Overview

overview

10

Static

static

file.exe

windows7-x64

1

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    65s
  • max time network
    145s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-01-2023 05:19

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    1.9MB

  • MD5

    b859b990ea2adae467e0080aacdfabe5

  • SHA1

    7e206519519d72bf49efbc272d70a4785e282808

  • SHA256

    9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7

  • SHA512

    f61c6e20793461f1a2dac2bd77561518a42010537011026ff406fe03fba0c0148244eb6f5f6ffe55d1f07cd5c21f1f8a898c9302720d9513cb5f606d6022a262

  • SSDEEP

    24576:MOYvJhKAX4PP/6E4OZO/1fURAGVaugrgvuy5KR4LzkKGAWO1ObUKdkES/ip:MJuAoPngIO/efaJ0LKAkYg8ES/ip

Score
10/10
lgoogloaderdownloader

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Loads dropped DLL 1 IoCs
  • Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Program crash 2 IoCs
  • Checks SCSI registry key(s) 3 TTPs 5 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
      PID:2876
      • C:\Windows\SysWOW64\fontview.exe
        "C:\Windows\SYSWOW64\fontview.exe"
        2⤵
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Checks SCSI registry key(s)
        • Suspicious use of AdjustPrivilegeToken
        PID:1516
    • C:\Users\Admin\AppData\Local\Temp\file.exe
      "C:\Users\Admin\AppData\Local\Temp\file.exe"
      1⤵
      • Suspicious use of NtCreateUserProcessOtherParentProcess
      • Loads dropped DLL
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:4796
      • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
        "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
        2⤵
          PID:4088
        • C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
          "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
          2⤵
            PID:672
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1268
            2⤵
            • Program crash
            PID:3080
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1276
            2⤵
            • Program crash
            PID:3884
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4796 -ip 4796
          1⤵
            PID:3472
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4796 -ip 4796
            1⤵
              PID:4316

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\240552390.dll
              Filesize

              442KB

              MD5

              acf51213c2e0b564c28cf0db859c9e38

              SHA1

              0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0

              SHA256

              643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7

              SHA512

              15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed

              Download Submit

            • memory/672-143-0x0000000001430000-0x000000000143D000-memory.dmp

              Filesize

              52KB

              Download

            • memory/672-141-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/672-142-0x0000000001310000-0x0000000001319000-memory.dmp

              Filesize

              36KB

              Download

            • memory/672-136-0x0000000000000000-mapping.dmp

              Download

            • memory/672-137-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/672-139-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/672-140-0x0000000000400000-0x0000000000440000-memory.dmp

              Filesize

              256KB

              Download

            • memory/1516-150-0x0000000000F60000-0x0000000000F7D000-memory.dmp

              Filesize

              116KB

              Download

            • memory/1516-151-0x0000000002C70000-0x0000000003C70000-memory.dmp

              Filesize

              16.0MB

              Download

            • memory/1516-154-0x0000000000AA0000-0x0000000000AD5000-memory.dmp

              Filesize

              212KB

              Download

            • memory/1516-146-0x0000000000000000-mapping.dmp

              Download

            • memory/1516-149-0x0000000000FC5000-0x0000000000FC7000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1516-145-0x0000000000AA0000-0x0000000000AD5000-memory.dmp

              Filesize

              212KB

              Download

            • memory/1516-147-0x0000000000AA0000-0x0000000000AD5000-memory.dmp

              Filesize

              212KB

              Download

            • memory/1516-148-0x0000000000FC5000-0x0000000000FC7000-memory.dmp

              Filesize

              8KB

              Download

            • memory/4088-135-0x0000000000000000-mapping.dmp

              Download

            • memory/4796-134-0x000000000D570000-0x000000000D875000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/4796-155-0x0000000002DE0000-0x0000000002F87000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/4796-152-0x0000000002DE0000-0x0000000002F87000-memory.dmp

              Filesize

              1.7MB

              Download

            • memory/4796-153-0x000000000D570000-0x000000000D875000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/4796-132-0x000000000D570000-0x000000000D875000-memory.dmp

              Filesize

              3.0MB

              Download

            • memory/4796-133-0x0000000002DE0000-0x0000000002F87000-memory.dmp

              Filesize

              1.7MB

              Download