lgoogloader | 5e4066557c99489eedd7b360f985b50433dcd35f6c3a1a64731d9ec351d49895

Analysis

max time kernel
144s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
24/05/2023, 18:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

M7R65203.exe
Size

479KB
MD5

e409bb37559c91b0f0e8e18303cd9674
SHA1

b3270898a5594f61f0e507d09602c722c8076ed0
SHA256

5e4066557c99489eedd7b360f985b50433dcd35f6c3a1a64731d9ec351d49895
SHA512

7abf1da3052aaef0eac7d41e1ec387ecbd5ae5799b4c6f8f3f145677424e927508322b5cade2270838ace4dea8d217c75198673bd48a8f3bacde75d536118da4
SSDEEP

12288:1G96r5g9LqY0yJKxOhwB3o6OvYkrKC4U4N157sAb:1NrALdJK4wB462Y11U4N1lb

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/3028-141-0x0000000001570000-0x000000000157D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	M7R65203.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 520 set thread context of 3028	520	M7R65203.exe	98

Suspicious behavior: EnumeratesProcesses 26 IoCs

pid	Process
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe
520	M7R65203.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
520	M7R65203.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	520	M7R65203.exe
Token: SeLoadDriverPrivilege	520	M7R65203.exe
Token: SeDebugPrivilege	520	M7R65203.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 520 wrote to memory of 3512	520	M7R65203.exe	85
PID 520 wrote to memory of 3512	520	M7R65203.exe	85
PID 520 wrote to memory of 3124	520	M7R65203.exe	86
PID 520 wrote to memory of 3124	520	M7R65203.exe	86
PID 520 wrote to memory of 4896	520	M7R65203.exe	87
PID 520 wrote to memory of 4896	520	M7R65203.exe	87
PID 520 wrote to memory of 4120	520	M7R65203.exe	88
PID 520 wrote to memory of 4120	520	M7R65203.exe	88
PID 520 wrote to memory of 1420	520	M7R65203.exe	89
PID 520 wrote to memory of 1420	520	M7R65203.exe	89
PID 520 wrote to memory of 2564	520	M7R65203.exe	90
PID 520 wrote to memory of 2564	520	M7R65203.exe	90
PID 520 wrote to memory of 3572	520	M7R65203.exe	91
PID 520 wrote to memory of 3572	520	M7R65203.exe	91
PID 520 wrote to memory of 512	520	M7R65203.exe	92
PID 520 wrote to memory of 512	520	M7R65203.exe	92
PID 520 wrote to memory of 4756	520	M7R65203.exe	93
PID 520 wrote to memory of 4756	520	M7R65203.exe	93
PID 520 wrote to memory of 2672	520	M7R65203.exe	94
PID 520 wrote to memory of 2672	520	M7R65203.exe	94
PID 520 wrote to memory of 4696	520	M7R65203.exe	95
PID 520 wrote to memory of 4696	520	M7R65203.exe	95
PID 520 wrote to memory of 1708	520	M7R65203.exe	96
PID 520 wrote to memory of 1708	520	M7R65203.exe	96
PID 520 wrote to memory of 2208	520	M7R65203.exe	97
PID 520 wrote to memory of 2208	520	M7R65203.exe	97
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98
PID 520 wrote to memory of 3028	520	M7R65203.exe	98

C:\Users\Admin\AppData\Local\Temp\M7R65203.exe
"C:\Users\Admin\AppData\Local\Temp\M7R65203.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:520
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:3512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:3124
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:4896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:4120
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1420
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:2564
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3572
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:512
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:4756
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:2672
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:4696
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:1708
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2208
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:3028

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/520-133-0x00000230E0150000-0x00000230E01CC000-memory.dmp

Filesize
496KB

Download
memory/520-134-0x00000230E1E40000-0x00000230E1E50000-memory.dmp

Filesize
64KB

Download
memory/3028-136-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-138-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/3028-140-0x0000000001550000-0x0000000001559000-memory.dmp

Filesize
36KB

Download
memory/3028-141-0x0000000001570000-0x000000000157D000-memory.dmp

Filesize
52KB

Download