Analysis

  • max time kernel
    97s
  • max time network
    208s
  • platform
    windows10-ltsc 2021_x64
  • resource
    win10ltsc2021-20241023-en
  • resource tags

    arch:x64arch:x86image:win10ltsc2021-20241023-enlocale:en-usos:windows10-ltsc 2021-x64system
  • submitted
    06-12-2024 10:38

General

  • Target

    Trojan/L0Lz.bat

  • Size

    6KB

  • MD5

    74f8a282848b8a26ceafe1f438e358e0

  • SHA1

    007b350c49b71b47dfc8dff003980d5f8da32b3a

  • SHA256

    fc94130b45112bdf7fe64713eb807f4958cdcdb758c25605ad9318cd5a8e17ae

  • SHA512

    3f73c734432b7999116452e673d734aa3f5fe9005efa7285c76d28a98b4c5d2620e772f421e030401ad223abbb07c6d0e79b91aa97b7464cb21e3dc0b49c5a81

  • SSDEEP

    192:tlYUT1jLPD5mZkRr3TfLQ4/zus8joPRJRqU1jXEmo:tlY85XW

Malware Config

Signatures

  • Modifies Windows Firewall 2 TTPs 1 IoCs
  • Drops startup file 2 IoCs
  • Network Share Discovery 1 TTPs

    Attempt to gather information on host network.

  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

  • Kills process with taskkill 1 IoCs
  • Runs net.exe
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\Trojan\L0Lz.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:4196
    • C:\Windows\system32\net.exe
      net session
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1476
      • C:\Windows\system32\net1.exe
        C:\Windows\system32\net1 session
        3⤵
          PID:1572
      • C:\Windows\system32\net.exe
        net stop "SDRSVC"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4256
        • C:\Windows\system32\net1.exe
          C:\Windows\system32\net1 stop "SDRSVC"
          3⤵
            PID:1040
        • C:\Windows\system32\net.exe
          net stop "WinDefend"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3196
          • C:\Windows\system32\net1.exe
            C:\Windows\system32\net1 stop "WinDefend"
            3⤵
              PID:4072
          • C:\Windows\system32\taskkill.exe
            taskkill /f /t /im "MSASCui.exe"
            2⤵
            • Kills process with taskkill
            • Suspicious use of AdjustPrivilegeToken
            PID:4220
          • C:\Windows\system32\net.exe
            net stop "security center"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4232
            • C:\Windows\system32\net1.exe
              C:\Windows\system32\net1 stop "security center"
              3⤵
                PID:4528
            • C:\Windows\system32\net.exe
              net stop sharedaccess
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4648
              • C:\Windows\system32\net1.exe
                C:\Windows\system32\net1 stop sharedaccess
                3⤵
                  PID:3800
              • C:\Windows\system32\netsh.exe
                netsh firewall set opmode mode-disable
                2⤵
                • Modifies Windows Firewall
                • Event Triggered Execution: Netsh Helper DLL
                PID:852
              • C:\Windows\system32\net.exe
                net stop "wuauserv"
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:1184
                • C:\Windows\system32\net1.exe
                  C:\Windows\system32\net1 stop "wuauserv"
                  3⤵
                    PID:2288
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /S /D /c" echo tasklist "
                  2⤵
                    PID:2040
                  • C:\Windows\system32\find.exe
                    find /I "L0Lz"
                    2⤵
                      PID:252
                    • C:\Windows\system32\xcopy.exe
                      XCOPY "BitcoinMiner.bat" "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
                      2⤵
                      • Drops startup file
                      PID:4280
                    • C:\Windows\system32\xcopy.exe
                      XCOPY "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\BitcoinMiner.bat"
                      2⤵
                        PID:3772

                    Network

                    MITRE ATT&CK Enterprise v15

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • C:\Users\Admin\AppData\Local\Temp\Trojan\BitcoinMiner.bat

                      Filesize

                      276B

                      MD5

                      873e37981c491d46b8648018c2512457

                      SHA1

                      8212272874b761052d3b51c30031a1555e23dcc5

                      SHA256

                      5e2757b28e2fc1ec2085807ea98ec9c2da5dcb15e3a72eccf2a00fdd512d1798

                      SHA512

                      93578dba6680a80ef7071c2780e1e71c4ddf3e51ae58c8efa2b3d726da8eabadbd54a902d0d438f216f31003b713b59ae07abf2c914a8221faebf06e1966ac26