lgoogloader | e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025

General

Target

e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
Size

1.2MB
MD5

8c9e184323c1067391db30439d42309f
SHA1

6fbe4c6ec78ba5976f0c3a760bf560bcadec5544
SHA256

e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025
SHA512

1cd3822a20924c27207220879c3650bed1e4dab9717224d76ad96ec0aa9664e6b6966a5c2593724ab7d296eeb1bb61864259b034a4791c91f2e8b26ba8860b9a
SSDEEP

12288:EVEHF11PvAeHV/K4dQwDoJvvQ6/XQUtF/8eNcXD1EzAqsoykRNmx09Lp0KGjr2+C:ESDGntl+ICZWxkD9SR7

Score

10^/10

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2988-143-0x00000000017B0000-0x00000000017BD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2208 set thread context of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
Token: SeLoadDriverPrivilege	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
Token: SeDebugPrivilege	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 2208 wrote to memory of 4048	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	83
PID 2208 wrote to memory of 4048	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	83
PID 2208 wrote to memory of 3080	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	84
PID 2208 wrote to memory of 3080	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	84
PID 2208 wrote to memory of 3004	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	85
PID 2208 wrote to memory of 3004	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	85
PID 2208 wrote to memory of 2020	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	86
PID 2208 wrote to memory of 2020	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	86
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87
PID 2208 wrote to memory of 2988	2208	e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe	87

C:\Users\Admin\AppData\Local\Temp\e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe
"C:\Users\Admin\AppData\Local\Temp\e405f3facfec4741b7a25d5490bf7fe55ba525f4d17706a6e3d8b00b2a725025.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:4048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:3080
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:3004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:2988

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2208-133-0x000001B7CFD60000-0x000001B7CFEA0000-memory.dmp

Filesize
1.2MB

Download
memory/2208-134-0x000001B7EB4D0000-0x000001B7EB546000-memory.dmp

Filesize
472KB

Download
memory/2208-135-0x000001B7D1BE0000-0x000001B7D1BFE000-memory.dmp

Filesize
120KB

Download
memory/2208-136-0x000001B7EB4C0000-0x000001B7EB4D0000-memory.dmp

Filesize
64KB

Download
memory/2988-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2988-142-0x0000000001310000-0x0000000001319000-memory.dmp

Filesize
36KB

Download
memory/2988-143-0x00000000017B0000-0x00000000017BD000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing