Analysis Overview
SHA256
9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
Threat Level: Known bad
The file file.exe was found to be: Known bad.
Malicious Activity Summary
LgoogLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
Detects LgoogLoader payload
Loads dropped DLL
Suspicious use of NtSetInformationThreadHideFromDebugger
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Checks SCSI registry key(s)
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-09 05:19
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-09 05:19
Reported
2023-01-09 05:21
Platform
win7-20221111-en
Max time kernel
31s
Max time network
34s
Command Line
Signatures
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 8.8.8.8:53 | z0kai0cpleabl4bfdjucsagvcxeb.bbjqmjlp7anyicvm6gjxxc | udp |
Files
memory/1708-54-0x0000000075551000-0x0000000075553000-memory.dmp
memory/1708-55-0x0000000002620000-0x00000000027C7000-memory.dmp
memory/1708-56-0x000000000DBC0000-0x000000000DEC5000-memory.dmp
memory/1708-57-0x000000000DA60000-0x000000000DC24000-memory.dmp
memory/1708-58-0x0000000002620000-0x00000000027C7000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-09 05:19
Reported
2023-01-09 05:21
Platform
win10v2004-20221111-en
Max time kernel
65s
Max time network
145s
Command Line
Signatures
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
LgoogLoader
Suspicious use of NtCreateUserProcessOtherParentProcess
| Description | Indicator | Process | Target |
| PID 4796 created 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\system32\taskhostw.exe |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A |
Suspicious use of NtSetInformationThreadHideFromDebugger
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4796 set thread context of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe |
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\file.exe |
Checks SCSI registry key(s)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
| Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
C:\Windows\SysWOW64\fontview.exe
"C:\Windows\SYSWOW64\fontview.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4796 -ip 4796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1268
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4796 -ip 4796
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1276
Network
| Country | Destination | Domain | Proto |
| N/A | 162.19.139.184:2222 | tcp | |
| N/A | 8.8.8.8:53 | z0kai0cpleabl4bfdjucsagvcxeb.bbjqmjlp7anyicvm6gjxxc | udp |
| N/A | 20.189.173.11:443 | tcp | |
| N/A | 104.80.225.205:443 | tcp |
Files
memory/4796-132-0x000000000D570000-0x000000000D875000-memory.dmp
memory/4796-133-0x0000000002DE0000-0x0000000002F87000-memory.dmp
memory/4796-134-0x000000000D570000-0x000000000D875000-memory.dmp
memory/4088-135-0x0000000000000000-mapping.dmp
memory/672-136-0x0000000000000000-mapping.dmp
memory/672-137-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-139-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-140-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-141-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-142-0x0000000001310000-0x0000000001319000-memory.dmp
memory/672-143-0x0000000001430000-0x000000000143D000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\240552390.dll
| MD5 | acf51213c2e0b564c28cf0db859c9e38 |
| SHA1 | 0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0 |
| SHA256 | 643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7 |
| SHA512 | 15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed |
memory/1516-145-0x0000000000AA0000-0x0000000000AD5000-memory.dmp
memory/1516-146-0x0000000000000000-mapping.dmp
memory/1516-147-0x0000000000AA0000-0x0000000000AD5000-memory.dmp
memory/1516-148-0x0000000000FC5000-0x0000000000FC7000-memory.dmp
memory/1516-149-0x0000000000FC5000-0x0000000000FC7000-memory.dmp
memory/1516-150-0x0000000000F60000-0x0000000000F7D000-memory.dmp
memory/1516-151-0x0000000002C70000-0x0000000003C70000-memory.dmp
memory/4796-152-0x0000000002DE0000-0x0000000002F87000-memory.dmp
memory/4796-153-0x000000000D570000-0x000000000D875000-memory.dmp
memory/1516-154-0x0000000000AA0000-0x0000000000AD5000-memory.dmp
memory/4796-155-0x0000000002DE0000-0x0000000002F87000-memory.dmp