lgoogloader | 5b0fca6f18ae8fde80d95ae6578dd824271372ca5448ddcb4ffb7f81c8d5607e

Analysis

max time kernel
90s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20221111-en
resource tags

arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2023 01:47

Target

file.exe
Size

1.8MB
MD5

069f7d78fead905eba9ad321096a7f55
SHA1

0e6decf0a70b85825c699020b8a139e05692827e
SHA256

5b0fca6f18ae8fde80d95ae6578dd824271372ca5448ddcb4ffb7f81c8d5607e
SHA512

2bfba49cc003b1e38425d9a57b28c6c141005c721317f86a402846cf362ec9884a717e455826b1aff2574febc6c005067f69efccf4b2125d6205da870e46629d
SSDEEP

24576:ks5lGPjnl4wCuHb807NoAJfwgDwfpAkXWt8533g8wJoVnbUEDZcLAlG0S6vSe:ks5lam4b807J5QSxt8533qJSbUM3zKe

Score

10^/10

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/328-142-0x00000000018B0000-0x00000000018BD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Suspicious use of SetThreadContext 1 IoCs

Processes:

file.exe

description pid process target process

PID 4288 set thread context of 328 4288 file.exe ngentask.exe
Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid pid_target process target process

4396 4288 WerFault.exe file.exe
2264 4288 WerFault.exe file.exe

description	pid	process	target process
PID 4288 set thread context of 328	4288	file.exe	ngentask.exe

pid	pid_target	process	target process
4396	4288	WerFault.exe	file.exe
2264	4288	WerFault.exe	file.exe

Suspicious behavior: EnumeratesProcesses 36 IoCs

Processes:

file.exe

Suspicious use of WriteProcessMemory 5 IoCs

Processes:

file.exe

description	pid	process	target process
PID 4288 wrote to memory of 328	4288	file.exe	ngentask.exe
PID 4288 wrote to memory of 328	4288	file.exe	ngentask.exe
PID 4288 wrote to memory of 328	4288	file.exe	ngentask.exe
PID 4288 wrote to memory of 328	4288	file.exe	ngentask.exe
PID 4288 wrote to memory of 328	4288	file.exe	ngentask.exe

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
2⤵
PID:328

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1252
2⤵
- Program crash
PID:4396

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4288 -s 1232
2⤵
- Program crash
PID:2264

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 184 -p 4288 -ip 4288
1⤵
PID:4940

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 536 -p 4288 -ip 4288
1⤵
PID:4928

memory/328-135-0x0000000000000000-mapping.dmp

Download
memory/328-136-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/328-138-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/328-139-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/328-140-0x0000000000400000-0x0000000000432000-memory.dmp

Filesize
200KB

Download
memory/328-141-0x0000000001890000-0x0000000001899000-memory.dmp

Filesize
36KB

Download
memory/328-142-0x00000000018B0000-0x00000000018BD000-memory.dmp

Filesize
52KB

Download
memory/4288-132-0x000000000EE10000-0x000000000F0A1000-memory.dmp

Filesize
2.6MB

Download
memory/4288-133-0x00000000033CC000-0x000000000355F000-memory.dmp

Filesize
1.6MB

Download
memory/4288-134-0x000000000EE10000-0x000000000F0A1000-memory.dmp

Filesize
2.6MB

Download
memory/4288-143-0x00000000033CC000-0x000000000355F000-memory.dmp

Filesize
1.6MB

Download