f7110ae75ffe30c4d84780385ea584d7acf7bea83b24b27ab2cd8d83c7799ad6

General

Target

Stealerium/install_python.bat
Size

687B
MD5

821f007d1c56bb3f4511bab928ce8f63
SHA1

a22b0d76f5ef0e145629dded82e195486675774a
SHA256

434f9d4a2a7a5088aa393b47ad8e957a15481cd3078f10b3c0f7ec6fe5f497c2
SHA512

f1db8db20e25d8d06828ead22e70a28411bf32faa7dd14816ef833efe548a046e9383cb51aa100d49555f2cc9c1f74bf10aef871a0e6724da5f96c690770dd4d

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 1 IoCs

flow	pid	Process
5	2864	powershell.exe

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Powershell Invoke Web Request.

execution

PowerShell

T1059.001

pid	Process
2864	powershell.exe

Downloads MZ/PE file

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	python-installer.exe

Executes dropped EXE 3 IoCs

pid	Process
4168	python-installer.exe
3824	python-installer.exe
1468	python-3.10.9-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
3824	python-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.10.9-amd64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2864	powershell.exe
2864	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeBackupPrivilege	1644	vssvc.exe
Token: SeRestorePrivilege	1644	vssvc.exe
Token: SeAuditPrivilege	1644	vssvc.exe
Token: SeBackupPrivilege	4940	srtasks.exe
Token: SeRestorePrivilege	4940	srtasks.exe
Token: SeSecurityPrivilege	4940	srtasks.exe
Token: SeTakeOwnershipPrivilege	4940	srtasks.exe
Token: SeBackupPrivilege	4940	srtasks.exe
Token: SeRestorePrivilege	4940	srtasks.exe
Token: SeSecurityPrivilege	4940	srtasks.exe
Token: SeTakeOwnershipPrivilege	4940	srtasks.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3824	python-installer.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 4524	2524	cmd.exe	83
PID 2524 wrote to memory of 4524	2524	cmd.exe	83
PID 4524 wrote to memory of 2864	4524	cmd.exe	84
PID 4524 wrote to memory of 2864	4524	cmd.exe	84
PID 2524 wrote to memory of 2544	2524	cmd.exe	85
PID 2524 wrote to memory of 2544	2524	cmd.exe	85
PID 2524 wrote to memory of 4168	2524	cmd.exe	94
PID 2524 wrote to memory of 4168	2524	cmd.exe	94
PID 2524 wrote to memory of 4168	2524	cmd.exe	94
PID 4168 wrote to memory of 3824	4168	python-installer.exe	95
PID 4168 wrote to memory of 3824	4168	python-installer.exe	95
PID 4168 wrote to memory of 3824	4168	python-installer.exe	95
PID 3824 wrote to memory of 1468	3824	python-installer.exe	96
PID 3824 wrote to memory of 1468	3824	python-installer.exe	96
PID 3824 wrote to memory of 1468	3824	python-installer.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Stealerium\install_python.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    3⤵
    - Blocklisted process makes network request
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2864
- C:\Windows\system32\curl.exe
  curl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe
  2⤵
  PID:2544
- C:\Users\Admin\AppData\Local\Temp\Stealerium\python-installer.exe
  python-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4168
- - C:\Windows\Temp\{20AA212D-1E14-435C-A1B7-CB22EF261A78}\.cr\python-installer.exe
    "C:\Windows\Temp\{20AA212D-1E14-435C-A1B7-CB22EF261A78}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\Stealerium\python-installer.exe" -burn.filehandle.attached=560 -burn.filehandle.self=556 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=0
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of WriteProcessMemory
    PID:3824
  - - C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.be\python-3.10.9-amd64.exe
      "C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{3EE3F4F8-A199-4BAA-9D42-116ABE4524F6} {8A331752-D324-4C7D-9C68-C14D1CD21A36} 3824
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1468

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:1644

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Stealerium\python-installer.exe

Filesize
27.6MB

MD5
dce578fe177892488cadb6c34aea58ee

SHA1
e562807ddd0bc8366d936ce72684ce2b6630e297

SHA256
b8c707fb7a3a80f49af5a51c94f428525a3ad4331c7b9e3b2e321caf5cb56d7d

SHA512
8858aa7e82ca8cf559eeb25c14d86d24637a86e64c8db7465c99d05558ce3c67cea18d68abdfbe3df08cdbedfca5f819aa7fd8e57beae2054a7f7a8a64c04b41

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_vgaqe1tw.fuy.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Windows\Temp\{20AA212D-1E14-435C-A1B7-CB22EF261A78}\.cr\python-installer.exe

Filesize
849KB

MD5
d988448411dc7548332378f7f61508a4

SHA1
34989539914256ea9f6d691236039d806be6f7ca

SHA256
ae5f3d9aaf871d4cf62b3106a7babb66a5c52fdf5ea9b93467c45bd047319c66

SHA512
eb631c340bebb6ce3a6100383fe5e5bd8d2b700ca2c9cd07c1bff4decb8b72a9223596786ef0e8040097135765d7af479f3bfa10957abba32143fc9c9b51ce97

Download Submit
C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.ba\PythonBA.dll

Filesize
650KB

MD5
64d1e3b44bfce17b6a43e9ca200bfaa2

SHA1
2617a95208a578c63653b76506b27e36a1ee6bba

SHA256
c016025b6e3c1335eef8f544cb88a948d7c785fd5247b994c8ec91a4fce5f899

SHA512
002fcb10e7aec037eee5acdbdc20719f10147917330f769943e4342d99a9596df5f09c039be5a8daa871062bf4c7263ae4d6582f971ced570c85abcbea87cc77

Download Submit
C:\Windows\Temp\{FEF74E6D-4A5D-4259-A427-91E35E0C12FE}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
memory/2864-0-0x00007FFF96F53000-0x00007FFF96F55000-memory.dmp

Filesize
8KB

Download
memory/2864-10-0x0000024FD7060000-0x0000024FD7082000-memory.dmp

Filesize
136KB

Download
memory/2864-11-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/2864-12-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download
memory/2864-15-0x00007FFF96F50000-0x00007FFF97A11000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads