Overview
Score: 10

Static
Score: 10

Task                | Platform                | Score
--------------------|-------------------------|------
Loli-Mod-m...nt.exe | windows7-x64            | 10
Loli-Mod-m...nt.exe | windows10-2004-x64      | 10
Loli-Mod-m...nt.exe | windows10-ltsc 2021-x64 | 10
Loli-Mod-m...nt.exe | windows11-21h2-x64      | 10
Loli-Mod-m...or.bat | windows7-x64            | 1
Loli-Mod-m...or.bat | windows10-2004-x64      | 1
Loli-Mod-m...or.bat | windows10-ltsc 2021-x64 | 1
Loli-Mod-m...or.bat | windows11-21h2-x64      | 1
Loli-Mod-m... 1.exe | windows7-x64            | 1
Loli-Mod-m... 1.exe | windows10-2004-x64      | 1
Loli-Mod-m... 1.exe | windows10-ltsc 2021-x64 | 1
Loli-Mod-m... 1.exe | windows11-21h2-x64      | 1
Loli-Mod-m...nc.exe | windows7-x64            | 3
Loli-Mod-m...nc.exe | windows10-2004-x64      | 3
Loli-Mod-m...nc.exe | windows10-ltsc 2021-x64 | 3
Loli-Mod-m...nc.exe | windows11-21h2-x64      | 3
Loli-Mod-main/y.exe | windows7-x64            | 10
Loli-Mod-main/y.exe | windows10-2004-x64      | 10
Loli-Mod-main/y.exe | windows10-ltsc 2021-x64 | 10
Loli-Mod-main/y.exe | windows11-21h2-x64      | 10
Analysis

- max time kernel: 93s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 18-12-2024 19:34
Behavioral tasks

Behavioral task | Sample                          | Resource
----------------|---------------------------------|--------------------------
behavioral1     | Loli-Mod-main/AsyncClient.exe   | win7-20241010-en
behavioral2     | Loli-Mod-main/AsyncClient.exe   | win10v2004-20241007-en
behavioral3     | Loli-Mod-main/AsyncClient.exe   | win10ltsc2021-20241211-en
behavioral4     | Loli-Mod-main/AsyncClient.exe   | win11-20241007-en
behavioral5     | Loli-Mod-main/Loli Injector.bat | win7-20241010-en
behavioral6     | Loli-Mod-main/Loli Injector.bat | win10v2004-20241007-en
behavioral7     | Loli-Mod-main/Loli Injector.bat | win10ltsc2021-20241211-en
behavioral8     | Loli-Mod-main/Loli Injector.bat | win11-20241007-en
behavioral9     | Loli-Mod-main/Stage 1.exe       | win7-20241010-en
behavioral10    | Loli-Mod-main/Stage 1.exe       | win10v2004-20241007-en
behavioral11    | Loli-Mod-main/Stage 1.exe       | win10ltsc2021-20241211-en
behavioral12    | Loli-Mod-main/Stage 1.exe       | win11-20241007-en
behavioral13    | Loli-Mod-main/hvnc.exe          | win7-20240903-en
behavioral14    | Loli-Mod-main/hvnc.exe          | win10v2004-20241007-en
behavioral15    | Loli-Mod-main/hvnc.exe          | win10ltsc2021-20241211-en
behavioral16    | Loli-Mod-main/hvnc.exe          | win11-20241007-en
behavioral17    | Loli-Mod-main/y.exe             | win7-20241010-en
behavioral18    | Loli-Mod-main/y.exe             | win10v2004-20241007-en
behavioral19    | Loli-Mod-main/y.exe             | win10ltsc2021-20241211-en
behavioral20    | Loli-Mod-main/y.exe             | win11-20241007-en
General

- Target: Loli-Mod-main/Stage 1.exe
- Size: 151KB
- MD5: d58b5b6cfcaf63f9dd9015fadf8e8223
- SHA1: f927a187ca142b03f5dc0c49804fb6eb4425f3f3
- SHA256: 906f16836d4ed91fbaf79a1e21a140a4a29783f3b21e55ae4247f26c1916d70f
- SHA512: cb5d0832d00cd5cf72734425d0bae5039e1356a1da1105af6260468e1420e3207d90fbe09a9019134b0a1d6528ff3f84f2b025d6111cde2364eb255c5c885b47
- SSDEEP: 3072:6J/Rm34y9GUVkpj3KOVgHqMPfKVqcbYA/LzNAtV:6nm34y9D2pj3TgnKVqc0B
Malware Config
Signatures
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid  | Process
-----|------------
2468 | Stage 1.exe
2468 | Stage 1.exe

Suspicious use of AdjustPrivilegeToken (1 IoC)

description             | pid  | Process
------------------------|------|------------
Token: SeDebugPrivilege | 2468 | Stage 1.exe

Suspicious use of WriteProcessMemory (64 IoCs)

description                       | pid  | Process     | procid_target
----------------------------------|------|-------------|--------------
PID 2468 wrote to memory of 620   | 2468 | Stage 1.exe | 5
PID 2468 wrote to memory of 620   | 2468 | Stage 1.exe | 5
PID 2468 wrote to memory of 620   | 2468 | Stage 1.exe | 5
PID 2468 wrote to memory of 680   | 2468 | Stage 1.exe | 7
PID 2468 wrote to memory of 680   | 2468 | Stage 1.exe | 7
PID 2468 wrote to memory of 680   | 2468 | Stage 1.exe | 7
PID 2468 wrote to memory of 784   | 2468 | Stage 1.exe | 8
PID 2468 wrote to memory of 788   | 2468 | Stage 1.exe | 9
PID 2468 wrote to memory of 800   | 2468 | Stage 1.exe | 10
PID 2468 wrote to memory of 800   | 2468 | Stage 1.exe | 10
PID 2468 wrote to memory of 800   | 2468 | Stage 1.exe | 10
PID 2468 wrote to memory of 904   | 2468 | Stage 1.exe | 11
PID 2468 wrote to memory of 904   | 2468 | Stage 1.exe | 11
PID 2468 wrote to memory of 904   | 2468 | Stage 1.exe | 11
PID 2468 wrote to memory of 964   | 2468 | Stage 1.exe | 12
PID 2468 wrote to memory of 964   | 2468 | Stage 1.exe | 12
PID 2468 wrote to memory of 964   | 2468 | Stage 1.exe | 12
PID 2468 wrote to memory of 388   | 2468 | Stage 1.exe | 13
PID 2468 wrote to memory of 388   | 2468 | Stage 1.exe | 13
PID 2468 wrote to memory of 388   | 2468 | Stage 1.exe | 13
PID 2468 wrote to memory of 872   | 2468 | Stage 1.exe | 14
PID 2468 wrote to memory of 872   | 2468 | Stage 1.exe | 14
PID 2468 wrote to memory of 872   | 2468 | Stage 1.exe | 14
PID 2468 wrote to memory of 1036  | 2468 | Stage 1.exe | 15
PID 2468 wrote to memory of 1036  | 2468 | Stage 1.exe | 15
PID 2468 wrote to memory of 1036  | 2468 | Stage 1.exe | 15
PID 2468 wrote to memory of 1052  | 2468 | Stage 1.exe | 16
PID 2468 wrote to memory of 1052  | 2468 | Stage 1.exe | 16
PID 2468 wrote to memory of 1052  | 2468 | Stage 1.exe | 16
PID 2468 wrote to memory of 1112  | 2468 | Stage 1.exe | 17
PID 2468 wrote to memory of 1112  | 2468 | Stage 1.exe | 17
PID 2468 wrote to memory of 1112  | 2468 | Stage 1.exe | 17
PID 2468 wrote to memory of 1136  | 2468 | Stage 1.exe | 18
PID 2468 wrote to memory of 1136  | 2468 | Stage 1.exe | 18
PID 2468 wrote to memory of 1136  | 2468 | Stage 1.exe | 18
PID 2468 wrote to memory of 1184  | 2468 | Stage 1.exe | 19
PID 2468 wrote to memory of 1184  | 2468 | Stage 1.exe | 19
PID 2468 wrote to memory of 1184  | 2468 | Stage 1.exe | 19
PID 2468 wrote to memory of 1296  | 2468 | Stage 1.exe | 20
PID 2468 wrote to memory of 1296  | 2468 | Stage 1.exe | 20
PID 2468 wrote to memory of 1296  | 2468 | Stage 1.exe | 20
PID 2468 wrote to memory of 1324  | 2468 | Stage 1.exe | 21
PID 2468 wrote to memory of 1324  | 2468 | Stage 1.exe | 21
PID 2468 wrote to memory of 1324  | 2468 | Stage 1.exe | 21
PID 2468 wrote to memory of 1340  | 2468 | Stage 1.exe | 22
PID 2468 wrote to memory of 1340  | 2468 | Stage 1.exe | 22
PID 2468 wrote to memory of 1340  | 2468 | Stage 1.exe | 22
PID 2468 wrote to memory of 1360  | 2468 | Stage 1.exe | 23
PID 2468 wrote to memory of 1360  | 2468 | Stage 1.exe | 23
PID 2468 wrote to memory of 1360  | 2468 | Stage 1.exe | 23
PID 2468 wrote to memory of 1376  | 2468 | Stage 1.exe | 24
PID 2468 wrote to memory of 1376  | 2468 | Stage 1.exe | 24
PID 2468 wrote to memory of 1376  | 2468 | Stage 1.exe | 24
PID 2468 wrote to memory of 1456  | 2468 | Stage 1.exe | 25
PID 2468 wrote to memory of 1456  | 2468 | Stage 1.exe | 25
PID 2468 wrote to memory of 1456  | 2468 | Stage 1.exe | 25
PID 2468 wrote to memory of 1544  | 2468 | Stage 1.exe | 26
PID 2468 wrote to memory of 1544  | 2468 | Stage 1.exe | 26
PID 2468 wrote to memory of 1544  | 2468 | Stage 1.exe | 26
PID 2468 wrote to memory of 1600  | 2468 | Stage 1.exe | 27
PID 2468 wrote to memory of 1600  | 2468 | Stage 1.exe | 27
PID 2468 wrote to memory of 1600  | 2468 | Stage 1.exe | 27
PID 2468 wrote to memory of 1608  | 2468 | Stage 1.exe | 28
PID 2468 wrote to memory of 1608  | 2468 | Stage 1.exe | 28
Uses Task Scheduler COM API (1 TTP)

The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

Each entry lists the image path, the command line, and the PID; indentation shows the parent/child relationship.

- C:\Windows\system32\winlogon.exe | winlogon.exe | PID:620
  - C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
  - C:\Windows\system32\dwm.exe | "dwm.exe" | PID:388
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID:680
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:788
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | PID:800
  - C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID:2904
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3936
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4008
  - C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4084
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:4204
  - C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID:1660
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:4116
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:1728
  - C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:3956
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | PID:904
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID:964
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID:872
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID:1036
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID:1052
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | PID:1112
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID:1136
  - C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3148
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID:1184
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID:1296
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID:1324
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID:1340
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID:1360
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID:1376
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID:1456
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID:1544
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID:1600
  - C:\Windows\system32\sihost.exe | sihost.exe | PID:2128
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID:1608
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s NlaSvc | PID:1672
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s netprofm | PID:1752
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1780
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s Dnscache | PID:1880
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID:1888
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID:1948
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID:1956
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID:1220
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | PID:1932
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID:2088
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID:2260
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID:2312
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID:2380
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID:2388
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p -s CryptSvc | PID:2440
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID:2528
- C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID:2548
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID:2584
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID:2596
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:692
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s TokenBroker | PID:3228
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID:3412
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3480
  - C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\Stage 1.exe | "C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\Stage 1.exe" | PID:2468
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:2332
    - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls | PID:3264
    - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pause | PID:3512
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3640
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID:3352
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV | PID:2616
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID:3144
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID:2032
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID:4932
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID:440
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc | PID:3348
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID:4592