lgoogloader | def47cbe5de9b42a8024427f3183ed92d42aea9dffb1ed8b0aa8fd49d26fa26e

Analysis

max time kernel
84s
max time network
143s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
12-06-2023 11:20

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3dea18962bbc54787a0715e84b9d463a.exe
Size

402KB
MD5

3dea18962bbc54787a0715e84b9d463a
SHA1

111a364cab17d093538d1f35e99bef22b034eb73
SHA256

def47cbe5de9b42a8024427f3183ed92d42aea9dffb1ed8b0aa8fd49d26fa26e
SHA512

1367ef4488c7b298e108d04317261b867cde43050af240217714ac49b8c41f63c4e26201a6b892c76175d34304c838169d4e2f737b545211bc2841371783c25b
SSDEEP

3072:FDeHrC2edASgrXx0ooARRMkAHFIxobrvZkJv6SjaFvVmuLyRpPS68urGh3Lzs/v6:tx2egmooARiXCFT2Fp6SQaofZA9

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/1120-142-0x0000000001190000-0x000000000119D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	3dea18962bbc54787a0715e84b9d463a.exe

Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1764 set thread context of 1120	1764	3dea18962bbc54787a0715e84b9d463a.exe	113

Suspicious behavior: EnumeratesProcesses 60 IoCs

pid	Process
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe
1764	3dea18962bbc54787a0715e84b9d463a.exe

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
1764	3dea18962bbc54787a0715e84b9d463a.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1764	3dea18962bbc54787a0715e84b9d463a.exe
Token: SeDebugPrivilege	1764	3dea18962bbc54787a0715e84b9d463a.exe
Token: SeLoadDriverPrivilege	1764	3dea18962bbc54787a0715e84b9d463a.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2144	1764	3dea18962bbc54787a0715e84b9d463a.exe	83
PID 1764 wrote to memory of 2144	1764	3dea18962bbc54787a0715e84b9d463a.exe	83
PID 1764 wrote to memory of 4820	1764	3dea18962bbc54787a0715e84b9d463a.exe	84
PID 1764 wrote to memory of 4820	1764	3dea18962bbc54787a0715e84b9d463a.exe	84
PID 1764 wrote to memory of 2316	1764	3dea18962bbc54787a0715e84b9d463a.exe	85
PID 1764 wrote to memory of 2316	1764	3dea18962bbc54787a0715e84b9d463a.exe	85
PID 1764 wrote to memory of 2780	1764	3dea18962bbc54787a0715e84b9d463a.exe	86
PID 1764 wrote to memory of 2780	1764	3dea18962bbc54787a0715e84b9d463a.exe	86
PID 1764 wrote to memory of 1992	1764	3dea18962bbc54787a0715e84b9d463a.exe	87
PID 1764 wrote to memory of 1992	1764	3dea18962bbc54787a0715e84b9d463a.exe	87
PID 1764 wrote to memory of 2020	1764	3dea18962bbc54787a0715e84b9d463a.exe	88
PID 1764 wrote to memory of 2020	1764	3dea18962bbc54787a0715e84b9d463a.exe	88
PID 1764 wrote to memory of 4448	1764	3dea18962bbc54787a0715e84b9d463a.exe	89
PID 1764 wrote to memory of 4448	1764	3dea18962bbc54787a0715e84b9d463a.exe	89
PID 1764 wrote to memory of 4772	1764	3dea18962bbc54787a0715e84b9d463a.exe	90
PID 1764 wrote to memory of 4772	1764	3dea18962bbc54787a0715e84b9d463a.exe	90
PID 1764 wrote to memory of 768	1764	3dea18962bbc54787a0715e84b9d463a.exe	91
PID 1764 wrote to memory of 768	1764	3dea18962bbc54787a0715e84b9d463a.exe	91
PID 1764 wrote to memory of 1884	1764	3dea18962bbc54787a0715e84b9d463a.exe	92
PID 1764 wrote to memory of 1884	1764	3dea18962bbc54787a0715e84b9d463a.exe	92
PID 1764 wrote to memory of 2008	1764	3dea18962bbc54787a0715e84b9d463a.exe	94
PID 1764 wrote to memory of 2008	1764	3dea18962bbc54787a0715e84b9d463a.exe	94
PID 1764 wrote to memory of 2692	1764	3dea18962bbc54787a0715e84b9d463a.exe	93
PID 1764 wrote to memory of 2692	1764	3dea18962bbc54787a0715e84b9d463a.exe	93
PID 1764 wrote to memory of 1648	1764	3dea18962bbc54787a0715e84b9d463a.exe	95
PID 1764 wrote to memory of 1648	1764	3dea18962bbc54787a0715e84b9d463a.exe	95
PID 1764 wrote to memory of 1468	1764	3dea18962bbc54787a0715e84b9d463a.exe	96
PID 1764 wrote to memory of 1468	1764	3dea18962bbc54787a0715e84b9d463a.exe	96
PID 1764 wrote to memory of 4996	1764	3dea18962bbc54787a0715e84b9d463a.exe	97
PID 1764 wrote to memory of 4996	1764	3dea18962bbc54787a0715e84b9d463a.exe	97
PID 1764 wrote to memory of 4840	1764	3dea18962bbc54787a0715e84b9d463a.exe	98
PID 1764 wrote to memory of 4840	1764	3dea18962bbc54787a0715e84b9d463a.exe	98
PID 1764 wrote to memory of 3436	1764	3dea18962bbc54787a0715e84b9d463a.exe	99
PID 1764 wrote to memory of 3436	1764	3dea18962bbc54787a0715e84b9d463a.exe	99
PID 1764 wrote to memory of 3764	1764	3dea18962bbc54787a0715e84b9d463a.exe	100
PID 1764 wrote to memory of 3764	1764	3dea18962bbc54787a0715e84b9d463a.exe	100
PID 1764 wrote to memory of 1892	1764	3dea18962bbc54787a0715e84b9d463a.exe	101
PID 1764 wrote to memory of 1892	1764	3dea18962bbc54787a0715e84b9d463a.exe	101
PID 1764 wrote to memory of 1828	1764	3dea18962bbc54787a0715e84b9d463a.exe	102
PID 1764 wrote to memory of 1828	1764	3dea18962bbc54787a0715e84b9d463a.exe	102
PID 1764 wrote to memory of 5036	1764	3dea18962bbc54787a0715e84b9d463a.exe	103
PID 1764 wrote to memory of 5036	1764	3dea18962bbc54787a0715e84b9d463a.exe	103
PID 1764 wrote to memory of 5036	1764	3dea18962bbc54787a0715e84b9d463a.exe	103
PID 1764 wrote to memory of 4352	1764	3dea18962bbc54787a0715e84b9d463a.exe	104
PID 1764 wrote to memory of 4352	1764	3dea18962bbc54787a0715e84b9d463a.exe	104
PID 1764 wrote to memory of 5044	1764	3dea18962bbc54787a0715e84b9d463a.exe	105
PID 1764 wrote to memory of 5044	1764	3dea18962bbc54787a0715e84b9d463a.exe	105
PID 1764 wrote to memory of 5032	1764	3dea18962bbc54787a0715e84b9d463a.exe	106
PID 1764 wrote to memory of 5032	1764	3dea18962bbc54787a0715e84b9d463a.exe	106
PID 1764 wrote to memory of 3472	1764	3dea18962bbc54787a0715e84b9d463a.exe	107
PID 1764 wrote to memory of 3472	1764	3dea18962bbc54787a0715e84b9d463a.exe	107
PID 1764 wrote to memory of 5000	1764	3dea18962bbc54787a0715e84b9d463a.exe	108
PID 1764 wrote to memory of 5000	1764	3dea18962bbc54787a0715e84b9d463a.exe	108
PID 1764 wrote to memory of 3012	1764	3dea18962bbc54787a0715e84b9d463a.exe	109
PID 1764 wrote to memory of 3012	1764	3dea18962bbc54787a0715e84b9d463a.exe	109
PID 1764 wrote to memory of 3524	1764	3dea18962bbc54787a0715e84b9d463a.exe	110
PID 1764 wrote to memory of 3524	1764	3dea18962bbc54787a0715e84b9d463a.exe	110
PID 1764 wrote to memory of 4408	1764	3dea18962bbc54787a0715e84b9d463a.exe	111
PID 1764 wrote to memory of 4408	1764	3dea18962bbc54787a0715e84b9d463a.exe	111
PID 1764 wrote to memory of 3288	1764	3dea18962bbc54787a0715e84b9d463a.exe	112
PID 1764 wrote to memory of 3288	1764	3dea18962bbc54787a0715e84b9d463a.exe	112
PID 1764 wrote to memory of 1120	1764	3dea18962bbc54787a0715e84b9d463a.exe	113
PID 1764 wrote to memory of 1120	1764	3dea18962bbc54787a0715e84b9d463a.exe	113
PID 1764 wrote to memory of 1120	1764	3dea18962bbc54787a0715e84b9d463a.exe	113

C:\Users\Admin\AppData\Local\Temp\3dea18962bbc54787a0715e84b9d463a.exe
"C:\Users\Admin\AppData\Local\Temp\3dea18962bbc54787a0715e84b9d463a.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:2144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:4820
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:2316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:2780
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:1992
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:2020
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:4448
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
  2⤵
  PID:4772
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:768
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
  2⤵
  PID:1884
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regbrowsers.exe"
  2⤵
  PID:2692
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:1648
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:1468
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4996
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:4840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:3436
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:3764
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:1892
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:1828
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:5036
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:4352
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:5044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:5032
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:3472
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
  2⤵
  PID:5000
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3012
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
  2⤵
  PID:3524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:4408
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:3288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:1120

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scripting

T1064

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1120-137-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1120-141-0x0000000000C60000-0x0000000000C69000-memory.dmp

Filesize
36KB

Download
memory/1120-142-0x0000000001190000-0x000000000119D000-memory.dmp

Filesize
52KB

Download
memory/1764-133-0x000001AF99160000-0x000001AF991C8000-memory.dmp

Filesize
416KB

Download
memory/1764-134-0x000001AFB35E0000-0x000001AFB35F0000-memory.dmp

Filesize
64KB

Download
memory/1764-135-0x000001AFB3B20000-0x000001AFB4048000-memory.dmp

Filesize
5.2MB

Download