Overview

overview

10

Static

static

3

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    82s
  • max time network
    143s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    09-06-2023 11:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    50KB

  • MD5

    9d846bb9fbd2e4ce0a2344b02d535e9c

  • SHA1

    91bb1d20302d740b733d155bd42556038b900380

  • SHA256

    ad6dd2baa672f859b2da3916317449966604627dbf0991f2872db0f7c8b9ae07

  • SHA512

    bd07b8443719dafadad2106dceeb5eec060b0606f3b9344495506ddcb40eebbac0b115430efe6b45a87579b120512b4a07e8d1903c11f8291d1712fe35fc1596

  • SSDEEP

    768:7eX7e/XWwa+6NMLh2J84nhRDsMx1zO1fu8iSUKWay0CE5qb4rafuPg:iS/XWwP6NkohRoE1zOFoKWarefuPg

Score
10/10
lgoogloaderdownloaderpersistence

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 24 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 35 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
      2⤵
        PID:1444
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
        2⤵
          PID:3132
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
          2⤵
            PID:3980
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
            2⤵
              PID:3252
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
              2⤵
                PID:3208
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
                2⤵
                  PID:1420
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
                  2⤵
                    PID:4888
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                    2⤵
                      PID:4960
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
                      2⤵
                        PID:5052
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
                        2⤵
                          PID:1220
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
                          2⤵
                            PID:3848
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                            2⤵
                              PID:3844
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                              2⤵
                                PID:5028

                            Network

                            MITRE ATT&CK Enterprise v6

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • memory/1416-133-0x000002C78F690000-0x000002C78F6A0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/1416-134-0x000002C7AA0E0000-0x000002C7AA608000-memory.dmp

                              Filesize

                              5.2MB

                              Download

                            • memory/1416-135-0x000002C78FAD0000-0x000002C78FAE0000-memory.dmp

                              Filesize

                              64KB

                              Download

                            • memory/5028-137-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                              Download

                            • memory/5028-139-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                              Download

                            • memory/5028-140-0x0000000000400000-0x0000000000434000-memory.dmp

                              Filesize

                              208KB

                              Download

                            • memory/5028-141-0x0000000001420000-0x0000000001429000-memory.dmp

                              Filesize

                              36KB

                              Download

                            • memory/5028-142-0x0000000001440000-0x000000000144D000-memory.dmp

                              Filesize

                              52KB

                              Download