lgoogloader | fed161ae617fd483308f66110a4b43594e39602c7ba11dbb7fb6e79fd6f4fbbf

Analysis

max time kernel
30s
max time network
32s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
09-06-2023 08:54

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

file.exe
Size

42KB
MD5

fea015b6e2f3c5dfed94fbd3935fb365
SHA1

0ab3ccbef0de345f6fc3edb3e0320f77ddfa4255
SHA256

fed161ae617fd483308f66110a4b43594e39602c7ba11dbb7fb6e79fd6f4fbbf
SHA512

f237b3fcf5292271fd0801db18a5d94215d405265999d68e7f071d243b02876f49e8b94150e70ef5a17e5fe14d9c3d9faee8f28efd58bcd918e1e8d9e6dbdcf1
SSDEEP

768:JOIW7du3neRXZHxjim11Nvw4/bTTay0CE5qb4rafFf9:JOdu3nIPR11R/bTTarefFf9

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/1836-62-0x0000000000130000-0x000000000013D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	file.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 680 set thread context of 1836	680	file.exe	36

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe
680	file.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
680	file.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	680	file.exe
Token: SeDebugPrivilege	680	file.exe
Token: SeLoadDriverPrivilege	680	file.exe

Suspicious use of WriteProcessMemory 39 IoCs

description	pid	Process	procid_target
PID 680 wrote to memory of 876	680	file.exe	28
PID 680 wrote to memory of 876	680	file.exe	28
PID 680 wrote to memory of 876	680	file.exe	28
PID 680 wrote to memory of 1004	680	file.exe	29
PID 680 wrote to memory of 1004	680	file.exe	29
PID 680 wrote to memory of 1004	680	file.exe	29
PID 680 wrote to memory of 1720	680	file.exe	30
PID 680 wrote to memory of 1720	680	file.exe	30
PID 680 wrote to memory of 1720	680	file.exe	30
PID 680 wrote to memory of 1724	680	file.exe	31
PID 680 wrote to memory of 1724	680	file.exe	31
PID 680 wrote to memory of 1724	680	file.exe	31
PID 680 wrote to memory of 1332	680	file.exe	32
PID 680 wrote to memory of 1332	680	file.exe	32
PID 680 wrote to memory of 1332	680	file.exe	32
PID 680 wrote to memory of 1252	680	file.exe	33
PID 680 wrote to memory of 1252	680	file.exe	33
PID 680 wrote to memory of 1252	680	file.exe	33
PID 680 wrote to memory of 1108	680	file.exe	34
PID 680 wrote to memory of 1108	680	file.exe	34
PID 680 wrote to memory of 1108	680	file.exe	34
PID 680 wrote to memory of 1108	680	file.exe	34
PID 680 wrote to memory of 1108	680	file.exe	34
PID 680 wrote to memory of 1108	680	file.exe	34
PID 680 wrote to memory of 1108	680	file.exe	34
PID 680 wrote to memory of 744	680	file.exe	35
PID 680 wrote to memory of 744	680	file.exe	35
PID 680 wrote to memory of 744	680	file.exe	35
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36
PID 680 wrote to memory of 1836	680	file.exe	36

C:\Users\Admin\AppData\Local\Temp\file.exe
"C:\Users\Admin\AppData\Local\Temp\file.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:876
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1004
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:1720
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:1724
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:1332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:1252
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SetupCache\v4.7.03062\SetupUtility.exe"
  2⤵
  PID:1108
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:744
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:1836

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/680-54-0x0000000000EF0000-0x0000000000EFE000-memory.dmp

Filesize
56KB

Download
memory/680-55-0x000000001B3E0000-0x000000001B460000-memory.dmp

Filesize
512KB

Download
memory/680-56-0x0000000000C50000-0x0000000000CC8000-memory.dmp

Filesize
480KB

Download
memory/1836-58-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1836-61-0x0000000000100000-0x0000000000109000-memory.dmp

Filesize
36KB

Download
memory/1836-62-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download