Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    30s
  • max time network
    32s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    09-06-2023 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    50KB

  • MD5

    9d846bb9fbd2e4ce0a2344b02d535e9c

  • SHA1

    91bb1d20302d740b733d155bd42556038b900380

  • SHA256

    ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07

  • SHA512

    bd07b8443719dafadad2106dceeb5eec060b0606f3b9344495506ddcb40eebbac0b115430efe6b45a87579b120512b4a07e8d1903c11f8291d1712fe35fc1596

  • SSDEEP

    768:7eX7e/XWwa+6NMLh2J84nhRDsMx1zO1fu8iSUKWay0CE5qb4rafuPg:iS/XWwP6NkohRoE1zOFoKWarefuPg

Score
10/10
lgoogloaderdownloaderpersistence

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 29 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:904
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
      2⤵
        PID:1068
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
        2⤵
          PID:1720
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
          2⤵
            PID:852
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
            2⤵
              PID:1392
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
              2⤵
                PID:1944
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                2⤵
                  PID:1396
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
                  2⤵
                    PID:336

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • memory/336-58-0x0000000000400000-0x0000000000434000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/336-60-0x0000000000400000-0x0000000000434000-memory.dmp

                  Filesize

                  208KB

                  Download

                • memory/336-61-0x0000000000240000-0x0000000000249000-memory.dmp

                  Filesize

                  36KB

                  Download

                • memory/336-62-0x0000000000270000-0x000000000027D000-memory.dmp

                  Filesize

                  52KB

                  Download

                • memory/904-54-0x0000000000830000-0x0000000000840000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/904-55-0x000000001B260000-0x000000001B2E0000-memory.dmp

                  Filesize

                  512KB

                  Download

                • memory/904-56-0x0000000002070000-0x00000000020E8000-memory.dmp

                  Filesize

                  480KB

                  Download