Analysis
- max time kernel: 77s
- max time network: 146s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-01-2023 10:00
Static task: static1
Behavioral task: behavioral1
- Sample: 35d19a9ba44fa423cb90f734f53de2aa.exe
- Resource: win7-20220812-en
Behavioral task: behavioral2
- Sample: 35d19a9ba44fa423cb90f734f53de2aa.exe
- Resource: win10v2004-20221111-en
General
- Target: 35d19a9ba44fa423cb90f734f53de2aa.exe
- Size: 1.3MB
- MD5: 35d19a9ba44fa423cb90f734f53de2aa
- SHA1: 104f7b53b01d3b6a7ff871b51057c3193b431a23
- SHA256: bf9cbad13935f939f44add9a131188c73e3dda014e039debc553ebacab228d83
- SHA512: e85c53d709977ff9f17abcbb48f02d72b8792be4393b10146f983c325c8d023d439372fb448c27ca60eb58f70c6e7139581b059d06edcb25dbfe8abcf63f5a25
- SSDEEP: 12288:yy7iK8b0X+aOAQhWL+Yr0+Et5iV4mSKj7+QHa+ZGJ8/83tPAjb5nZK0cfCoA8rKD:wXKhC8sPsbnaAmsVkonYyd3h
Malware Config
Signatures
-
Detects LgoogLoader payload (1 IoC)
Processes:
- resource: behavioral2/memory/3052-140-0x00000000015E0000-0x00000000015ED000-memory.dmp
  yara_rule: family_lgoogloader
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
Sets service image path in registry (2 TTPs, 1 IoC)
Processes:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"
  process: 35d19a9ba44fa423cb90f734f53de2aa.exe
Uses the VBS compiler for execution 1 TTPs
-
Suspicious use of SetThreadContext (1 IoC)
Processes:
- description: PID 4264 set thread context of 3052
  pid: 4264
  process: 35d19a9ba44fa423cb90f734f53de2aa.exe
  target process: jsc.exe
Suspicious behavior: EnumeratesProcesses (44 IoCs)
Processes:
- pid 4264, process 35d19a9ba44fa423cb90f734f53de2aa.exe (44 identical entries)
Suspicious behavior: LoadsDriver (1 IoC)
Processes:
- pid 4264, process 35d19a9ba44fa423cb90f734f53de2aa.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
Processes:
- description: Token: SeDebugPrivilege, pid: 4264, process: 35d19a9ba44fa423cb90f734f53de2aa.exe
- description: Token: SeLoadDriverPrivilege, pid: 4264, process: 35d19a9ba44fa423cb90f734f53de2aa.exe
- description: Token: SeDebugPrivilege, pid: 4264, process: 35d19a9ba44fa423cb90f734f53de2aa.exe
Suspicious use of WriteProcessMemory (54 IoCs)
Processes (every entry: PID 4264, 35d19a9ba44fa423cb90f734f53de2aa.exe, wrote to memory of the listed target process):
- PID 1596 aspnet_regsql.exe (2 entries)
- PID 1216 Microsoft.Workflow.Compiler.exe (2 entries)
- PID 2136 aspnet_wp.exe (2 entries)
- PID 4828 aspnet_regiis.exe (2 entries)
- PID 2236 cvtres.exe (2 entries)
- PID 2368 MSBuild.exe (2 entries)
- PID 1500 RegAsm.exe (2 entries)
- PID 1624 InstallUtil.exe (2 entries)
- PID 1796 ComSvcConfig.exe (2 entries)
- PID 1792 aspnet_regbrowsers.exe (2 entries)
- PID 2084 dfsvc.exe (2 entries)
- PID 1532 ngen.exe (2 entries)
- PID 2712 vbc.exe (2 entries)
- PID 2544 DataSvcUtil.exe (2 entries)
- PID 1728 ServiceModelReg.exe (2 entries)
- PID 1716 RegSvcs.exe (2 entries)
- PID 2564 CasPol.exe (2 entries)
- PID 3880 ngentask.exe (2 entries)
- PID 2528 AppLaunch.exe (2 entries)
- PID 2180 mscorsvw.exe (2 entries)
- PID 1696 EdmGen.exe (2 entries)
- PID 388 ilasm.exe (2 entries)
- PID 3052 jsc.exe (10 entries)
Processes
- Depth 1: "C:\Users\Admin\AppData\Local\Temp\35d19a9ba44fa423cb90f734f53de2aa.exe" (path and command line identical)
  Signatures:
  - Sets service image path in registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes (depth 2; for each, path and command line are identical, no arguments shown):
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  - "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- memory/3052-134-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/3052-135-0x0000000000403BA0-mapping.dmp
- memory/3052-136-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/3052-137-0x0000000000400000-0x0000000000435000-memory.dmp (Filesize: 212KB)
- memory/3052-139-0x00000000015C0000-0x00000000015C9000-memory.dmp (Filesize: 36KB)
- memory/3052-140-0x00000000015E0000-0x00000000015ED000-memory.dmp (Filesize: 52KB)
- memory/4264-132-0x000001542A890000-0x000001542A9DA000-memory.dmp (Filesize: 1.3MB)
- memory/4264-133-0x00007FF9E84C0000-0x00007FF9E8F81000-memory.dmp (Filesize: 10.8MB)
- memory/4264-138-0x00007FF9E84C0000-0x00007FF9E8F81000-memory.dmp (Filesize: 10.8MB)