Analysis
- max time kernel: 120s
- max time network: 148s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 07-02-2023 00:24

Static task: static1

Behavioral task: behavioral1
- Sample: LolScriptV13.1/LolScriptV13.1/LolScript/LolScript.exe
- Resource: win7-20221111-en
General
- Target: LolScriptV13.1/LolScriptV13.1/LolScript/LolScript.exe
- Size: 11.0MB
- MD5: 15f8670edce8902831bf9541c8749e90
- SHA1: bcb53912c22a7328e3ead74b5dd01400d6ee5536
- SHA256: f8bae3cd04ff1b52391dc3c62f5e47a44be2271dcba9964290ce5f81b0e32e85
- SHA512: 8ce3d82ffa17d5e1a15f37f08f0af54a86e9100806dda7c099e1758fff41c9a60b0658e93cbeec0465e70280296ef545054d1d3927fdbcd6468361528fb8c5fc
- SSDEEP: 196608:QsKmZRO75oqIqZzeYZ14asm96c0p7rUMNsMC/pb4jKooMFteo4XTi22MXW1jAiJn:QsXZIPIaR+UGxrpNsM2pb4jK1osTi20P
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoC
  Processes:
  - Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (process: LolScript.exe)
- Checks BIOS information in registry - 2 TTPs, 2 IoCs
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (process: LolScript.exe)
  - Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (process: LolScript.exe)
- Checks whether UAC is enabled
  Processes:
  - Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (process: LolScript.exe)
- Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoC
  Processes:
  - pid 3272, process LolScript.exe
- Program crash - 1 IoC
  Processes:
  - pid 4856, process WerFault.exe; target pid 3272, target process LolScript.exe
- Modifies registry key - 1 TTPs, 2 IoCs
- Suspicious behavior: EnumeratesProcesses - 8 IoCs
  Processes:
  - pid 3272, process LolScript.exe (8 occurrences)
- Suspicious use of SetWindowsHookEx - 3 IoCs
  Processes:
  - pid 3272, process LolScript.exe (3 occurrences)
- Suspicious use of WriteProcessMemory - 12 IoCs
  Processes:
  - PID 3272 wrote to memory of 1136: LolScript.exe -> cmd.exe (3 occurrences)
  - PID 1136 wrote to memory of 2648: cmd.exe -> reg.exe (3 occurrences)
  - PID 3272 wrote to memory of 3500: LolScript.exe -> cmd.exe (3 occurrences)
  - PID 3500 wrote to memory of 4544: cmd.exe -> reg.exe (3 occurrences)
Processes
- C:\Users\Admin\AppData\Local\Temp\LolScriptV13.1\LolScriptV13.1\LolScript\LolScript.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\LolScriptV13.1\LolScriptV13.1\LolScript\LolScript.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackProgs" /t REG_DWORD /d 0 /f
      - Modifies registry key
  - C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f >nul 2>&1
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\reg.exe
      Command line: REG ADD HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v "Start_TrackEnabled" /t REG_DWORD /d 0 /f
      - Modifies registry key
  - C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3272 -s 732
    - Program crash
- C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3272 -ip 3272
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/1136-141-0x0000000000000000-mapping.dmp
- memory/2648-142-0x0000000000000000-mapping.dmp
- memory/3272-135-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-132-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-136-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-137-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-138-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-139-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-140-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-134-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-133-0x0000000077730000-0x00000000778D3000-memory.dmp (filesize 1.6MB)
- memory/3272-145-0x00000000007C0000-0x000000000217E000-memory.dmp (filesize 25.7MB)
- memory/3272-146-0x0000000077730000-0x00000000778D3000-memory.dmp (filesize 1.6MB)
- memory/3500-143-0x0000000000000000-mapping.dmp
- memory/4544-144-0x0000000000000000-mapping.dmp