Overview

overview

10

Static

static

3

file.exe

windows7-x64

8

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    61s
  • max time network
    127s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05-06-2023 20:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    30KB

  • MD5

    2cec8b52f960c604e0d2abe39e984de3

  • SHA1

    296052155e7adab51195943bded45fce3a49a5e5

  • SHA256

    dcffc23486ddb6873a0b9149092ddf77c737a018e06ff7638b60e06c06e57b59

  • SHA512

    e27a82f73042a175245f00544dfc7dd358999b3bf66db42de67bdbf8ed8dbda09cd123a90e9b503e87667f9efed11d2109bd478370a37b19b1431f18992aa819

  • SSDEEP

    384:tP8qP946MVd4/ezNZUG9bxcz6MQ6B7LMQD6X4Fi1EU96B2Jq29N6a2QG3KUzVGlh:mq2VmA6BnOX4O968vXMGlBCjfUN3eYeU

Score
10/10
lgoogloaderdownloaderpersistence

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 56 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2372
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
      2⤵
        PID:332
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
        2⤵
          PID:1884
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
          2⤵
            PID:3304
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
            2⤵
              PID:2388
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
              2⤵
                PID:2848
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
                2⤵
                  PID:896
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
                  2⤵
                    PID:400
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
                    2⤵
                      PID:2648
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
                      2⤵
                        PID:2624
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
                        2⤵
                          PID:2960
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
                          2⤵
                            PID:4428
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                            2⤵
                              PID:1916
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                              2⤵
                                PID:2004
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
                                2⤵
                                  PID:3040
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                                  2⤵
                                    PID:4668
                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
                                    2⤵
                                      PID:1564
                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
                                      2⤵
                                        PID:1288
                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
                                        2⤵
                                          PID:4520
                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                                          2⤵
                                            PID:3300
                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                                            2⤵
                                              PID:3920
                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
                                              2⤵
                                                PID:3904
                                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
                                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
                                                2⤵
                                                  PID:4036
                                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
                                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
                                                  2⤵
                                                    PID:3924
                                                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
                                                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
                                                    2⤵
                                                      PID:3152
                                                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                                                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
                                                      2⤵
                                                        PID:3372
                                                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
                                                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
                                                        2⤵
                                                          PID:3216
                                                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                                                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
                                                          2⤵
                                                            PID:3284
                                                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
                                                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
                                                            2⤵
                                                              PID:3260
                                                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                                                              2⤵
                                                                PID:5048

                                                            Network

                                                            MITRE ATT&CK Enterprise v6

                                                            Replay Monitor

                                                            Loading Replay Monitor...

                                                            Downloads

                                                            • memory/2372-133-0x0000021264930000-0x000002126493C000-memory.dmp

                                                              Filesize

                                                              48KB

                                                              Download

                                                            • memory/2372-134-0x000002127F330000-0x000002127F858000-memory.dmp

                                                              Filesize

                                                              5.2MB

                                                              Download

                                                            • memory/2372-135-0x00000212665D0000-0x00000212665E0000-memory.dmp

                                                              Filesize

                                                              64KB

                                                              Download

                                                            • memory/5048-137-0x0000000000400000-0x0000000000434000-memory.dmp

                                                              Filesize

                                                              208KB

                                                              Download

                                                            • memory/5048-139-0x0000000000400000-0x0000000000434000-memory.dmp

                                                              Filesize

                                                              208KB

                                                              Download

                                                            • memory/5048-140-0x0000000000400000-0x0000000000434000-memory.dmp

                                                              Filesize

                                                              208KB

                                                              Download

                                                            • memory/5048-141-0x0000000001420000-0x0000000001429000-memory.dmp

                                                              Filesize

                                                              36KB

                                                              Download

                                                            • memory/5048-142-0x0000000001440000-0x000000000144D000-memory.dmp

                                                              Filesize

                                                              52KB

                                                              Download