Malware Analysis Report

2025-01-02 09:24

Sample ID 230109-fzvkeagf5w
Target file.exe
SHA256 9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7
Tags: lgoogloader, downloader
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256

9146cee3d387cb3d665885b95d885734541f281cbb2a4726b6a59df922a83ee7

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

lgoogloader downloader

LgoogLoader

Suspicious use of NtCreateUserProcessOtherParentProcess

Detects LgoogLoader payload

Loads dropped DLL

Suspicious use of NtSetInformationThreadHideFromDebugger

Suspicious use of SetThreadContext

Program crash

Suspicious behavior: EnumeratesProcesses

Checks SCSI registry key(s)

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-09 05:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-09 05:19

Reported

2023-01-09 05:21

Platform

win7-20221111-en

Max time kernel

31s

Max time network

34s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Network

Country | Destination | Domain | Proto
N/A | 8.8.8.8:53 | z0kai0cpleabl4bfdjucsagvcxeb.bbjqmjlp7anyicvm6gjxxc | udp

Files

memory/1708-54-0x0000000075551000-0x0000000075553000-memory.dmp
memory/1708-55-0x0000000002620000-0x00000000027C7000-memory.dmp
memory/1708-56-0x000000000DBC0000-0x000000000DEC5000-memory.dmp
memory/1708-57-0x000000000DA60000-0x000000000DC24000-memory.dmp
memory/1708-58-0x0000000002620000-0x00000000027C7000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2023-01-09 05:19

Reported

2023-01-09 05:21

Platform

win10v2004-20221111-en

Max time kernel

65s

Max time network

145s

Command Line

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

Signatures

Detects LgoogLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LgoogLoader

downloader lgoogloader

Suspicious use of NtCreateUserProcessOtherParentProcess

Description | Indicator | Process | Target
PID 4796 created 2876 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\system32\taskhostw.exe

Loads dropped DLL

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of NtSetInformationThreadHideFromDebugger

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\fontview.exe | N/A (3 identical entries)

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4796 set thread context of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

Checks SCSI registry key(s)

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | C:\Windows\SysWOW64\fontview.exe | N/A
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID | C:\Windows\SysWOW64\fontview.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A
Key enumerated | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI | C:\Windows\SysWOW64\fontview.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A (40 identical entries)

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\fontview.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4796 wrote to memory of 4088 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (3 identical entries)
PID 4796 wrote to memory of 672 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe (5 identical entries)
PID 4796 wrote to memory of 1516 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\SysWOW64\fontview.exe (4 identical entries)

Processes

C:\Windows\system32\taskhostw.exe

taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe

"C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"

C:\Windows\SysWOW64\fontview.exe

"C:\Windows\SYSWOW64\fontview.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 436 -p 4796 -ip 4796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1268

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 484 -p 4796 -ip 4796

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 4796 -s 1276

Network

Country | Destination | Domain | Proto
N/A | 162.19.139.184:2222 | | tcp
N/A | 8.8.8.8:53 | z0kai0cpleabl4bfdjucsagvcxeb.bbjqmjlp7anyicvm6gjxxc | udp
N/A | 20.189.173.11:443 | | tcp
N/A | 104.80.225.205:443 | | tcp

Files

memory/4796-132-0x000000000D570000-0x000000000D875000-memory.dmp
memory/4796-133-0x0000000002DE0000-0x0000000002F87000-memory.dmp
memory/4796-134-0x000000000D570000-0x000000000D875000-memory.dmp
memory/4088-135-0x0000000000000000-mapping.dmp
memory/672-136-0x0000000000000000-mapping.dmp
memory/672-137-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-139-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-140-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-141-0x0000000000400000-0x0000000000440000-memory.dmp
memory/672-142-0x0000000001310000-0x0000000001319000-memory.dmp
memory/672-143-0x0000000001430000-0x000000000143D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\240552390.dll
MD5 acf51213c2e0b564c28cf0db859c9e38
SHA1 0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0
SHA256 643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7
SHA512 15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed

memory/1516-145-0x0000000000AA0000-0x0000000000AD5000-memory.dmp
memory/1516-146-0x0000000000000000-mapping.dmp
memory/1516-147-0x0000000000AA0000-0x0000000000AD5000-memory.dmp
memory/1516-148-0x0000000000FC5000-0x0000000000FC7000-memory.dmp
memory/1516-149-0x0000000000FC5000-0x0000000000FC7000-memory.dmp
memory/1516-150-0x0000000000F60000-0x0000000000F7D000-memory.dmp
memory/1516-151-0x0000000002C70000-0x0000000003C70000-memory.dmp
memory/4796-152-0x0000000002DE0000-0x0000000002F87000-memory.dmp
memory/4796-153-0x000000000D570000-0x000000000D875000-memory.dmp
memory/1516-154-0x0000000000AA0000-0x0000000000AD5000-memory.dmp
memory/4796-155-0x0000000002DE0000-0x0000000002F87000-memory.dmp