Overview
overview
10Static
static
3plpscripts...ll.bat
windows7-x64
10plpscripts...ll.bat
windows10-2004-x64
10plpscripts...bot.py
windows7-x64
3plpscripts...bot.py
windows10-2004-x64
3plpscripts...ain.py
windows7-x64
3plpscripts...ain.py
windows10-2004-x64
3plpscripts...ev2.py
windows7-x64
3plpscripts...ev2.py
windows10-2004-x64
3plpscripts...t__.py
windows7-x64
3plpscripts...t__.py
windows10-2004-x64
3plpscripts...me.dll
windows7-x64
1plpscripts...me.dll
windows10-2004-x64
1plpscripts...rt.bat
windows7-x64
1plpscripts...rt.bat
windows10-2004-x64
1Analysis
-
max time kernel
139s -
max time network
162s -
platform
windows10-2004_x64 -
resource
win10v2004-20240226-en -
resource tags
arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system -
submitted
23-05-2024 01:28
Static task
static1
Behavioral task
behavioral1
Sample
plpscripts_freeV2/auto_setup_install.bat
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
plpscripts_freeV2/auto_setup_install.bat
Resource
win10v2004-20240508-en
Behavioral task
behavioral3
Sample
plpscripts_freeV2/plpscripts free ai aimbot/aimbot.py
Resource
win7-20240419-en
Behavioral task
behavioral4
Sample
plpscripts_freeV2/plpscripts free ai aimbot/aimbot.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral5
Sample
plpscripts_freeV2/plpscripts free ai aimbot/main.py
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
plpscripts_freeV2/plpscripts free ai aimbot/main.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
plpscripts_freeV2/plpscripts free ai aimbot/plpscripts_freev2.py
Resource
win7-20240221-en
Behavioral task
behavioral8
Sample
plpscripts_freeV2/plpscripts free ai aimbot/plpscripts_freev2.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/__init__.py
Resource
win7-20240220-en
Behavioral task
behavioral10
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/__init__.py
Resource
win10v2004-20240226-en
Behavioral task
behavioral11
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/pyarmor_runtime.dll
Resource
win7-20240215-en
Behavioral task
behavioral12
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/pyarmor_runtime.dll
Resource
win10v2004-20240508-en
Behavioral task
behavioral13
Sample
plpscripts_freeV2/plpscripts free ai aimbot/start.bat
Resource
win7-20240508-en
Behavioral task
behavioral14
Sample
plpscripts_freeV2/plpscripts free ai aimbot/start.bat
Resource
win10v2004-20240508-en
General
-
Target
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/__init__.py
-
Size
103B
-
MD5
b531b298be665224d9033ce2cc9f8e66
-
SHA1
92f4036fe8225e2b35631b49e8fff4fd72b180b1
-
SHA256
7072222a776c768ede0d208609b9948e13b99c3c666085f924f0bf7064e449cf
-
SHA512
717dcb8ce03b46ee2d98fc3359a859593e8cf783a1904c57aea84640dabaf058b9d5060019046a056e2d9740ebbfa06556232fed4f24b38acf3e953574de69f6
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 14 IoCs
Processes:
OpenWith.execmd.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file\shell\open\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings cmd.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file\shell\edit OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file\shell OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file\shell\edit\command OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file\shell\open OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.py OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\.py\ = "py_auto_file" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\Local Settings OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\埬阐㔀踀 OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\埬阐㔀踀\ = "py_auto_file" OpenWith.exe Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file\shell\edit\command\ = "%SystemRoot%\\system32\\NOTEPAD.EXE %1" OpenWith.exe Key created \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000_Classes\py_auto_file\shell\open\command OpenWith.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
OpenWith.exepid process 1888 OpenWith.exe -
Suspicious use of SetWindowsHookEx 33 IoCs
Processes:
OpenWith.exepid process 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe 1888 OpenWith.exe -
Suspicious use of WriteProcessMemory 2 IoCs
Processes:
OpenWith.exedescription pid process target process PID 1888 wrote to memory of 5084 1888 OpenWith.exe NOTEPAD.EXE PID 1888 wrote to memory of 5084 1888 OpenWith.exe NOTEPAD.EXE
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\plpscripts free ai aimbot\pyarmor_runtime_000000\__init__.py"1⤵
- Modifies registry class
PID:4444
-
C:\Windows\system32\OpenWith.exeC:\Windows\system32\OpenWith.exe -Embedding1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1888 -
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\plpscripts free ai aimbot\pyarmor_runtime_000000\__init__.py2⤵PID:5084
-
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3792 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:81⤵PID:4236