Analysis

max time kernel: 90s
max time network: 106s
platform: windows10-2004_x64
resource: win10v2004-20220901-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220901-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-01-2023 17:17
Static task: static1

Behavioral task: behavioral1
Sample: file.exe
Resource: win7-20221111-en
8 signatures
150 seconds

Behavioral task: behavioral2
Sample: file.exe
Resource: win10v2004-20220901-en
9 signatures
150 seconds
General

Target: file.exe
Size: 510KB
MD5: ff0ac8d6c0a5990dd442f677315e6c4b
SHA1: 4358324f102afd639d6b1ec92521b37f31ca5d1c
SHA256: eb5ec9cf758bd526db090f9290d323201911b4181c3bfeb3ebd1f1af8be19285
SHA512: 47b93db0d6f90bd4805508663353472709fe53d5397834eadd5ee2feb4a2c2d59f57cf929ac8039f4ea07a2303d880f98806f4d7aade7cee700ff48f3ecf91ae
SSDEEP: 12288:ytFk7iHlOP8nFr/AuvlNn7N9Opxb6VelFxgcdM:EHlTn5Bv2begS
Score: 10/10
Malware Config
Signatures

Detects LgoogLoader payload (1 IoCs)
resource | yara_rule
behavioral2/memory/1908-140-0x0000000000D60000-0x0000000000D6D000-memory.dmp | family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.

Sets service image path in registry (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | file.exe

Uses the VBS compiler for execution (1 TTPs)

Suspicious use of SetThreadContext (1 IoCs)
description | pid | Process | procid_target
PID 4880 set thread context of 1908 | 4880 | file.exe | 98

Suspicious behavior: EnumeratesProcesses (36 IoCs)
pid | Process
4880 | file.exe (all 36 entries are identical)

Suspicious behavior: LoadsDriver (1 IoCs)
pid | Process
4880 | file.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 4880 | file.exe
Token: SeLoadDriverPrivilege | 4880 | file.exe
Token: SeDebugPrivilege | 4880 | file.exe

Suspicious use of WriteProcessMemory (47 IoCs; identical entries collapsed, count in last column)
description | pid | Process | procid_target | entries
PID 4880 wrote to memory of 680 | 4880 | file.exe | 80 | 2
PID 4880 wrote to memory of 2800 | 4880 | file.exe | 81 | 2
PID 4880 wrote to memory of 1412 | 4880 | file.exe | 82 | 2
PID 4880 wrote to memory of 1292 | 4880 | file.exe | 83 | 2
PID 4880 wrote to memory of 3060 | 4880 | file.exe | 84 | 2
PID 4880 wrote to memory of 3084 | 4880 | file.exe | 87 | 2
PID 4880 wrote to memory of 2700 | 4880 | file.exe | 85 | 2
PID 4880 wrote to memory of 2416 | 4880 | file.exe | 86 | 2
PID 4880 wrote to memory of 2160 | 4880 | file.exe | 88 | 2
PID 4880 wrote to memory of 2412 | 4880 | file.exe | 89 | 2
PID 4880 wrote to memory of 2432 | 4880 | file.exe | 90 | 2
PID 4880 wrote to memory of 2584 | 4880 | file.exe | 91 | 2
PID 4880 wrote to memory of 2892 | 4880 | file.exe | 97 | 2
PID 4880 wrote to memory of 3212 | 4880 | file.exe | 95 | 2
PID 4880 wrote to memory of 416 | 4880 | file.exe | 94 | 2
PID 4880 wrote to memory of 2116 | 4880 | file.exe | 93 | 2
PID 4880 wrote to memory of 4124 | 4880 | file.exe | 92 | 2
PID 4880 wrote to memory of 3808 | 4880 | file.exe | 96 | 2
PID 4880 wrote to memory of 1908 | 4880 | file.exe | 98 | 11
Processes

C:\Users\Admin\AppData\Local\Temp\file.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\file.exe"
  PID: 4880
  - Sets service image path in registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Child processes (all spawned by PID 4880):

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
    PID: 680

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    PID: 2800

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
    PID: 1412

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    PID: 1292

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
    PID: 3060

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    PID: 2700

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
    PID: 2416

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
    PID: 3084

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
    PID: 2160

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
    PID: 2412

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
    PID: 2432

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    PID: 2584

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
    PID: 4124

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
    PID: 2116

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
    PID: 416

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    PID: 3212

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
    PID: 3808

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
    PID: 2892

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    PID: 1908