lgoogloader | e8483e9918697dc2fd3b4fc0fde38795851312dd38c1a6c83acdcaba47f8de7b

General

Target

194e670dffccd5785da26231d032e808.exe
Size

403KB
MD5

194e670dffccd5785da26231d032e808
SHA1

0a6ce468233b96041edc69330a0efa4b90194b4f
SHA256

e8483e9918697dc2fd3b4fc0fde38795851312dd38c1a6c83acdcaba47f8de7b
SHA512

935183ef75fd7acf057773d96b9e41ea419a2705afa21193b13b763655d8659db5be141aad210e0afa241036b0d0610444de40b68168ccf711059be14ad8c890
SSDEEP

3072:eZSUo1eprSwrXx0ooARRMkAHFIxobrvZkJv6SjaFvVmuLyRpPS68urGh3Lzs/vqq:enpNmooARiXCFT2Fp6SQaofZAC

Score

10^/10

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/4112-142-0x0000000001650000-0x000000000165D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	194e670dffccd5785da26231d032e808.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1176 set thread context of 4112	1176	194e670dffccd5785da26231d032e808.exe	86

Suspicious behavior: EnumeratesProcesses 16 IoCs

pid	Process
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe
1176	194e670dffccd5785da26231d032e808.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1176	194e670dffccd5785da26231d032e808.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1176	194e670dffccd5785da26231d032e808.exe
Token: SeDebugPrivilege	1176	194e670dffccd5785da26231d032e808.exe
Token: SeLoadDriverPrivilege	1176	194e670dffccd5785da26231d032e808.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 1176 wrote to memory of 4456	1176	194e670dffccd5785da26231d032e808.exe	78
PID 1176 wrote to memory of 4456	1176	194e670dffccd5785da26231d032e808.exe	78
PID 1176 wrote to memory of 3148	1176	194e670dffccd5785da26231d032e808.exe	79
PID 1176 wrote to memory of 3148	1176	194e670dffccd5785da26231d032e808.exe	79
PID 1176 wrote to memory of 3300	1176	194e670dffccd5785da26231d032e808.exe	80
PID 1176 wrote to memory of 3300	1176	194e670dffccd5785da26231d032e808.exe	80
PID 1176 wrote to memory of 3896	1176	194e670dffccd5785da26231d032e808.exe	81
PID 1176 wrote to memory of 3896	1176	194e670dffccd5785da26231d032e808.exe	81
PID 1176 wrote to memory of 3892	1176	194e670dffccd5785da26231d032e808.exe	82
PID 1176 wrote to memory of 3892	1176	194e670dffccd5785da26231d032e808.exe	82
PID 1176 wrote to memory of 3364	1176	194e670dffccd5785da26231d032e808.exe	83
PID 1176 wrote to memory of 3364	1176	194e670dffccd5785da26231d032e808.exe	83
PID 1176 wrote to memory of 3840	1176	194e670dffccd5785da26231d032e808.exe	84
PID 1176 wrote to memory of 3840	1176	194e670dffccd5785da26231d032e808.exe	84
PID 1176 wrote to memory of 3996	1176	194e670dffccd5785da26231d032e808.exe	85
PID 1176 wrote to memory of 3996	1176	194e670dffccd5785da26231d032e808.exe	85
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86
PID 1176 wrote to memory of 4112	1176	194e670dffccd5785da26231d032e808.exe	86

C:\Users\Admin\AppData\Local\Temp\194e670dffccd5785da26231d032e808.exe
"C:\Users\Admin\AppData\Local\Temp\194e670dffccd5785da26231d032e808.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:4456
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:3148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:3300
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:3896
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:3892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:3364
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:3996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:4112

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

1

T1064

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

Scripting

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1176-133-0x0000021672C00000-0x0000021672C6A000-memory.dmp

Filesize
424KB

Download
memory/1176-134-0x0000021675810000-0x0000021675D38000-memory.dmp

Filesize
5.2MB

Download
memory/1176-135-0x00000216752D0000-0x00000216752E0000-memory.dmp

Filesize
64KB

Download
memory/4112-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/4112-141-0x0000000001630000-0x0000000001639000-memory.dmp

Filesize
36KB

Download
memory/4112-142-0x0000000001650000-0x000000000165D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing