Analysis
- max time kernel: 147s
- max time network: 150s
- platform: windows11-21h2_x64
- resource: win11-20241007-en
- resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
- submitted: 18-12-2024 19:34
Behavioral tasks (task: sample, resource)
- behavioral1: Loli-Mod-main/AsyncClient.exe, win7-20241010-en
- behavioral2: Loli-Mod-main/AsyncClient.exe, win10v2004-20241007-en
- behavioral3: Loli-Mod-main/AsyncClient.exe, win10ltsc2021-20241211-en
- behavioral4: Loli-Mod-main/AsyncClient.exe, win11-20241007-en
- behavioral5: Loli-Mod-main/Loli Injector.bat, win7-20241010-en
- behavioral6: Loli-Mod-main/Loli Injector.bat, win10v2004-20241007-en
- behavioral7: Loli-Mod-main/Loli Injector.bat, win10ltsc2021-20241211-en
- behavioral8: Loli-Mod-main/Loli Injector.bat, win11-20241007-en
- behavioral9: Loli-Mod-main/Stage 1.exe, win7-20241010-en
- behavioral10: Loli-Mod-main/Stage 1.exe, win10v2004-20241007-en
- behavioral11: Loli-Mod-main/Stage 1.exe, win10ltsc2021-20241211-en
- behavioral12: Loli-Mod-main/Stage 1.exe, win11-20241007-en
- behavioral13: Loli-Mod-main/hvnc.exe, win7-20240903-en
- behavioral14: Loli-Mod-main/hvnc.exe, win10v2004-20241007-en
- behavioral15: Loli-Mod-main/hvnc.exe, win10ltsc2021-20241211-en
- behavioral16: Loli-Mod-main/hvnc.exe, win11-20241007-en
- behavioral17: Loli-Mod-main/y.exe, win7-20241010-en
- behavioral18: Loli-Mod-main/y.exe, win10v2004-20241007-en
- behavioral19: Loli-Mod-main/y.exe, win10ltsc2021-20241211-en
- behavioral20: Loli-Mod-main/y.exe, win11-20241007-en
General
- Target: Loli-Mod-main/Stage 1.exe
- Size: 151KB
- MD5: d58b5b6cfcaf63f9dd9015fadf8e8223
- SHA1: f927a187ca142b03f5dc0c49804fb6eb4425f3f3
- SHA256: 906f16836d4ed91fbaf79a1e21a140a4a29783f3b21e55ae4247f26c1916d70f
- SHA512: cb5d0832d00cd5cf72734425d0bae5039e1356a1da1105af6260468e1420e3207d90fbe09a9019134b0a1d6528ff3f84f2b025d6111cde2364eb255c5c885b47
- SSDEEP: 3072:6J/Rm34y9GUVkpj3KOVgHqMPfKVqcbYA/LzNAtV:6nm34y9D2pj3TgnKVqc0B
Malware Config
Signatures
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid 1292, Process Stage 1.exe
  pid 1292, Process Stage 1.exe
- Suspicious use of AdjustPrivilegeToken (1 IoCs)
  description Token: SeDebugPrivilege, pid 1292, Process Stage 1.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
- Uses Task Scheduler COM API (1 TTPs)
  The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes (path | command line | PID; indentation shows parent/child depth)
- C:\Windows\system32\winlogon.exe | winlogon.exe | PID 648
  - C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 832
  - C:\Windows\system32\dwm.exe | "dwm.exe" | PID 764
- C:\Windows\system32\lsass.exe | C:\Windows\system32\lsass.exe | PID 704
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p | PID 812
  - C:\Windows\system32\wbem\unsecapp.exe | C:\Windows\system32\wbem\unsecapp.exe -Embedding | PID 3080
  - C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca | PID 3716
  - C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID 3788
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3848
  - C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID 3928
  - C:\Windows\system32\SppExtComObj.exe | C:\Windows\system32\SppExtComObj.exe -Embedding | PID 1536
- C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID 824
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k RPCSS -p | PID 948
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k DcomLaunch -p -s LSM | PID 1008
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s gpsvc | PID 776
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s lmhosts | PID 692
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s NcbService | PID 1076
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s nsi | PID 1128
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork -p | PID 1160
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Schedule | PID 1168
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s TimeBrokerSvc | PID 1224
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netprofm -p -s netprofm | PID 1248
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s ProfSvc | PID 1324
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s DispBrokerDesktopSvc | PID 1456
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s UserManager | PID 1468
  - C:\Windows\system32\sihost.exe | sihost.exe | PID 2764
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p -s EventLog | PID 1520
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s EventSystem | PID 1600
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s Themes | PID 1612
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID 1700
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s SENS | PID 1732
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s AudioEndpointBuilder | PID 1792
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s Dhcp | PID 1852
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 1040
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k appmodel -p -s StateRepository | PID 2000
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 2056
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -p | PID 2064
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k netsvcs -p -s ShellHWDetection | PID 2100
- C:\Windows\System32\spoolsv.exe | C:\Windows\System32\spoolsv.exe | PID 2152
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNoNetworkFirewall -p | PID 2188
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k NetworkService -p -s LanmanWorkstation | PID 2292
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted -s RmSvc | PID 2316
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkServiceNetworkRestricted -p -s PolicyAgent | PID 2500
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s IKEEXT | PID 2508
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k NetworkService -p | PID 2584
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s LanmanServer | PID 2664
- C:\Windows\sysmon.exe | C:\Windows\sysmon.exe | PID 2676
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s TrkWks | PID 2696
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Winmgmt | PID 2708
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s WpnService | PID 2740
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID 2820
- C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID 3296
  - C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\Stage 1.exe | "C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\Stage 1.exe" | PID 1292
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID 4192
    - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c cls | PID 1412
    - C:\Windows\system32\cmd.exe | C:\Windows\system32\cmd.exe /c pause | PID 4572
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID 3428
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s Appinfo | PID 3472
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UdkSvcGroup -s UdkUserSvc | PID 4076
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k osprivacy -p -s camsvc | PID 4448
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalService -p -s CDPSvc | PID 4932
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s StorSvc | PID 3132
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s WinHttpAutoProxySvc | PID 3504
- C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe | "C:\Program Files\Common Files\Microsoft Shared\ClickToRun\OfficeClickToRun.exe" /service | PID 1368
- C:\Windows\System32\svchost.exe | C:\Windows\System32\svchost.exe -k LocalService -p -s LicenseManager | PID 2020
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k netsvcs -p -s wlidsvc | PID 2120
- C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k LocalServiceNetworkRestricted -p -s NgcCtnrSvc | PID 4336