Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    24/01/2025, 13:52 UTC

General

  • Target

    net8.0-windows/install-python.bat

  • Size

    683B

  • MD5

    d2582c98db5aad03be0d391a265f861b

  • SHA1

    bb545f83d8d69c8a1a08cd773ddcb53689e8f57c

  • SHA256

    44d62021bd4fa1870a45fc9f1b9bb978196987452688060a87ee97e4626fa4af

  • SHA512

    268a5a71c70081ee8d6aa34d0a9158740712e174a70a0fac2972bd8fa812c34107ba2859d2f31391cc4b27f3f81a986160d9feb14880bdf02fe0c43567b2afbe

Score
8/10

Malware Config

Signatures

  • Downloads MZ/PE file 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of WriteProcessMemory 13 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\net8.0-windows\install-python.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2836
    • C:\Windows\system32\curl.exe
      curl -L -o python-3.12.2-amd64.exe https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe
      2⤵
      • Downloads MZ/PE file
      PID:4828
    • C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exe
      python-3.12.2-amd64.exe /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2152
      • C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe
        "C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exe" -burn.filehandle.attached=568 -burn.filehandle.self=564 /quiet InstallAllUsers=1 PrependPath=1 Include_test=0
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:5068
        • C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.be\python-3.12.2-amd64.exe
          "C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.be\python-3.12.2-amd64.exe" -q -burn.elevated BurnPipe.{433118BB-7CD2-4ABC-A355-EF29F868719D} {D6B6EF45-B84D-4E6E-8900-2254F333C422} 5068
          4⤵
          • Executes dropped EXE
          • System Location Discovery: System Language Discovery
          PID:1220
    • C:\Windows\system32\curl.exe
      curl -L -o get-pip.py https://bootstrap.pypa.io/get-pip.py
      2⤵
        PID:4640
    • C:\Windows\system32\vssvc.exe
      C:\Windows\system32\vssvc.exe
      1⤵
      • Checks SCSI registry key(s)
      • Suspicious use of AdjustPrivilegeToken
      PID:2408
    • C:\Windows\system32\srtasks.exe
      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      1⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:4464

    Network

    • flag-us
      DNS
      58.55.71.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      58.55.71.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      8.8.8.8.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      8.8.8.8.in-addr.arpa
      IN PTR
      Response
      8.8.8.8.in-addr.arpa
      IN PTR
      dns.google
    • flag-us
      DNS
      www.python.org
      curl.exe
      Remote address:
      8.8.8.8:53
      Request
      www.python.org
      IN A
      Response
      www.python.org
      IN CNAME
      dualstack.python.map.fastly.net
      dualstack.python.map.fastly.net
      IN A
      151.101.0.223
      dualstack.python.map.fastly.net
      IN A
      151.101.192.223
      dualstack.python.map.fastly.net
      IN A
      151.101.64.223
      dualstack.python.map.fastly.net
      IN A
      151.101.128.223
    • flag-us
      GET
      https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe
      curl.exe
      Remote address:
      151.101.0.223:443
      Request
      GET /ftp/python/3.12.2/python-3.12.2-amd64.exe HTTP/1.1
      Host: www.python.org
      User-Agent: curl/7.55.1
      Accept: */*
      Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 26667456
      server: nginx
      etag: "65c2b5a6-196e9c0"
      last-modified: Tue, 06 Feb 2024 22:41:42 GMT
      content-type: application/octet-stream
      x-clacks-overhead: GNU Terry Pratchett
      via: 1.1 varnish, 1.1 varnish, 1.1 varnish
      Accept-Ranges: bytes
      Age: 237295
      Date: Fri, 24 Jan 2025 13:52:41 GMT
      X-Served-By: cache-lga21944-LGA, cache-lga21940-LGA, cache-lcy-eglc8600085-LCY
      X-Cache: MISS, HIT, HIT
      X-Cache-Hits: 0, 71, 0
      X-Timer: S1737726761.283000,VS0,VE1
      Strict-Transport-Security: max-age=63072000; includeSubDomains; preload
    • flag-us
      DNS
      223.0.101.151.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      223.0.101.151.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.210.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.210.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.66.101.151.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.66.101.151.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      133.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      133.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      188.77.23.2.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      188.77.23.2.in-addr.arpa
      IN PTR
      Response
      188.77.23.2.in-addr.arpa
      IN PTR
      a2-23-77-188.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      bootstrap.pypa.io
      curl.exe
      Remote address:
      8.8.8.8:53
      Request
      bootstrap.pypa.io
      IN A
      Response
      bootstrap.pypa.io
      IN CNAME
      dualstack.c.ssl.global.fastly.net
      dualstack.c.ssl.global.fastly.net
      IN A
      151.101.192.175
      dualstack.c.ssl.global.fastly.net
      IN A
      151.101.128.175
      dualstack.c.ssl.global.fastly.net
      IN A
      151.101.0.175
      dualstack.c.ssl.global.fastly.net
      IN A
      151.101.64.175
    • flag-us
      GET
      https://bootstrap.pypa.io/get-pip.py
      curl.exe
      Remote address:
      151.101.192.175:443
      Request
      GET /get-pip.py HTTP/1.1
      Host: bootstrap.pypa.io
      User-Agent: curl/7.55.1
      Accept: */*
      Response
      HTTP/1.1 200 OK
      Connection: keep-alive
      Content-Length: 2275758
      Content-Type: text/x-python
      Last-Modified: Mon, 18 Nov 2024 17:04:16 GMT
      ETag: "673b7390-22b9ae"
      Strict-Transport-Security: max-age=31536000; includeSubDomains
      Via: 1.1 varnish, 1.1 varnish
      Accept-Ranges: bytes
      Date: Fri, 24 Jan 2025 13:52:59 GMT
      Age: 3810
      X-Served-By: cache-iad-kcgs7200050-IAD, cache-lcy-eglc8600074-LCY
      X-Cache: HIT, HIT
      X-Cache-Hits: 78, 1
      X-Timer: S1737726780.601882,VS0,VE4
    • flag-us
      DNS
      167.57.26.184.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      167.57.26.184.in-addr.arpa
      IN PTR
      Response
      167.57.26.184.in-addr.arpa
      IN PTR
      a184-26-57-167.deploy.static.akamaitechnologies.com
    • flag-us
      DNS
      175.192.101.151.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      175.192.101.151.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      241.150.49.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      241.150.49.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      197.87.175.4.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      197.87.175.4.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.31.95.13.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.31.95.13.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      181.129.81.91.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      181.129.81.91.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      172.214.232.199.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      172.214.232.199.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      9.173.189.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      9.173.189.20.in-addr.arpa
      IN PTR
      Response
    • 151.101.0.223:443
      https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe
      tls, http
      curl.exe
      487.9kB
      27.5MB
      10332
      19708

      HTTP Request

      GET https://www.python.org/ftp/python/3.12.2/python-3.12.2-amd64.exe

      HTTP Response

      200
    • 151.101.192.175:443
      https://bootstrap.pypa.io/get-pip.py
      tls, http
      curl.exe
      49.1kB
      2.4MB
      1004
      1700

      HTTP Request

      GET https://bootstrap.pypa.io/get-pip.py

      HTTP Response

      200
    • 8.8.8.8:53
      58.55.71.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      58.55.71.13.in-addr.arpa

    • 8.8.8.8:53
      8.8.8.8.in-addr.arpa
      dns
      66 B
      90 B
      1
      1

      DNS Request

      8.8.8.8.in-addr.arpa

    • 8.8.8.8:53
      www.python.org
      dns
      curl.exe
      60 B
      169 B
      1
      1

      DNS Request

      www.python.org

      DNS Response

      151.101.0.223
      151.101.192.223
      151.101.64.223
      151.101.128.223

    • 8.8.8.8:53
      223.0.101.151.in-addr.arpa
      dns
      72 B
      132 B
      1
      1

      DNS Request

      223.0.101.151.in-addr.arpa

    • 8.8.8.8:53
      172.210.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.210.232.199.in-addr.arpa

    • 8.8.8.8:53
      133.66.101.151.in-addr.arpa
      dns
      73 B
      133 B
      1
      1

      DNS Request

      133.66.101.151.in-addr.arpa

    • 8.8.8.8:53
      133.32.126.40.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      133.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      188.77.23.2.in-addr.arpa
      dns
      70 B
      133 B
      1
      1

      DNS Request

      188.77.23.2.in-addr.arpa

    • 8.8.8.8:53
      bootstrap.pypa.io
      dns
      curl.exe
      63 B
      174 B
      1
      1

      DNS Request

      bootstrap.pypa.io

      DNS Response

      151.101.192.175
      151.101.128.175
      151.101.0.175
      151.101.64.175

    • 8.8.8.8:53
      167.57.26.184.in-addr.arpa
      dns
      72 B
      137 B
      1
      1

      DNS Request

      167.57.26.184.in-addr.arpa

    • 8.8.8.8:53
      175.192.101.151.in-addr.arpa
      dns
      74 B
      134 B
      1
      1

      DNS Request

      175.192.101.151.in-addr.arpa

    • 8.8.8.8:53
      241.150.49.20.in-addr.arpa
      dns
      72 B
      158 B
      1
      1

      DNS Request

      241.150.49.20.in-addr.arpa

    • 8.8.8.8:53
      197.87.175.4.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      197.87.175.4.in-addr.arpa

    • 8.8.8.8:53
      18.31.95.13.in-addr.arpa
      dns
      70 B
      144 B
      1
      1

      DNS Request

      18.31.95.13.in-addr.arpa

    • 8.8.8.8:53
      181.129.81.91.in-addr.arpa
      dns
      72 B
      147 B
      1
      1

      DNS Request

      181.129.81.91.in-addr.arpa

    • 8.8.8.8:53
      172.214.232.199.in-addr.arpa
      dns
      74 B
      128 B
      1
      1

      DNS Request

      172.214.232.199.in-addr.arpa

    • 8.8.8.8:53
      9.173.189.20.in-addr.arpa
      dns
      71 B
      157 B
      1
      1

      DNS Request

      9.173.189.20.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\net8.0-windows\get-pip.py

      Filesize

      2.2MB

      MD5

      f342256ee74ff8d8dfc95fdef9325a2f

      SHA1

      1bae613f32a12fc4dac9698d81048407a87db430

      SHA256

      96e58b5962f307566141ea9b393e136cbdf811db9f02968dc5bc88f43989345c

      SHA512

      6cb415947bd8d55a1e5fa76e35c394196048679533015ce64db05804599415837cfe4f490503cd467eadfc3475cca951941a5baba1ecca998b1d15e1f4053b58

    • C:\Users\Admin\AppData\Local\Temp\net8.0-windows\python-3.12.2-amd64.exe

      Filesize

      25.4MB

      MD5

      44abfae489d87cc005d50a9267b5d58d

      SHA1

      af778548383c17cb154530f1c06344c9cced9272

      SHA256

      b9314802f9efbf0f20a8e2cb4cacc4d5cfb0110dac2818d94e770e1ba5137c65

      SHA512

      e955f0bee350cd8f7e4da6a8e8f02db40e477b7465a77c8ecab46a54338c0a9d8acf3d22d524af2c45c25685df2468970ea1b70b83321c7f8e3fae230f3c7f16

    • C:\Windows\Temp\{09EF196C-FEDD-4DBC-ADD9-4A4B41A425AD}\.cr\python-3.12.2-amd64.exe

      Filesize

      858KB

      MD5

      ab21a1bea9e3eaab64a2c062ab613221

      SHA1

      310b1f7921af8edf125eacba71944b6e5356acdf

      SHA256

      1474dbd6a33da8f2f0b50007ba48f0c1ddb3e0e6f8c969722eed1e683a9af68a

      SHA512

      b39b5a24bb7b2d3ead8aed284452c94280398a9e4855f17a8e3593fe718e9b3573e88b15f1dd4659030827e754b17e7f918ba24803e4d522ad9601167fb70df4

    • C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.ba\PythonBA.dll

      Filesize

      675KB

      MD5

      8294dc8850dd596d0ce8455167496832

      SHA1

      5c75c685c95bee8c1a39187da8af46b6c7892757

      SHA256

      565f03893da383e5bec8c6eaa7c8fbb3e6db0b9bddd5a1399b0dec66fa44d64d

      SHA512

      21015ca201b64e3316f3d1ee32e4c562d0142111c1ed576f03aa078619fe656c56848b5998313af23aabb97293c5452be0e27d5c44878be5d90ac2d2d2f05851

    • C:\Windows\Temp\{E8EC24EC-0CDF-490C-8240-5A90D30B4A38}\.ba\SideBar.png

      Filesize

      50KB

      MD5

      888eb713a0095756252058c9727e088a

      SHA1

      c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

      SHA256

      79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

      SHA512

      7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0
