lgoogloader | 70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360 | Triage

Analysis

max time kernel
61s
max time network
126s
platform
windows10-2004_x64
resource
win10v2004-20220901-en
resource tags

arch:x64arch:x86image:win10v2004-20220901-enlocale:en-usos:windows10-2004-x64system
submitted
18-01-2023 06:06

Sharing

Report Analysis Logs

General

Target

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
Size

710KB
MD5

8536f1680e65cb9b9e93fa916d2ae93b
SHA1

2eb995c3da87f07fcbfb48008afbf3253ea86e76
SHA256

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360
SHA512

7a34ec0fdfe7977bfbd07b2041172155d32019910801e8cf0c60a64c1d0a50dc2f1f6c028507039b5fca71575475f5f060d10931458f1518613ad332282c4ec7
SSDEEP

12288:ErIIpwFjtUQ0RlPdPd64bRZUDNVR9WnsGJxoeM4:ErIKQtUpfVPd6A/UjunLJxoC

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral1/memory/2952-140-0x0000000002940000-0x000000000294D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

Processes:

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

description	pid	process	target process
PID 400 set thread context of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 24 IoCs

Processes:

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

pid	process
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

pid process

400 70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

description	pid	process
Token: SeDebugPrivilege	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
Token: SeLoadDriverPrivilege	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
Token: SeDebugPrivilege	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe

description	pid	process	target process
PID 400 wrote to memory of 1476	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	ngen.exe
PID 400 wrote to memory of 1476	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	ngen.exe
PID 400 wrote to memory of 452	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	vbc.exe
PID 400 wrote to memory of 452	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	vbc.exe
PID 400 wrote to memory of 3876	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_wp.exe
PID 400 wrote to memory of 3876	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_wp.exe
PID 400 wrote to memory of 3492	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	dfsvc.exe
PID 400 wrote to memory of 3492	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	dfsvc.exe
PID 400 wrote to memory of 3752	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_regiis.exe
PID 400 wrote to memory of 3752	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_regiis.exe
PID 400 wrote to memory of 2204	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AppLaunch.exe
PID 400 wrote to memory of 2204	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AppLaunch.exe
PID 400 wrote to memory of 2064	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	jsc.exe
PID 400 wrote to memory of 2064	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	jsc.exe
PID 400 wrote to memory of 2064	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	jsc.exe
PID 400 wrote to memory of 3928	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	ComSvcConfig.exe
PID 400 wrote to memory of 3928	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	ComSvcConfig.exe
PID 400 wrote to memory of 3932	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_regsql.exe
PID 400 wrote to memory of 3932	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_regsql.exe
PID 400 wrote to memory of 4376	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	MSBuild.exe
PID 400 wrote to memory of 4376	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	MSBuild.exe
PID 400 wrote to memory of 3304	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	InstallUtil.exe
PID 400 wrote to memory of 3304	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	InstallUtil.exe
PID 400 wrote to memory of 204	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_regbrowsers.exe
PID 400 wrote to memory of 204	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	aspnet_regbrowsers.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe
PID 400 wrote to memory of 2952	400	70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe
"C:\Users\Admin\AppData\Local\Temp\70c0eab50ed39298ca6961b54dff822adde204067d84d1783f7d1b88ebbfe360.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:400

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:1476

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
2⤵
PID:452

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:3876

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:3492

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:2204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:3752

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:2064

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
2⤵
PID:3928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
2⤵
PID:3932

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:4376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
PID:2952

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:204

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:3304

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/400-132-0x00000213919A0000-0x0000021391A54000-memory.dmp

Filesize
720KB

Download
memory/400-133-0x00007FF984A20000-0x00007FF9854E1000-memory.dmp

Filesize
10.8MB

Download
memory/400-138-0x00007FF984A20000-0x00007FF9854E1000-memory.dmp

Filesize
10.8MB

Download
memory/2952-134-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-135-0x0000000000403980-mapping.dmp

Download
memory/2952-136-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-137-0x0000000000400000-0x000000000043E000-memory.dmp

Filesize
248KB

Download
memory/2952-139-0x0000000000D80000-0x0000000000D89000-memory.dmp

Filesize
36KB

Download
memory/2952-140-0x0000000002940000-0x000000000294D000-memory.dmp

Filesize
52KB

Download