Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    34s
  • platform
    windows7_x64
  • resource
    win7-20221111-en
  • resource tags

    arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
  • submitted
    16-01-2023 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    510KB

  • MD5

    ff0ac8d6c0a5990dd442f677315e6c4b

  • SHA1

    4358324f102afd639d6b1ec92521b37f31ca5d1c

  • SHA256

    eb5ec9cf758bd526db090f9290d323201911b4181c3bfeb3ebd1f1af8be19285

  • SHA512

    47b93db0d6f90bd4805508663353472709fe53d5397834eadd5ee2feb4a2c2d59f57cf929ac8039f4ea07a2303d880f98806f4d7aade7cee700ff48f3ecf91ae

  • SSDEEP

    12288:ytFk7iHlOP8nFr/AuvlNn7N9Opxb6VelFxgcdM:EHlTn5Bv2begS

Score
10/10
lgoogloaderdownloaderpersistence

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 15 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1320
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:316
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
        2⤵
          PID:1232

      Network

      MITRE ATT&CK Matrix ATT&CK v6

      Initial Access

      Execution

      Persistence

      Registry Run Keys / Startup Folder

      1
      T1060

      Privilege Escalation

      Defense Evasion

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • memory/1232-56-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/1232-57-0x0000000000403980-mapping.dmp
        Download
      • memory/1232-60-0x0000000000400000-0x000000000043E000-memory.dmp
        Filesize

        248KB

        Download
      • memory/1232-59-0x0000000075D01000-0x0000000075D03000-memory.dmp
        Filesize

        8KB

        Download
      • memory/1232-61-0x0000000000180000-0x0000000000189000-memory.dmp
        Filesize

        36KB

        Download
      • memory/1232-62-0x0000000000250000-0x000000000025D000-memory.dmp
        Filesize

        52KB

        Download
      • memory/1320-54-0x0000000001110000-0x0000000001192000-memory.dmp
        Filesize

        520KB

        Download
      • memory/1320-55-0x0000000000360000-0x00000000003DC000-memory.dmp
        Filesize

        496KB

        Download