Overview

overview

10

Static

static

3

7ba6ab30eb...24.exe

windows7-x64

10

7ba6ab30eb...24.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    31s
  • max time network
    33s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    10-06-2023 01:35

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7ba6ab30eb71e8ab3ccdc734633391c092b25160f62173d4b6237da6c55b5a24.exe

  • Size

    45KB

  • MD5

    788f396393dcab0c3dee93fbd2ae8371

  • SHA1

    3ba5c566299ba91072f41cffa8894a237bcff71d

  • SHA256

    7ba6ab30eb71e8ab3ccdc734633391c092b25160f62173d4b6237da6c55b5a24

  • SHA512

    a11266ac7f051fc8ef89ae8a003dd7d27456891e835754d40b706d08c0446d1a176eb2ff3673dfb3a351b8e59856db4902b90d44195c9c3d88a99d3fdaeb35d4

  • SSDEEP

    768:RjFq7GFIOtbLrPg2Eln1eL2HLMGTay0CE5qb4rafyFZ:xF3b/PZEV1eL2rhTarefyFZ

Score
10/10
lgoogloaderdownloaderpersistence

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Sets service image path in registry 2 TTPs 1 IoCs
    persistence
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 13 IoCs
  • Suspicious behavior: LoadsDriver 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of WriteProcessMemory 51 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7ba6ab30eb71e8ab3ccdc734633391c092b25160f62173d4b6237da6c55b5a24.exe
    "C:\Users\Admin\AppData\Local\Temp\7ba6ab30eb71e8ab3ccdc734633391c092b25160f62173d4b6237da6c55b5a24.exe"
    1⤵
    • Sets service image path in registry
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: LoadsDriver
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
      2⤵
        PID:1412
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
        2⤵
          PID:340
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
          2⤵
            PID:1416
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
            2⤵
              PID:1852
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
              2⤵
                PID:524
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
                2⤵
                  PID:1444
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
                  2⤵
                    PID:1148
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
                    2⤵
                      PID:1696
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
                      2⤵
                        PID:1716
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                        2⤵
                          PID:1536
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
                          2⤵
                            PID:1864
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
                            2⤵
                              PID:1952
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
                              2⤵
                                PID:1748
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                                2⤵
                                  PID:1900

                              Network

                              MITRE ATT&CK Enterprise v6

                              Replay Monitor

                              Loading Replay Monitor...

                              Downloads

                              • memory/1900-58-0x0000000000400000-0x0000000000434000-memory.dmp

                                Filesize

                                208KB

                                Download

                              • memory/1900-60-0x0000000000400000-0x0000000000434000-memory.dmp

                                Filesize

                                208KB

                                Download

                              • memory/1900-61-0x0000000000110000-0x0000000000119000-memory.dmp

                                Filesize

                                36KB

                                Download

                              • memory/1900-62-0x0000000000140000-0x000000000014D000-memory.dmp

                                Filesize

                                52KB

                                Download

                              • memory/2008-54-0x0000000000320000-0x0000000000330000-memory.dmp

                                Filesize

                                64KB

                                Download

                              • memory/2008-55-0x000000001AEE0000-0x000000001AF60000-memory.dmp

                                Filesize

                                512KB

                                Download

                              • memory/2008-56-0x000000001A6E0000-0x000000001A758000-memory.dmp

                                Filesize

                                480KB

                                Download