ceecefcf9cdd5c58e5b934ae568c241986f85df3ba4648dc925fc93b2243cbf8

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
23-05-2024 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

plpscripts_freeV2/auto_setup_install.bat
Size

2KB
MD5

bdba7ddafbddca1a9bd0ed4646819426
SHA1

9a69db7ab775800ce12e7c05e0193046b6d9ee04
SHA256

160184eb890d9d25418bba37efb2fabedb93b333de9a1fd291e233e750344a15
SHA512

7d46bc1c8723a43fe0b9a8bce21be3abad96b6bba9558bc564b9e6adfc8eebd5c94bae8839f1d4d46654a15a46398ada29aad33d18fc49efe8468d8841c69898

Score

10^/10

execution

Malware Config

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe

Extracted

Language

ps1

Deobfuscated

URLs

exe.dropper

https://developer.download.nvidia.com/compute/cuda/12.2.0/network_installers/cuda_12.2.0_windows_network.exe

Signatures

Blocklisted process makes network request 4 IoCs

Processes:

powershell.exepowershell.exe

flow pid process

3 2864 powershell.exe
4 2864 powershell.exe
6 2252 powershell.exe
7 2252 powershell.exe
Command and Scripting Interpreter: PowerShell 1 TTPs 2 IoCs
Using powershell.exe command.
execution

PowerShell
T1059.001

Processes:

powershell.exepowershell.exe

pid process

2864 powershell.exe
2252 powershell.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Delays execution with timeout.exe 2 IoCs
evasion

Processes:

timeout.exetimeout.exe

pid process

2712 timeout.exe
1976 timeout.exe
Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery
T1057

Processes:

tasklist.exetasklist.exe

pid process

2660 tasklist.exe
2616 tasklist.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

powershell.exepowershell.exe

pid process

2864 powershell.exe
2252 powershell.exe

flow	pid	process
3	2864	powershell.exe
4	2864	powershell.exe
6	2252	powershell.exe
7	2252	powershell.exe

pid	process
2864	powershell.exe
2252	powershell.exe

pid	process
2712	timeout.exe
1976	timeout.exe

pid	process
2660	tasklist.exe
2616	tasklist.exe

pid	process
2864	powershell.exe
2252	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

powershell.exetasklist.exepowershell.exetasklist.exe

description	pid	process
Token: SeDebugPrivilege	2864	powershell.exe
Token: SeDebugPrivilege	2660	tasklist.exe
Token: SeDebugPrivilege	2252	powershell.exe
Token: SeDebugPrivilege	2616	tasklist.exe

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

cmd.exe

description	pid	process	target process
PID 492 wrote to memory of 1532	492	cmd.exe	cacls.exe
PID 492 wrote to memory of 1532	492	cmd.exe	cacls.exe
PID 492 wrote to memory of 1532	492	cmd.exe	cacls.exe
PID 492 wrote to memory of 2864	492	cmd.exe	powershell.exe
PID 492 wrote to memory of 2864	492	cmd.exe	powershell.exe
PID 492 wrote to memory of 2864	492	cmd.exe	powershell.exe
PID 492 wrote to memory of 2712	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 2712	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 2712	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 2660	492	cmd.exe	tasklist.exe
PID 492 wrote to memory of 2660	492	cmd.exe	tasklist.exe
PID 492 wrote to memory of 2660	492	cmd.exe	tasklist.exe
PID 492 wrote to memory of 3048	492	cmd.exe	find.exe
PID 492 wrote to memory of 3048	492	cmd.exe	find.exe
PID 492 wrote to memory of 3048	492	cmd.exe	find.exe
PID 492 wrote to memory of 2252	492	cmd.exe	powershell.exe
PID 492 wrote to memory of 2252	492	cmd.exe	powershell.exe
PID 492 wrote to memory of 2252	492	cmd.exe	powershell.exe
PID 492 wrote to memory of 1976	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 1976	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 1976	492	cmd.exe	timeout.exe
PID 492 wrote to memory of 2616	492	cmd.exe	tasklist.exe
PID 492 wrote to memory of 2616	492	cmd.exe	tasklist.exe
PID 492 wrote to memory of 2616	492	cmd.exe	tasklist.exe
PID 492 wrote to memory of 2560	492	cmd.exe	find.exe
PID 492 wrote to memory of 2560	492	cmd.exe	find.exe
PID 492 wrote to memory of 2560	492	cmd.exe	find.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\auto_setup_install.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\system32\cacls.exe
"C:\Windows\system32\cacls.exe" "C:\Windows\system32\config\system"
2⤵
PID:1532

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://www.python.org/ftp/python/3.10.5/python-3.10.5-amd64.exe', 'C:\Users\Admin\AppData\Local\Temp\python_installer.exe')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2864

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
2⤵
- Delays execution with timeout.exe
PID:2712

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2660

C:\Windows\system32\find.exe
find /i "python_installer.exe"
2⤵
PID:3048

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell -command "(New-Object System.Net.WebClient).DownloadFile('https://developer.download.nvidia.com/compute/cuda/12.2.0/network_installers/cuda_12.2.0_windows_network.exe', 'C:\Users\Admin\AppData\Local\Temp\cuda_installer.exe')"
2⤵
- Blocklisted process makes network request
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2252

C:\Windows\system32\timeout.exe
timeout /t 2 /nobreak
2⤵
- Delays execution with timeout.exe
PID:1976

C:\Windows\system32\tasklist.exe
tasklist
2⤵
- Enumerates processes with tasklist
- Suspicious use of AdjustPrivilegeToken
PID:2616

C:\Windows\system32\find.exe
find /i "cuda_installer.exe"
2⤵
PID:2560

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Process Discovery

T1057

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
2a80112518f6c421a468fb5be1319e2d

SHA1
fffd13afe20153d5e77238cdcd8791901554a35a

SHA256
46387241a6fafc24bab0309c5ce2a056adc8e1cd6675aa13a72632f7b7ba6cfe

SHA512
68e06da5b1a7d8098d68bcf23b29e9bada09a94b14d83a73230fad5d58fcebcb2f18bee89509f0d0b98e977d4f29a9715ff5e2187748b785597fa90f7f153093

Download Submit
memory/2252-16-0x000000001B540000-0x000000001B822000-memory.dmp

Filesize
2.9MB

Download
memory/2252-17-0x0000000002240000-0x0000000002248000-memory.dmp

Filesize
32KB

Download
memory/2864-4-0x000007FEF53EE000-0x000007FEF53EF000-memory.dmp

Filesize
4KB

Download
memory/2864-5-0x000000001B650000-0x000000001B932000-memory.dmp

Filesize
2.9MB

Download
memory/2864-6-0x0000000001F40000-0x0000000001F48000-memory.dmp

Filesize
32KB

Download
memory/2864-7-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-8-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-9-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download
memory/2864-10-0x000007FEF5130000-0x000007FEF5ACD000-memory.dmp

Filesize
9.6MB

Download