a89c38247751952b13c88e72116b2b461723de6dada0c6e14107daf6323636e1

Analysis

max time kernel
15s
max time network
16s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-01-2025 23:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windows.exe
Size

28.7MB
MD5

4f4f456bdcfdf304686c49f0443b2a65
SHA1

cea44f32f127584ad8c3cb0e016e4ea94df894a1
SHA256

a89c38247751952b13c88e72116b2b461723de6dada0c6e14107daf6323636e1
SHA512

7ef9ba91c56c9b8b3ec6c395dd8bab2fe2c816ac427844af30dbbb95e51ef424ff2614b08f3f69b62bcdc3424cb17f67d5dbf87bef4de1fa9560b69b6c239d85
SSDEEP

786432:uXsDZi5xxMJNTYPCkC7wnZKx2xaa0aW6rm0Qn24s:uXsk58Z8S7wZKBe7m0s24s

Score

7^/10

discovery

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\windows update.lnk	cscript.exe

Executes dropped EXE 3 IoCs

pid	Process
1784	pythonw.exe
1972	pythonw.exe
2160	pythonw.exe

Loads dropped DLL 6 IoCs

pid	Process
1508	cmd.exe
1708	cmd.exe
2804	cmd.exe
1784	pythonw.exe
1972	pythonw.exe
2160	pythonw.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	windows.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cscript.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Suspicious use of WriteProcessMemory 56 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 3008	2752	windows.exe	31
PID 2752 wrote to memory of 3008	2752	windows.exe	31
PID 2752 wrote to memory of 3008	2752	windows.exe	31
PID 2752 wrote to memory of 3008	2752	windows.exe	31
PID 3008 wrote to memory of 2376	3008	cmd.exe	33
PID 3008 wrote to memory of 2376	3008	cmd.exe	33
PID 3008 wrote to memory of 2376	3008	cmd.exe	33
PID 3008 wrote to memory of 2376	3008	cmd.exe	33
PID 2376 wrote to memory of 2784	2376	cmd.exe	35
PID 2376 wrote to memory of 2784	2376	cmd.exe	35
PID 2376 wrote to memory of 2784	2376	cmd.exe	35
PID 2376 wrote to memory of 2784	2376	cmd.exe	35
PID 2376 wrote to memory of 2000	2376	cmd.exe	36
PID 2376 wrote to memory of 2000	2376	cmd.exe	36
PID 2376 wrote to memory of 2000	2376	cmd.exe	36
PID 2376 wrote to memory of 2000	2376	cmd.exe	36
PID 2376 wrote to memory of 1792	2376	cmd.exe	38
PID 2376 wrote to memory of 1792	2376	cmd.exe	38
PID 2376 wrote to memory of 1792	2376	cmd.exe	38
PID 2376 wrote to memory of 1792	2376	cmd.exe	38
PID 2376 wrote to memory of 2756	2376	cmd.exe	40
PID 2376 wrote to memory of 2756	2376	cmd.exe	40
PID 2376 wrote to memory of 2756	2376	cmd.exe	40
PID 2376 wrote to memory of 2756	2376	cmd.exe	40
PID 2756 wrote to memory of 2416	2756	cmd.exe	43
PID 2756 wrote to memory of 2416	2756	cmd.exe	43
PID 2756 wrote to memory of 2416	2756	cmd.exe	43
PID 2756 wrote to memory of 2416	2756	cmd.exe	43
PID 2000 wrote to memory of 1708	2000	cmd.exe	46
PID 2000 wrote to memory of 1708	2000	cmd.exe	46
PID 2000 wrote to memory of 1708	2000	cmd.exe	46
PID 2000 wrote to memory of 1708	2000	cmd.exe	46
PID 1792 wrote to memory of 1508	1792	cmd.exe	47
PID 1792 wrote to memory of 1508	1792	cmd.exe	47
PID 1792 wrote to memory of 1508	1792	cmd.exe	47
PID 1792 wrote to memory of 1508	1792	cmd.exe	47
PID 2784 wrote to memory of 2804	2784	cmd.exe	50
PID 2784 wrote to memory of 2804	2784	cmd.exe	50
PID 2784 wrote to memory of 2804	2784	cmd.exe	50
PID 2784 wrote to memory of 2804	2784	cmd.exe	50
PID 2416 wrote to memory of 1968	2416	cmd.exe	52
PID 2416 wrote to memory of 1968	2416	cmd.exe	52
PID 2416 wrote to memory of 1968	2416	cmd.exe	52
PID 2416 wrote to memory of 1968	2416	cmd.exe	52
PID 1508 wrote to memory of 1784	1508	cmd.exe	53
PID 1508 wrote to memory of 1784	1508	cmd.exe	53
PID 1508 wrote to memory of 1784	1508	cmd.exe	53
PID 1508 wrote to memory of 1784	1508	cmd.exe	53
PID 1708 wrote to memory of 1972	1708	cmd.exe	54
PID 1708 wrote to memory of 1972	1708	cmd.exe	54
PID 1708 wrote to memory of 1972	1708	cmd.exe	54
PID 1708 wrote to memory of 1972	1708	cmd.exe	54
PID 2804 wrote to memory of 2160	2804	cmd.exe	55
PID 2804 wrote to memory of 2160	2804	cmd.exe	55
PID 2804 wrote to memory of 2160	2804	cmd.exe	55
PID 2804 wrote to memory of 2160	2804	cmd.exe	55

C:\Users\Admin\AppData\Local\Temp\windows.exe
"C:\Users\Admin\AppData\Local\Temp\windows.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Roaming\windows\run.bat" /verysilent"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Roaming\windows\run.bat" min
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2376
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K b.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2784
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\windows\b.bat"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2804
      - C:\Users\Admin\AppData\Roaming\windows\pythonw.exe
        
        pythonw.exe ca.pyw
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:2160
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K c.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2000
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\windows\c.bat"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1708
      - C:\Users\Admin\AppData\Roaming\windows\pythonw.exe
        
        pythonw.exe ro.pyw
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1972
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K n.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1792
    - - C:\Windows\SysWOW64\cmd.exe
        
        C:\Windows\system32\cmd.exe /K "C:\Users\Admin\AppData\Roaming\windows\n.bat"
        5⤵
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:1508
      - C:\Users\Admin\AppData\Roaming\windows\pythonw.exe
        
        pythonw.exe ba.pyw
        6⤵
        Executes dropped EXE
        Loads dropped DLL
        
        PID:1784
  - - C:\Windows\SysWOW64\cmd.exe
      C:\Windows\system32\cmd.exe /K startup.bat
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2756
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c startup.bat min
        5⤵
        System Location Discovery: System Language Discovery
        Suspicious use of WriteProcessMemory
        
        PID:2416
      - C:\Windows\SysWOW64\cscript.exe
        
        cscript //nologo C:\Users\Admin\AppData\Local\Temp\CreateShortcut.vbs
        6⤵
        Drops startup file
        System Location Discovery: System Language Discovery
        
        PID:1968

C:\Windows\explorer.exe
"C:\Windows\explorer.exe"
1⤵
PID:2620

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\CreateShortcut.vbs

Filesize
287B

MD5
ac70c01957eb45c9487a49b02c26da5b

SHA1
d0e4fcd33eef1ddd4ef56bcab51b85315d7b6d3f

SHA256
e7476b83f04d06800103169363f8c69098d8f092ed72a5e4754cfb77c95d914b

SHA512
5848cb47492da631d5c66e7a158e062f3a55cae862c0f8d242e2ef6dd1f26f5334215db77c033ffd437ef3a9484c0076fa138040e865f1ec804f77a441f0098f

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\site-packages\cryptography\hazmat\primitives\asymmetric\__init__.py

Filesize
180B

MD5
fce95ff49e7ad344d9381226ee6f5b90

SHA1
c00c73d5fb997fc6a8e19904b909372824304c27

SHA256
b3da0a090db2705757a0445d4b58a669fb9e4a406c2fd92f6f27e085a6ae67d6

SHA512
a1e8e1788bd96057e2dbef14e48dd5ea620ae0753dbc075d1a0397fbb7a36b1beb633d274081300914a80c95922cf6eab0f5e709b709158645e17b16583233dd

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\site-packages\pip-24.3.1.dist-info\INSTALLER

Filesize
4B

MD5
365c9bfeb7d89244f2ce01c1de44cb85

SHA1
d7a03141d5d6b1e88b6b59ef08b6681df212c599

SHA256
ceebae7b8927a3227e5303cf5e0f1f7b34bb542ad7250ac03fbcde36ec2f1508

SHA512
d220d322a4053d84130567d626a9f7bb2fb8f0b854da1621f001826dc61b0ed6d3f91793627e6f0ac2ac27aea2b986b6a7a63427f05fe004d8a2adfbdadc13c1

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\cjkencodings\shift_jis-utf8.txt

Filesize
1KB

MD5
cc34bcc252d8014250b2fbc0a7880ead

SHA1
89a79425e089c311137adcdcf0a11dfa9d8a4e58

SHA256
a6bbfb8ecb911d13581f7713391f8c0ceea1edd41537fdb300bbb4d62dd72e9b

SHA512
c6fb4a793870993a9f1310ce59697397e5334dbb92031ab49a3ecc33c55e84737e626e815754c5ddbe7835b15d3817bf07d2b4c80ea5fd956792b4db96c18c2f

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\test_importlib\extension\__init__.py

Filesize
147B

MD5
c3239b95575b0ad63408b8e633f9334d

SHA1
7dbb42dfa3ca934fb86b8e0e2268b6b793cbccdc

SHA256
6546a8ef1019da695edeca7c68103a1a8e746d88b89faf7d5297a60753fd1225

SHA512
5685131ad55f43ab73afccbef69652d03bb64e6135beb476bc987f316afe0198157507203b9846728bc7ea25bc88f040e7d2cb557c9480bac72f519d6ba90b25

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\test_importlib\extension\__main__.py

Filesize
62B

MD5
47878c074f37661118db4f3525b2b6cb

SHA1
9671e2ef6e3d9fa96e7450bcee03300f8d395533

SHA256
b4dc0b48d375647bcfab52d235abf7968daf57b6bbdf325766f31ce7752d7216

SHA512
13c626ada191848c31321c74eb7f0f1fde5445a82d34282d69e2b086ba6b539d8632c82bba61ff52185f75fec2514dad66139309835e53f5b09a3c5a2ebecff5

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Lib\test\test_pydoc\__init__.py

Filesize
138B

MD5
4a7dba3770fec2986287b3c790e6ae46

SHA1
8c7a8f21c1bcdb542f4ce798ba7e97f61bee0ea0

SHA256
88db4157a69ee31f959dccbb6fbad3891ba32ad2467fe24858e36c6daccdba4d

SHA512
4596824f4c06b530ef378c88c7b4307b074f922e10e866a1c06d5a86356f88f1dad54c380791d5cfda470918235b6ead9514b49bc99c2371c1b14dc9b6453210

Download Submit
C:\Users\Admin\AppData\Roaming\windows\Scripts\pip3.13.exe

Filesize
105KB

MD5
c57b460754dd057959bf578ffe17cbd8

SHA1
d5c47aef550b8f3d98b853c4a6d390033fc95ba5

SHA256
51919297bd9010695df2d29dadaab427dade1acd0969c72bcee16a247311b652

SHA512
bb4928502050eb760ce55317cbe5836d463b9a5c35522b40a9b314f9b7b18ce5028134cd4b41cde1ca337581e64edfd0444ead0dee31d09698d17c0984345372

Download Submit
C:\Users\Admin\AppData\Roaming\windows\b.bat

Filesize
115B

MD5
cc1352d4de148ca2f81bd72f5a9c310a

SHA1
8f3829329e679ac657fb80fc9ddee79329971700

SHA256
e3a5e4f4a8177b57e93fc682bb7ded40c4af30cd678a0fb15faaec3f79b1e3bb

SHA512
a495ce7a6fc44e13cee41a9aeebefcfe3060cec582a17f80d9e876d844a56efaff803981112dec88ae056aea3457c4de756569c5a2aa9ddd2aeafe30f4a6a2c5

Download Submit
C:\Users\Admin\AppData\Roaming\windows\c.bat

Filesize
117B

MD5
586d2cec8f5dba3c333522b3efee949a

SHA1
3dfcecfd6b83c35018e8370d7ec59fb0e3c429e1

SHA256
216cddb0ddf3001f6987e440fcf504969348a50b0961bbd6f2b838dd0460d1c0

SHA512
d91989ca6c3e91dea0bd43b6f448b4afba7085eeba1d19d41c40cd7b5e4eb30728b94c9ff95156f7a21900eff0aeb803ac8a05b504570cbd0389a1132205c4e3

Download Submit
C:\Users\Admin\AppData\Roaming\windows\n.bat

Filesize
115B

MD5
95d20d399ffd27aec6abd102aee1fdd0

SHA1
6224de81851ac34fc74bfe916bdca7a61b8b0c90

SHA256
bc42fc4d1473f7af60de3468d8d673de3d15a02b1021b32f1764ed52feca2fff

SHA512
1371e116a336fd7b15b76a208738e26d5c2fc8efe7767f21a7dc2480402cee754d495eef9142535023cf937d18049308b44c58c7467bbdb74e6afbf85fc242a6

Download Submit
C:\Users\Admin\AppData\Roaming\windows\python313.dll

Filesize
5.8MB

MD5
3aad23292404a7038eb07ce5a6348256

SHA1
35cac5479699b28549ebe36c1d064bfb703f0857

SHA256
78b1dd211c0e66a0603df48da2c9b67a915ab3258701b9285d3faa255ed8dc25

SHA512
f5b6ef04e744d2c98c1ef9402d7a8ce5cda3b008837cf2c37a8b6d0cd1b188ca46585a40b2db7acf019f67e6ced59eff5bc86e1aaf48d3c3b62fecf37f3aec6b

Download Submit
C:\Users\Admin\AppData\Roaming\windows\pythonw.exe

Filesize
101KB

MD5
056bbb3b6a33ec7aaca9ce4b66ab3ad9

SHA1
79db6e4ab606feff849aa37a0602cf50b945bade

SHA256
2bea4fc941b7d9436afa1be8cb46551c0694deed23b3fec87b969054238be099

SHA512
f3ca8d6731ddc781c1a4ddfa87c16a96ed12a1f8e9ff53627670d83186583ace93d3c0870c5ac0157dd936156cbf9ec982777a3a60381fe1f60698777eab04cb

Download Submit
C:\Users\Admin\AppData\Roaming\windows\run.bat

Filesize
156B

MD5
821bffd900a752bd9bc4a24cd405f17d

SHA1
18c44863315136c992980443bfaf3ffee19a2efe

SHA256
6aa9dd321d98a9b547482b8ae6d5090d81d9405a173d3b76cbefa594665e0078

SHA512
f2cc98d8bf59843b62a8a28cb5938da004c2248e9ad3079752c4b9c58a8fadfff3ba146990661e3994c51b64da6690950738caa8388f32a6fcc4fd58494bd685

Download Submit
C:\Users\Admin\AppData\Roaming\windows\start.bat

Filesize
111B

MD5
0a9fc98e846844cd71caece930b3ff11

SHA1
cf71a7188e1a5911b1235dba9be6e2e60a092936

SHA256
cac8e289d18623e60b6297fa6c3c3dc360ef499431577e356f8db7870cbfd53a

SHA512
24014ba69f91a8a39649c6ac8c8c3e24ddb2334e6c93929d7046a9bfdf3a5ea2412016e0aa4eaa6e99148f0c8cfb17dec930932f071bca5edcd765f3c33f69a2

Download Submit
C:\Users\Admin\AppData\Roaming\windows\startup.bat

Filesize
671B

MD5
e357b2026769b476e069ae06f81e0da5

SHA1
c2048b569aafcb4eccb02d9b87cb87d91404690b

SHA256
0bc8dc431e9578744f5ed7aa55e401c8c4e9a3261d56b30a4d5c04d68a6f6be6

SHA512
c8a9eca486664b30ca4909be5d101502446feb0025e64d4b968e9a298d00836ba752300c8440a328d899a89d22536829038132011eb5898f892ef5e63e9b73d7

Download Submit