Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
105s -
max time network
131s -
platform
windows10-2004_x64 -
resource
win10v2004-20250314-en -
resource tags
-
submitted
14/03/2025, 16:01
General
-
Target
install_python.bat
-
Size
686B
-
MD5
f30718a354e7cc104ea553ce5ae2d486
-
SHA1
3876134e6b92da57a49d868013ed35b5d946f8fd
-
SHA256
94008c8135d149fecd29ca62aded487f0fbfa6af893596ffc3e4b621a0fe4966
-
SHA512
601b2256ea709a885741f1dec5c97dda6fb7fd4e485b4afac3503af1aefe73472e5bc5529c144814a3defbc0b51ac4b50e02a50dccc69b41ee5d87a3f4282874
Malware Config
Signatures
-
Blocklisted process makes network request 2 IoCs
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Powershell Invoke Web Request.
-
Downloads MZ/PE file 1 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 3 IoCs
-
Loads dropped DLL 1 IoCs
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in Windows directory 17 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies registry class 24 IoCs
-
Suspicious behavior: EnumeratesProcesses 10 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 15 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\install_python.bat"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"3⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\curl.execurl -L -o python-installer.exe https://www.python.org/ftp/python/3.10.9/python-3.10.9-amd64.exe2⤵
- Downloads MZ/PE file
-
-
C:\Users\Admin\AppData\Local\Temp\python-installer.exepython-installer.exe /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=02⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{7D17C3ED-3F3F-495D-A92A-FA63E3037216}\.cr\python-installer.exe"C:\Windows\Temp\{7D17C3ED-3F3F-495D-A92A-FA63E3037216}\.cr\python-installer.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\python-installer.exe" -burn.filehandle.attached=528 -burn.filehandle.self=552 /quiet /passive InstallAllUsers=0 PrependPath=1 Include_test=0 Include_pip=1 Include_doc=03⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\Temp\{4CDDCF53-62C3-434F-9402-BD2BE3695784}\.be\python-3.10.9-amd64.exe"C:\Windows\Temp\{4CDDCF53-62C3-434F-9402-BD2BE3695784}\.be\python-3.10.9-amd64.exe" -q -burn.elevated BurnPipe.{46DAA184-D4E7-4337-8CB1-F50825934B19} {B683CE2F-23E9-4B3E-AE50-58B4AB9E3E30} 19044⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1904 -s 17684⤵
- Program crash
-
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\msiexec.exeC:\Windows\system32\msiexec.exe /V1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 356 -p 1904 -ip 19041⤵
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
8KB
MD5eb0f4c9b96266f14c6ec17cd291128ec
SHA1fde787e343c12840adf276de4a070448b1bb0991
SHA256dfc39a2dad324d2c51b643dec61a3bcac9a0ebd7efae32d782f43fed3e55dd5e
SHA512469d58cbfee1a421104a0a8c018e0ea9eb06fd8a9f989ff4d7d1d0f2312b4e5c8d0c5609a7027202356ce2311ac52835f7a50322cf649ebe7eece8ce4c2d3539
-
Filesize
12KB
MD5c4ef9525fabe70bfa66a9a76dda607a4
SHA1d80f798da8224b316529ac69d592c4d8fcafc9c0
SHA256f23e9cc62b4165a2f2ca208f72b00ad15357f1af028942b15003647748b058f2
SHA5129f08378572fa5fd59e91cfec8ee9fa699a1f4236b11093f00c7ed5599e5777681e3c65d24c5ed04d5cdf12799bf39cfb49f86d46fab6358ba75e76fed8cc1d57
-
Filesize
8.0MB
MD50894766b66bc93a0494a5a7073042a42
SHA1ecda108f9f845c245d3e660fe075737ce7b1fb3c
SHA25682863adf2f36198611da2238991d9c8032c6cf59c3d2dd125658358b6672f3ce
SHA5123d1c9476e075eb2707e48cb957a0c428a467a3e6d84a31872bf6d88b8767006446ac2fa8c65194465301be9b25376343cd84db9ac729ad1b46c7727851dce5b1
-
Filesize
3.4MB
MD578e6e0e8b315a0d7448bf5cb6de7dc09
SHA16a73d7443c4d220736a2700e71e14b8e0e9a3518
SHA256eaf03e94a9f3421a69b9fd8a1f0723ebc4e59884f6c5b93f330d7fbc98d8940f
SHA5129666c116423a2574d20cab637d6501d283292d87518836d449d1752929ba60296e10b1335f277e4e2108cb06ea564be70022c1828d1f2e207e1b59326b3e6516
-
Filesize
1.6MB
MD5c531b4b6d0c44f4f718302f94bdc0de5
SHA1f8a6d02012fad3b1f8cfaacca4eb6e068383bcee
SHA256107453ad1bb2d97c4947ba12d91738e7e7aa43470f9a8f954383fa6eb483b707
SHA5124b85223166679385b0bc788caa2a70052ee39e5ce8a775195e7a8803c9ba9f350a3a4f78d340b3f041e330396e587714d88a6d855e14c925bb73f9be0923beae
-
Filesize
300KB
MD581ee9f87cc68e3b0a376a51a0c8d5ea0
SHA187e6aa14efad2ca0e175b3d1a4b5b86c91c769cf
SHA256068163c992a1e372c8e23d69f8ad13e2a9e01be2649c9845d450aad5a7a6eff9
SHA512d5aa43bdd4ab2edf39750b8714351a2bca3c59766d7e8c57454062f49d5026f376ca40b531ca07ece23f609a7fa02a99b208a8680d20bc1bdbb92c521c825053
-
Filesize
608KB
MD5742a4d07c915d5883454e8e87ce61566
SHA16425542f956cf785ac0db084afe6d2ddcbbe2dbd
SHA2567a6715deb76123241816c77c6cc5dc4e6a881bb8de846c454f0d5cd833305cb2
SHA5126a5929985dfa1cc3580ca1bd94a94887b092693d976026fc866a9d99558b886b8454398c420d635dccf65f42639f37c3539196da2560482eb04857a4c393602c
-
Filesize
1KB
MD55cd5ba459ffff6d4c10318facb26114f
SHA18a3c3bdee598122972ec9e22bcd33fc11a879f52
SHA256561fa973dc83c86af2dc35e3d112f8546e7a5bf2ba005235b57a010042829a24
SHA512aa4cd6c782f690b1a6afeb58a87a540a748d97911dba2653796030f52320e6f79e3c96fd7158e6bade0e2dff599ab8bb04ceacc87011a53cbdb3119393de4a7d
-
Filesize
1KB
MD5e70bf021182e27ae4b4b15b6e91cb2bb
SHA1348df80d4dd672cb8603bc3e97c7953a4cbed3c0
SHA25657f29334c231ff308d12866f11e097fc97869bd32510051df53946e7925b3689
SHA51215558690d6e8a538a676c3df93c03ae967f286515a11264d9e0b9bfcd06a626f28c078f32a4855cfa7d19fed093db205a9ed7367816f2799f87e1114fa5b87d6
-
Filesize
1KB
MD5aab5e1c99996ac1cfb06c631cb2660bc
SHA1ec22fb31dc06d31566991c66c4b193271d0a6ae4
SHA2565efca32111aca669bb4ae772b055d456576150e51e65df81f625dc879b448d86
SHA512befc7f2d3af069d3985863a2929660fed93ac6fbafc855c294ba037e427f853a25757908d172a32868bc77841995adbb4afb770be154d8ce822a252df1293bb9
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize
27.6MB
MD5dce578fe177892488cadb6c34aea58ee
SHA1e562807ddd0bc8366d936ce72684ce2b6630e297
SHA256b8c707fb7a3a80f49af5a51c94f428525a3ad4331c7b9e3b2e321caf5cb56d7d
SHA5128858aa7e82ca8cf559eeb25c14d86d24637a86e64c8db7465c99d05558ce3c67cea18d68abdfbe3df08cdbedfca5f819aa7fd8e57beae2054a7f7a8a64c04b41
-
Filesize
650KB
MD564d1e3b44bfce17b6a43e9ca200bfaa2
SHA12617a95208a578c63653b76506b27e36a1ee6bba
SHA256c016025b6e3c1335eef8f544cb88a948d7c785fd5247b994c8ec91a4fce5f899
SHA512002fcb10e7aec037eee5acdbdc20719f10147917330f769943e4342d99a9596df5f09c039be5a8daa871062bf4c7263ae4d6582f971ced570c85abcbea87cc77
-
Filesize
50KB
MD5888eb713a0095756252058c9727e088a
SHA1c14f69f2bef6bc3e2162b4dd78e9df702d94cdb4
SHA25679434bd1368f47f08acf6db66638531d386bf15166d78d9bfea4da164c079067
SHA5127c59f4ada242b19c2299b6789a65a1f34565fed78730c22c904db16a9872fe6a07035c6d46a64ee94501fbcd96de586a8a5303ca22f33da357d455c014820ca0
-
Filesize
516KB
MD5a6d0b9692be2bb42031d8dd3293c6fed
SHA13de1ce4eb9df47d40639ec24d740dae74f58ba1d
SHA256d557952fdea4a50bd4901cf6152e17e46168fedb663080aaf438da80926921b7
SHA512df4e7b9a0fcff4f6b29e1184ffc18a8eebd010dd500402f8d5d6e61a8d011ef2ae82bcac86355142b4f292105f878938e6f3673d108925611650561aa08ccfb4
-
Filesize
849KB
MD5d988448411dc7548332378f7f61508a4
SHA134989539914256ea9f6d691236039d806be6f7ca
SHA256ae5f3d9aaf871d4cf62b3106a7babb66a5c52fdf5ea9b93467c45bd047319c66
SHA512eb631c340bebb6ce3a6100383fe5e5bd8d2b700ca2c9cd07c1bff4decb8b72a9223596786ef0e8040097135765d7af479f3bfa10957abba32143fc9c9b51ce97
-
Filesize
8KB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
10.8MB
-
Filesize
136KB
