ceecefcf9cdd5c58e5b934ae568c241986f85df3ba4648dc925fc93b2243cbf8

Analysis

max time kernel
46s
max time network
17s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:28

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plpscripts_freeV2/auto_setup_install.bat
Size

2KB
MD5

bdba7ddafbddca1a9bd0ed4646819426
SHA1

9a69db7ab775800ce12e7c05e0193046b6d9ee04
SHA256

160184eb890d9d25418bba37efb2fabedb93b333de9a1fd291e233e750344a15
SHA512

7d46bc1c8723a43fe0b9a8bce21be3abad96b6bba9558bc564b9e6adfc8eebd5c94bae8839f1d4d46654a15a46398ada29aad33d18fc49efe8468d8841c69898

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://developer.download.nvidia.com/compute/cuda/12.2.0/network_installers/cuda_12.2.0_windows_network.exe

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

5 2512 powershell.exe
6 2512 powershell.exe
9 2532 powershell.exe
10 2532 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2512 powershell.exe
2532 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2552 timeout.exe
3028 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2136 tasklist.exe
2828 tasklist.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2512 powershell.exe
2532 powershell.exe

flow	pid	process
5	2512	powershell.exe
6	2512	powershell.exe
9	2532	powershell.exe
10	2532	powershell.exe

pid	process
2512	powershell.exe
2532	powershell.exe

pid	process
2552	timeout.exe
3028	timeout.exe

pid	process
2136	tasklist.exe
2828	tasklist.exe

pid	process
2512	powershell.exe
2532	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exetasklist.exepowershell.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2512	powershell.exe
Token: SeDebugPrivilege	2136	tasklist.exe
Token: SeDebugPrivilege	2532	powershell.exe
Token: SeDebugPrivilege	2828	tasklist.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 2848 wrote to memory of 2820	2848	cmd.exe	cacls.exe
PID 2848 wrote to memory of 2820	2848	cmd.exe	cacls.exe
PID 2848 wrote to memory of 2820	2848	cmd.exe	cacls.exe
PID 2848 wrote to memory of 2512	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2512	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2512	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2552	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 2552	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 2552	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 2136	2848	cmd.exe	tasklist.exe
PID 2848 wrote to memory of 2136	2848	cmd.exe	tasklist.exe
PID 2848 wrote to memory of 2136	2848	cmd.exe	tasklist.exe
PID 2848 wrote to memory of 2924	2848	cmd.exe	find.exe
PID 2848 wrote to memory of 2924	2848	cmd.exe	find.exe
PID 2848 wrote to memory of 2924	2848	cmd.exe	find.exe
PID 2848 wrote to memory of 2532	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2532	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 2532	2848	cmd.exe	powershell.exe
PID 2848 wrote to memory of 3028	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 3028	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 3028	2848	cmd.exe	timeout.exe
PID 2848 wrote to memory of 2828	2848	cmd.exe	tasklist.exe
PID 2848 wrote to memory of 2828	2848	cmd.exe	tasklist.exe
PID 2848 wrote to memory of 2828	2848	cmd.exe	tasklist.exe
PID 2848 wrote to memory of 1768	2848	cmd.exe	find.exe
PID 2848 wrote to memory of 1768	2848	cmd.exe	find.exe
PID 2848 wrote to memory of 1768	2848	cmd.exe	find.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\auto_setup_install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2848

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:2820

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe', 'C:\Users\Admin\AppData\Local\Temp\python_installer.exe')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
2⤵
- Delays execution with timeout.exe
PID:2552

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2136

C:\Windows\system32\find.exe
find /i "python_installer.exe"
2⤵
PID:2924

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://developer.download.nvidia.com/compute/cuda/12.2.0/network_installers/cuda_12.2.0_windows_network.exe', 'C:\Users\Admin\AppData\Local\Temp\cuda_installer.exe')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
2⤵
- Delays execution with timeout.exe
PID:3028

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2828

C:\Windows\system32\find.exe
find /i "cuda_installer.exe"
2⤵
PID:1768

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Process Discovery

T1057

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms

Filesize
7KB

MD5
4c785891f1a7e4261f1920b4e6ae2cb6

SHA1
6fec0e82db0ced15d3d5e76f11e7d317c641b96c

SHA256
a77398be4f08113ba0380047e97b40b87e06014604e0702fc7ac7269c46831e0

SHA512
e409079966b6454a9584645b66c044d23790f990a0e889bc8244f568c7f638ee7a9baeb49ae4a3f59555129edd50489bfc31d92db8e99be6cc443a37b1b4b0ae

Download Submit
memory/2512-4-0x000007FEF5C5E000-0x000007FEF5C5F000-memory.dmp

Filesize
4KB

Download
memory/2512-5-0x000000001B630000-0x000000001B912000-memory.dmp

Filesize
2.9MB

Download
memory/2512-6-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2512-7-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-8-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/2512-9-0x000007FEF59A0000-0x000007FEF633D000-memory.dmp

Filesize
9.6MB

Download
memory/2532-15-0x000000001B530000-0x000000001B812000-memory.dmp

Filesize
2.9MB

Download
memory/2532-16-0x00000000027B0000-0x00000000027B8000-memory.dmp

Filesize
32KB

Download