ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5

Analysis

max time kernel
1484s
max time network
1454s
platform
windows11-21h2_x64
resource
win11-20240214-en
resource tags

arch:x64arch:x86image:win11-20240214-enlocale:en-usos:windows11-21h2-x64system
submitted
20/02/2024, 00:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

decode_Fakeupdate.ps1
Size

4KB
MD5

de20d86ec1a1e85bfbc5745a03a38e51
SHA1

3558b1d1c1049f8852a79162e98ad201f1ba5426
SHA256

ccc71819287c931ddf6625bfede42bc3cce4ffc61795cc955822fc981564fbc5
SHA512

243ddbc84f0ca0f319f68028e39331f196c6085756a12820f78f996a47700ecf8066b681d265ecdbcead4439ec67e307e739acd2a07a759cb001b4170d501b9b
SSDEEP

96:lrlrvxj+/ZFAAIxnkIh3qa9RDyj5tsMemPYTall:l5IjMku6e1yjXsMemPYOll

Score

8^/10

Malware Config

Signatures

Blocklisted process makes network request 10 IoCs

flow	pid	Process
20	4220	WScript.exe
21	4220	WScript.exe
22	4220	WScript.exe
23	4220	WScript.exe
26	4408	WScript.exe
27	2908	WScript.exe
30	1880	WScript.exe
35	4112	WScript.exe
36	1896	WScript.exe
38	4512	CScript.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 3 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3513082673-3003704585-445662156-1000_Classes\Local Settings	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-3513082673-3003704585-445662156-1000_Classes\Local Settings	OpenWith.exe
Key created	\REGISTRY\USER\S-1-5-21-3513082673-3003704585-445662156-1000_Classes\Local Settings	OpenWith.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2300	powershell.exe
2300	powershell.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2456	OpenWith.exe
4296	OpenWith.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2300	powershell.exe

Suspicious use of SetWindowsHookEx 64 IoCs

pid	Process
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe
2456	OpenWith.exe

Suspicious use of WriteProcessMemory 2 IoCs

description	pid	Process	procid_target
PID 1820 wrote to memory of 1880	1820	cmd.exe	89
PID 1820 wrote to memory of 1880	1820	cmd.exe	89

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -ExecutionPolicy bypass -File C:\Users\Admin\AppData\Local\Temp\decode_Fakeupdate.ps1
1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2300

C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
1⤵
PID:760

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:4220

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:4408

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:2908

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1820
- C:\Windows\System32\WScript.exe
  "C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
  2⤵
  - Blocklisted process makes network request
  PID:1880

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:4112

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
PID:2456

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:1896

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:4296

C:\Windows\System32\CScript.exe
"C:\Windows\System32\CScript.exe" "C:\Users\Admin\Desktop\OutputFile\Version.89.3512.58.js"
1⤵
- Blocklisted process makes network request
PID:4512

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\518DFDD116D9AD0210609502E2F95908

Filesize
317B

MD5
dd982383a2370b4ffbee127c259c9bf6

SHA1
32a17db6fff1558e9c58e0a0b4f9ae716739f60f

SHA256
e09c36d4677c9986b0766345054bd522b0b7352b5b1bf60762ef925b925d0668

SHA512
696a59808de4d380f4c89eb512472200315cc7c1d4d3e5abd7a71639f2eed273dfe8a1943556f367e1debbb3f504ce235ddf58056e3947596ba67c040c78c6b6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
1KB

MD5
a99377a27910f2447a1d4c78a1d55540

SHA1
2d82c4bd9ef86fae0cede0bde4d85a52304c5cb2

SHA256
cd3094c0df506297237c88653680d7a4e83e613696e78c30b99e428fde3c4b48

SHA512
406df06cbe6c28a5908bd66ab0f0d71b7e06ef8347410850f97188cfc5575c471ea388a12c5d93dbace884f8328df7ad828940b6c442e691e72d73fa8bc853a7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19

Filesize
977B

MD5
50cb447f2a8f99cb126cb51392696c7f

SHA1
80c4b991dd02b94f2d96eb07da7f197d5e3196a9

SHA256
0d00728a79f840f071f85740efff9a27ec0c7d1f489511b5b7c4c861767aa059

SHA512
d99eb91f441ba2fddbb6bd0f7a19d51452a5d45fd24315ddfb1f744d2866b3d4d481e2aef38f1eff31f5434979439c4415780b7e6b0d9f15b4a56f9cb2d3d97c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\518DFDD116D9AD0210609502E2F95908

Filesize
508B

MD5
d2c73a0502ecbdaf161f585cb3655629

SHA1
48f22d578468bc4da0b747db084f7ef6d57d89e0

SHA256
377ca858e18f5d8b2c92e828d444d76e3dc04e4ba719eecaf422a845b6bbacd6

SHA512
a3b8662e5f4cec882e2dc559f3cc671ca870fd9331ff912ddcff9654c82daf9a9d8f1f52a455524da512ab84a24942f62f1150e3daa157573e5d1f9bd36efe9a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B2FAF7692FD9FFBD64EDE317E42334BA_89854CA6A0F0936A4D2ECA78845CEA25

Filesize
482B

MD5
38c062118b639a21cedf74faa4423e1a

SHA1
dd97088cd20b8d5b38b832c0c820491eb14449fa

SHA256
5b28e83ea66f1c8f355292a61bc0b6e705b619535aeeafc7ecbf13c3799eef3e

SHA512
30e9bd0030e0f89da956c01a02e1188e62c82fa03b44ff6a9c6f4523ff9e202dcd8df7ffb9d75fba403e278bbebd15a98011479ab03c745290feff45631d6f94

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D0E1C4B6144E7ECAB3F020E4A19EFC29_03D1B482EE3032A122274428715A4E19

Filesize
484B

MD5
5034bd3945ed66eac71b25936efec1d4

SHA1
b9e9744d7574df0497d0957916f118f643270e21

SHA256
c399acdf8143c046af3d13faea35ef3f255d3e1af10123269a80c0e0d91165ef

SHA512
2d33da6cd0e026fc426fe730d53eb8f27022a46bedd309f87da1ca171dfcf2a9bec1c0735427cf9f7ee9b08e22d9a6401c54211799e74fe953f5522651048f55

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_fttjtoni.h1o.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
memory/2300-0-0x000001DF54250000-0x000001DF54272000-memory.dmp

Filesize
136KB

Download
memory/2300-10-0x000001DF542C0000-0x000001DF542D0000-memory.dmp

Filesize
64KB

Download
memory/2300-11-0x000001DF542C0000-0x000001DF542D0000-memory.dmp

Filesize
64KB

Download
memory/2300-9-0x00007FFE72C60000-0x00007FFE73722000-memory.dmp

Filesize
10.8MB

Download
memory/2300-15-0x00007FFE72C60000-0x00007FFE73722000-memory.dmp

Filesize
10.8MB

Download