lgoogloader | 101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880

General

Target

8463849a48326c8b46c38717c30a7acc.exe
Size

220KB
MD5

8463849a48326c8b46c38717c30a7acc
SHA1

5c81ea3b2a013b8736872f2d667ba4bc42f4544e
SHA256

101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880
SHA512

32ecc9c2bc1ae18dae8ac3a832e375faad7d1b426f826872b17d54b766fd2411048960a19c85a2ec8371f3497396514f517216d903074bdb81487dc441247d20
SSDEEP

3072:vLQ3jFFRmQukKxwumnIU2bQ3/Ksg+O/J/Ksg+O/XWf+/Ksg+O/Ti:XQukK6hn3/Ksgz/KsgE+/Ksgk

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4372-140-0x0000000002F40000-0x0000000002F4D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

8463849a48326c8b46c38717c30a7acc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	8463849a48326c8b46c38717c30a7acc.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

8463849a48326c8b46c38717c30a7acc.exe

description pid process target process

PID 1508 set thread context of 4372 1508 8463849a48326c8b46c38717c30a7acc.exe AddInProcess32.exe

description	pid	process	target process
PID 1508 set thread context of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

Processes:

8463849a48326c8b46c38717c30a7acc.exe

pid	process
1508	8463849a48326c8b46c38717c30a7acc.exe
1508	8463849a48326c8b46c38717c30a7acc.exe
1508	8463849a48326c8b46c38717c30a7acc.exe
1508	8463849a48326c8b46c38717c30a7acc.exe
1508	8463849a48326c8b46c38717c30a7acc.exe
1508	8463849a48326c8b46c38717c30a7acc.exe
1508	8463849a48326c8b46c38717c30a7acc.exe
1508	8463849a48326c8b46c38717c30a7acc.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

8463849a48326c8b46c38717c30a7acc.exe

pid process

1508 8463849a48326c8b46c38717c30a7acc.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

8463849a48326c8b46c38717c30a7acc.exe

description	pid	process
Token: SeDebugPrivilege	1508	8463849a48326c8b46c38717c30a7acc.exe
Token: SeLoadDriverPrivilege	1508	8463849a48326c8b46c38717c30a7acc.exe
Token: SeDebugPrivilege	1508	8463849a48326c8b46c38717c30a7acc.exe

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

8463849a48326c8b46c38717c30a7acc.exe

description	pid	process	target process
PID 1508 wrote to memory of 3472	1508	8463849a48326c8b46c38717c30a7acc.exe	RegAsm.exe
PID 1508 wrote to memory of 3472	1508	8463849a48326c8b46c38717c30a7acc.exe	RegAsm.exe
PID 1508 wrote to memory of 4364	1508	8463849a48326c8b46c38717c30a7acc.exe	ilasm.exe
PID 1508 wrote to memory of 4364	1508	8463849a48326c8b46c38717c30a7acc.exe	ilasm.exe
PID 1508 wrote to memory of 3840	1508	8463849a48326c8b46c38717c30a7acc.exe	aspnet_regiis.exe
PID 1508 wrote to memory of 3840	1508	8463849a48326c8b46c38717c30a7acc.exe	aspnet_regiis.exe
PID 1508 wrote to memory of 2912	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInUtil.exe
PID 1508 wrote to memory of 2912	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInUtil.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe
PID 1508 wrote to memory of 4372	1508	8463849a48326c8b46c38717c30a7acc.exe	AddInProcess32.exe

C:\Users\Admin\AppData\Local\Temp\8463849a48326c8b46c38717c30a7acc.exe
"C:\Users\Admin\AppData\Local\Temp\8463849a48326c8b46c38717c30a7acc.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1508

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
2⤵
PID:3472

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
2⤵
PID:4364

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
2⤵
PID:3840

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
2⤵
PID:2912

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
2⤵
PID:4372

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1508-132-0x000002331DA30000-0x000002331DA68000-memory.dmp

Filesize
224KB

Download
memory/1508-133-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/1508-137-0x00007FF9D4C80000-0x00007FF9D5741000-memory.dmp

Filesize
10.8MB

Download
memory/4372-134-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-135-0x00000000004046C6-mapping.dmp

Download
memory/4372-136-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-138-0x0000000000400000-0x000000000043F000-memory.dmp

Filesize
252KB

Download
memory/4372-139-0x0000000001480000-0x0000000001489000-memory.dmp

Filesize
36KB

Download
memory/4372-140-0x0000000002F40000-0x0000000002F4D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads