Analysis
max time kernel: 90s
max time network: 119s
platform: windows10-2004_x64
resource: win10v2004-20221111-en
resource tags: arch:x64 arch:x86 image:win10v2004-20221111-en locale:en-us os:windows10-2004-x64 system
submitted: 12-01-2023 07:20
Static task: static1
Behavioral task: behavioral1
  Sample: file.exe
  Resource: win7-20220812-en
Behavioral task: behavioral2
  Sample: file.exe
  Resource: win10v2004-20221111-en
General
Target: file.exe
Size: 2.0MB
MD5: 1184c28ad980d08f820085fa46018b9f
SHA1: 4cfd74333320f9aa38d5a77eb16ce3da10729c9a
SHA256: fee1d36af03a162f70a627c7cd3efa55b0557530d7eefbe8c72026f48b904595
SHA512: 8ebe95c7d32ceb7986617d4a069cc73540fd32049cd3c10cd9c1aac5a1993814ec43eece61195d7de1e4a2aad35cfab5959e75ad8551de22ad904eed3811e1b9
SSDEEP: 49152:0KlYcfLLLIWpjLHUmACAkczzqcBrywk0dTTBj:0KWcfrXxH1AVDBmwfdT9
Malware Config
Signatures
Detects LgoogLoader payload (1 IoC)
  resource                                                                      yara_rule
  behavioral2/memory/2344-142-0x0000000002D20000-0x0000000002D2D000-memory.dmp  family_lgoogloader

LgoogLoader
  A downloader capable of dropping and executing other malware families.

Suspicious use of NtCreateUserProcessOtherParentProcess (1 IoC)
  description             pid   Process   procid_target
  PID 3416 created 2548   3416  file.exe  52

Loads dropped DLL (1 IoC)
  pid   Process
  3416  file.exe

Suspicious use of NtSetInformationThreadHideFromDebugger (3 IoCs)
  pid  Process
  60   fontview.exe
  60   fontview.exe
  60   fontview.exe

Suspicious use of SetThreadContext (1 IoC)
  description                          pid   Process   procid_target
  PID 3416 set thread context of 2344  3416  file.exe  84

Program crash (2 IoCs)
  pid   pid_target  Process       procid_target
  1996  3416        WerFault.exe  81
  3808  3416        WerFault.exe  81

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
  description        ioc                                                                                                         Process
  Key enumerated     \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                            fontview.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000             fontview.exe
  Key value queried  \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\HardwareID  fontview.exe
  Key opened         \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                            fontview.exe
  Key queried        \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI                                                            fontview.exe

Suspicious behavior: EnumeratesProcesses (40 IoCs)
  pid   Process
  3416  file.exe   (40 identical entries)

Suspicious use of AdjustPrivilegeToken (2 IoCs)
  description                       pid  Process
  Token: SeShutdownPrivilege        60   fontview.exe
  Token: SeCreatePagefilePrivilege  60   fontview.exe

Suspicious use of WriteProcessMemory (9 IoCs)
  description                       pid   Process   procid_target
  PID 3416 wrote to memory of 2344  3416  file.exe  84   (5 identical entries)
  PID 3416 wrote to memory of 60    3416  file.exe  86   (4 identical entries)
Processes
C:\Windows\system32\taskhostw.exe  (PID 2548)
  command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  C:\Windows\SysWOW64\fontview.exe  (PID 60)
    command line: "C:\Windows\SYSWOW64\fontview.exe"
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken
C:\Users\Admin\AppData\Local\Temp\file.exe  (PID 3416)
  command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  - Suspicious use of NtCreateUserProcessOtherParentProcess
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe  (PID 2344)
    command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngentask.exe"
  C:\Windows\SysWOW64\WerFault.exe  (PID 1996)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1264
    - Program crash
  C:\Windows\SysWOW64\WerFault.exe  (PID 3808)
    command line: C:\Windows\SysWOW64\WerFault.exe -u -p 3416 -s 1304
    - Program crash
C:\Windows\SysWOW64\WerFault.exe  (PID 3948)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 3416 -ip 3416
C:\Windows\SysWOW64\WerFault.exe  (PID 3364)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3416 -ip 3416
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 442KB
MD5: acf51213c2e0b564c28cf0db859c9e38
SHA1: 0ec6d956dd0299a8d26bd4671af11c9c3fbe2ca0
SHA256: 643044a62d07c6725a73bce3ee702ad0c15f0fe332165821c5e7f73937f898b7
SHA512: 15f30f50afdc2838ebdc4f38199f9857c1b9bc43350588abed404dcaef039698a2533dd5c074d2bfc88448a578c2202c033073592a9c551f7a7e4d263e293eed