20 IoCs)
- System Location Discovery: System Language Discovery (1 TTP, 1 IoC): attempts to gather information about the system language of a victim in order to infer the geographical location of that host. Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (MsiExec.exe)
- Checks SCSI registry key(s) (3 TTPs, 5 IoCs): SCSI information is often read in order to detect sandboxing environments.
- Modifies data under HKEY_USERS (3 IoCs):
  - Key deleted \REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\26\52C64B7E (msiexec.exe)
  - Key deleted \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\26 (msiexec.exe)
  - Key created \REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\27 (msiexec.exe)
- Modifies registry class (64 IoCs)
- Suspicious behavior: EnumeratesProcesses (2 IoCs): pid 2104 msiexec.exe; pid 2104 msiexec.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
- Suspicious use of FindShellTrayWindow (2 IoCs): pid 1672 msiexec.exe; pid 1672 msiexec.exe
- Suspicious use of WriteProcessMemory (23 IoCs)
- Uses Volume Shadow Copy service COM API: the Volume Shadow Copy service is used to manage backups/snapshots.
- cURL User-Agent (5 IoCs): uses a User-Agent string associated with the cURL utility. HTTP User-Agent header curl/8.7.1 seen in flows 8, 12, 35, 40 and 60.
Processes
- C:\Windows\system32\cmd.exe (PID 2044)
  Command line: C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\rel\data\install-python.bat"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\system32\curl.exe (PID 712)
    Command line: curl -L -O http://python.org/ftp/python/2.7.6/python-2.7.6.msi
  - C:\Windows\system32\msiexec.exe (PID 1672)
    Command line: msiexec.exe /qb /i python-2.7.6.msi ALLUSERS=1 ADDLOCAL=ALL
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - C:\Windows\system32\reg.exe (PID 4332)
    Command line: reg add "HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment" /f /v PATH /t REG_EXPAND_SZ /d "C:\Program Files (x86)\Common Files\Oracle\Java\javapath;C:\Windows\system32;C:\Windows;C:\Windows\System32\Wbem;C:\Windows\System32\WindowsPowerShell\v1.0\;C:\Windows\System32\OpenSSH\;C:\Program Files\dotnet\;C:\Users\Admin\AppData\Local\Microsoft\WindowsApps;;c:\Python27;c:\Python27\Scripts"
  - C:\Windows\system32\reg.exe (PID 1756)
    Command line: reg add "HKLM\System\CurrentControlSet\Control\Session Manager\Environment" /f /v LOCALAPPDATA /t REG_SZ /d "c:\Python27\AppData"
  - C:\Windows\system32\curl.exe (PID 4540)
    Command line: curl -L -O "http://downloads.sourceforge.net/project/pywin32/pywin32/Build%20218/pywin32-218.win32-py2.7.exe"
  - C:\Windows\system32\curl.exe (PID 5104)
    Command line: curl -O https://bitbucket.org/pypa/setuptools/raw/bootstrap/ez_setup.py
  - C:\Windows\system32\curl.exe (PID 3716)
    Command line: curl -O https://raw.github.com/pypa/pip/master/contrib/get-pip.py
  - C:\Windows\system32\cmd.exe (PID 1440)
    Command line: C:\Windows\system32\cmd.exe /S /D /c" echo y"
  - C:\Windows\system32\cacls.exe (PID 3088)
    Command line: cacls c:\Python27\Lib\site-packages\*.* /T /E /G BUILTIN\Users:R
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 688)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4200,i,18033710974209630210,2205953364507939555,262144 --variations-seed-version --mojo-platform-channel-handle=4248 /prefetch:8
- C:\Windows\system32\msiexec.exe (PID 2104)
  Command line: C:\Windows\system32\msiexec.exe /V
  Signatures: Blocklisted process makes network request; Enumerates connected drives; Drops file in System32 directory; Drops file in Windows directory; Modifies data under HKEY_USERS; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 728)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:4
  - C:\Windows\syswow64\MsiExec.exe (PID 4280)
    Command line: C:\Windows\syswow64\MsiExec.exe -Embedding 52BB664FA0FED88D3567BD434FF49FC2
    Signatures: Loads dropped DLL; System Location Discovery: System Language Discovery
- C:\Windows\system32\vssvc.exe (PID 3920)
  Command line: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (PID 3796)
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --string-annotations=is-enterprise-managed=no --field-trial-handle=4252,i,18033710974209630210,2205953364507939555,262144 --variations-seed-version --mojo-platform-channel-handle=4212 /prefetch:8
Network
MITRE ATT&CK Enterprise v15
Downloads