434f9d4a2a7a5088aa393b47ad8e957a15481cd3078f10b3c0f7ec6fe5f497c2

Analysis

max time kernel
26s
max time network
30s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
31-05-2023 18:56

Target

install_python.bat
Size

687B
MD5

821f007d1c56bb3f4511bab928ce8f63
SHA1

a22b0d76f5ef0e145629dded82e195486675774a
SHA256

434f9d4a2a7a5088aa393b47ad8e957a15481cd3078f10b3c0f7ec6fe5f497c2
SHA512

f1db8db20e25d8d06828ead22e70a28411bf32faa7dd14816ef833efe548a046e9383cb51aa100d49555f2cc9c1f74bf10aef871a0e6724da5f96c690770dd4d

Score

1^/10

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1916	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1916	powershell.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1196 wrote to memory of 908	1196	cmd.exe	28
PID 1196 wrote to memory of 908	1196	cmd.exe	28
PID 1196 wrote to memory of 908	1196	cmd.exe	28
PID 908 wrote to memory of 1916	908	cmd.exe	29
PID 908 wrote to memory of 1916	908	cmd.exe	29
PID 908 wrote to memory of 1916	908	cmd.exe	29

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\install_python.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:908
- - C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    powershell -Command "Invoke-WebRequest https://www.python.org/ftp/python/ -UseBasicParsing | Select-String -Pattern '3.10.[0-9]{1,2}' -AllMatches | Select-Object -ExpandProperty Matches | Select-Object -ExpandProperty Value | Sort-Object -Descending -Unique | Select-Object -First 1"
    3⤵
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:1916

memory/1916-58-0x0000000002710000-0x0000000002790000-memory.dmp

Filesize
512KB

Download
memory/1916-59-0x000000001B160000-0x000000001B442000-memory.dmp

Filesize
2.9MB

Download
memory/1916-60-0x0000000001E60000-0x0000000001E68000-memory.dmp

Filesize
32KB

Download
memory/1916-61-0x0000000002714000-0x0000000002717000-memory.dmp

Filesize
12KB

Download
memory/1916-62-0x000000000271B000-0x0000000002752000-memory.dmp

Filesize
220KB

Download