lgoogloader | dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59

Analysis

max time kernel
135s
max time network
145s
platform
windows10-2004_x64
resource
win10v2004-20230221-en
resource tags

arch:x64arch:x86image:win10v2004-20230221-enlocale:en-usos:windows10-2004-x64system
submitted
05-06-2023 11:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
Size

30KB
MD5

2cec8b52f960c604e0d2abe39e984de3
SHA1

296052155e7adab51195943bded45fce3a49a5e5
SHA256

dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59
SHA512

e27a82f73042a175245f00544dfc7dd358999b3bf66db42de67bdbf8ed8dbda09cd123a90e9b503e87667f9efed11d2109bd478370a37b19b1431f18992aa819
SSDEEP

384:tP8qP946MVd4/ezNZUG9bxcz6MQ6B7LMQD6X4Fi1EU96B2Jq29N6a2QG3KUzVGlh:mq2VmA6BnOX4O968vXMGlBCjfUN3eYeU

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/1432-142-0x0000000000A20000-0x0000000000A2D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2752 set thread context of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
Token: SeDebugPrivilege	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
Token: SeLoadDriverPrivilege	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe

Suspicious use of WriteProcessMemory 30 IoCs

description	pid	Process	procid_target
PID 2752 wrote to memory of 1300	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	84
PID 2752 wrote to memory of 1300	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	84
PID 2752 wrote to memory of 544	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	85
PID 2752 wrote to memory of 544	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	85
PID 2752 wrote to memory of 568	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	86
PID 2752 wrote to memory of 568	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	86
PID 2752 wrote to memory of 452	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	87
PID 2752 wrote to memory of 452	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	87
PID 2752 wrote to memory of 628	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	88
PID 2752 wrote to memory of 628	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	88
PID 2752 wrote to memory of 4284	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	89
PID 2752 wrote to memory of 4284	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	89
PID 2752 wrote to memory of 1692	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	90
PID 2752 wrote to memory of 1692	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	90
PID 2752 wrote to memory of 1456	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	91
PID 2752 wrote to memory of 1456	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	91
PID 2752 wrote to memory of 1460	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	92
PID 2752 wrote to memory of 1460	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	92
PID 2752 wrote to memory of 1448	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	94
PID 2752 wrote to memory of 1448	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	94
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93
PID 2752 wrote to memory of 1432	2752	dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe	93

C:\Users\Admin\AppData\Local\Temp\dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe
"C:\Users\Admin\AppData\Local\Temp\dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2752
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:1300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:544
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:568
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:452
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:628
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4284
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:1456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:1460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:1432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:1448

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1432-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1432-142-0x0000000000A20000-0x0000000000A2D000-memory.dmp

Filesize
52KB

Download
memory/1432-141-0x0000000000A00000-0x0000000000A09000-memory.dmp

Filesize
36KB

Download
memory/2752-133-0x0000016C0A940000-0x0000016C0A94C000-memory.dmp

Filesize
48KB

Download
memory/2752-134-0x0000016C25500000-0x0000016C25A28000-memory.dmp

Filesize
5.2MB

Download
memory/2752-135-0x0000016C24FC0000-0x0000016C24FD0000-memory.dmp

Filesize
64KB

Download