c6ae6784459bfbda1dee5d7f441b849ba56b13efa9ffe2dbe8ea1860fcaf2fd4

Analysis

max time kernel
0s
platform
windows11-21h2_x64
resource
win11-20240802-en
resource tags

arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
submitted
27/09/2024, 21:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Loli.bat
Size

5.0MB
MD5

02fd9a3fecd7e43df3edf8bf08491668
SHA1

c2b1ea8020767c895fd39ac0011e23aa072c561a
SHA256

c6ae6784459bfbda1dee5d7f441b849ba56b13efa9ffe2dbe8ea1860fcaf2fd4
SHA512

778891d554e4a270db790e6ae60f6f605af6d9f22ed7662d3bed9cd344bac52c08cf1a8592289bea7694f50e5216136141e1c53abfa2a18e16f97320fddd9cd5
SSDEEP

49152:SOkIagh7g3N8KCIvXCdarIoYl95vlhhaYlUu5UA1+Jg+cU6i+5knDrdiVqG7V/Ax:4

Score

1^/10

Malware Config

Signatures

Suspicious use of AdjustPrivilegeToken 42 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	5048	WMIC.exe
Token: SeSecurityPrivilege	5048	WMIC.exe
Token: SeTakeOwnershipPrivilege	5048	WMIC.exe
Token: SeLoadDriverPrivilege	5048	WMIC.exe
Token: SeSystemProfilePrivilege	5048	WMIC.exe
Token: SeSystemtimePrivilege	5048	WMIC.exe
Token: SeProfSingleProcessPrivilege	5048	WMIC.exe
Token: SeIncBasePriorityPrivilege	5048	WMIC.exe
Token: SeCreatePagefilePrivilege	5048	WMIC.exe
Token: SeBackupPrivilege	5048	WMIC.exe
Token: SeRestorePrivilege	5048	WMIC.exe
Token: SeShutdownPrivilege	5048	WMIC.exe
Token: SeDebugPrivilege	5048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5048	WMIC.exe
Token: SeRemoteShutdownPrivilege	5048	WMIC.exe
Token: SeUndockPrivilege	5048	WMIC.exe
Token: SeManageVolumePrivilege	5048	WMIC.exe
Token: 33	5048	WMIC.exe
Token: 34	5048	WMIC.exe
Token: 35	5048	WMIC.exe
Token: 36	5048	WMIC.exe
Token: SeIncreaseQuotaPrivilege	5048	WMIC.exe
Token: SeSecurityPrivilege	5048	WMIC.exe
Token: SeTakeOwnershipPrivilege	5048	WMIC.exe
Token: SeLoadDriverPrivilege	5048	WMIC.exe
Token: SeSystemProfilePrivilege	5048	WMIC.exe
Token: SeSystemtimePrivilege	5048	WMIC.exe
Token: SeProfSingleProcessPrivilege	5048	WMIC.exe
Token: SeIncBasePriorityPrivilege	5048	WMIC.exe
Token: SeCreatePagefilePrivilege	5048	WMIC.exe
Token: SeBackupPrivilege	5048	WMIC.exe
Token: SeRestorePrivilege	5048	WMIC.exe
Token: SeShutdownPrivilege	5048	WMIC.exe
Token: SeDebugPrivilege	5048	WMIC.exe
Token: SeSystemEnvironmentPrivilege	5048	WMIC.exe
Token: SeRemoteShutdownPrivilege	5048	WMIC.exe
Token: SeUndockPrivilege	5048	WMIC.exe
Token: SeManageVolumePrivilege	5048	WMIC.exe
Token: 33	5048	WMIC.exe
Token: 34	5048	WMIC.exe
Token: 35	5048	WMIC.exe
Token: 36	5048	WMIC.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4452 wrote to memory of 5048	4452	cmd.exe	79
PID 4452 wrote to memory of 5048	4452	cmd.exe	79
PID 4452 wrote to memory of 652	4452	cmd.exe	80
PID 4452 wrote to memory of 652	4452	cmd.exe	80

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:4452
- C:\Windows\System32\Wbem\WMIC.exe
  wmic diskdrive get Model
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:5048
- C:\Windows\system32\findstr.exe
  findstr /i /c:"WDS100T2B0A" /c:"DADY HARDDISK" /c:"QEMU HARDDISK"
  2⤵
  PID:652

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads