6b36cbee9046f1787d6372219ae2aca744781134fdfc84ea927af797408e9f88

General

Target

KeyLooger.ps1
Size

716B
MD5

0da54facd2360ee34329873e8a33c1fa
SHA1

5029da7428ac63ff823d865658b9a3311a78b2aa
SHA256

6b36cbee9046f1787d6372219ae2aca744781134fdfc84ea927af797408e9f88
SHA512

44e82d490223b908a50da632bb95d81b91878ddafab6885a07cbfbbd3a41bdecd5220befb9bc37b1b7d9697f4fc64619ce1cdfa3eef465fc57cea9f356187742

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
4	2692	powershell.exe
47	2692	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
4	2692	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	python-installer.exe

Executes dropped EXE 3 IoCs

pid	Process
4140	python-installer.exe
828	python-installer.exe
3296	python-3.13.1-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
828	python-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
46	drive.google.com
47	drive.google.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
2692	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.13.1-amd64.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2692	powershell.exe
2692	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	2692	powershell.exe
Token: SeBackupPrivilege	4816	vssvc.exe
Token: SeRestorePrivilege	4816	vssvc.exe
Token: SeAuditPrivilege	4816	vssvc.exe
Token: SeBackupPrivilege	1320	srtasks.exe
Token: SeRestorePrivilege	1320	srtasks.exe
Token: SeSecurityPrivilege	1320	srtasks.exe
Token: SeTakeOwnershipPrivilege	1320	srtasks.exe
Token: SeBackupPrivilege	1320	srtasks.exe
Token: SeRestorePrivilege	1320	srtasks.exe
Token: SeSecurityPrivilege	1320	srtasks.exe
Token: SeTakeOwnershipPrivilege	1320	srtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2692 wrote to memory of 4140	2692	powershell.exe	94
PID 2692 wrote to memory of 4140	2692	powershell.exe	94
PID 2692 wrote to memory of 4140	2692	powershell.exe	94
PID 4140 wrote to memory of 828	4140	python-installer.exe	95
PID 4140 wrote to memory of 828	4140	python-installer.exe	95
PID 4140 wrote to memory of 828	4140	python-installer.exe	95
PID 828 wrote to memory of 3296	828	python-installer.exe	96
PID 828 wrote to memory of 3296	828	python-installer.exe	96
PID 828 wrote to memory of 3296	828	python-installer.exe	96

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\KeyLooger.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2692
- C:\Users\Admin\AppData\Local\Temp\python-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" /quiet InstallAllUsers=1 PrependPath=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4140
- - C:\Windows\Temp\{7553E00E-B6F0-4F49-BAC1-4BEB43D66DC2}\.cr\python-installer.exe
    "C:\Windows\Temp\{7553E00E-B6F0-4F49-BAC1-4BEB43D66DC2}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=556 -burn.filehandle.self=700 /quiet InstallAllUsers=1 PrependPath=1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\Temp\{31B1FFC7-5BFD-4864-B80C-14888F6B0872}\.be\python-3.13.1-amd64.exe
      "C:\Windows\Temp\{31B1FFC7-5BFD-4864-B80C-14888F6B0872}\.be\python-3.13.1-amd64.exe" -q -burn.elevated BurnPipe.{8FAE1E4E-2FCA-4272-A535-F60228BD8412} {85205697-53CE-4DA7-954D-C228B56C1D24} 828
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3296

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4816

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1320

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_yrorlxlv.wib.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
27.4MB

MD5
90176c0cfa29327ab08c6083dcdcc210

SHA1
cc0bcf37414be313526d63ef708fc85da3b693b1

SHA256
6b33fa9a439a86f553f9f60e538ccabc857d2f308bc77c477c04a46552ade81f

SHA512
5940aae44386f3622dee3f32e6a98073851a9f646da6bf3e04f050b9a9239e0ddf50b26e5e125154edc5bbebce7353d273950f1111e4ca5f2b4e2e4a7ac7cf92

Download Submit
C:\Windows\Temp\{31B1FFC7-5BFD-4864-B80C-14888F6B0872}\.ba\PythonBA.dll

Filesize
692KB

MD5
e8cd5641cae8ae7e9f98b8a3b7096808

SHA1
dd587894cad3122c1719def17f8377bb2bbbc05e

SHA256
898474ad4074571813416e58667a3b8a233e12e656579726c178ec71f794b268

SHA512
53034732df45527389362c2cc53d3ba0390bc4c1a7700b7d61d774d1eecdfed43381311c63b38861215813a674eb3fe865821cb352606522987fb2cfed2856e1

Download Submit
C:\Windows\Temp\{31B1FFC7-5BFD-4864-B80C-14888F6B0872}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
C:\Windows\Temp\{7553E00E-B6F0-4F49-BAC1-4BEB43D66DC2}\.cr\python-installer.exe

Filesize
878KB

MD5
9bc2cfce73fe043e69c909fb1546dbbf

SHA1
8ee81917775b4bd60ea0592b2203d2219dc98cfa

SHA256
ba89d23a7c937c05feba316a927773faaf7becfb2279d9edac6cc11e31205e29

SHA512
4243b3923b998b21ed386750b179bf29bda164d6154e2f5cd744b361963c4e1025ed3d6d557f1cad672818a909cc8a5036cf14ccf4f5bdd1284db24156ad58e7

Download Submit
memory/2692-0-0x00007FFA29163000-0x00007FFA29165000-memory.dmp

Filesize
8KB

Download
memory/2692-6-0x000001CE9C710000-0x000001CE9C732000-memory.dmp

Filesize
136KB

Download
memory/2692-11-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

Filesize
10.8MB

Download
memory/2692-12-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

Filesize
10.8MB

Download
memory/2692-13-0x00007FFA29163000-0x00007FFA29165000-memory.dmp

Filesize
8KB

Download
memory/2692-14-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

Filesize
10.8MB

Download
memory/2692-105-0x00007FFA29160000-0x00007FFA29C21000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads