ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5

Analysis

max time kernel
1526s
max time network
1526s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
20/02/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decode_Fakeupdate.ps1
Size

4KB
MD5

de20d86ec1a1e85bfbc5745a03a38e51
SHA1

3558b1d1c1049f8852a79162e98ad201f1ba5426
SHA256

ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5
SHA512

243ddbc84f0ca0f319f68028e39331f196c6085756a12820f78f996a47700ecf8066b681d265ecdbcead4439ec67e307e739acd2a07a759cb001b4170d501b9b
SSDEEP

96:lrlrvxj+/ZFAAIxnkIh3qa9RDyj5tsMemPYTall:l5IjMku6e1yjXsMemPYOll

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 9 IoCs

flow	pid	Process
45	1688	CScript.exe
47	1688	CScript.exe
49	1688	CScript.exe
51	1688	CScript.exe
55	3168	WScript.exe
70	5060	WScript.exe
71	32	WScript.exe
72	1424	CScript.exe
73	4648	WScript.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
828	Notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5048	powershell.exe
5048	powershell.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	5048	powershell.exe
Token: SeRestorePrivilege	3848	7zG.exe
Token: 35	3848	7zG.exe
Token: SeSecurityPrivilege	3848	7zG.exe
Token: SeSecurityPrivilege	3848	7zG.exe
Token: SeManageVolumePrivilege	2368	svchost.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3848	7zG.exe

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decode_Fakeupdate.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:5048

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:2300

C:\Program Files\7-Zip\7zG.exe
"C:\Program Files\7-Zip\7zG.exe" x -o"C:\Users\Admin\Desktop\OutputFile\" -spe -an -ai#7zMap20604:78:7zEvent9067
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3848

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:1688

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:3168

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:5060

C:\Windows\System32\Notepad.exe
"C:\Windows\System32\Notepad.exe" C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js
1⤵
- Opens file in notepad (likely ransom note)
PID:828

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:32

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:1424

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:4648

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" "C:\Windows\SYSTEM32\EDGEHTML.dll",#141 Microsoft.VCLibs.140.00_8wekyb3d8bbwe
1⤵
PID:1568

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k UnistackSvcGroup
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2368

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\518DFDD116D9AD0210609502E2F95908

Filesize
317B

MD5
dd982383a2370b4ffbee127c259c9bf6

SHA1
32a17db6fff1558e9c58e0a0b4f9ae716739f60f

SHA256
e09c36d4677c9986b0766345054bd522b0b7352b5b1bf60762ef925b925d0668

SHA512
696a59808de4d380f4c89eb512472200315cc7c1d4d3e5abd7a71639f2eed273dfe8a1943556f367e1debbb3f504ce235ddf58056e3947596ba67c040c78c6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
a99377a27910f2447a1d4c78a1d55540

SHA1
2d82c4bd9ef86fae0cede0bde4d85a52304c5cb2

SHA256
cd3094c0df506297237c88653680d7a4e83e613696e78c30b99e428fde3c4b48

SHA512
406df06cbe6c28a5908bd66ab0f0d71b7e06ef8347410850f97188cfc5575c471ea388a12c5d93dbace884f8328df7ad828940b6c442e691e72d73fa8bc853a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19

Filesize
977B

MD5
50cb447f2a8f99cb126cb51392696c7f

SHA1
80c4b991dd02b94f2d96eb07da7f197d5e3196a9

SHA256
0d00728a79f840f071f85740efff9a27ec0c7d1f489511b5b7c4c861767aa059

SHA512
d99eb91f441ba2fddbb6bd0f7a19d51452a5d45fd24315ddfb1f744d2866b3d4d481e2aef38f1eff31f5434979439c4415780b7e6b0d9f15b4a56f9cb2d3d97c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\518DFDD116D9AD0210609502E2F95908

Filesize
508B

MD5
8e55448f570d635256231545c438ada9

SHA1
1ed99ca79aac6f40eaad7e4a0dfec03ed87bd2ba

SHA256
b954d7091f5f67807e7e568171ab8c050516121fa7400f0c5576574447d9126a

SHA512
470f5d192fae704a12d99f4ca3ab4b8a74699d214cc5942973e2a7dbee84609d53caa97f815357ab354b7c60b20cdd22587ebcb6bc5929f0257fade1e7b0de0d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
24e0a02d614a5579136a19bbe371c708

SHA1
af650c2cd3813ed3884a4e10dfc1587a3844f6f2

SHA256
ec913755689c13c2be985695765d6991338c743b01a5a75f522c669ffeef0e48

SHA512
e74dc13d28d44506635db3bc8d7f65469e31964fc36e3bedbc28c31c429e525b308990d22ea085a819fda45b93b5c6962ae70827dd88d423a01e792d3e83a659

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19

Filesize
484B

MD5
14791404d201e2657135de716526ab09

SHA1
f2371fb8b5821ad5eb8f382f65979a593fc4e2b6

SHA256
e92b1063c111915ca4075211bdadd7839902329724103f8553f86f5e9f9ba84b

SHA512
652977e5364e5cd7f7c2c67223887af35839ebfd3551bec70cdb2e9a92e89192ce024cfb863d998e2f5838da557c52bb1a569e1c843af61eb8f3296e79a99e6b

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_rsadibcl.vb3.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\Desktop\OutputFile.zip

Filesize
2KB

MD5
99b9486516ec3ddab05bcfaa6324b34b

SHA1
ae320bea3bfdc991dbcd08a7f66bf50c7a93d55e

SHA256
3b8d115ec85816a2c145ae8a4867bdc4b0eb5dc5c685c948ae1e24bb26bf30eb

SHA512
600be81c0fd78c4993e09c5bd292c1fa24738cf2b01b78c4c0f7594446176387b8d36d980bb16156a7f866aa64b2779ef02812a90887d3a9ec7b96a75f64ed50

Download Submit
C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js

Filesize
5KB

MD5
6a554ad7f1c931ce492818411bb3a80a

SHA1
53434b9ee9fb4ba0978daba61bb12342fc519c80

SHA256
2e5b08a46a45f6f311e09b6b944593ab499fb581ab6c53528e777f1080ca3085

SHA512
fc03ffdf63813df3c3696d8ca2d3b124834eeb9bc40608048b802ebd9d6213a365f656e94ee1d2836f71e64432554192ea1479399a0d37b88023be978c66cfe0

Download Submit
C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js

Filesize
5KB

MD5
e92709125e76b1ee8ca5dab5a4ebe16c

SHA1
80dd791ec949e51284fc241951cd7680266e8cf1

SHA256
c04e7d00dd75bf7dae1a8cd83f82ae4243a231bdc922cb71282261e3fbd26343

SHA512
1f583f241d1fb45867869132db858794a30ab45c52656c1e58855554ea89177daa185e91e5631414052edb8c4f2cd70682538779e0f6e1c7eeab93b2daf3e8fb

Download Submit
memory/2368-55-0x0000021A03040000-0x0000021A03050000-memory.dmp

Filesize
64KB

Download
memory/2368-71-0x0000021A0B340000-0x0000021A0B341000-memory.dmp

Filesize
4KB

Download
memory/2368-73-0x0000021A0B370000-0x0000021A0B371000-memory.dmp

Filesize
4KB

Download
memory/2368-75-0x0000021A0B480000-0x0000021A0B481000-memory.dmp

Filesize
4KB

Download
memory/2368-74-0x0000021A0B370000-0x0000021A0B371000-memory.dmp

Filesize
4KB

Download
memory/5048-17-0x00007FFE328E0000-0x00007FFE333A1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-13-0x0000023575D80000-0x0000023575D90000-memory.dmp

Filesize
64KB

Download
memory/5048-12-0x0000023575D80000-0x0000023575D90000-memory.dmp

Filesize
64KB

Download
memory/5048-11-0x0000023575D80000-0x0000023575D90000-memory.dmp

Filesize
64KB

Download
memory/5048-10-0x00007FFE328E0000-0x00007FFE333A1000-memory.dmp

Filesize
10.8MB

Download
memory/5048-9-0x0000023575D30000-0x0000023575D52000-memory.dmp

Filesize
136KB

Download