lgoogloader | f6b889372577c64227b230609e8404d4629288ec1ae4df7376d6005361d3d69a | Triage

Analysis

max time kernel
91s
max time network
125s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
23-01-2023 14:40

Sharing

Report Analysis Logs

General

Target

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
Size

614KB
MD5

5a2b7e55e12b6be111413e81cbc829d8
SHA1

feee5eea1ba33a666fb61f876c80230d97ba8b47
SHA256

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51
SHA512

9e1c78e83a0c4342cf4f560eb4c81c3a7ca52f360adf594ddc654f9a1f56837b6339da3c2d74a4b525865832d937d181b8f13137c1870b05b87dcf4cfce8fc20
SSDEEP

12288:6rxXmSBr7wHt5c/yq1HcmZCqsyKEJgnzAS6n2jj:6JYvcRd1ZC1XE4MSHf

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/1740-142-0x00000000011F0000-0x00000000011FD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

Registry Run Keys / Startup Folder

Modify Registry

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

description	pid	process	target process
PID 1196 set thread context of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe

Suspicious behavior: EnumeratesProcesses 42 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

pid	process
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

pid process

1196 357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

description	pid	process
Token: SeDebugPrivilege	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
Token: SeLoadDriverPrivilege	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
Token: SeDebugPrivilege	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

Suspicious use of WriteProcessMemory 53 IoCs

Processes:

357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe

description	pid	process	target process
PID 1196 wrote to memory of 4332	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	AddInProcess.exe
PID 1196 wrote to memory of 4332	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	AddInProcess.exe
PID 1196 wrote to memory of 4432	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_state.exe
PID 1196 wrote to memory of 4432	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_state.exe
PID 1196 wrote to memory of 3796	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	AppLaunch.exe
PID 1196 wrote to memory of 3796	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	AppLaunch.exe
PID 1196 wrote to memory of 1448	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	ngentask.exe
PID 1196 wrote to memory of 1448	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	ngentask.exe
PID 1196 wrote to memory of 1440	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Microsoft.Workflow.Compiler.exe
PID 1196 wrote to memory of 1440	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	Microsoft.Workflow.Compiler.exe
PID 1196 wrote to memory of 1376	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	ilasm.exe
PID 1196 wrote to memory of 1376	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	ilasm.exe
PID 1196 wrote to memory of 1136	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	dfsvc.exe
PID 1196 wrote to memory of 1136	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	dfsvc.exe
PID 1196 wrote to memory of 1516	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	EdmGen.exe
PID 1196 wrote to memory of 1516	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	EdmGen.exe
PID 1196 wrote to memory of 1716	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	MSBuild.exe
PID 1196 wrote to memory of 1716	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	MSBuild.exe
PID 1196 wrote to memory of 4992	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_compiler.exe
PID 1196 wrote to memory of 4992	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_compiler.exe
PID 1196 wrote to memory of 4976	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	csc.exe
PID 1196 wrote to memory of 4976	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	csc.exe
PID 1196 wrote to memory of 4972	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_wp.exe
PID 1196 wrote to memory of 4972	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_wp.exe
PID 1196 wrote to memory of 4908	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	CasPol.exe
PID 1196 wrote to memory of 4908	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	CasPol.exe
PID 1196 wrote to memory of 4936	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	AddInUtil.exe
PID 1196 wrote to memory of 4936	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	AddInUtil.exe
PID 1196 wrote to memory of 4892	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	mscorsvw.exe
PID 1196 wrote to memory of 4892	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	mscorsvw.exe
PID 1196 wrote to memory of 3500	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	DataSvcUtil.exe
PID 1196 wrote to memory of 3500	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	DataSvcUtil.exe
PID 1196 wrote to memory of 4928	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	InstallUtil.exe
PID 1196 wrote to memory of 4928	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	InstallUtil.exe
PID 1196 wrote to memory of 4956	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	RegAsm.exe
PID 1196 wrote to memory of 4956	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	RegAsm.exe
PID 1196 wrote to memory of 4864	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_regbrowsers.exe
PID 1196 wrote to memory of 4864	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	aspnet_regbrowsers.exe
PID 1196 wrote to memory of 4968	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	SMSvcHost.exe
PID 1196 wrote to memory of 4968	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	SMSvcHost.exe
PID 1196 wrote to memory of 4856	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	ngen.exe
PID 1196 wrote to memory of 4856	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	ngen.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe
PID 1196 wrote to memory of 1740	1196	357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe
"C:\Users\Admin\AppData\Local\Temp\357454521efaa0849a2ee13d2f3531082ac56d110a10b137654d5777cf724d51.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1196

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
2⤵
PID:4332

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
2⤵
PID:4432

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
2⤵
PID:3796

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
2⤵
PID:1448

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
2⤵
PID:1440

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:1376

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
2⤵
PID:1136

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
2⤵
PID:1516

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
2⤵
PID:1716

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
2⤵
PID:4992

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
2⤵
PID:4976

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
2⤵
PID:4972

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
2⤵
PID:4908

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:4936

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
2⤵
PID:4892

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
2⤵
PID:3500

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
2⤵
PID:4928

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:4956

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
2⤵
PID:4864

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
2⤵
PID:4968

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
2⤵
PID:4856

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
2⤵
PID:1740

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

Privilege Escalation

Defense Evasion

Modify Registry

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1196-132-0x000001D935940000-0x000001D9359DC000-memory.dmp

Filesize
624KB

Download
memory/1196-133-0x000001D94FDE0000-0x000001D94FE56000-memory.dmp

Filesize
472KB

Download
memory/1196-134-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/1196-135-0x000001D935DA0000-0x000001D935DBE000-memory.dmp

Filesize
120KB

Download
memory/1196-138-0x00007FFFEE480000-0x00007FFFEEF41000-memory.dmp

Filesize
10.8MB

Download
memory/1740-136-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1740-137-0x0000000000403980-mapping.dmp

Download
memory/1740-139-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1740-140-0x0000000000400000-0x0000000000442000-memory.dmp

Filesize
264KB

Download
memory/1740-141-0x00000000011D0000-0x00000000011D9000-memory.dmp

Filesize
36KB

Download
memory/1740-142-0x00000000011F0000-0x00000000011FD000-memory.dmp

Filesize
52KB

Download