Analysis Overview
SHA256
857f1fa5de679da0a0717dec356f61c66a6ed75beb8c848fb4cad1a32514ac13
Threat Level: Known bad
The file 8463849a48326c8b46c38717c30a7acc.bin was found to be: Known bad.
Malicious Activity Summary
Detects LgoogLoader payload
LgoogLoader
Sets service image path in registry
Suspicious use of SetThreadContext
Program crash
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-01-30 18:57
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-01-30 18:57
Reported
2023-01-30 18:59
Platform
win7-20220812-en
Max time kernel
43s
Max time network
46s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 752 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | C:\Windows\system32\WerFault.exe |
| PID 752 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | C:\Windows\system32\WerFault.exe |
| PID 752 wrote to memory of 940 | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | C:\Windows\system32\WerFault.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe
"C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe"
C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 752 -s 716
Network
Files
memory/752-54-0x00000000012B0000-0x00000000012E8000-memory.dmp
memory/752-55-0x000007FEFC161000-0x000007FEFC163000-memory.dmp
memory/940-56-0x0000000000000000-mapping.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2023-01-30 18:57
Reported
2023-01-30 18:59
Platform
win10v2004-20220812-en
Max time kernel
91s
Max time network
147s
Command Line
Signatures
Detects LgoogLoader payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
LgoogLoader
Sets service image path in registry
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys" | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4728 set thread context of 736 | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe |
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: LoadsDriver
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe
"C:\Users\Admin\AppData\Local\Temp\101387858898c5dc0102bfd2b57fe50707dd002c093a4dc596bf3e7e854f6880.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 185.17.0.79:6666 | tcp | |
| N/A | 93.184.220.29:80 | tcp | |
| N/A | 8.253.208.113:80 | tcp | |
| N/A | 8.253.208.113:80 | tcp | |
| N/A | 8.253.208.113:80 | tcp | |
| N/A | 8.253.208.113:80 | tcp | |
| N/A | 104.80.225.205:443 | tcp |
Files
memory/4728-132-0x000002D20BC70000-0x000002D20BCA8000-memory.dmp
memory/4728-133-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp
memory/736-134-0x0000000000400000-0x000000000043F000-memory.dmp
memory/736-135-0x00000000004046C6-mapping.dmp
memory/736-136-0x0000000000400000-0x000000000043F000-memory.dmp
memory/4728-137-0x00007FFFCEC30000-0x00007FFFCF6F1000-memory.dmp
memory/736-138-0x0000000000400000-0x000000000043F000-memory.dmp
memory/736-139-0x0000000002EB0000-0x0000000002EB9000-memory.dmp
memory/736-140-0x0000000002ED0000-0x0000000002EDD000-memory.dmp