c21c305b162d9468ab329b9323cbeb711d6a5da1af613e4a1ebc5eae23fb18f0

General

Target

KeyLoogerinst.ps1
Size

1KB
MD5

41f22eb766372b2df43ee0404c380a8b
SHA1

9198c7b6762cda3c4a2ec69ba9aa9d8633ee5d42
SHA256

c21c305b162d9468ab329b9323cbeb711d6a5da1af613e4a1ebc5eae23fb18f0
SHA512

6b6d155a4739b213295d3ca5cda3cd61c4f4bb4e4221dddf382fccf6ef960648d2450b9f013daf7e1daf6e4676a0cc6647489a206051a7809e829fbdfe3d2caf

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
6	4416	powershell.exe
45	4416	powershell.exe

Downloads MZ/PE file 1 IoCs

flow	pid	Process
6	4416	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation	python-installer.exe

Executes dropped EXE 3 IoCs

pid	Process
4572	python-installer.exe
1788	python-installer.exe
3820	python-3.13.1-amd64.exe

Loads dropped DLL 1 IoCs

pid	Process
1788	python-installer.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs

Web Service

T1102

flow	ioc
44	drive.google.com
45	drive.google.com

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Using powershell.exe command.

execution

PowerShell

T1059.001

pid	Process
4416	powershell.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-installer.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	python-3.13.1-amd64.exe

Checks SCSI registry key(s) 3 TTPs 5 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 0000000004000000e3c1c56297b3270b0000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff000000002701010000080000e3c1c5620000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3a000000ffffffff000000000700010000680900e3c1c562000000000000d012000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000f0ff3a0000000000000005000000ffffffff000000000700010000f87f1de3c1c562000000000000f0ff3a00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff000000000000000000000000e3c1c56200000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4416	powershell.exe
4416	powershell.exe

Suspicious use of AdjustPrivilegeToken 12 IoCs

description	pid	Process
Token: SeDebugPrivilege	4416	powershell.exe
Token: SeBackupPrivilege	4616	vssvc.exe
Token: SeRestorePrivilege	4616	vssvc.exe
Token: SeAuditPrivilege	4616	vssvc.exe
Token: SeBackupPrivilege	220	srtasks.exe
Token: SeRestorePrivilege	220	srtasks.exe
Token: SeSecurityPrivilege	220	srtasks.exe
Token: SeTakeOwnershipPrivilege	220	srtasks.exe
Token: SeBackupPrivilege	220	srtasks.exe
Token: SeRestorePrivilege	220	srtasks.exe
Token: SeSecurityPrivilege	220	srtasks.exe
Token: SeTakeOwnershipPrivilege	220	srtasks.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4416 wrote to memory of 4572	4416	powershell.exe	92
PID 4416 wrote to memory of 4572	4416	powershell.exe	92
PID 4416 wrote to memory of 4572	4416	powershell.exe	92
PID 4572 wrote to memory of 1788	4572	python-installer.exe	93
PID 4572 wrote to memory of 1788	4572	python-installer.exe	93
PID 4572 wrote to memory of 1788	4572	python-installer.exe	93
PID 1788 wrote to memory of 3820	1788	python-installer.exe	94
PID 1788 wrote to memory of 3820	1788	python-installer.exe	94
PID 1788 wrote to memory of 3820	1788	python-installer.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\KeyLoogerinst.ps1
1⤵
- Blocklisted process makes network request
- Downloads MZ/PE file
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4416
- C:\Users\Admin\AppData\Local\Temp\python-installer.exe
  "C:\Users\Admin\AppData\Local\Temp\python-installer.exe" /quiet InstallAllUsers=1 PrependPath=1
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:4572
- - C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe
    "C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=540 -burn.filehandle.self=700 /quiet InstallAllUsers=1 PrependPath=1
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1788
  - - C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.be\python-3.13.1-amd64.exe
      "C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.be\python-3.13.1-amd64.exe" -q -burn.elevated BurnPipe.{32263317-17FF-4FB5-ACDF-1D8FDEC66F66} {BF142620-457F-414D-8F4C-2C75F87EB5E6} 1788
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      PID:3820

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:4616

C:\Windows\system32\srtasks.exe
C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:220

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

3

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Web Service

1

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_afjk3wa0.yk4.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\python-installer.exe

Filesize
27.4MB

MD5
90176c0cfa29327ab08c6083dcdcc210

SHA1
cc0bcf37414be313526d63ef708fc85da3b693b1

SHA256
6b33fa9a439a86f553f9f60e538ccabc857d2f308bc77c477c04a46552ade81f

SHA512
5940aae44386f3622dee3f32e6a98073851a9f646da6bf3e04f050b9a9239e0ddf50b26e5e125154edc5bbebce7353d273950f1111e4ca5f2b4e2e4a7ac7cf92

Download Submit
C:\Windows\Temp\{89DB60B6-9E1D-4579-B835-855F9FADFC4B}\.cr\python-installer.exe

Filesize
878KB

MD5
9bc2cfce73fe043e69c909fb1546dbbf

SHA1
8ee81917775b4bd60ea0592b2203d2219dc98cfa

SHA256
ba89d23a7c937c05feba316a927773faaf7becfb2279d9edac6cc11e31205e29

SHA512
4243b3923b998b21ed386750b179bf29bda164d6154e2f5cd744b361963c4e1025ed3d6d557f1cad672818a909cc8a5036cf14ccf4f5bdd1284db24156ad58e7

Download Submit
C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.ba\PythonBA.dll

Filesize
692KB

MD5
e8cd5641cae8ae7e9f98b8a3b7096808

SHA1
dd587894cad3122c1719def17f8377bb2bbbc05e

SHA256
898474ad4074571813416e58667a3b8a233e12e656579726c178ec71f794b268

SHA512
53034732df45527389362c2cc53d3ba0390bc4c1a7700b7d61d774d1eecdfed43381311c63b38861215813a674eb3fe865821cb352606522987fb2cfed2856e1

Download Submit
C:\Windows\Temp\{EB64B658-E38C-4D8F-8F07-70AA34107E25}\.ba\SideBar.png

Filesize
50KB

MD5
888eb713a0095756252058c9727e088a

SHA1
c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4

SHA256
79434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067

SHA512
7c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0

Download Submit
memory/4416-11-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/4416-14-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/4416-15-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/4416-13-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

Filesize
8KB

Download
memory/4416-12-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download
memory/4416-0-0x00007FF92BD93000-0x00007FF92BD95000-memory.dmp

Filesize
8KB

Download
memory/4416-6-0x000002CC87500000-0x000002CC87522000-memory.dmp

Filesize
136KB

Download
memory/4416-106-0x00007FF92BD90000-0x00007FF92C851000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads