Overview
overview
10Static
static
10Loli-Mod-m...nt.exe
windows7-x64
10Loli-Mod-m...nt.exe
windows10-2004-x64
10Loli-Mod-m...nt.exe
windows10-ltsc 2021-x64
10Loli-Mod-m...nt.exe
windows11-21h2-x64
10Loli-Mod-m...or.bat
windows7-x64
1Loli-Mod-m...or.bat
windows10-2004-x64
1Loli-Mod-m...or.bat
windows10-ltsc 2021-x64
1Loli-Mod-m...or.bat
windows11-21h2-x64
1Loli-Mod-m... 1.exe
windows7-x64
1Loli-Mod-m... 1.exe
windows10-2004-x64
1Loli-Mod-m... 1.exe
windows10-ltsc 2021-x64
1Loli-Mod-m... 1.exe
windows11-21h2-x64
1Loli-Mod-m...nc.exe
windows7-x64
3Loli-Mod-m...nc.exe
windows10-2004-x64
3Loli-Mod-m...nc.exe
windows10-ltsc 2021-x64
3Loli-Mod-m...nc.exe
windows11-21h2-x64
3Loli-Mod-main/y.exe
windows7-x64
10Loli-Mod-main/y.exe
windows10-2004-x64
10Loli-Mod-main/y.exe
windows10-ltsc 2021-x64
10Loli-Mod-main/y.exe
windows11-21h2-x64
10Analysis
-
max time kernel
123s -
max time network
140s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20241211-en -
resource tags
arch:x64arch:x86image:win10ltsc2021-20241211-enlocale:en-usos:windows10-ltsc 2021-x64system -
submitted
18-12-2024 19:34
Behavioral task
behavioral1
Sample
Loli-Mod-main/AsyncClient.exe
Resource
win7-20241010-en
Behavioral task
behavioral2
Sample
Loli-Mod-main/AsyncClient.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
Loli-Mod-main/AsyncClient.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral4
Sample
Loli-Mod-main/AsyncClient.exe
Resource
win11-20241007-en
Behavioral task
behavioral5
Sample
Loli-Mod-main/Loli Injector.bat
Resource
win7-20241010-en
Behavioral task
behavioral6
Sample
Loli-Mod-main/Loli Injector.bat
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
Loli-Mod-main/Loli Injector.bat
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral8
Sample
Loli-Mod-main/Loli Injector.bat
Resource
win11-20241007-en
Behavioral task
behavioral9
Sample
Loli-Mod-main/Stage 1.exe
Resource
win7-20241010-en
Behavioral task
behavioral10
Sample
Loli-Mod-main/Stage 1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
Loli-Mod-main/Stage 1.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral12
Sample
Loli-Mod-main/Stage 1.exe
Resource
win11-20241007-en
Behavioral task
behavioral13
Sample
Loli-Mod-main/hvnc.exe
Resource
win7-20240903-en
Behavioral task
behavioral14
Sample
Loli-Mod-main/hvnc.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
Loli-Mod-main/hvnc.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral16
Sample
Loli-Mod-main/hvnc.exe
Resource
win11-20241007-en
Behavioral task
behavioral17
Sample
Loli-Mod-main/y.exe
Resource
win7-20241010-en
Behavioral task
behavioral18
Sample
Loli-Mod-main/y.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
Loli-Mod-main/y.exe
Resource
win10ltsc2021-20241211-en
Behavioral task
behavioral20
Sample
Loli-Mod-main/y.exe
Resource
win11-20241007-en
General
-
Target
Loli-Mod-main/y.exe
-
Size
38KB
-
MD5
9212396ec7e75aee632a2304c9050bb3
-
SHA1
ecd187b60d5619ba78ab54bdd43ab9419ca4a72d
-
SHA256
6b82fc5f7ed107648cdb24ebd5f2aa0cff16af9d736ac8455175498a7ad47266
-
SHA512
b00528fa583cbd17b4a7b3f474c8177a288d95ab0f80aca1381434cb15df7fe0b2a9b7d6ea95d4ec55e8ad279f7473db07dde82d1ec408a46cbb60b4e4c5d2a4
-
SSDEEP
768:AXI+D3yb6a5up+I3pHGFyw9/PO6rO/hbPNQU:AnDiHDsEFr9HO6rO/NOU
Malware Config
Extracted
xworm
5.0
GQrSWs3TiKJsppyp
-
Install_directory
%AppData%
-
install_file
COM Surogate.exe
-
pastebin_url
https://pastebin.com/raw/EJ2UmS6u
Signatures
-
Detect Xworm Payload 1 IoCs
resource yara_rule behavioral19/memory/5108-1-0x0000000000050000-0x0000000000060000-memory.dmp family_xworm -
Xworm family
-
Command and Scripting Interpreter: PowerShell 1 TTPs 4 IoCs
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
pid Process 2584 powershell.exe 3396 powershell.exe 4332 powershell.exe 812 powershell.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\Control Panel\International\Geo\Nation y.exe -
Drops startup file 2 IoCs
description ioc Process File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surogate.lnk y.exe File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\COM Surogate.lnk y.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1798060429-1844192857-3165087720-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\COM Surogate = "C:\\Users\\Admin\\AppData\\Roaming\\COM Surogate.exe" y.exe -
Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
flow ioc 10 pastebin.com 11 pastebin.com -
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow ioc 7 ip-api.com -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2576 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid Process 3396 powershell.exe 3396 powershell.exe 4332 powershell.exe 4332 powershell.exe 812 powershell.exe 812 powershell.exe 2584 powershell.exe 2584 powershell.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeDebugPrivilege 5108 y.exe Token: SeDebugPrivilege 3396 powershell.exe Token: SeIncreaseQuotaPrivilege 3396 powershell.exe Token: SeSecurityPrivilege 3396 powershell.exe Token: SeTakeOwnershipPrivilege 3396 powershell.exe Token: SeLoadDriverPrivilege 3396 powershell.exe Token: SeSystemProfilePrivilege 3396 powershell.exe Token: SeSystemtimePrivilege 3396 powershell.exe Token: SeProfSingleProcessPrivilege 3396 powershell.exe Token: SeIncBasePriorityPrivilege 3396 powershell.exe Token: SeCreatePagefilePrivilege 3396 powershell.exe Token: SeBackupPrivilege 3396 powershell.exe Token: SeRestorePrivilege 3396 powershell.exe Token: SeShutdownPrivilege 3396 powershell.exe Token: SeDebugPrivilege 3396 powershell.exe Token: SeSystemEnvironmentPrivilege 3396 powershell.exe Token: SeRemoteShutdownPrivilege 3396 powershell.exe Token: SeUndockPrivilege 3396 powershell.exe Token: SeManageVolumePrivilege 3396 powershell.exe Token: 33 3396 powershell.exe Token: 34 3396 powershell.exe Token: 35 3396 powershell.exe Token: 36 3396 powershell.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeIncreaseQuotaPrivilege 4332 powershell.exe Token: SeSecurityPrivilege 4332 powershell.exe Token: SeTakeOwnershipPrivilege 4332 powershell.exe Token: SeLoadDriverPrivilege 4332 powershell.exe Token: SeSystemProfilePrivilege 4332 powershell.exe Token: SeSystemtimePrivilege 4332 powershell.exe Token: SeProfSingleProcessPrivilege 4332 powershell.exe Token: SeIncBasePriorityPrivilege 4332 powershell.exe Token: SeCreatePagefilePrivilege 4332 powershell.exe Token: SeBackupPrivilege 4332 powershell.exe Token: SeRestorePrivilege 4332 powershell.exe Token: SeShutdownPrivilege 4332 powershell.exe Token: SeDebugPrivilege 4332 powershell.exe Token: SeSystemEnvironmentPrivilege 4332 powershell.exe Token: SeRemoteShutdownPrivilege 4332 powershell.exe Token: SeUndockPrivilege 4332 powershell.exe Token: SeManageVolumePrivilege 4332 powershell.exe Token: 33 4332 powershell.exe Token: 34 4332 powershell.exe Token: 35 4332 powershell.exe Token: 36 4332 powershell.exe Token: SeDebugPrivilege 812 powershell.exe Token: SeIncreaseQuotaPrivilege 812 powershell.exe Token: SeSecurityPrivilege 812 powershell.exe Token: SeTakeOwnershipPrivilege 812 powershell.exe Token: SeLoadDriverPrivilege 812 powershell.exe Token: SeSystemProfilePrivilege 812 powershell.exe Token: SeSystemtimePrivilege 812 powershell.exe Token: SeProfSingleProcessPrivilege 812 powershell.exe Token: SeIncBasePriorityPrivilege 812 powershell.exe Token: SeCreatePagefilePrivilege 812 powershell.exe Token: SeBackupPrivilege 812 powershell.exe Token: SeRestorePrivilege 812 powershell.exe Token: SeShutdownPrivilege 812 powershell.exe Token: SeDebugPrivilege 812 powershell.exe Token: SeSystemEnvironmentPrivilege 812 powershell.exe Token: SeRemoteShutdownPrivilege 812 powershell.exe Token: SeUndockPrivilege 812 powershell.exe Token: SeManageVolumePrivilege 812 powershell.exe Token: 33 812 powershell.exe -
Suspicious use of WriteProcessMemory 10 IoCs
description pid Process procid_target PID 5108 wrote to memory of 3396 5108 y.exe 84 PID 5108 wrote to memory of 3396 5108 y.exe 84 PID 5108 wrote to memory of 4332 5108 y.exe 87 PID 5108 wrote to memory of 4332 5108 y.exe 87 PID 5108 wrote to memory of 812 5108 y.exe 89 PID 5108 wrote to memory of 812 5108 y.exe 89 PID 5108 wrote to memory of 2584 5108 y.exe 91 PID 5108 wrote to memory of 2584 5108 y.exe 91 PID 5108 wrote to memory of 2576 5108 y.exe 93 PID 5108 wrote to memory of 2576 5108 y.exe 93 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe"C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe"1⤵
- Checks computer location settings
- Drops startup file
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5108 -
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\y.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3396
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'y.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4332
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionPath 'C:\Users\Admin\AppData\Roaming\COM Surogate.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:812
-
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" -ExecutionPolicy Bypass Add-MpPreference -ExclusionProcess 'COM Surogate.exe'2⤵
- Command and Scripting Interpreter: PowerShell
- Suspicious behavior: EnumeratesProcesses
PID:2584
-
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /f /RL HIGHEST /sc minute /mo 1 /tn "COM Surogate" /tr "C:\Users\Admin\AppData\Roaming\COM Surogate.exe"2⤵
- Scheduled Task/Job: Scheduled Task
PID:2576
-
Network
MITRE ATT&CK Enterprise v15
Execution
Command and Scripting Interpreter
1PowerShell
1Scheduled Task/Job
1Scheduled Task
1Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Scheduled Task
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3KB
MD53eb3833f769dd890afc295b977eab4b4
SHA1e857649b037939602c72ad003e5d3698695f436f
SHA256c485a6e2fd17c342fca60060f47d6a5655a65a412e35e001bb5bf88d96e6e485
SHA512c24bbc8f278478d43756807b8c584d4e3fb2289db468bc92986a489f74a8da386a667a758360a397e77e018e363be8912ac260072fa3e31117ad0599ac749e72
-
Filesize
1KB
MD526c94c408a5a2e1e04f1191fc2902d3e
SHA1ce50b153be03511bd62a477abf71a7e9f94e68a5
SHA25686ad00a425874b935cc725f83780add09d08d7dc9cbfb705821955fe937c05ec
SHA51270e7bc620b369d7d0fcf06f93da000819bf089a502f1014641ad14d56ead22f31c25b97363296fd3749c63bde6db3bf115b33504b160485d792e1331c337b586
-
Filesize
1KB
MD5cd3ff24033bcac59bacd562de7e8f81e
SHA1eb9bf2d35583075801c7faf9705f5bcfea9b9cda
SHA256786ab4b8f344487365ba7e3bbe4ea8a2e310a25a42a5c579dd647b807d8e3875
SHA5129b86fd5d942fb9031a87bfc4c552fc1286b72e53da43b2cb6e256c9332c3310f92453e04779a0d95a29201d8b90c7b043b754e1f43ea30f4176191e8050e946a
-
Filesize
1KB
MD529daeef2e92579b02c2a864fad203359
SHA12cd0b964ebcc0c7646370fe14416df2704f1d96f
SHA256ffd227efd83ecda5b9716eea0086c1c71f76c6186cd0c1c3b60bd6a139e49d51
SHA5127091fa3f254fbcc3dafc4f982960b673c672f04b87c1640a517edf0b47742f6d64ecda901a08ea5d949cef4914daadf1adea20260171d87d8e3d0a38f23d30c7
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82