lgoogloader | 314410dacd8226075671d108c091e8dcf6f24156b10b430e81e25891d750d68d

General

Target

file.exe
Size

1.1MB
MD5

2ad4efa6bd88630d2a3a61b1898cd62f
SHA1

e5b869841b26fbb54b9e94668b3017face715581
SHA256

314410dacd8226075671d108c091e8dcf6f24156b10b430e81e25891d750d68d
SHA512

2df531a6634c0ecd3448b5369507b2f9735f651cfd932ec13140521154bcdbaaf03d76f82fc6e61cec669ab58cc06ef04d349f9b2a2c604a00eeeaf59e6b413c
SSDEEP

24576:X9ERWaeW0rxk6fIAkiWOurxoETjpoLIrDoS:X9EwW8xkVQvuloETjGLIrDoS

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2820-162-0x0000000002890000-0x000000000289D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Executes dropped EXE 1 IoCs

Processes:

Np.exe.pif

pid process

3996 Np.exe.pif

pid	process
3996	Np.exe.pif

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

file.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	file.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	file.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

Np.exe.pif

description pid process target process

PID 3996 set thread context of 2820 3996 Np.exe.pif ipconfig.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command-Line Interface
T1059

Processes:

ipconfig.exe

pid process

2820 ipconfig.exe
Runs ping.exe 1 TTPs 2 IoCs

Remote System Discovery
T1018

Processes:

PING.EXEPING.EXE

pid process

4572 PING.EXE
1328 PING.EXE

description	pid	process	target process
PID 3996 set thread context of 2820	3996	Np.exe.pif	ipconfig.exe

pid	process
2820	ipconfig.exe

pid	process
4572	PING.EXE
1328	PING.EXE

Suspicious behavior: EnumeratesProcesses 12 IoCs

Processes:

powershell.exepowershell.exeNp.exe.pif

pid	process
3456	powershell.exe
3456	powershell.exe
3456	powershell.exe
1048	powershell.exe
1048	powershell.exe
1048	powershell.exe
3996	Np.exe.pif
3996	Np.exe.pif
3996	Np.exe.pif
3996	Np.exe.pif
3996	Np.exe.pif
3996	Np.exe.pif

Suspicious use of AdjustPrivilegeToken 2 IoCs

Processes:

powershell.exepowershell.exe

description pid process

Token: SeDebugPrivilege 3456 powershell.exe
Token: SeDebugPrivilege 1048 powershell.exe
Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

Np.exe.pif

pid process

3996 Np.exe.pif
3996 Np.exe.pif
3996 Np.exe.pif
Suspicious use of SendNotifyMessage 3 IoCs

Processes:

Np.exe.pif

pid process

3996 Np.exe.pif
3996 Np.exe.pif
3996 Np.exe.pif

description	pid	process
Token: SeDebugPrivilege	3456	powershell.exe
Token: SeDebugPrivilege	1048	powershell.exe

pid	process
3996	Np.exe.pif
3996	Np.exe.pif
3996	Np.exe.pif

pid	process
3996	Np.exe.pif
3996	Np.exe.pif
3996	Np.exe.pif

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

file.execmd.execmd.exeNp.exe.pif

description	pid	process	target process
PID 4176 wrote to memory of 3372	4176	file.exe	waitfor.exe
PID 4176 wrote to memory of 3372	4176	file.exe	waitfor.exe
PID 4176 wrote to memory of 3372	4176	file.exe	waitfor.exe
PID 4176 wrote to memory of 3136	4176	file.exe	cmd.exe
PID 4176 wrote to memory of 3136	4176	file.exe	cmd.exe
PID 4176 wrote to memory of 3136	4176	file.exe	cmd.exe
PID 3136 wrote to memory of 4200	3136	cmd.exe	cmd.exe
PID 3136 wrote to memory of 4200	3136	cmd.exe	cmd.exe
PID 3136 wrote to memory of 4200	3136	cmd.exe	cmd.exe
PID 4200 wrote to memory of 3456	4200	cmd.exe	powershell.exe
PID 4200 wrote to memory of 3456	4200	cmd.exe	powershell.exe
PID 4200 wrote to memory of 3456	4200	cmd.exe	powershell.exe
PID 4200 wrote to memory of 1048	4200	cmd.exe	powershell.exe
PID 4200 wrote to memory of 1048	4200	cmd.exe	powershell.exe
PID 4200 wrote to memory of 1048	4200	cmd.exe	powershell.exe
PID 4200 wrote to memory of 5028	4200	cmd.exe	findstr.exe
PID 4200 wrote to memory of 5028	4200	cmd.exe	findstr.exe
PID 4200 wrote to memory of 5028	4200	cmd.exe	findstr.exe
PID 4200 wrote to memory of 3996	4200	cmd.exe	Np.exe.pif
PID 4200 wrote to memory of 3996	4200	cmd.exe	Np.exe.pif
PID 4200 wrote to memory of 3996	4200	cmd.exe	Np.exe.pif
PID 3996 wrote to memory of 2820	3996	Np.exe.pif	ipconfig.exe
PID 3996 wrote to memory of 2820	3996	Np.exe.pif	ipconfig.exe
PID 3996 wrote to memory of 2820	3996	Np.exe.pif	ipconfig.exe
PID 3996 wrote to memory of 2820	3996	Np.exe.pif	ipconfig.exe
PID 3996 wrote to memory of 2820	3996	Np.exe.pif	ipconfig.exe
PID 4200 wrote to memory of 4572	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4572	4200	cmd.exe	PING.EXE
PID 4200 wrote to memory of 4572	4200	cmd.exe	PING.EXE
PID 3136 wrote to memory of 1328	3136	cmd.exe	PING.EXE
PID 3136 wrote to memory of 1328	3136	cmd.exe	PING.EXE
PID 3136 wrote to memory of 1328	3136	cmd.exe	PING.EXE

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4176

C:\Windows\SysWOW64\waitfor.exe
waitfor /???????
2⤵
PID:3372

C:\Windows\SysWOW64\cmd.exe
cmd /c cmd < Operational.xltm & ping -n 5 localhost
2⤵
- Suspicious use of WriteProcessMemory
PID:3136

C:\Windows\SysWOW64\cmd.exe
cmd
3⤵
- Suspicious use of WriteProcessMemory
PID:4200

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avastui
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:3456

C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
powershell get-process avgui
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1048

C:\Windows\SysWOW64\findstr.exe
findstr /V /R "^519108589851565250197076846500850658372543232388340136155336318910191799876584467827183560404633643339766237077108059294864149534305224827205669431779545957662771$" Corporations.xltm
4⤵
PID:5028

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Np.exe.pif
Np.exe.pif n
4⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3996

C:\Windows\SysWOW64\ipconfig.exe
C:\Windows\SysWOW64\ipconfig.exe
5⤵
- Gathers network information
PID:2820

C:\Windows\SysWOW64\PING.EXE
ping localhost -n 5
4⤵
- Runs ping.exe
PID:4572

C:\Windows\SysWOW64\PING.EXE
ping -n 5 localhost
3⤵
- Runs ping.exe
PID:1328

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Command-Line Interface

1

T1059

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Information Discovery

1

T1082

Remote System Discovery

1

T1018

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log
Filesize
1KB

MD5
def65711d78669d7f8e69313be4acf2e

SHA1
6522ebf1de09eeb981e270bd95114bc69a49cda6

SHA256
aa1c97cdbce9a848f1db2ad483f19caa535b55a3a1ef2ad1260e0437002bc82c

SHA512
05b2f9cd9bc3b46f52fded320b68e05f79b2b3ceaeb13e5d87ae9f8cd8e6c90bbb4ffa4da8192c2bfe0f58826cabff2e99e7c5cc8dd47037d4eb7bfc6f2710a7

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
Filesize
18KB

MD5
fdee2fd2947994725a391e5a2b53fb85

SHA1
acf8d8e411448dff7e1cedc656b3db98010c339f

SHA256
779546f0e4eec207c3347a4511489ab47f2792d8b589002e5722e1aa95b958d9

SHA512
4ef96842c3f01edbcdd46a565b39b8f6d715d464a8b2cb056241d95a4f2b8e11d20257d8e56b29957c0915425fca00a59c5d9a23c32a59e95b5850c12d3b09d2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Corporations.xltm
Filesize
872KB

MD5
32da7eafa71e678af3a83da6912f0a03

SHA1
1c34ffdea2f3d9a97cd9fc9def3838ffaced2edc

SHA256
09b2081b94c9e95914048405358ec919edf04201ed2dc70d6c58d6be551194b7

SHA512
1fa5d8e7be4a919ec2b4338d5f5941cff5cdd70c0a613fa5dcc4b4c3c08682bf406e0d27fc50525e2a1d605f8d2a834d075a30a7a952e9a36c514437db887499

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Entrepreneurs.xltm
Filesize
874KB

MD5
e3db4085680bc80edf022bbc3b0f2459

SHA1
a4ea81c6aae2412c4442ebc5bd4e3277cad8ed7a

SHA256
ab41840e958e7ac51637a95d32c9525b2235eb55bbe4f1ca20bb54c92592eadb

SHA512
a607404da3ba4690ef270aaea83e4ac01483b8a9bdae1861c2989a06e6e8c99e531795abb7097e4e48269d06bf926d133dfd451697a176ffc21f65cf077011c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Np.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Np.exe.pif
Filesize
872KB

MD5
c56b5f0201a3b3de53e561fe76912bfd

SHA1
2a4062e10a5de813f5688221dbeb3f3ff33eb417

SHA256
237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

SHA512
195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\Operational.xltm
Filesize
12KB

MD5
58f102665d0ba1ef5c800935468ff278

SHA1
3eee4e7eb76cbe94122a6a854901304c8212a11f

SHA256
1a70c59886d8ac7c2b783c644fa83c32b4f08af563da6b9c1d501d8f8a0e5c5b

SHA512
f5dd4ef83e61b78e345f8fea42eca74359131c5fc235125fee8371f3b5a9a07f95dc756728470f7f118e050aaf502993149f13e06273448194a3f4279f7d8387

Download Submit
memory/1048-147-0x0000000000000000-mapping.dmp

Download
memory/1328-163-0x0000000000000000-mapping.dmp

Download
memory/2820-156-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-155-0x0000000000000000-mapping.dmp

Download
memory/2820-162-0x0000000002890000-0x000000000289D000-memory.dmp

Filesize
52KB

Download
memory/2820-161-0x0000000000C90000-0x0000000000C99000-memory.dmp

Filesize
36KB

Download
memory/2820-159-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/2820-158-0x0000000000400000-0x0000000000440000-memory.dmp

Filesize
256KB

Download
memory/3136-133-0x0000000000000000-mapping.dmp

Download
memory/3372-132-0x0000000000000000-mapping.dmp

Download
memory/3456-141-0x00000000052F0000-0x0000000005356000-memory.dmp

Filesize
408KB

Download
memory/3456-145-0x0000000006680000-0x00000000066A2000-memory.dmp

Filesize
136KB

Download
memory/3456-138-0x0000000005360000-0x0000000005988000-memory.dmp

Filesize
6.2MB

Download
memory/3456-137-0x0000000004B70000-0x0000000004BA6000-memory.dmp

Filesize
216KB

Download
memory/3456-143-0x00000000066B0000-0x0000000006746000-memory.dmp

Filesize
600KB

Download
memory/3456-136-0x0000000000000000-mapping.dmp

Download
memory/3456-139-0x0000000005060000-0x0000000005082000-memory.dmp

Filesize
136KB

Download
memory/3456-140-0x0000000005200000-0x0000000005266000-memory.dmp

Filesize
408KB

Download
memory/3456-142-0x00000000061C0000-0x00000000061DE000-memory.dmp

Filesize
120KB

Download
memory/3456-146-0x0000000007740000-0x0000000007CE4000-memory.dmp

Filesize
5.6MB

Download
memory/3456-144-0x0000000006630000-0x000000000664A000-memory.dmp

Filesize
104KB

Download
memory/3996-153-0x0000000000000000-mapping.dmp

Download
memory/4200-135-0x0000000000000000-mapping.dmp

Download
memory/4572-160-0x0000000000000000-mapping.dmp

Download
memory/5028-150-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads