Overview

overview

10

Static

static

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    90s
  • max time network
    106s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220901-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
  • submitted
    16-01-2023 17:17

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    510KB

  • MD5

    ff0ac8d6c0a5990dd442f677315e6c4b

  • SHA1

    4358324f102afd639d6b1ec92521b37f31ca5d1c

  • SHA256

    eb5ec9cf758bd526db090f9290d323201911b4181c3bfeb3ebd1f1af8be19285

  • SHA512

    47b93db0d6f90bd4805508663353472709fe53d5397834eadd5ee2feb4a2c2d59f57cf929ac8039f4ea07a2303d880f98806f4d7aade7cee700ff48f3ecf91ae

  • SSDEEP

    12288:ytFk7iHlOP8nFr/AuvlNn7N9Opxb6VelFxgcdM:EHlTn5Bv2begS

Score
10/10
lgoogloaderdownloaderpersistence

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 36 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 47 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4880
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
      2⤵
        PID:680
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
        2⤵
          PID:2800
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
          2⤵
            PID:1412
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
            2⤵
              PID:1292
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
              2⤵
                PID:3060
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                2⤵
                  PID:2700
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                  2⤵
                    PID:2416
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                    2⤵
                      PID:3084
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
                      2⤵
                        PID:2160
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                        2⤵
                          PID:2412
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
                          2⤵
                            PID:2432
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                            2⤵
                              PID:2584
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                              2⤵
                                PID:4124
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                                2⤵
                                  PID:2116
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
                                  2⤵
                                    PID:416
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                                    2⤵
                                      PID:3212
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
                                      2⤵
                                        PID:3808
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
                                        2⤵
                                          PID:2892
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                                          2⤵
                                            PID:1908

                                        Network

                                        MITRE ATT&CK Matrix ATT&CK v6

                                        Initial Access

                                        Execution

                                        Scripting

                                        1
                                        T1064

                                        Persistence

                                        Registry Run Keys / Startup Folder

                                        1
                                        T1060

                                        Privilege Escalation

                                        Defense Evasion

                                        Modify Registry

                                        1
                                        T1112

                                        Scripting

                                        1
                                        T1064

                                        Credential Access

                                        Discovery

                                        Lateral Movement

                                        Collection

                                        Exfiltration

                                        Command and Control

                                        Impact

                                        Replay Monitor

                                        Loading Replay Monitor...

                                        Downloads

                                        • memory/1908-134-0x0000000000400000-0x000000000043E000-memory.dmp
                                          Filesize

                                          248KB

                                          Download
                                        • memory/1908-135-0x0000000000403980-mapping.dmp
                                          Download
                                        • memory/1908-136-0x0000000000400000-0x000000000043E000-memory.dmp
                                          Filesize

                                          248KB

                                          Download
                                        • memory/1908-138-0x0000000000400000-0x000000000043E000-memory.dmp
                                          Filesize

                                          248KB

                                          Download
                                        • memory/1908-139-0x0000000000D30000-0x0000000000D39000-memory.dmp
                                          Filesize

                                          36KB

                                          Download
                                        • memory/1908-140-0x0000000000D60000-0x0000000000D6D000-memory.dmp
                                          Filesize

                                          52KB

                                          Download
                                        • memory/4880-132-0x000001960DC60000-0x000001960DCE2000-memory.dmp
                                          Filesize

                                          520KB

                                          Download
                                        • memory/4880-133-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp
                                          Filesize

                                          10.8MB

                                          Download
                                        • memory/4880-137-0x00007FFA541B0000-0x00007FFA54C71000-memory.dmp
                                          Filesize

                                          10.8MB

                                          Download