lgoogloader | bf9cbad13935f939f44add9a131188c73e3dda014e039debc553ebacab228d83

General

Target

35d19a9ba44fa423cb90f734f53de2aa.exe
Size

1.3MB
MD5

35d19a9ba44fa423cb90f734f53de2aa
SHA1

104f7b53b01d3b6a7ff871b51057c3193b431a23
SHA256

bf9cbad13935f939f44add9a131188c73e3dda014e039debc553ebacab228d83
SHA512

e85c53d709977ff9f17abcbb48f02d72b8792be4393b10146f983c325c8d023d439372fb448c27ca60eb58f70c6e7139581b059d06edcb25dbfe8abcf63f5a25
SSDEEP

12288:yy7iK8b0X+aOAQhWL+Yr0+Et5iV4mSKj7+QHa+ZGJ8/83tPAjb5nZK0cfCoA8rKD:wXKhC8sPsbnaAmsVkonYyd3h

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3052-140-0x00000000015E0000-0x00000000015ED000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	35d19a9ba44fa423cb90f734f53de2aa.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 1 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description pid process target process

PID 4264 set thread context of 3052 4264 35d19a9ba44fa423cb90f734f53de2aa.exe jsc.exe

description	pid	process	target process
PID 4264 set thread context of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 44 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

pid	process
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe
4264	35d19a9ba44fa423cb90f734f53de2aa.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

pid process

4264 35d19a9ba44fa423cb90f734f53de2aa.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description	pid	process
Token: SeDebugPrivilege	4264	35d19a9ba44fa423cb90f734f53de2aa.exe
Token: SeLoadDriverPrivilege	4264	35d19a9ba44fa423cb90f734f53de2aa.exe
Token: SeDebugPrivilege	4264	35d19a9ba44fa423cb90f734f53de2aa.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

35d19a9ba44fa423cb90f734f53de2aa.exe

description	pid	process	target process
PID 4264 wrote to memory of 1596	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regsql.exe
PID 4264 wrote to memory of 1596	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regsql.exe
PID 4264 wrote to memory of 1216	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	Microsoft.Workflow.Compiler.exe
PID 4264 wrote to memory of 1216	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	Microsoft.Workflow.Compiler.exe
PID 4264 wrote to memory of 2136	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_wp.exe
PID 4264 wrote to memory of 2136	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_wp.exe
PID 4264 wrote to memory of 4828	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regiis.exe
PID 4264 wrote to memory of 4828	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regiis.exe
PID 4264 wrote to memory of 2236	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	cvtres.exe
PID 4264 wrote to memory of 2236	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	cvtres.exe
PID 4264 wrote to memory of 2368	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	MSBuild.exe
PID 4264 wrote to memory of 2368	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	MSBuild.exe
PID 4264 wrote to memory of 1500	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	RegAsm.exe
PID 4264 wrote to memory of 1500	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	RegAsm.exe
PID 4264 wrote to memory of 1624	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	InstallUtil.exe
PID 4264 wrote to memory of 1624	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	InstallUtil.exe
PID 4264 wrote to memory of 1796	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ComSvcConfig.exe
PID 4264 wrote to memory of 1796	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ComSvcConfig.exe
PID 4264 wrote to memory of 1792	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regbrowsers.exe
PID 4264 wrote to memory of 1792	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	aspnet_regbrowsers.exe
PID 4264 wrote to memory of 2084	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	dfsvc.exe
PID 4264 wrote to memory of 2084	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	dfsvc.exe
PID 4264 wrote to memory of 1532	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ngen.exe
PID 4264 wrote to memory of 1532	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ngen.exe
PID 4264 wrote to memory of 2712	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	vbc.exe
PID 4264 wrote to memory of 2712	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	vbc.exe
PID 4264 wrote to memory of 2544	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	DataSvcUtil.exe
PID 4264 wrote to memory of 2544	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	DataSvcUtil.exe
PID 4264 wrote to memory of 1728	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ServiceModelReg.exe
PID 4264 wrote to memory of 1728	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ServiceModelReg.exe
PID 4264 wrote to memory of 1716	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	RegSvcs.exe
PID 4264 wrote to memory of 1716	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	RegSvcs.exe
PID 4264 wrote to memory of 2564	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	CasPol.exe
PID 4264 wrote to memory of 2564	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	CasPol.exe
PID 4264 wrote to memory of 3880	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ngentask.exe
PID 4264 wrote to memory of 3880	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ngentask.exe
PID 4264 wrote to memory of 2528	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	AppLaunch.exe
PID 4264 wrote to memory of 2528	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	AppLaunch.exe
PID 4264 wrote to memory of 2180	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	mscorsvw.exe
PID 4264 wrote to memory of 2180	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	mscorsvw.exe
PID 4264 wrote to memory of 1696	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	EdmGen.exe
PID 4264 wrote to memory of 1696	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	EdmGen.exe
PID 4264 wrote to memory of 388	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ilasm.exe
PID 4264 wrote to memory of 388	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	ilasm.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe
PID 4264 wrote to memory of 3052	4264	35d19a9ba44fa423cb90f734f53de2aa.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\35d19a9ba44fa423cb90f734f53de2aa.exe
"C:\Users\Admin\AppData\Local\Temp\35d19a9ba44fa423cb90f734f53de2aa.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4264

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:1596

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:1216

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:2136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:4828

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
2⤵
PID:2236

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:2368

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:1500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:1624

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:1796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:2084

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:1792

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:1532

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
2⤵
PID:2712

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:2544

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
2⤵
PID:1728

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
2⤵
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:2564

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:3880

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:2528

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:2180

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:388

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:1696

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:3052

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Scripting

1

T1064

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3052-134-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-135-0x0000000000403BA0-mapping.dmp

Download
memory/3052-136-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-137-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/3052-139-0x00000000015C0000-0x00000000015C9000-memory.dmp

Filesize
36KB

Download
memory/3052-140-0x00000000015E0000-0x00000000015ED000-memory.dmp

Filesize
52KB

Download
memory/4264-132-0x000001542A890000-0x000001542A9DA000-memory.dmp

Filesize
1.3MB

Download
memory/4264-133-0x00007FF9E84C0000-0x00007FF9E8F81000-memory.dmp

Filesize
10.8MB

Download
memory/4264-138-0x00007FF9E84C0000-0x00007FF9E8F81000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads