Overview
overview
7Static
static
3Lorydos.exe
windows7-x64
7Lorydos.exe
windows10-2004-x64
7$PLUGINSDI...ls.dll
windows7-x64
3$PLUGINSDI...ls.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3Installer.exe
windows7-x64
1Installer.exe
windows10-2004-x64
1LICENSES.c...m.html
windows7-x64
3LICENSES.c...m.html
windows10-2004-x64
3d3dcompiler_47.dll
windows10-2004-x64
1ffmpeg.dll
windows7-x64
1ffmpeg.dll
windows10-2004-x64
1libEGL.dll
windows7-x64
1libEGL.dll
windows10-2004-x64
1libGLESv2.dll
windows7-x64
1libGLESv2.dll
windows10-2004-x64
1resources/...dex.js
windows7-x64
3resources/...dex.js
windows10-2004-x64
3resources/...pi.dll
windows7-x64
1resources/...pi.dll
windows10-2004-x64
1resources/...act.js
windows7-x64
3resources/...act.js
windows10-2004-x64
3sqlite-aut...ace.js
windows7-x64
3sqlite-aut...ace.js
windows10-2004-x64
3sqlite-aut...al.ps1
windows7-x64
3sqlite-aut...al.ps1
windows10-2004-x64
3sqlite-aut...re.vbs
windows7-x64
1sqlite-aut...re.vbs
windows10-2004-x64
1sqlite-aut...ain.sh
windows7-x64
3sqlite-aut...ain.sh
windows10-2004-x64
3sqlite-aut...re.vbs
windows7-x64
1Analysis
-
max time kernel
121s -
max time network
129s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
14/09/2024, 02:37
Static task
static1
Behavioral task
behavioral1
Sample
Lorydos.exe
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral2
Sample
Lorydos.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral3
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win7-20240704-en
windows7-x64
Behavioral task
behavioral4
Sample
$PLUGINSDIR/StdUtils.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral5
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral6
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral7
Sample
Installer.exe
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral8
Sample
Installer.exe
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral9
Sample
LICENSES.chromium.html
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral10
Sample
LICENSES.chromium.html
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral11
Sample
d3dcompiler_47.dll
Resource
win10v2004-20240910-en
windows10-2004-x64
Behavioral task
behavioral12
Sample
ffmpeg.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral13
Sample
ffmpeg.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral14
Sample
libEGL.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral15
Sample
libEGL.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral16
Sample
libGLESv2.dll
Resource
win7-20240708-en
windows7-x64
Behavioral task
behavioral17
Sample
libGLESv2.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral18
Sample
resources/app.asar.unpacked/node_modules/@primno/dpapi/dist/index.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral19
Sample
resources/app.asar.unpacked/node_modules/@primno/dpapi/dist/index.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral20
Sample
resources/app.asar.unpacked/node_modules/@primno/dpapi/prebuilds/win32-x64/node.napi.dll
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral21
Sample
resources/app.asar.unpacked/node_modules/@primno/dpapi/prebuilds/win32-x64/node.napi.dll
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral22
Sample
resources/app.asar.unpacked/node_modules/sqlite3/deps/extract.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral23
Sample
resources/app.asar.unpacked/node_modules/sqlite3/deps/extract.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral24
Sample
sqlite-autoconf-3410100/Replace.js
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral25
Sample
sqlite-autoconf-3410100/Replace.js
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral26
Sample
sqlite-autoconf-3410100/aclocal.ps1
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral27
Sample
sqlite-autoconf-3410100/aclocal.ps1
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral28
Sample
sqlite-autoconf-3410100/configure.vbs
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral29
Sample
sqlite-autoconf-3410100/configure.vbs
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral30
Sample
sqlite-autoconf-3410100/ltmain.sh
Resource
win7-20240903-en
windows7-x64
Behavioral task
behavioral31
Sample
sqlite-autoconf-3410100/ltmain.sh
Resource
win10v2004-20240802-en
windows10-2004-x64
Behavioral task
behavioral32
Sample
sqlite-autoconf-3410100/tea/configure.vbs
Resource
win7-20240903-en
windows7-x64
General
-
Target
Installer.exe
-
Size
120.4MB
-
MD5
36d0b5b1ed9a76523d7279752d995b9a
-
SHA1
a555ca2f60a5c80b145c5405002fa3e1b29268a8
-
SHA256
fc3146019e85fad7a1d2e2049fc7c45105d3cd337d2531967829103d87fe6bb3
-
SHA512
bd1312889a51dbf716001084a972bdbfbb0c44260adcb54c593bef078a394bc494dbc34a8a87a6d908674745c85d27fd9fe1c44f56636f8e60190ddf88bae3c9
-
SSDEEP
1572864:a1f0+Sva7Hdp1Nhn+aCdrvdYrZ/7/lbg8udR8SnuSE49z:3asulbg8yTnbEOz
Malware Config
Signatures
-
Suspicious behavior: EnumeratesProcesses 3 IoCs
pid Process 2648 Installer.exe 1728 Installer.exe 1728 Installer.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2812 1728 Installer.exe 30 PID 1728 wrote to memory of 2648 1728 Installer.exe 31 PID 1728 wrote to memory of 2648 1728 Installer.exe 31 PID 1728 wrote to memory of 2648 1728 Installer.exe 31 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32 PID 1728 wrote to memory of 532 1728 Installer.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1728 -
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --field-trial-handle=1124,8842169610905053782,10245063904046746060,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --mojo-platform-channel-handle=1120 /prefetch:22⤵PID:2812
-
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1124,8842169610905053782,10245063904046746060,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --lang=en-US --service-sandbox-type=network --mojo-platform-channel-handle=1468 /prefetch:82⤵
- Suspicious behavior: EnumeratesProcesses
PID:2648
-
-
C:\Users\Admin\AppData\Local\Temp\Installer.exe"C:\Users\Admin\AppData\Local\Temp\Installer.exe" --type=gpu-process --field-trial-handle=1124,8842169610905053782,10245063904046746060,131072 --enable-features=WebComponentsV0Enabled --disable-features=CookiesWithoutSameSiteMustBeSecure,SameSiteByDefaultCookies,SpareRendererForSitePerProcess --gpu-preferences=MAAAAAAAAADgAAAwAAAAAAAAAAAAAAAAAABgAAAAAAAQAAAAAAAAAAAAAAAAAAAAKAAAAAQAAAAgAAAAAAAAACgAAAAAAAAAMAAAAAAAAAA4AAAAAAAAABAAAAAAAAAAAAAAAAUAAAAQAAAAAAAAAAAAAAAGAAAAEAAAAAAAAAABAAAABQAAABAAAAAAAAAAAQAAAAYAAAA= --use-gl=swiftshader-webgl --mojo-platform-channel-handle=1184 /prefetch:22⤵PID:532
-