We started off with a file download. This file is a Microsoft OneNote attachment, all the rage for phishing a few months ago (and still a bit today). I immediately dropped it into CyberChef so I could mess with it.
The first thing I ran on it was strings and, tada, we got the commands that would execute if you enabled the content.
In the commands that run we see two main parts. Both are similar: each uses powershell to download a file and then runs it. The one of interest here is the windows.bat file, which gets renamed to system32.bat.
If we download the file from the link we get this:
In the contents we can see it declaring a ton of variables and then combining them to create the commands that will actually run. To make this readable I used Sublime to edit out the junk, turned it into a Python version, and had it print the result out to me.
# one Python variable per `set` statement in the batch file (most of them omitted here)
eFlP = "set "
ualBOGvshk = "ws"
...
fLycQgNMii = "oin "
KsuJogdoiJ = " -no"
djeIEnPaCg = "tsWi"
brwOvSubJT = "e =\" "
TOqZKQRZli = "uZOc"
test1 = CJnGNBkyYp + UBndSzFkbH + ujJtlzSIGW + nwIWiBzpbz + cHFmSnCqnE + kTEDvsZUvn + JBRccySrUq + ZqjBENExAX + XBucLtReBQ + BFTOQBPCju + vlwWETKcZH + NCtxqhhPqI + GOPdPuwuLd + YcnfCLfyyS + JPfTcZlwxJ + ualBOGvshk + xprVJLooVF + cIqyYRJWbQ + jaXcJXQMrV + pMrovuxjjq + KXASGLJNCX + XzrrbwrpmM + VCWZpprcdE + tzMKflzfvX + ndjtYQuanY + chXxviaBCr + tHJYExMHlP + WmUoySsDby + UrPeBlCopW + lYCdEGtlPA + eNOycQnIZD + PxzdwcSExs + VxroDYJQKR + zhNAugCrcK + XUpMhOyyHB + OOOxFGwzUd
#cls
test2 = dzPrbmmccE + xQseEVnPet
test3 = eDhTebXJLa + vShQyqnqqU + KsuJogdoiJ + uVLEiIUjzw + SJsEzuInUY + gNELMMjyFY + XIAbFAgCIP + weRTbbZPjT + yQujDHraSv + zwDBykiqZZ + nfEeCcWKKK + MtoMzhoqyY + igJmqZApvQ + SIQjFslpHA + KHqiJghRbq + WSRbQhwrOC + BGoTReCegg + WYJXnBQBDj + SIneUaQPty + WTAeYdswqF + EdLUuXiTNo + rVOFKTskYR + nMLIkcyFZj + jtkYEPXtKX + RWcegafVtf + KhyyrSrcKr + zDUDeXKPaV + VZAbZqJHBk + XClTzcVMGM + xVIsxobyZi + qpUykKHwzb + iKAAuWsbec + cYinxarhDL + olHsTHINJO + uynFENuiYB + WauWfrgGak + tzSNMWchGN + oFspIELDJK + FijcPoQLnC + AbMyvUGzSH + LmCknrHfoB + GDXqElqPYy + gqUdnmSTUN + YlKbYsFYPy + GLwLVWewUj + EQAuBusyXb + yOkBDuSVrl + FraARuTjiq + hwZKiiLqAE + ahbOZSBViB + djeIEnPaCg + AiqHTcPzsv + JCuNlxqlBZ + TYbHmXrqgV + sLNudRRtUX + dbDMRBPrxg + XEyDmChJvW + KytxcYPZKt + GWrDWSvoPL + haSZYOmkiA + JhYYmEHfJT + LPGeAanVGt + hTTJOKGuzo + MFRjJyYsrs + kpEWZrtOzX + BrDOtQoojB + YnGvhgYxvb + cUDojRpXKx + rSVBNvbdPT + kJjQuXIjOT + tVtxVGNpFB + BqEMjgsfHM + fVHBRsLNUl + jgiQdwyxFg + HLynrUfwGo + FCBcNynRGD + VavtsuhNIN + HUAAetwukX + nogFGGEgdF + iHRclHpeVX + MrNTGKcbYu + bTHJpHTPMM + QbKdEZdxpx + drymkVAnZW + DDiJEpaiME + OAsjgKHKoH + HFLAqJuuyu + gFQQimTbzp + YULKJDZpgz + oQYrpYRHsU + VGKsxiJBaT + RGlZIMTaRM + JenYfqHzBk + vmIEtsktnA + TypmIIEYJC + eQPFkQsLmh + AkaPyEXHFq + BANrSlObpx + LIQYgFxctD + ZygfZJxAOd + KXttaDcyMZ + brwOvSubJT + hVncqdtHrj + OonlMOpxYC + CZpuCIcrKh + owRVWPJqcX + jugDlMdkcG + DXdgqiFTAH + acXjUrxrpX + eYuashSMjP + ESpdErsKEO + kQQvXhxXIT + pLUeCEDcNj + pTKKchMUFD + ZMNBNnhYdl + KVdpASYkBZ + OpWuyrggtP + uDsfTCYsro + wEZCzuPukj + jCsFOJQsdv + hbFnQgCXwX + UFSmCjquVd + BMVjGSkNrk + MFpVhvZMMs + SRYmoDJgcF + svwZUufvHX + WPGlloqWfh + kEHDlJOIVc + jdKMRqipbM + pEeOvclMbZ + nMbUuONTOk + GwAFOSfUtV + gbVsRGzTij + ybHVOwcPrc + CpAQgSdzaC + XqtgTmRIdO + pUKFMEPFQs + QpDqsQAemY + CZTFliIBbC + EuMCNHEVeC + dyJHMHMcNc + LNwemqbftD + VnDoNvCbDL + mFZJVdqlTD + vGOYQQYIpx + GzBAHPVuTq + fLycQgNMii + ZPlPiozEyW + xULgeMdzcg + iVrCyJhMiJ + dlzhxQnMss + pqWXTkasXe + doKcadyJqy + hNwOTmvEJo + yqhJQSZuJo + JPOdGPAwht + rEvTlCThdH + PwJJFMgamh + eeacPrYshd + LYxpWUVnyn + YRqcyngfyU + IAkZpnEseT + DAaZVQYtML + QTBYjmNXEB + lSUnvlNyZI + pCjFJxRqgH + oMsMdPYmPd + AGOCIKFMEK + dAuevoJWoL + uwRWnyAikF + mBIWiJNHWZ + RfMwENsorP + gbXeIdPSoj + kxCYxBSxVM + AbZpTpKurz + glRvzlEEoe + TVsNOuCNZd + VUsEoebHks + tuAPcYGhzl + WojQSFImBz + NXvoEmTmgu + jWtWLzuDKP + NvnNgHLBLJ + vPgKEvZmlQ + ftaecaUnft + lfCLMrJHhW + ArAxZuPIrp + zhsTKtujLg + MxwsyqmvYm + MsfoqNTDfI + klVPUdMJas + XzWakcViZI + htJeDhbeDW + ARecVABHyu + EDuGpmwedn + SKEwAQBRlN + bIgeRgvTeJ + AnKEeEZdOq + KXapePmHCe + YKwLsVwqOj + QCZuMFaZsV + RycUceHQZc + TOqZKQRZli + hIpFAiXGDz + PmpGnAHBIo + nGqMpclaJV + NbOjNijxuU + hbnAmGyJMk + jpqWVBsCpx + WXWHLOygSe + rjhOhltPzI + DCnzMxKRnm + QGiWXkfFPy + isQISZiBPJ + iCcGUuJxVn + dGSGnKbkQW + gNabAkLFGN + pibEdoDBbD + AHKCuBAkui + YYKSCuCbgJ + IeRiYUFnCZ + hzjnwzdyGY + KAlyOryibJ + MBvrUwPCDz + WmHvayPxwd + reviZiSttH + wwmTmFdRsZ + JBUgbyTPxp + BaMYsIgnsM + DwiWdAaOiv + vXewtPjogB + odWdfvJnBE + yPzFwnsYdA + xfHbUEWpFC + ySgQyAAfQH + QMmDXFyyag + xllGdjvUjB + zuIYfGJIhV + MmhvJKSdep + fxpyemHAMo + eFWpiweoyr + WQqetkePWs + qsPTvcejTS + YiVTQhqRnm + GEFNspgkfU + iREuYMPcTg + rVuFsOUxnm + UmCJMMMcBg + VUeZKgDBUe + roXhULjavE + uIWSZVpUHl + ZNBNkxQuUl + ktDjVGpvOa + CMHWMmXlZO + RITIeDNkWx + UPfjubfNXt + GTgGJngEbX + zFvgtBzUer + TfyrgNGxBL + hknFiXCnZQ + xijYXotZPT + BlIFABuPAW + GJcpQprPXv + YmUoUKWAtR + tHHIjVCHeH + DNNdkNfTiI + XEcuUpquLQ + EUwICZcugV + MJKqSlzRdg + FcrKUOEnOU + EiWocIreAk + LLNnWnTLBJ + QzqEkBCLON + uOGlqENvnk + TuqTvTpeOG + USLedfRsdA + fFqNPWfBWr + AyyrPvjwjr + mxXhSCdBil + MusMeoeDey + OOiwgwuupI + WvjMoIIiUn + TEtLFfgLmA + rFsKCxpAbv + hImzprlFyw + GVIREkvxRa + qIhOqqdyjR + shhyfkrTvn + UAnQUvXBfs + bSIafzAxiZ + oNvGdyNkLt + SCbDgQuqTU + tBsRPAyhtG + KUKwZheGNw + INPLAzQfUo + ekEoGMuERC + aGQeJYSFDZ + LODxmGMGqq + KtmeCApwQn + MAPkvbWKbC + HlBVDpGgba + ZNnASGtLCj + IwOqmlYsbl + JbFOJyRrBm + TiuQnZmosP + HkiSTlwlIs + rofQqYizRu + OckpqzbYcn + YJZmDySMUy + cGJiVEdEzp + QNxYaFZSBu + jxjvtHoTnR + fvEtritbuM + wxzMwkmbmY + yZlAoExoOn + pjrIjvjdGR + mYyPXMYwYi + vnHosfjdeN + LfngwmfRCb + bivuMABwCB + GapFScCcpe + lfYSggLrsL + GhTXhmRnCR + ENADhKPHot + KdByPVjCnF + PjdRUyhsyG + kpzxAxFvLw + rddZbDFvhl
#exit /b
print (test1)
print ( "Second: \n" )
print (test2)
print ( "Third: \n" )
print (test3)
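As an added example (not the author's script or the dropper's code), here is a generic version of the same deobfuscation step: parse the `set "name=fragment"` lines and emulate cmd.exe's immediate %name% expansion so the stitched-together command is printed without ever running it. The batch text below is constructed to mirror the dropper's layout; its variable names and fragments are made up and spell out a harmless command.

```python
import re
from typing import Dict, List

# Constructed sample (not the real windows.bat / system32.bat): many
# `set "name=fragment"` lines whose %name% references are later
# concatenated into the command that actually runs.
SAMPLE_BAT = '''@echo off
set "xKq=pow"
set "rTb=ersh"
set "mVw=ell "
set "pLz=-NoPro"
set "dHc=file "
set "qNs=-Comm"
set "wYf=and "
set "gJe=Write-Ho"
set "bUo=st deob"
set "kRa=fuscated"
cls
%xKq%%rTb%%mVw%%pLz%%dHc%%qNs%%wYf%%gJe%%bUo%%kRa%
exit /b
'''

SET_RE = re.compile(r'^set\s+"?([^=\s"]+)=([^"]*)"?\s*$', re.IGNORECASE)
REF_RE = re.compile(r'%([^%\s]+)%')
NOISE = {'cls', 'exit /b', 'echo off'}  # housekeeping lines that carry no payload


def expand(s: str, env: Dict[str, str]) -> str:
    """Replace each %name% with its value; unknown names stay visible to the analyst."""
    return REF_RE.sub(lambda m: env.get(m.group(1).lower(), m.group(0)), s)


def expand_batch(text: str) -> List[str]:
    """Emulate cmd.exe's immediate %var% expansion and return the deobfuscated command lines."""
    env: Dict[str, str] = {}
    commands: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(('@', '::')) or line.lower().startswith('rem ') \
                or line.lower() in NOISE:
            continue
        m = SET_RE.match(line)
        if m:
            # cmd expands %refs% inside a value when the `set` line executes; names are
            # case-insensitive and the quoted form preserves trailing spaces ("set ").
            env[m.group(1).lower()] = expand(m.group(2), env)
            continue
        commands.append(expand(line, env))
    return commands


if __name__ == '__main__':
    for cmd in expand_batch(SAMPLE_BAT):
        print(cmd)
```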
Using this I got the commands being run on the system. From that I gathered it was trying to hide that it was running powershell commands by copying the powershell executable and using the copy instead. With powershell it was then decrypting an AES-encrypted payload, decompressing it from GZip and then running it. I modified the powershell to try to print this out so I could see what the payload was, but it kept breaking.
To fix this I had it write the contents to an output.gz file like this:
Once I had it saved I threw it into CyberChef and got the flag!
PWNED!!