lgoogloader | 634d5e07d0d4165838809b9821aad24c2d837b304599ae21b49d48a25599972c

Analysis

max time kernel
142s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 08:20

Target

4d9408686911e97c20712070a341fe60.exe
Size

82KB
MD5

4d9408686911e97c20712070a341fe60
SHA1

981cb7944589fc455440dcc4798051f115860403
SHA256

634d5e07d0d4165838809b9821aad24c2d837b304599ae21b49d48a25599972c
SHA512

593e757da3072935c95afcaa507accc041a05a1f0254194071d47ea8f56529bdaecf49f98b011adfa1a35319ff47b385bc5e24dc00bb8521a0d3fbe1ea4509c9
SSDEEP

1536:LmNVk0zXG4gl+aJqT7iqPFUbP/GUq/Xxp+CA/WbTp:LyW07G4glB8T77dEXGUS3+C6WbTp

Score

10^/10

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral2/memory/3696-143-0x0000000002C50000-0x0000000002C5D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3616 set thread context of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
672	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3616	4d9408686911e97c20712070a341fe60.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88
PID 3616 wrote to memory of 3696	3616	4d9408686911e97c20712070a341fe60.exe	88

C:\Users\Admin\AppData\Local\Temp\4d9408686911e97c20712070a341fe60.exe
"C:\Users\Admin\AppData\Local\Temp\4d9408686911e97c20712070a341fe60.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3616
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:3696

memory/3616-133-0x000001FC7BFA0000-0x000001FC7BFB8000-memory.dmp

Filesize
96KB

Download
memory/3616-134-0x000001FC7DD10000-0x000001FC7DD86000-memory.dmp

Filesize
472KB

Download
memory/3616-135-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/3616-136-0x000001FC7DEB0000-0x000001FC7DEC0000-memory.dmp

Filesize
64KB

Download
memory/3616-137-0x000001FC7C3C0000-0x000001FC7C3DE000-memory.dmp

Filesize
120KB

Download
memory/3616-144-0x00007FF8389D0000-0x00007FF839491000-memory.dmp

Filesize
10.8MB

Download
memory/3616-145-0x000001FC7DEB0000-0x000001FC7DEC0000-memory.dmp

Filesize
64KB

Download
memory/3696-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/3696-142-0x0000000002C30000-0x0000000002C39000-memory.dmp

Filesize
36KB

Download
memory/3696-143-0x0000000002C50000-0x0000000002C5D000-memory.dmp

Filesize
52KB

Download