| File name: | setup.bat |
| Full analysis: | https://app.any.run/tasks/97995ac1-75c5-4613-92f0-99eeaf742d08 |
| Verdict: | Malicious activity |
| Threats: | A loader is malicious software that infiltrates devices to deliver malicious payloads. This malware is capable of infecting victims’ computers, analyzing their system information, and installing other types of threats, such as trojans or stealers. Criminals usually deliver loaders through phishing emails and links by relying on social engineering to trick users into downloading and running their executables. Loaders employ advanced evasion and persistence tactics to avoid detection. |
| Analysis date: | March 05, 2025, 07:35:15 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Tags: | |
| Indicators: | |
| MIME: | text/x-msdos-batch |
| File info: | DOS batch file, ASCII text, with CRLF line terminators |
| MD5: | 9AF92FBD14F72271CB922C60D405C205 |
| SHA1: | 1805018470A85781FFE10B6A6ABEF44C70F0975E |
| SHA256: | 89CB50E165F636C2A6320711E4379B3697463B585E30BA7AE7AEEC6C49CFDC5A |
| SSDEEP: | 48:Lw1pRhoI8BndM3Ybld9cs6bKGVKgWZ+5oIJ4cKFclXEwdCHeHjEFw47+uGgjOhXE:OeI8h63YbDuXKjH0KW5EwdC+yw47HGgP |
MALICIOUS
Changes the autorun value in the registry
- python-installer.exe (PID: 7376)
SUSPICIOUS
Executing commands from a ".bat" file
- wscript.exe (PID: 7668)
Starts CMD.EXE for commands execution
- wscript.exe (PID: 7668)
The process executes VB scripts
- cmd.exe (PID: 7560)
Uses ICACLS.EXE to modify access control lists
- cmd.exe (PID: 7560)
- cmd.exe (PID: 7880)
Runs shell command (SCRIPT)
- wscript.exe (PID: 7668)
Starts POWERSHELL.EXE for commands execution
- cmd.exe (PID: 7880)
Downloads file from URI via Powershell
- powershell.exe (PID: 8012)
Searches for installed software
- python-installer.exe (PID: 7376)
- dllhost.exe (PID: 1672)
Executable content was dropped or overwritten
- python-installer.exe (PID: 7152)
- python-installer.exe (PID: 7376)
- python-3.11.4-amd64.exe (PID: 6456)
Reads security settings of Internet Explorer
- python-installer.exe (PID: 7376)
Creates a software uninstall entry
- python-installer.exe (PID: 7376)
Starts itself from another location
- python-installer.exe (PID: 7376)
Executes as Windows Service
- VSSVC.exe (PID: 516)
The process drops C-runtime libraries
- python-installer.exe (PID: 7376)
- python-3.11.4-amd64.exe (PID: 6456)
- msiexec.exe (PID: 7728)
Process drops legitimate windows executable
- python-installer.exe (PID: 7376)
- python-3.11.4-amd64.exe (PID: 6456)
- msiexec.exe (PID: 7728)
Reads the Windows owner or organization settings
- msiexec.exe (PID: 7728)
There is functionality for taking screenshot (YARA)
- python-installer.exe (PID: 7376)
Process drops python dynamic module
- msiexec.exe (PID: 7728)
INFO
Disables trace logs
- powershell.exe (PID: 8012)
Checks proxy server information
- powershell.exe (PID: 8012)
The sample compiled with english language support
- python-installer.exe (PID: 7152)
- python-installer.exe (PID: 7376)
- python-3.11.4-amd64.exe (PID: 6456)
- msiexec.exe (PID: 7728)
Checks supported languages
- python-installer.exe (PID: 7376)
- python-installer.exe (PID: 7152)
- python-3.11.4-amd64.exe (PID: 6456)
- msiexec.exe (PID: 7728)
Reads the computer name
- python-installer.exe (PID: 7376)
- python-3.11.4-amd64.exe (PID: 6456)
- msiexec.exe (PID: 7728)
Create files in a temporary directory
- python-installer.exe (PID: 7376)
Manages system restore points
- SrTasks.exe (PID: 7576)
Mutex for Python MSI log
- python-3.11.4-amd64.exe (PID: 6456)
- msiexec.exe (PID: 7728)
Process checks computer location settings
- python-installer.exe (PID: 7376)
Reads the software policy settings
- msiexec.exe (PID: 7728)
- slui.exe (PID: 2904)
Reads the machine GUID from the registry
- msiexec.exe (PID: 7728)
- python-3.11.4-amd64.exe (PID: 6456)
Executable content was dropped or overwritten
- msiexec.exe (PID: 7728)
Creates a software uninstall entry
- msiexec.exe (PID: 7728)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
Total processes
150
Monitored processes
18
Malicious processes
6
Suspicious processes
2
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 516 | C:\WINDOWS\system32\vssvc.exe | C:\Windows\System32\VSSVC.exe | — | services.exe | |||||||||||
User: SYSTEM Company: Microsoft Corporation Integrity Level: SYSTEM Description: Microsoft® Volume Shadow Copy Service Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 1672 | C:\WINDOWS\system32\DllHost.exe /Processid:{F32D97DF-E3E5-4CB9-9E3E-0EB5B4E49801} | C:\Windows\System32\dllhost.exe | — | svchost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: COM Surrogate Exit code: 0 Version: 10.0.19041.3636 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 2904 | C:\WINDOWS\System32\slui.exe -Embedding | C:\Windows\System32\slui.exe | svchost.exe | ||||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Activation Client Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 6456 | "C:\WINDOWS\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\.be\python-3.11.4-amd64.exe" -q -burn.elevated BurnPipe.{E1A81A29-9E83-430B-A7E0-51A276FFE3D6} {5C9B2703-96E2-4582-AE1E-9877CCD647AF} 7376 | C:\Windows\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\.be\python-3.11.4-amd64.exe | python-installer.exe | ||||||||||||
User: admin Company: Python Software Foundation Integrity Level: HIGH Description: Python 3.11.4 (64-bit) Version: 3.11.4150.0 Modules
| |||||||||||||||
| 7152 | python-installer.exe /quiet InstallAllUsers=1 PrependPath=1 | C:\Users\admin\Desktop\python-installer.exe | cmd.exe | ||||||||||||
User: admin Company: Python Software Foundation Integrity Level: HIGH Description: Python 3.11.4 (64-bit) Version: 3.11.4150.0 Modules
| |||||||||||||||
| 7376 | "C:\WINDOWS\Temp\{DC397CF1-E625-4E21-A4C6-1D0BB8EA5C37}\.cr\python-installer.exe" -burn.clean.room="C:\Users\admin\Desktop\python-installer.exe" -burn.filehandle.attached=540 -burn.filehandle.self=536 /quiet InstallAllUsers=1 PrependPath=1 | C:\Windows\Temp\{DC397CF1-E625-4E21-A4C6-1D0BB8EA5C37}\.cr\python-installer.exe | python-installer.exe | ||||||||||||
User: admin Company: Python Software Foundation Integrity Level: HIGH Description: Python 3.11.4 (64-bit) Version: 3.11.4150.0 Modules
| |||||||||||||||
| 7560 | C:\WINDOWS\system32\cmd.exe /c ""C:\Users\admin\Desktop\setup.bat" " | C:\Windows\System32\cmd.exe | — | explorer.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Windows Command Processor Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7568 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | cmd.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: MEDIUM Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7572 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | SrTasks.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Console Window Host Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
| 7576 | C:\WINDOWS\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:11 | C:\Windows\System32\SrTasks.exe | — | dllhost.exe | |||||||||||
User: admin Company: Microsoft Corporation Integrity Level: HIGH Description: Microsoft® Windows System Protection background tasks. Exit code: 0 Version: 10.0.19041.1 (WinBuild.160101.0800) Modules
| |||||||||||||||
Total events
25 832
Read events
22 612
Write events
3 165
Delete events
55
Modification events
| (PID) Process: | (7560) cmd.exe | Key: | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\FileExts\.vbs\OpenWithProgids |
| Operation: | write | Name: | VBSFile |
Value: | |||
| (PID) Process: | (7668) wscript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.FriendlyAppName |
Value: Windows Command Processor | |||
| (PID) Process: | (7668) wscript.exe | Key: | HKEY_CLASSES_ROOT\Local Settings\Software\Microsoft\Windows\Shell\MuiCache |
| Operation: | write | Name: | C:\WINDOWS\System32\cmd.exe.ApplicationCompany |
Value: Microsoft Corporation | |||
| (PID) Process: | (6456) python-3.11.4-amd64.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SystemRestore |
| Operation: | write | Name: | SrCreateRp (Enter) |
Value: 4000000000000000CAE02046A18DDB013819000048110000D5070000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1672) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Enter) |
Value: 48000000000000007C452346A18DDB018806000060160000D20700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1672) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Leave) |
Value: 4800000000000000B57A5C46A18DDB018806000060160000D10700000100000000000000010000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1672) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppGetSnapshots (Leave) |
Value: 4800000000000000D8295A46A18DDB018806000060160000D20700000100000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1672) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppEnumGroups (Enter) |
Value: 4800000000000000D8295A46A18DDB018806000060160000D10700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1672) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\VSS\Diag\SPP |
| Operation: | write | Name: | SppCreate (Enter) |
Value: 4800000000000000FD436146A18DDB018806000060160000D00700000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | |||
| (PID) Process: | (1672) dllhost.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SPP |
| Operation: | write | Name: | LastIndex |
Value: 11 | |||
Executable files
77
Suspicious files
123
Text files
1 452
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 1672 | dllhost.exe | C:\System Volume Information\SPP\metadata-2 | — | |
MD5:— | SHA256:— | |||
| 7376 | python-installer.exe | C:\Windows\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\lib_AllUsers | — | |
MD5:— | SHA256:— | |||
| 7376 | python-installer.exe | C:\Windows\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\doc_AllUsers | — | |
MD5:— | SHA256:— | |||
| 7376 | python-installer.exe | C:\Windows\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\.ba\PythonBA.dll | executable | |
MD5:6382CA6E9024097C5B662B0147C67E7C | SHA256:CBAC589B8142D3C1DF2353471E928B2823F59B66E06E521619052DBE6385055C | |||
| 7376 | python-installer.exe | C:\Windows\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\.ba\Default.thm | xml | |
MD5:4A006BB0FD949404E628D26F833C994B | SHA256:BE2BAED45BCFB013E914E9D5BF6BC7C77A311F6F1723AFBB7EB1FAA7DA497E1B | |||
| 7376 | python-installer.exe | C:\Windows\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\.be\python-3.11.4-amd64.exe | executable | |
MD5:73084CDC98F16F144AEAA7CE8966A76A | SHA256:6846E876B507121739C7325D83C6CEF655748113F0EF1CB61759552DD76C9DB4 | |||
| 7376 | python-installer.exe | C:\Windows\Temp\{BE4DD50B-C22D-45C8-BB44-E4C783F79AA0}\.ba\SideBar.png | image | |
MD5:888EB713A0095756252058C9727E088A | SHA256:79434BD1368F47F08ACF6DB66638531D386BF15166D78D9BFEA4DA164C079067 | |||
| 1672 | dllhost.exe | C:\System Volume Information\SPP\snapshot-2 | binary | |
MD5:4CCF5B47A3B28DD3303242576322B28D | SHA256:D1F4D19F077797943FFDF96A02C353DDF6410216995F37341FAEA64F23149FB3 | |||
| 7376 | python-installer.exe | C:\Users\admin\AppData\Local\Package Cache\{3d45edf4-44bb-483f-9e08-43c38c81e118}\python-3.11.4-amd64.exe | executable | |
MD5:73084CDC98F16F144AEAA7CE8966A76A | SHA256:6846E876B507121739C7325D83C6CEF655748113F0EF1CB61759552DD76C9DB4 | |||
| 1672 | dllhost.exe | C:\System Volume Information\SPP\OnlineMetadataCache\{335c8ff2-041b-497b-a7eb-ad075badd264}_OnDiskSnapshotProp | binary | |
MD5:4CCF5B47A3B28DD3303242576322B28D | SHA256:D1F4D19F077797943FFDF96A02C353DDF6410216995F37341FAEA64F23149FB3 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
6
TCP/UDP connections
22
DNS requests
5
Threats
4
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
7728 | msiexec.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBSRXerF0eFeSWRripTgTkcJWMm7iQQUaDfg67Y7%2BF8Rhvv%2BYXsIiGX0TkICEAcfFBuLMA0l8xTrIwzQ0d0%3D | unknown | — | — | whitelisted |
7728 | msiexec.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBT3xL4LQLXDRDM9P665TW442vrsUQQUReuir%2FSSy4IxLVGLp6chnfNtyA8CEA6bGI750C3n79tQ4ghAGFo%3D | unknown | — | — | whitelisted |
7728 | msiexec.exe | GET | 200 | 184.30.131.245:80 | http://ocsp.digicert.com/MFEwTzBNMEswSTAJBgUrDgMCGgUABBTfIs%2BLjDtGwQ09XEB1Yeq%2BtX%2BBgQQU7NfjgtJxXWRM3y5nP%2Be6mK4cD08CEAitQLJg0pxMn17Nqb2Trtk%3D | unknown | — | — | whitelisted |
— | — | GET | 200 | 151.101.64.223:443 | https://www.python.org/ftp/python/3.11.4/python-3.11.4-amd64.exe | unknown | executable | 24.2 Mb | whitelisted |
— | — | POST | 500 | 40.91.76.224:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
— | — | POST | 500 | 20.83.72.98:443 | https://activation-v2.sls.microsoft.com/SLActivateProduct/SLActivateProduct.asmx?configextension=Retail | unknown | xml | 512 b | whitelisted |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
— | — | 20.73.194.208:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
— | — | 192.168.100.255:138 | — | — | — | whitelisted |
— | — | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
2104 | svchost.exe | 51.104.136.2:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
8012 | powershell.exe | 151.101.192.223:443 | www.python.org | FASTLY | US | whitelisted |
7336 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
7728 | msiexec.exe | 184.30.131.245:80 | ocsp.digicert.com | AKAMAI-AS | US | whitelisted |
2904 | slui.exe | 20.83.72.98:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
DNS requests
Domain | IP | Reputation |
|---|---|---|
settings-win.data.microsoft.com |
| whitelisted |
google.com |
| whitelisted |
www.python.org |
| whitelisted |
activation-v2.sls.microsoft.com |
| whitelisted |
ocsp.digicert.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | Not Suspicious Traffic | ET INFO Windows Powershell User-Agent Usage |
— | — | Misc activity | ET INFO Packed Executable Download |
— | — | Potential Corporate Privacy Violation | ET INFO PE EXE or DLL Windows file download HTTP |
— | — | Misc activity | ET INFO Request for EXE via Powershell |