Analysis
  max time kernel: 72s
  max time network: 94s
  platform: windows10-2004_x64
  resource: win10v2004-20221111-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 12-01-2023 13:59
Static task: static1
Behavioral task: behavioral1
  Sample: 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Resource: win7-20221111-en
Behavioral task: behavioral2
  Sample: 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Resource: win10v2004-20221111-en
General
  Target: 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Size: 483KB
  MD5: d1ebe12d5468beb014f3166bf5a8e95d
  SHA1: 862cd6b7fc51995d52ba2687f690c0c14cb634c8
  SHA256: 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece
  SHA512: a610a88446f9e4f90a6cff9e5d3fc158d5865565a6fd402b4b35920ac23d9de5113ceff6a1975c0d23e1184ce18f616fe27cb68b75ca0d33d0116d544e19d774
  SSDEEP: 12288:56e8Zdtnm7dDjqOyC+M+Dj2iLQY6CZcxdincr1CChPQXY:5x8Z+Zn4C+MCf6txdinsbPQo
Malware Config
Signatures
Detects LgoogLoader payload (1 IoCs)
  resource | yara_rule
  behavioral2/memory/876-143-0x0000000001120000-0x000000000112D000-memory.dmp | family_lgoogloader

LgoogLoader
  A downloader capable of dropping and executing other malware families.
UAC bypass
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Windows security bypass
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe = "0" | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Sets service image path in registry (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2971393436-602173351-1645505021-1000\Control Panel\International\Geo\Nation | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Windows security modification
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe = "0" | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows Defender\Exclusions\Paths | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Checks whether UAC is enabled
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Suspicious use of SetThreadContext (1 IoCs)
  description | pid | Process | procid_target
  PID 2664 set thread context of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
Suspicious behavior: EnumeratesProcesses (8 IoCs)
  pid | Process
  2300 | powershell.exe
  2300 | powershell.exe
  2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Suspicious behavior: LoadsDriver (1 IoCs)
  pid | Process
  2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: SeDebugPrivilege | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Token: SeDebugPrivilege | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Token: SeLoadDriverPrivilege | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
  Token: SeDebugPrivilege | 2300 | powershell.exe
Suspicious use of WriteProcessMemory (22 IoCs)
  description | pid | Process | procid_target
  PID 2664 wrote to memory of 2300 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 81
  PID 2664 wrote to memory of 2300 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 81
  PID 2664 wrote to memory of 1272 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 85
  PID 2664 wrote to memory of 1272 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 85
  PID 2664 wrote to memory of 1272 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 85
  PID 2664 wrote to memory of 3704 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 86
  PID 2664 wrote to memory of 3704 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 86
  PID 2664 wrote to memory of 3704 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 86
  PID 2664 wrote to memory of 2420 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 87
  PID 2664 wrote to memory of 2420 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 87
  PID 2664 wrote to memory of 2420 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 87
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
  PID 2664 wrote to memory of 876 | 2664 | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe | 88
System policy modification (1 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
Processes
  C:\Users\Admin\AppData\Local\Temp\022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe
    command line: "C:\Users\Admin\AppData\Local\Temp\022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe"
    PID: 2664
    - UAC bypass
    - Windows security bypass
    - Sets service image path in registry
    - Checks computer location settings
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: LoadsDriver
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\022b13591392ab767062cd3b9250bc02dc9ec7e7852c613d84373b1d192beece.exe" -Force
      PID: 2300
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      PID: 1272

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      PID: 3704

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      PID: 2420

    C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
      command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
      PID: 876