Overview

overview

10

Static

static

file.exe

windows7-x64

3

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20221111-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20221111-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-01-2023 11:34

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    693KB

  • MD5

    2bfb1210836df1f8cd8ad0b23a4e751b

  • SHA1

    a9f0b00f0f237557338a7fdad9be320aff5c914b

  • SHA256

    6cfc4dfd10e4a160e8d70e9a8178288daff0ec49e39dd5f45f9ea553b94b4a8f

  • SHA512

    52cb115ec999c2af7a781bd5e42ca8dcb2df9c7660ddf2f8103212bac18f9fbf2610d3593102532dc84b63f790da9f830d5e244ff586277f9b46bbc7522cbc96

  • SSDEEP

    12288:dM7vTkRj+7mrsHXoVjFlXWRFrvUo9qU7wL/K0ifFAdEB3aB/Ksq/Ksd/KsS:di2j+UQ4FFYrvMQS//kUQ3gidi

Score
10/10
lgoogloaderdownloaderpersistence

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 20 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 31 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2620
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      2⤵
        PID:4356
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
        2⤵
          PID:860
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
          2⤵
            PID:332
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
            2⤵
              PID:1912
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
              2⤵
                PID:4324
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
                2⤵
                  PID:4280
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
                  2⤵
                    PID:2168
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                    2⤵
                      PID:2932
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
                      2⤵
                        PID:1432
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                        2⤵
                          PID:3000
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                          2⤵
                            PID:1528

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • memory/1528-134-0x0000000000400000-0x000000000043E000-memory.dmp
                          Filesize

                          248KB

                          Download
                        • memory/1528-135-0x0000000000403980-mapping.dmp
                          Download
                        • memory/1528-136-0x0000000000400000-0x000000000043E000-memory.dmp
                          Filesize

                          248KB

                          Download
                        • memory/1528-138-0x0000000000400000-0x000000000043E000-memory.dmp
                          Filesize

                          248KB

                          Download
                        • memory/1528-139-0x0000000001130000-0x0000000001139000-memory.dmp
                          Filesize

                          36KB

                          Download
                        • memory/1528-140-0x0000000001150000-0x000000000115D000-memory.dmp
                          Filesize

                          52KB

                          Download
                        • memory/2620-132-0x000002C332040000-0x000002C3320EE000-memory.dmp
                          Filesize

                          696KB

                          Download
                        • memory/2620-133-0x00007FF980870000-0x00007FF981331000-memory.dmp
                          Filesize

                          10.8MB

                          Download
                        • memory/2620-137-0x00007FF980870000-0x00007FF981331000-memory.dmp
                          Filesize

                          10.8MB

                          Download