cf0b47eafa7787a698bc8dbb62d18f1d16d0659ff7bd7e6312ccb50b08b754b6

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
24/01/2025, 13:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

net8.0-windows/install-python.bat
Size

683B
MD5

d2582c98db5aad03be0d391a265f861b
SHA1

bb545f83d8d69c8a1a08cd773ddcb53689e8f57c
SHA256

44d62021bd4fa1870a45fc9f1b9bb978196987452688060a87ee97e4626fa4af
SHA512

268a5a71c70081ee8d6aa34d0a9158740712e174a70a0fac2972bd8fa812c34107ba2859d2f31391cc4b27f3f81a986160d9feb14880bdf02fe0c43567b2afbe

Score

8^/10

discovery

Malware Config

Signatures

Downloads MZ/PE file 1 IoCs

flow	pid	Process
8	4828	curl.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	python-3.12.2-amd64.exe

Executes dropped EXE 3 IoCs

pid	Process
2152	python-3.12.2-amd64.exe
5068	python-3.12.2-amd64.exe
1220	python-3.12.2-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
5068	python-3.12.2-amd64.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.2-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.2-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.12.2-amd64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000001397c7f967de25740000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800001397c7f90000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff0000000007000100006809001397c7f9000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1d1397c7f9000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000001397c7f900000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious use of AdjustPrivilegeToken 11 IoCs

description	pid	Process
Token: SeBackupPrivilege	2408	vssvc.exe
Token: SeRestorePrivilege	2408	vssvc.exe
Token: SeAuditPrivilege	2408	vssvc.exe
Token: SeBackupPrivilege	4464	srtasks.exe
Token: SeRestorePrivilege	4464	srtasks.exe
Token: SeSecurityPrivilege	4464	srtasks.exe
Token: SeTakeOwnershipPrivilege	4464	srtasks.exe
Token: SeBackupPrivilege	4464	srtasks.exe
Token: SeRestorePrivilege	4464	srtasks.exe
Token: SeSecurityPrivilege	4464	srtasks.exe
Token: SeTakeOwnershipPrivilege	4464	srtasks.exe

Suspicious use of WriteProcessMemory 13 IoCs

description	pid	Process	procid_target
PID 2836 wrote to memory of 4828	2836	cmd.exe	83
PID 2836 wrote to memory of 4828	2836	cmd.exe	83
PID 2836 wrote to memory of 2152	2836	cmd.exe	84
PID 2836 wrote to memory of 2152	2836	cmd.exe	84
PID 2836 wrote to memory of 2152	2836	cmd.exe	84
PID 2152 wrote to memory of 5068	2152	python-3.12.2-amd64.exe	85
PID 2152 wrote to memory of 5068	2152	python-3.12.2-amd64.exe	85
PID 2152 wrote to memory of 5068	2152	python-3.12.2-amd64.exe	85
PID 5068 wrote to memory of 1220	5068	python-3.12.2-amd64.exe	86
PID 5068 wrote to memory of 1220	5068	python-3.12.2-amd64.exe	86
PID 5068 wrote to memory of 1220	5068	python-3.12.2-amd64.exe	86
PID 2836 wrote to memory of 4640	2836	cmd.exe	100
PID 2836 wrote to memory of 4640	2836	cmd.exe	100

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\net8.0-windows\install-python.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2836
- C:\Windows\system32\curl.exe
  curl -L -o python-3.12.2-amd64.exe https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe
  2⤵
  - Downloads MZ/PE file
  PID:4828
- C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exe
  python-3.12.2-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2152
- - C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe
    "C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=564 /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:5068
  - - C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.be\python-3.12.2-amd64.exe
      "C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.be\python-3.12.2-amd64.exe" -q -burn.elevated BurnPipe.{433118BB-7CD2-4ABC-A355-EF29F868719D} {D6B6EF45-B84D-4E6E-8900-2254F333C422} 5068
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:1220
- C:\Windows\system32\curl.exe
  curl -L -o get-pip.py https://bootstrap.pypa.io/get-pip.py
  2⤵
  PID:4640

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:2408

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\net8.0-windows\get-pip.py

Filesize
2.2MB

MD5
f342256ee74ff8d8dfc95fdef9325a2f

SHA1
1bae613f32a12fc4dac9698d81048407a87db430

SHA256
96e58b5962f307566141ea9b393e136cbdf811db9f02968dc5bc88f43989345c

SHA512
6cb415947bd8d55a1e5fa76e35c394196048679533015ce64db05804599415837cfe4f490503cd467eadfc3475cca951941a5baba1ecca998b1d15e1f4053b58

Download Submit
C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exe

Filesize
25.4MB

MD5
44abfae489d87cc005d50a9267b5d58d

SHA1
af778548383c17cb154530f1c06344c9cced9272

SHA256
b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65

SHA512
e955f0bee350cd8f7e4da6a8e8f02db40e477b7465a77c8ecab46a54338c0a9d8acf3d22d524af2c45c25685df2468970ea1b70b83321c7f8e3fae230f3c7f16

Download Submit
C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe

Filesize
858KB

MD5
ab21a1bea9e3eaab64a2c062ab613221

SHA1
310b1f7921af8edf125eacba71944b6e5356acdf

SHA256
1474dbd6a33da8f2f0b50007ba48f0c1ddb3e0e6f8c969722eed1e683a9af68a

SHA512
b39b5a24bb7b2d3ead8aed284452c94280398a9e4855f17a8e3593fe718e9b3573e88b15f1dd4659030827e754b17e7f918ba24803e4d522ad9601167fb70df4

Download Submit
C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.ba\PythonBA.dll

Filesize
675KB

MD5
8294dc8850dd596d0ce8455167496832

SHA1
5c75c685c95bee8c1a39187da8af46b6c7892757

SHA256
565f03893da383e5bec8c6eaa7c8fbb3e6db0b9bddd5a1399b0dec66fa44d64d

SHA512
21015ca201b64e3316f3d1ee32e4c562d0142111c1ed576f03aa078619fe656c56848b5998313af23aabb97293c5452be0e27d5c44878be5d90ac2d2d2f05851

Download Submit
C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads