lgoogloader | bf9cbad13935f939f44add9a131188c73e3dda014e039debc553ebacab228d83

General

Target

35d19a9ba44fa423cb90f734f53de2aa.exe
Size

1.3MB
MD5

35d19a9ba44fa423cb90f734f53de2aa
SHA1

104f7b53b01d3b6a7ff871b51057c3193b431a23
SHA256

bf9cbad13935f939f44add9a131188c73e3dda014e039debc553ebacab228d83
SHA512

e85c53d709977ff9f17abcbb48f02d72b8792be4393b10146f983c325c8d023d439372fb448c27ca60eb58f70c6e7139581b059d06edcb25dbfe8abcf63f5a25
SSDEEP

12288:yy7iK8b0X+aOAQhWL+Yr0+Et5iV4mSKj7+QHa+ZGJ8/83tPAjb5nZK0cfCoA8rKD:wXKhC8sPsbnaAmsVkonYyd3h

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1288-62-0x00000000000D0000-0x00000000000DD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	35d19a9ba44fa423cb90f734f53de2aa.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description pid process target process

PID 1760 set thread context of 1288 1760 35d19a9ba44fa423cb90f734f53de2aa.exe AddInProcess32.exe

description	pid	process	target process
PID 1760 set thread context of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 13 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

pid	process
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe
1760	35d19a9ba44fa423cb90f734f53de2aa.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

pid process

1760 35d19a9ba44fa423cb90f734f53de2aa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description	pid	process
Token: SeDebugPrivilege	1760	35d19a9ba44fa423cb90f734f53de2aa.exe
Token: SeLoadDriverPrivilege	1760	35d19a9ba44fa423cb90f734f53de2aa.exe
Token: SeDebugPrivilege	1760	35d19a9ba44fa423cb90f734f53de2aa.exe

Suspicious use of WriteProcessMemory 51 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description	pid	process	target process
PID 1760 wrote to memory of 1740	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	EdmGen.exe
PID 1760 wrote to memory of 1740	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	EdmGen.exe
PID 1760 wrote to memory of 1740	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	EdmGen.exe
PID 1760 wrote to memory of 980	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ngen.exe
PID 1760 wrote to memory of 980	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ngen.exe
PID 1760 wrote to memory of 980	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ngen.exe
PID 1760 wrote to memory of 948	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	RegSvcs.exe
PID 1760 wrote to memory of 948	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	RegSvcs.exe
PID 1760 wrote to memory of 948	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	RegSvcs.exe
PID 1760 wrote to memory of 1492	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	dfsvc.exe
PID 1760 wrote to memory of 1492	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	dfsvc.exe
PID 1760 wrote to memory of 1492	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	dfsvc.exe
PID 1760 wrote to memory of 1488	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	InstallUtil.exe
PID 1760 wrote to memory of 1488	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	InstallUtil.exe
PID 1760 wrote to memory of 1488	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	InstallUtil.exe
PID 1760 wrote to memory of 1540	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regiis.exe
PID 1760 wrote to memory of 1540	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regiis.exe
PID 1760 wrote to memory of 1540	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regiis.exe
PID 1760 wrote to memory of 1756	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 1760 wrote to memory of 1756	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 1760 wrote to memory of 1756	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 1760 wrote to memory of 1756	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 1760 wrote to memory of 1328	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ServiceModelReg.exe
PID 1760 wrote to memory of 1328	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ServiceModelReg.exe
PID 1760 wrote to memory of 1328	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ServiceModelReg.exe
PID 1760 wrote to memory of 1312	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regbrowsers.exe
PID 1760 wrote to memory of 1312	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regbrowsers.exe
PID 1760 wrote to memory of 1312	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regbrowsers.exe
PID 1760 wrote to memory of 1444	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	mscorsvw.exe
PID 1760 wrote to memory of 1444	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	mscorsvw.exe
PID 1760 wrote to memory of 1444	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	mscorsvw.exe
PID 1760 wrote to memory of 1476	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_state.exe
PID 1760 wrote to memory of 1476	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_state.exe
PID 1760 wrote to memory of 1476	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_state.exe
PID 1760 wrote to memory of 1720	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	DataSvcUtil.exe
PID 1760 wrote to memory of 1720	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	DataSvcUtil.exe
PID 1760 wrote to memory of 1720	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	DataSvcUtil.exe
PID 1760 wrote to memory of 1332	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ComSvcConfig.exe
PID 1760 wrote to memory of 1332	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ComSvcConfig.exe
PID 1760 wrote to memory of 1332	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	ComSvcConfig.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe
PID 1760 wrote to memory of 1288	1760	35d19a9ba44fa423cb90f734f53de2aa.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\35d19a9ba44fa423cb90f734f53de2aa.exe
"C:\Users\Admin\AppData\Local\Temp\35d19a9ba44fa423cb90f734f53de2aa.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1760

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:1740

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:980

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:948

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:1492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:1488

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:1540

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:1756

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:1328

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:1312

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:1444

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:1720

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:1332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
PID:1288

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1288-56-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-57-0x0000000000403BA0-mapping.dmp

Download
memory/1288-59-0x0000000075281000-0x0000000075283000-memory.dmp

Filesize
8KB

Download
memory/1288-60-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/1288-61-0x0000000000090000-0x0000000000099000-memory.dmp

Filesize
36KB

Download
memory/1288-62-0x00000000000D0000-0x00000000000DD000-memory.dmp

Filesize
52KB

Download
memory/1760-54-0x0000000000B20000-0x0000000000C6A000-memory.dmp

Filesize
1.3MB

Download
memory/1760-55-0x0000000000A60000-0x0000000000AD8000-memory.dmp

Filesize
480KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads