Malware Analysis Report

2025-01-02 09:24

Sample ID: 230117-wdevtsgc4z
Target: file.exe
SHA256: 6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778
Tags: lgoogloader, downloader, persistence
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V6
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 6326bea9cec6e2baec63ed96cd31a97770c6a63b96d1169a8b5586ec071c8778

Threat Level: Known bad

The file file.exe was found to be: Known bad.

Malicious Activity Summary

Tags: lgoogloader, downloader, persistence

Detects LgoogLoader payload

LgoogLoader

Sets service image path in registry

Suspicious use of SetThreadContext

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: LoadsDriver

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2023-01-17 17:48

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2023-01-17 17:48
Reported: 2023-01-17 17:50
Platform: win7-20221111-en
Max time kernel: 28s
Max time network: 33s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects LgoogLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LgoogLoader

Tags: downloader, lgoogloader

Sets service image path in registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 1992 set thread context of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 1992 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 1992 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 1992 wrote to memory of 1816 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
PID 1992 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1992 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1992 wrote to memory of 2044 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 1992 wrote to memory of 2004 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

Network

N/A

Files

memory/1992-54-0x0000000000B40000-0x0000000000BF4000-memory.dmp

memory/1992-55-0x000000001A5B0000-0x000000001A62C000-memory.dmp

memory/2004-56-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2004-57-0x0000000000403980-mapping.dmp

memory/2004-59-0x0000000076411000-0x0000000076413000-memory.dmp

memory/2004-60-0x0000000000400000-0x000000000043E000-memory.dmp

memory/2004-61-0x00000000000F0000-0x00000000000F9000-memory.dmp

memory/2004-62-0x0000000000150000-0x000000000015D000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2023-01-17 17:48
Reported: 2023-01-17 17:50
Platform: win10v2004-20220901-en
Max time kernel: 90s
Max time network: 110s

Command Line

"C:\Users\Admin\AppData\Local\Temp\file.exe"

Signatures

Detects LgoogLoader payload

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

LgoogLoader

Tags: downloader, lgoogloader

Sets service image path in registry

Tags: persistence

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 4972 set thread context of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Suspicious behavior: LoadsDriver

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4972 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
PID 4972 wrote to memory of 3960 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
PID 4972 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4972 wrote to memory of 4224 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
PID 4972 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 4972 wrote to memory of 1420 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
PID 4972 wrote to memory of 1588 | N/A | C:\Users\Admin\AppData\Local\Temp\file.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\file.exe

"C:\Users\Admin\AppData\Local\Temp\file.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe

"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"

Network

Country | Destination | Domain | Proto
N/A | 104.208.16.90:443 | | tcp
N/A | 67.26.207.254:80 | | tcp
N/A | 67.26.207.254:80 | | tcp
N/A | 67.26.207.254:80 | | tcp

Files

memory/4972-132-0x000001F88E4B0000-0x000001F88E564000-memory.dmp

memory/4972-133-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

memory/1588-134-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1588-135-0x0000000000403980-mapping.dmp

memory/1588-136-0x0000000000400000-0x000000000043E000-memory.dmp

memory/1588-137-0x0000000000400000-0x000000000043E000-memory.dmp

memory/4972-138-0x00007FFCAAC70000-0x00007FFCAB731000-memory.dmp

memory/1588-139-0x00000000014D0000-0x00000000014D9000-memory.dmp

memory/1588-140-0x0000000001600000-0x000000000160D000-memory.dmp