Overview
overview
10Static
static
3plpscripts...ll.bat
windows7-x64
10plpscripts...ll.bat
windows10-2004-x64
10plpscripts...bot.py
windows7-x64
3plpscripts...bot.py
windows10-2004-x64
3plpscripts...ain.py
windows7-x64
3plpscripts...ain.py
windows10-2004-x64
3plpscripts...ev2.py
windows7-x64
3plpscripts...ev2.py
windows10-2004-x64
3plpscripts...t__.py
windows7-x64
3plpscripts...t__.py
windows10-2004-x64
3plpscripts...me.dll
windows7-x64
1plpscripts...me.dll
windows10-2004-x64
1plpscripts...rt.bat
windows7-x64
1plpscripts...rt.bat
windows10-2004-x64
1Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
23-05-2024 01:32
Static task
static1
Behavioral task
behavioral1
Sample
plpscripts_freeV2/auto_setup_install.bat
Resource
win7-20240508-en
Behavioral task
behavioral2
Sample
plpscripts_freeV2/auto_setup_install.bat
Resource
win10v2004-20240426-en
Behavioral task
behavioral3
Sample
plpscripts_freeV2/plpscripts free ai aimbot/aimbot.py
Resource
win7-20240221-en
Behavioral task
behavioral4
Sample
plpscripts_freeV2/plpscripts free ai aimbot/aimbot.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral5
Sample
plpscripts_freeV2/plpscripts free ai aimbot/main.py
Resource
win7-20240221-en
Behavioral task
behavioral6
Sample
plpscripts_freeV2/plpscripts free ai aimbot/main.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral7
Sample
plpscripts_freeV2/plpscripts free ai aimbot/plpscripts_freev2.py
Resource
win7-20240419-en
Behavioral task
behavioral8
Sample
plpscripts_freeV2/plpscripts free ai aimbot/plpscripts_freev2.py
Resource
win10v2004-20240508-en
Behavioral task
behavioral9
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/__init__.py
Resource
win7-20240508-en
Behavioral task
behavioral10
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/__init__.py
Resource
win10v2004-20240426-en
Behavioral task
behavioral11
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/pyarmor_runtime.dll
Resource
win7-20240221-en
Behavioral task
behavioral12
Sample
plpscripts_freeV2/plpscripts free ai aimbot/pyarmor_runtime_000000/pyarmor_runtime.dll
Resource
win10v2004-20240426-en
Behavioral task
behavioral13
Sample
plpscripts_freeV2/plpscripts free ai aimbot/start.bat
Resource
win7-20240221-en
Behavioral task
behavioral14
Sample
plpscripts_freeV2/plpscripts free ai aimbot/start.bat
Resource
win10v2004-20240426-en
General
-
Target
plpscripts_freeV2/plpscripts free ai aimbot/main.py
-
Size
11KB
-
MD5
278b94da858a87ef65c1ddb484393078
-
SHA1
71ce6717e419421f16fda9172de23b1c52fd6292
-
SHA256
3424487c41c79ecd49110347c89460116d4fefd1725d84390dada977341a6bf3
-
SHA512
c1acace3f5911c641b1b9b87813c7fa9008fc1444218403ff36278818c86b9f36e8b41c03a20964f0c6577ef00b27134df83426227c94761b28508f8e197fc82
-
SSDEEP
192:G3cikohsCfRiF0OGaVOIJADz1ryh2A98DOD+qPwK4o7uSiWxtYTo1i:GMizsCGCalEvA9eOy8TcWyki
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 9 IoCs
Processes:
rundll32.exedescription ioc process Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\ rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_Classes\Local Settings rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py\ = "py_auto_file" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\py_auto_file\shell\Read\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000_CLASSES\.py rundll32.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
AcroRd32.exepid process 2468 AcroRd32.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
Processes:
AcroRd32.exepid process 2468 AcroRd32.exe 2468 AcroRd32.exe -
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exerundll32.exedescription pid process target process PID 2420 wrote to memory of 2564 2420 cmd.exe rundll32.exe PID 2420 wrote to memory of 2564 2420 cmd.exe rundll32.exe PID 2420 wrote to memory of 2564 2420 cmd.exe rundll32.exe PID 2564 wrote to memory of 2468 2564 rundll32.exe AcroRd32.exe PID 2564 wrote to memory of 2468 2564 rundll32.exe AcroRd32.exe PID 2564 wrote to memory of 2468 2564 rundll32.exe AcroRd32.exe PID 2564 wrote to memory of 2468 2564 rundll32.exe AcroRd32.exe
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\plpscripts free ai aimbot\main.py"1⤵
- Suspicious use of WriteProcessMemory
PID:2420 -
C:\Windows\system32\rundll32.exe"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\plpscripts free ai aimbot\main.py2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2564 -
C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\plpscripts_freeV2\plpscripts free ai aimbot\main.py"3⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2468
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD552774946efbf8c02bd1fab6a9e77ba1f
SHA173d2a8f5406fe5b568f533af7d9722d9fbdd0c64
SHA256e8b2d17bac49bacc2e9bc83f6f4aafa84d9382c3a6f55c92b652ccd3866198dc
SHA5129f0454aeaae616c8a2def7b89d20209db937a010e935f1622c169d62fe9be13829d8d48525a7d03bc49728c58380de6d30b4e5dad14bb69243011cb2f63688e2