lgoogloader | 634d5e07d0d4165838809b9821aad24c2d837b304599ae21b49d48a25599972c

Analysis

max time kernel
145s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
13-07-2023 11:03

Target

tmp.exe
Size

82KB
MD5

4d9408686911e97c20712070a341fe60
SHA1

981cb7944589fc455440dcc4798051f115860403
SHA256

634d5e07d0d4165838809b9821aad24c2d837b304599ae21b49d48a25599972c
SHA512

593e757da3072935c95afcaa507accc041a05a1f0254194071d47ea8f56529bdaecf49f98b011adfa1a35319ff47b385bc5e24dc00bb8521a0d3fbe1ea4509c9
SSDEEP

1536:LmNVk0zXG4gl+aJqT7iqPFUbP/GUq/Xxp+CA/WbTp:LyW07G4glB8T77dEXGUS3+C6WbTp

Score

10^/10

Detects LgoogLoader payload 2 IoCs

resource	yara_rule
behavioral2/memory/2576-145-0x00000000025D0000-0x00000000025DD000-memory.dmp	family_lgoogloader
behavioral2/memory/2576-146-0x00000000025D0000-0x00000000025DD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 448 set thread context of 2576	448	tmp.exe	86

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
660	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	448	tmp.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86
PID 448 wrote to memory of 2576	448	tmp.exe	86

C:\Users\Admin\AppData\Local\Temp\tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:448
- C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework\v4.0.30319\CasPol.exe"
  2⤵
  PID:2576

memory/448-143-0x0000022FDBF40000-0x0000022FDBF50000-memory.dmp

Filesize
64KB

Download
memory/448-134-0x0000022FDBD60000-0x0000022FDBDD6000-memory.dmp

Filesize
472KB

Download
memory/448-135-0x00007FFDF6E00000-0x00007FFDF78C1000-memory.dmp

Filesize
10.8MB

Download
memory/448-136-0x0000022FDBF40000-0x0000022FDBF50000-memory.dmp

Filesize
64KB

Download
memory/448-137-0x0000022FC1C90000-0x0000022FC1CAE000-memory.dmp

Filesize
120KB

Download
memory/448-142-0x00007FFDF6E00000-0x00007FFDF78C1000-memory.dmp

Filesize
10.8MB

Download
memory/448-133-0x0000022FC1850000-0x0000022FC1868000-memory.dmp

Filesize
96KB

Download
memory/2576-139-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2576-140-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2576-141-0x0000000000400000-0x0000000000439000-memory.dmp

Filesize
228KB

Download
memory/2576-144-0x00000000025B0000-0x00000000025B9000-memory.dmp

Filesize
36KB

Download
memory/2576-145-0x00000000025D0000-0x00000000025DD000-memory.dmp

Filesize
52KB

Download
memory/2576-146-0x00000000025D0000-0x00000000025DD000-memory.dmp

Filesize
52KB

Download