Analysis
-
max time kernel
38s -
max time network
43s -
platform
windows7_x64 -
resource
win7-20220812-en -
resource tags
-
submitted
25-11-2022 07:37
General
-
Target
197cc0b311afc440dd150387e68bf49f.exe
-
Size
485KB
-
MD5
197cc0b311afc440dd150387e68bf49f
-
SHA1
78434666b854de78dfbfb253e66644865d324586
-
SHA256
d0f5a3be9ab80e06600ffcb13d897f325b7c8737b895223b3b7e03ecc79abbca
-
SHA512
93e805b0956a69a2f9bcabd059bafef689a82aa8654a71bf56d9834db9a5d1904aca34178e02b47f85b6bbac3b4430209dc989071e50c1d63c152daeb5052fed
-
SSDEEP
6144:up65pkrxfUvq1uWsCbIG3p2NtIzCuAsTF5nCLggt6wVsp03cPqfXETRaLP5bhxJ:vs+DNCMG5WIzCETqLgm6RyPETYRfq
Score
10/10
Malware Config
Signatures
-
Detects LgoogLoader payload 1 IoCs
-
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
UAC bypass 3 TTPs 1 IoCs
-
Sets service image path in registry 2 TTPs 1 IoCs
-
Checks whether UAC is enabled 1 TTPs 2 IoCs
-
Suspicious use of SetThreadContext 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
-
Suspicious behavior: LoadsDriver 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of WriteProcessMemory 14 IoCs
-
System policy modification 1 TTPs 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\197cc0b311afc440dd150387e68bf49f.exe"C:\Users\Admin\AppData\Local\Temp\197cc0b311afc440dd150387e68bf49f.exe"1⤵
- UAC bypass
- Sets service image path in registry
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
-
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\197cc0b311afc440dd150387e68bf49f.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"2⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/1476-55-0x0000000001FF0000-0x000000000206A000-memory.dmpFilesize
488KB
-
memory/1476-54-0x00000000002C0000-0x000000000033E000-memory.dmpFilesize
504KB
-
memory/1776-64-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1776-70-0x0000000000150000-0x000000000015D000-memory.dmpFilesize
52KB
-
memory/1776-69-0x0000000000120000-0x0000000000129000-memory.dmpFilesize
36KB
-
memory/1776-68-0x0000000000400000-0x0000000000438000-memory.dmpFilesize
224KB
-
memory/1776-67-0x0000000075E51000-0x0000000075E53000-memory.dmpFilesize
8KB
-
memory/1776-65-0x0000000000403BA0-mapping.dmp
-
memory/1932-58-0x000007FEEC380000-0x000007FEECDA3000-memory.dmpFilesize
10.1MB
-
memory/1932-63-0x000000000274B000-0x000000000276A000-memory.dmpFilesize
124KB
-
memory/1932-62-0x0000000002744000-0x0000000002747000-memory.dmpFilesize
12KB
-
memory/1932-61-0x000000000274B000-0x000000000276A000-memory.dmpFilesize
124KB
-
memory/1932-60-0x0000000002744000-0x0000000002747000-memory.dmpFilesize
12KB
-
memory/1932-59-0x000007FEEB820000-0x000007FEEC37D000-memory.dmpFilesize
11.4MB
-
memory/1932-57-0x000007FEFC311000-0x000007FEFC313000-memory.dmpFilesize
8KB
-
memory/1932-56-0x0000000000000000-mapping.dmp