Overview (score 10)
Static (score 10)

Behavioral results by target and platform:

Target               Platform                 Score
Loli-Mod-m...nt.exe  windows7-x64             10
Loli-Mod-m...nt.exe  windows10-2004-x64       10
Loli-Mod-m...nt.exe  windows10-ltsc 2021-x64  10
Loli-Mod-m...nt.exe  windows11-21h2-x64       10
Loli-Mod-m...or.bat  windows7-x64             1
Loli-Mod-m...or.bat  windows10-2004-x64       1
Loli-Mod-m...or.bat  windows10-ltsc 2021-x64  1
Loli-Mod-m...or.bat  windows11-21h2-x64       1
Loli-Mod-m... 1.exe  windows7-x64             1
Loli-Mod-m... 1.exe  windows10-2004-x64       1
Loli-Mod-m... 1.exe  windows10-ltsc 2021-x64  1
Loli-Mod-m... 1.exe  windows11-21h2-x64       1
Loli-Mod-m...nc.exe  windows7-x64             3
Loli-Mod-m...nc.exe  windows10-2004-x64       3
Loli-Mod-m...nc.exe  windows10-ltsc 2021-x64  3
Loli-Mod-m...nc.exe  windows11-21h2-x64       3
Loli-Mod-main/y.exe  windows7-x64             10
Loli-Mod-main/y.exe  windows10-2004-x64       10
Loli-Mod-main/y.exe  windows10-ltsc 2021-x64  10
Loli-Mod-main/y.exe  windows11-21h2-x64       10

Analysis
- max time kernel: 12s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 18-12-2024 19:34
Behavioral tasks

Task          Sample                           Resource
behavioral1   Loli-Mod-main/AsyncClient.exe    win7-20241010-en
behavioral2   Loli-Mod-main/AsyncClient.exe    win10v2004-20241007-en
behavioral3   Loli-Mod-main/AsyncClient.exe    win10ltsc2021-20241211-en
behavioral4   Loli-Mod-main/AsyncClient.exe    win11-20241007-en
behavioral5   Loli-Mod-main/Loli Injector.bat  win7-20241010-en
behavioral6   Loli-Mod-main/Loli Injector.bat  win10v2004-20241007-en
behavioral7   Loli-Mod-main/Loli Injector.bat  win10ltsc2021-20241211-en
behavioral8   Loli-Mod-main/Loli Injector.bat  win11-20241007-en
behavioral9   Loli-Mod-main/Stage 1.exe        win7-20241010-en
behavioral10  Loli-Mod-main/Stage 1.exe        win10v2004-20241007-en
behavioral11  Loli-Mod-main/Stage 1.exe        win10ltsc2021-20241211-en
behavioral12  Loli-Mod-main/Stage 1.exe        win11-20241007-en
behavioral13  Loli-Mod-main/hvnc.exe           win7-20240903-en
behavioral14  Loli-Mod-main/hvnc.exe           win10v2004-20241007-en
behavioral15  Loli-Mod-main/hvnc.exe           win10ltsc2021-20241211-en
behavioral16  Loli-Mod-main/hvnc.exe           win11-20241007-en
behavioral17  Loli-Mod-main/y.exe              win7-20241010-en
behavioral18  Loli-Mod-main/y.exe              win10v2004-20241007-en
behavioral19  Loli-Mod-main/y.exe              win10ltsc2021-20241211-en
behavioral20  Loli-Mod-main/y.exe              win11-20241007-en
General
- Target: Loli-Mod-main/Stage 1.exe
- Size: 151KB
- MD5: d58b5b6cfcaf63f9dd9015fadf8e8223
- SHA1: f927a187ca142b03f5dc0c49804fb6eb4425f3f3
- SHA256: 906f16836d4ed91fbaf79a1e21a140a4a29783f3b21e55ae4247f26c1916d70f
- SHA512: cb5d0832d00cd5cf72734425d0bae5039e1356a1da1105af6260468e1420e3207d90fbe09a9019134b0a1d6528ff3f84f2b025d6111cde2364eb255c5c885b47
- SSDEEP: 3072:6J/Rm34y9GUVkpj3KOVgHqMPfKVqcbYA/LzNAtV:6nm34y9D2pj3TgnKVqc0B
Malware Config
Signatures

- Suspicious behavior: EnumeratesProcesses (1 IoC)

  pid   Process
  2460  Stage 1.exe

- Suspicious use of AdjustPrivilegeToken (1 IoC)

  description              pid   Process
  Token: SeDebugPrivilege  2460  Stage 1.exe

- Suspicious use of WriteProcessMemory (64 IoCs; identical rows are shown once with their count)

  description                        pid   Process      procid_target  count
  PID 2460 wrote to memory of 256    2460  Stage 1.exe  1              1
  PID 2460 wrote to memory of 332    2460  Stage 1.exe  2              1
  PID 2460 wrote to memory of 372    2460  Stage 1.exe  3              3
  PID 2460 wrote to memory of 384    2460  Stage 1.exe  4              3
  PID 2460 wrote to memory of 420    2460  Stage 1.exe  5              3
  PID 2460 wrote to memory of 464    2460  Stage 1.exe  6              3
  PID 2460 wrote to memory of 480    2460  Stage 1.exe  7              3
  PID 2460 wrote to memory of 488    2460  Stage 1.exe  8              3
  PID 2460 wrote to memory of 580    2460  Stage 1.exe  9              3
  PID 2460 wrote to memory of 660    2460  Stage 1.exe  10             3
  PID 2460 wrote to memory of 740    2460  Stage 1.exe  11             3
  PID 2460 wrote to memory of 804    2460  Stage 1.exe  12             3
  PID 2460 wrote to memory of 848    2460  Stage 1.exe  13             3
  PID 2460 wrote to memory of 1000   2460  Stage 1.exe  14             3
  PID 2460 wrote to memory of 300    2460  Stage 1.exe  15             3
  PID 2460 wrote to memory of 280    2460  Stage 1.exe  16             3
  PID 2460 wrote to memory of 1080   2460  Stage 1.exe  17             3
  PID 2460 wrote to memory of 1104   2460  Stage 1.exe  18             3
  PID 2460 wrote to memory of 1168   2460  Stage 1.exe  19             3
  PID 2460 wrote to memory of 1204   2460  Stage 1.exe  20             3
  PID 2460 wrote to memory of 748    2460  Stage 1.exe  23             3
  PID 2460 wrote to memory of 1728   2460  Stage 1.exe  24             3
  PID 2460 wrote to memory of 2012   2460  Stage 1.exe  25             2
Processes (indented by process-tree depth; image path, then command line, then PID)

C:\Windows\System32\smss.exe  (cmdline: \SystemRoot\System32\smss.exe)  PID:256
C:\Windows\system32\csrss.exe  (cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)  PID:332
C:\Windows\system32\wininit.exe  (cmdline: wininit.exe)  PID:372
  C:\Windows\system32\services.exe  (cmdline: C:\Windows\system32\services.exe)  PID:464
    C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k DcomLaunch)  PID:580
      C:\Windows\system32\wbem\wmiprvse.exe  (cmdline: C:\Windows\system32\wbem\wmiprvse.exe)  PID:1728
    C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k RPCSS)  PID:660
    C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalServiceNetworkRestricted)  PID:740
    C:\Windows\System32\svchost.exe  (cmdline: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted)  PID:804
      C:\Windows\system32\Dwm.exe  (cmdline: "C:\Windows\system32\Dwm.exe")  PID:1168
    C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k netsvcs)  PID:848
    C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalService)  PID:1000
    C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k NetworkService)  PID:300
    C:\Windows\System32\spoolsv.exe  (cmdline: C:\Windows\System32\spoolsv.exe)  PID:280
    C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceNoNetwork)  PID:1080
    C:\Windows\system32\taskhost.exe  (cmdline: "taskhost.exe")  PID:1104
    C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE  (cmdline: "C:\Program Files\Common Files\Microsoft Shared\OfficeSoftwareProtectionPlatform\OSPPSVC.EXE")  PID:748
    C:\Windows\system32\svchost.exe  (cmdline: C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation)  PID:2012
    C:\Windows\system32\sppsvc.exe  (cmdline: C:\Windows\system32\sppsvc.exe)  PID:1984
  C:\Windows\system32\lsass.exe  (cmdline: C:\Windows\system32\lsass.exe)  PID:480
  C:\Windows\system32\lsm.exe  (cmdline: C:\Windows\system32\lsm.exe)  PID:488
C:\Windows\system32\csrss.exe  (cmdline: %SystemRoot%\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ServerDll=sxssrv,4 ProfileControl=Off MaxRequestThreads=16)  PID:384
  C:\Windows\system32\conhost.exe  (cmdline: \??\C:\Windows\system32\conhost.exe "-10666176581685568598102949072024170643-21322623291769947887-1470918091249953153")  PID:2284
C:\Windows\system32\winlogon.exe  (cmdline: winlogon.exe)  PID:420
C:\Windows\Explorer.EXE  (cmdline: C:\Windows\Explorer.EXE)  PID:1204
  C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\Stage 1.exe  (cmdline: "C:\Users\Admin\AppData\Local\Temp\Loli-Mod-main\Stage 1.exe")  PID:2460
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory