lgoogloader | 634d5e07d0d4165838809b9821aad24c2d837b304599ae21b49d48a25599972c

Analysis

max time kernel
122s
max time network
128s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
13-07-2023 11:03

Target

tmp.exe
Size

82KB
MD5

4d9408686911e97c20712070a341fe60
SHA1

981cb7944589fc455440dcc4798051f115860403
SHA256

634d5e07d0d4165838809b9821aad24c2d837b304599ae21b49d48a25599972c
SHA512

593e757da3072935c95afcaa507accc041a05a1f0254194071d47ea8f56529bdaecf49f98b011adfa1a35319ff47b385bc5e24dc00bb8521a0d3fbe1ea4509c9
SSDEEP

1536:LmNVk0zXG4gl+aJqT7iqPFUbP/GUq/Xxp+CA/WbTp:LyW07G4glB8T77dEXGUS3+C6WbTp

Score

10^/10

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/864-63-0x0000000000250000-0x000000000025D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2260 set thread context of 864	2260	tmp.exe	28

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
464	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2260	tmp.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28
PID 2260 wrote to memory of 864	2260	tmp.exe	28

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2260
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:864

memory/864-59-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/864-61-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/864-63-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/864-62-0x0000000000230000-0x0000000000239000-memory.dmp

Filesize
36KB

Download
memory/864-65-0x0000000000250000-0x000000000025D000-memory.dmp

Filesize
52KB

Download
memory/2260-54-0x0000000000BE0000-0x0000000000BF8000-memory.dmp

Filesize
96KB

Download
memory/2260-55-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download
memory/2260-56-0x000000001B250000-0x000000001B2D0000-memory.dmp

Filesize
512KB

Download
memory/2260-57-0x0000000000B50000-0x0000000000BD2000-memory.dmp

Filesize
520KB

Download
memory/2260-64-0x000007FEF5E90000-0x000007FEF687C000-memory.dmp

Filesize
9.9MB

Download