Malware Analysis Report

2025-01-02 09:23

Sample ID: 230115-h5rrtafe8w
Target: 357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
SHA256: 357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
Tags: lgoogloader downloader persistence
Score: 10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 10/10

SHA256: 357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51

Threat Level: Known bad

The file 357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51 was found to be: Known bad.

Malicious Activity Summary

lgoogloader downloader persistence

Detects LgoogLoader payload

LgoogLoader

Sets service image path in registry

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-15 07:19

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-15 07:19

Reported

2023-01-15 07:22

Platform

win10-20220901-en

Max time kernel

50s

Max time network

70s

Command Line

"C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe"

Signatures

Detects LgoogLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LgoogLoader

downloader lgoogloader

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1784 set thread context of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 1784 wrote to memory of 2140 | N/A | C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe | 2 identical events
PID 1784 wrote to memory of 1880 | N/A | C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe | 11 identical events

Processes

C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

"C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

Network

Country | Destination | Domain | Proto
N/A | 52.182.143.208:443 | | tcp
N/A | 209.197.3.8:80 | | tcp

Files

memory/1784-120-0x000001C9E5120000-0x000001C9E51BC000-memory.dmp
memory/1784-121-0x000001C9FF5A0000-0x000001C9FF616000-memory.dmp
memory/1784-122-0x000001C9E5530000-0x000001C9E55B2000-memory.dmp
memory/1784-123-0x000001C9E55B0000-0x000001C9E55CE000-memory.dmp
memory/1880-124-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1880-125-0x0000000000403980-mapping.dmp
memory/1880-126-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-127-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-128-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-129-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-130-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-131-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1880-133-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-134-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-135-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-136-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-132-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-137-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-138-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-139-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-140-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-142-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-143-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-144-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-145-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-141-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-146-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-147-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-148-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-149-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-150-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-152-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-153-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-154-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-155-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-157-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-158-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-156-0x0000000000400000-0x0000000000442000-memory.dmp
memory/1880-151-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-159-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-160-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-161-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-162-0x0000000076F50000-0x00000000770DE000-memory.dmp
memory/1880-164-0x0000000002DB0000-0x0000000002DBD000-memory.dmp
memory/1880-163-0x0000000002D80000-0x0000000002D89000-memory.dmp