Analysis

- max time kernel: 91s
- max time network: 155s
- platform: windows10-2004_x64
- resource: win10v2004-20220812-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-01-2023 23:07

Static task: static1

Behavioral task: behavioral1
- Sample: file.exe
- Resource: win7-20220901-en
- 8 signatures
- 150 seconds

Behavioral task: behavioral2
- Sample: file.exe
- Resource: win10v2004-20220812-en
- 8 signatures
- 150 seconds
General

- Target: file.exe
- Size: 534KB
- MD5: 4715769b2a3a90dc8c939aec11c52bc1
- SHA1: 1a1eeabc9d4758de67016ed1e06defd571107e63
- SHA256: 7ce366cf2cc3e1787d552e5603568e1ce96496aacef73df9676b9a3fafe660db
- SHA512: 308badf1be750b58399a3532b452a85cf345d222a1ec48949c99fd5cbe6505a79e8093b72ea117ef8b3963b8ddcbf2812907a5d8535b98c9480bb038fcdfe579
- SSDEEP: 12288:j3RH/6XLdYJkrsi+u3bYIvz6D6bX1lbBLfzn6lU1F4Xla:DY5YgEmFpBr9yM
- Score: 10/10
Malware Config
Signatures

- Detects LgoogLoader payload (1 IoC)
  resource: behavioral2/memory/4912-142-0x00000000014A0000-0x00000000014AD000-memory.dmp (memory of PID 4912, the AddInProcess32.exe child listed in the process tree)
  yara_rule: family_lgoogloader
  LgoogLoader: a downloader capable of dropping and executing other malware families.

- Sets service image path in registry (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\Иисус.sys"
  process: file.exe
  The value registers a service named TaskKill whose image is a kernel driver (.sys) staged in the user's Temp directory rather than under System32\drivers. Read together with the SeLoadDriverPrivilege and LoadsDriver entries below, this is the sample loading its own driver.

- Suspicious use of SetThreadContext (1 IoC)
  PID 3312 (file.exe) set the thread context of PID 4912 (procid_target 89)

- Suspicious behavior: EnumeratesProcesses (20 IoCs)
  PID 3312 (file.exe), 20 occurrences

- Suspicious behavior: LoadsDriver (1 IoC)
  PID 3312 (file.exe)

- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  PID 3312 (file.exe) enabled Token: SeDebugPrivilege, Token: SeLoadDriverPrivilege, Token: SeDebugPrivilege

- Suspicious use of WriteProcessMemory (31 IoCs)
  All writes originate from PID 3312 (file.exe). Target PID (procid_target): number of writes
  2196 (79): 2
  2080 (80): 2
  2556 (81): 2
  2820 (82): 2
  1156 (83): 2
  5024 (84): 2
  5008 (85): 2
  4564 (86): 2
  5004 (87): 2
  4940 (88): 2
  4912 (89): 11
  Every target is a child that file.exe itself spawned (see Processes). Only PID 4912 also received a SetThreadContext call, and it is the process in whose memory the LgoogLoader payload was detected.
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\file.exe (PID 3312)
command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory

Level 2: children of PID 3312, each launched with its quoted image path and no arguments, in spawn order:
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe (PID 2196)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (PID 2080)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe (PID 2556)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe (PID 2820)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe (PID 1156)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (PID 5024)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe (PID 5008)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe (PID 4564)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe (PID 5004)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe (PID 4940)
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe (PID 4912)

All eleven children are Microsoft .NET Framework 4 binaries from the same directory. No signature fired on any of them; the injecting behaviour (WriteProcessMemory into every child, SetThreadContext on PID 4912) is attributed to the parent, and the LgoogLoader payload was found in the memory of the last child, AddInProcess32.exe (PID 4912).
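The WriteProcessMemory and SetThreadContext rows, read against the process tree, describe a parent that spawns a series of signed .NET Framework binaries, writes into each of them, and sets the thread context of one. The Python below is an added example (not the report's own detection logic and not code from the sample) that correlates those three event types per parent: a child that the parent created, wrote to, and whose thread context it then set is reported as hollowed, and children that were written to without a thread-context change are listed alongside it. The event stream is constructed from the rows on this page (two writes to each earlier child, eleven to PID 4912, one SetThreadContext on PID 4912); the event shape, field names and alert keys are assumptions for illustration.

```python
from collections import defaultdict
from dataclasses import dataclass

# Added example: correlate process-create, WriteProcessMemory and SetThreadContext
# events per parent to spot the spawn / write / set-context chain seen in this report.
# Event shape, field names and alert keys are assumptions for illustration.


@dataclass(frozen=True)
class Event:
    kind: str            # "create", "write_memory" or "set_thread_context"
    pid: int             # acting (parent / injecting) process
    target: int          # child or target process
    image: str = ""      # image path, populated on "create" events only


NET_DIR = r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319"

# Children of file.exe (PID 3312) taken from the process tree on this page, in spawn order.
CHILDREN = {
    2196: "aspnet_regbrowsers.exe", 2080: "SMSvcHost.exe",    2556: "aspnet_state.exe",
    2820: "aspnet_regiis.exe",      1156: "MSBuild.exe",      5024: "mscorsvw.exe",
    5008: "CasPol.exe",             4564: "ComSvcConfig.exe", 5004: "aspnet_wp.exe",
    4940: "ilasm.exe",              4912: "AddInProcess32.exe",
}


def build_sample_events(parent: int = 3312) -> list:
    """Constructed event stream mirroring the report: every child is created and
    written to twice, PID 4912 is written to eleven times and then gets SetThreadContext."""
    events = []
    for pid, name in CHILDREN.items():
        events.append(Event("create", parent, pid, f"{NET_DIR}\\{name}"))
        events += [Event("write_memory", parent, pid)] * (11 if pid == 4912 else 2)
    events.append(Event("set_thread_context", parent, 4912))
    return events


def detect_hollowing(events) -> list:
    """Return one alert per parent that created a child, wrote into it, and then
    replaced its thread context. Writes or context changes aimed at processes the
    parent did not create are ignored by this rule (debuggers do that legitimately)."""
    spawned = defaultdict(dict)   # parent -> {child pid: image}
    written = defaultdict(set)    # parent -> child pids it wrote to
    ctx_set = defaultdict(set)    # parent -> child pids whose thread context it set
    for e in events:
        if e.kind == "create":
            spawned[e.pid][e.target] = e.image
        elif e.kind == "write_memory" and e.target in spawned[e.pid]:
            written[e.pid].add(e.target)
        elif e.kind == "set_thread_context" and e.target in spawned[e.pid]:
            ctx_set[e.pid].add(e.target)

    alerts = []
    for parent, children in spawned.items():
        hollowed = sorted(written[parent] & ctx_set[parent])
        if not hollowed:
            continue
        alerts.append({
            "parent": parent,
            "hollowed": hollowed,
            "images": [children[c] for c in hollowed],
            # children the parent wrote into but never gave a new thread context
            "written_no_context": sorted(written[parent] - ctx_set[parent]),
        })
    return alerts


if __name__ == "__main__":
    for alert in detect_hollowing(build_sample_events()):
        print(alert)
```

On the constructed stream the rule yields a single alert for PID 3312 naming AddInProcess32.exe (PID 4912) as the hollowed child and the other ten children as written-to-only. A sandbox or EDR feed would supply the same three event kinds under its own names; the rule deliberately keys on "child the parent itself created" so that debuggers and crash handlers writing into unrelated processes do not trip it.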