ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5

Analysis

max time kernel
770s
max time network
1604s
platform
windows10-1703_x64
resource
win10-20240214-en
resource tags

arch:x64arch:x86image:win10-20240214-enlocale:en-usos:windows10-1703-x64system
submitted
20/02/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decode_Fakeupdate.ps1
Size

4KB
MD5

de20d86ec1a1e85bfbc5745a03a38e51
SHA1

3558b1d1c1049f8852a79162e98ad201f1ba5426
SHA256

ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5
SHA512

243ddbc84f0ca0f319f68028e39331f196c6085756a12820f78f996a47700ecf8066b681d265ecdbcead4439ec67e307e739acd2a07a759cb001b4170d501b9b
SSDEEP

96:lrlrvxj+/ZFAAIxnkIh3qa9RDyj5tsMemPYTall:l5IjMku6e1yjXsMemPYOll

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 8 IoCs

flow	pid	Process
6	1688	CScript.exe
8	1688	CScript.exe
10	1688	CScript.exe
12	1688	CScript.exe
17	1688	CScript.exe
19	3968	WScript.exe
30	8	CScript.exe
31	2252	WScript.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
3448	powershell.exe
3448	powershell.exe
3448	powershell.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeDebugPrivilege	3448	powershell.exe
Token: SeRestorePrivilege	4116	7zG.exe
Token: 35	4116	7zG.exe
Token: SeSecurityPrivilege	4116	7zG.exe
Token: SeSecurityPrivilege	4116	7zG.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4116	7zG.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decode_Fakeupdate.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3448

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:3292

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\OutputFile\" -spe -an -ai#7zMap26001:78:7zEvent25948
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4116

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:1688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:3968

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:8

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:2252

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\518DFDD116D9AD0210609502E2F95908

Filesize
317B

MD5
dd982383a2370b4ffbee127c259c9bf6

SHA1
32a17db6fff1558e9c58e0a0b4f9ae716739f60f

SHA256
e09c36d4677c9986b0766345054bd522b0b7352b5b1bf60762ef925b925d0668

SHA512
696a59808de4d380f4c89eb512472200315cc7c1d4d3e5abd7a71639f2eed273dfe8a1943556f367e1debbb3f504ce235ddf58056e3947596ba67c040c78c6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
a99377a27910f2447a1d4c78a1d55540

SHA1
2d82c4bd9ef86fae0cede0bde4d85a52304c5cb2

SHA256
cd3094c0df506297237c88653680d7a4e83e613696e78c30b99e428fde3c4b48

SHA512
406df06cbe6c28a5908bd66ab0f0d71b7e06ef8347410850f97188cfc5575c471ea388a12c5d93dbace884f8328df7ad828940b6c442e691e72d73fa8bc853a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19

Filesize
977B

MD5
50cb447f2a8f99cb126cb51392696c7f

SHA1
80c4b991dd02b94f2d96eb07da7f197d5e3196a9

SHA256
0d00728a79f840f071f85740efff9a27ec0c7d1f489511b5b7c4c861767aa059

SHA512
d99eb91f441ba2fddbb6bd0f7a19d51452a5d45fd24315ddfb1f744d2866b3d4d481e2aef38f1eff31f5434979439c4415780b7e6b0d9f15b4a56f9cb2d3d97c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\518DFDD116D9AD0210609502E2F95908

Filesize
508B

MD5
2828ce49805c8e195265d8bdd2863878

SHA1
cfc165a86ed81ff4e3d1f93f6f70309db68591d6

SHA256
bbfd648aa15a8f45a900df4673b5de72e25a54320b2e58c009a963af1a0f210d

SHA512
02229d6b6008693d5fa295d26eed19ab775343dd675d75c378e16283e8566388d4509405f73d0114e1d60c04f516b272e5bb37f277652e9cfde9e4a574648e15

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
f2702f2233fde1b9c359d98ff3103903

SHA1
ce9e17ec07e53e3f429dc82713d4871e95a35a7f

SHA256
2a87190cb6ba68d941ee7b82952f37ec867d2e7183d3dce6e6adcf48aec3335d

SHA512
ef40b2ff947e7951f52149a03934e14a0a5cc623e1b7422df238054d1185e88c9e8969e17de4b57b545d9fec529b42841829750e03d999092a88d383fb06e187

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19

Filesize
484B

MD5
0ca39f5d64b5691fa0b1febca057c599

SHA1
a60c3139dee6ca60c21ee31d843ad8cb9c0567e8

SHA256
ea8b350dcae44e2fbbfc68bc959942d662abfcb52063979a1b15a51bf678740e

SHA512
36f46ed7d239e2559243f9287171de766fe1f79925ddf3dd9d16014a43c61cb9e743a0d1ec9d69b4e62109493499e045ba6b123393e8b697fd44afe5058b6525

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_z51m30ny.0y1.ps1

Filesize
1B

MD5
c4ca4238a0b923820dcc509a6f75849b

SHA1
356a192b7913b04c54574d18c28d46e6395428ab

SHA256
6b86b273ff34fce19d6b804eff5a3f5747ada4eaa22f1d49c01e52ddb7875b4b

SHA512
4dff4ea340f0a823f15d3f4f01ab62eae0e5da579ccb851f8db9dfe84c58b2b37b89903a740e1ee172da793a6e79d560e5f7f9bd058a12a280433ed6fa46510a

Download Submit
C:\Users\Admin\Desktop\OutputFile.zip

Filesize
2KB

MD5
99b9486516ec3ddab05bcfaa6324b34b

SHA1
ae320bea3bfdc991dbcd08a7f66bf50c7a93d55e

SHA256
3b8d115ec85816a2c145ae8a4867bdc4b0eb5dc5c685c948ae1e24bb26bf30eb

SHA512
600be81c0fd78c4993e09c5bd292c1fa24738cf2b01b78c4c0f7594446176387b8d36d980bb16156a7f866aa64b2779ef02812a90887d3a9ec7b96a75f64ed50

Download Submit
C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js

Filesize
5KB

MD5
6a554ad7f1c931ce492818411bb3a80a

SHA1
53434b9ee9fb4ba0978daba61bb12342fc519c80

SHA256
2e5b08a46a45f6f311e09b6b944593ab499fb581ab6c53528e777f1080ca3085

SHA512
fc03ffdf63813df3c3696d8ca2d3b124834eeb9bc40608048b802ebd9d6213a365f656e94ee1d2836f71e64432554192ea1479399a0d37b88023be978c66cfe0

Download Submit
memory/3448-4-0x00007FF9C2920000-0x00007FF9C330C000-memory.dmp

Filesize
9.9MB

Download
memory/3448-34-0x00007FF9C2920000-0x00007FF9C330C000-memory.dmp

Filesize
9.9MB

Download
memory/3448-30-0x000001DE3B2B0000-0x000001DE3B2C0000-memory.dmp

Filesize
64KB

Download
memory/3448-10-0x000001DE3B640000-0x000001DE3B6B6000-memory.dmp

Filesize
472KB

Download
memory/3448-7-0x000001DE3B590000-0x000001DE3B5B2000-memory.dmp

Filesize
136KB

Download
memory/3448-6-0x000001DE3B2B0000-0x000001DE3B2C0000-memory.dmp

Filesize
64KB

Download
memory/3448-5-0x000001DE3B2B0000-0x000001DE3B2C0000-memory.dmp

Filesize
64KB

Download