Malware Analysis Report

2025-01-02 09:23

Sample ID 230117-vvk8hafh5t
Target 6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778
SHA256 6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778
Tags
lgoogloader downloader persistence
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V6

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778

Threat Level: Known bad

The file 6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778 was found to be: Known bad.

Malicious Activity Summary

lgoogloader downloader persistence

Detects LgoogLoader payload

LgoogLoader

Sets service image path in registry

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2023-01-17 17:18

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2023-01-17 17:18

Reported

2023-01-17 17:21

Platform

win10v2004-20221111-en

Max time kernel

90s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe"

Signatures

Detects LgoogLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LgoogLoader

downloader lgoogloader

Sets service image path in registry

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4984 set thread context of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | N/A (18 identical entries)

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4984 wrote to memory of 2100 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe (2 identical entries)
PID 4984 wrote to memory of 1520 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe (2 identical entries)
PID 4984 wrote to memory of 64 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe (2 identical entries)
PID 4984 wrote to memory of 1028 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe (2 identical entries)
PID 4984 wrote to memory of 1468 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe (2 identical entries)
PID 4984 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe (2 identical entries)
PID 4984 wrote to memory of 2752 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe (2 identical entries)
PID 4984 wrote to memory of 4952 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe (2 identical entries)
PID 4984 wrote to memory of 1080 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe (2 identical entries)
PID 4984 wrote to memory of 4156 | N/A | C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe (11 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe

"C:\Users\Admin\AppData\Local\Temp\6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

Network

Country | Destination | Domain | Proto
N/A | 88.221.25.154:80 | | tcp
N/A | 104.80.225.205:443 | | tcp
N/A | 52.178.17.3:443 | | tcp
N/A | 87.248.202.1:80 | | tcp (2 identical entries)

Files

memory/4984-132-0x000002A49B7A0000-0x000002A49B854000-memory.dmp

memory/4984-133-0x00007FF9C6AF0000-0x00007FF9C75B1000-memory.dmp

memory/4156-134-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4156-135-0x0000000000403980-mapping.dmp

memory/4156-136-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4984-137-0x00007FF9C6AF0000-0x00007FF9C75B1000-memory.dmp

memory/4156-138-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4156-139-0x0000000001370000-0x0000000001379000-memory.dmp

memory/4156-140-0x0000000001470000-0x000000000147D000-memory.dmp