lgoogloader | ae5bf7d05d5714bf2758fd5c127f405de0c02223643a22279bcbf03fb648cd2d

General

Target

79b79167999cd38863c16ba5de372081.exe
Size

539KB
MD5

79b79167999cd38863c16ba5de372081
SHA1

b3d276a972f6ed0805fe339624e68b2845d3154c
SHA256

ae5bf7d05d5714bf2758fd5c127f405de0c02223643a22279bcbf03fb648cd2d
SHA512

218275c9d88cad809c88cf36fdf750dd68e3ca7c5b6005c722be0874028ccd38728ef6ac15a4c9beef6827d2351c50ff9aa7ffe00cf6435f33b5f598ffd5ff11
SSDEEP

12288:4IgQ0KaWFEEHXSz/yUToiGBYn4sBcL005M14p0UgQkDbm7PH/:4IgLK1FqnToiUYn4s0Sg0UsDbg//

Score

10^/10

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2628-65-0x0000000000130000-0x000000000013D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2800 set thread context of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe
2800	79b79167999cd38863c16ba5de372081.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2800	79b79167999cd38863c16ba5de372081.exe

Suspicious use of WriteProcessMemory 26 IoCs

description	pid	Process	procid_target
PID 2800 wrote to memory of 2388	2800	79b79167999cd38863c16ba5de372081.exe	28
PID 2800 wrote to memory of 2388	2800	79b79167999cd38863c16ba5de372081.exe	28
PID 2800 wrote to memory of 2388	2800	79b79167999cd38863c16ba5de372081.exe	28
PID 2800 wrote to memory of 2404	2800	79b79167999cd38863c16ba5de372081.exe	29
PID 2800 wrote to memory of 2404	2800	79b79167999cd38863c16ba5de372081.exe	29
PID 2800 wrote to memory of 2404	2800	79b79167999cd38863c16ba5de372081.exe	29
PID 2800 wrote to memory of 2424	2800	79b79167999cd38863c16ba5de372081.exe	30
PID 2800 wrote to memory of 2424	2800	79b79167999cd38863c16ba5de372081.exe	30
PID 2800 wrote to memory of 2424	2800	79b79167999cd38863c16ba5de372081.exe	30
PID 2800 wrote to memory of 1132	2800	79b79167999cd38863c16ba5de372081.exe	31
PID 2800 wrote to memory of 1132	2800	79b79167999cd38863c16ba5de372081.exe	31
PID 2800 wrote to memory of 1132	2800	79b79167999cd38863c16ba5de372081.exe	31
PID 2800 wrote to memory of 1844	2800	79b79167999cd38863c16ba5de372081.exe	32
PID 2800 wrote to memory of 1844	2800	79b79167999cd38863c16ba5de372081.exe	32
PID 2800 wrote to memory of 1844	2800	79b79167999cd38863c16ba5de372081.exe	32
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33
PID 2800 wrote to memory of 2628	2800	79b79167999cd38863c16ba5de372081.exe	33

C:\Users\Admin\AppData\Local\Temp\79b79167999cd38863c16ba5de372081.exe
"C:\Users\Admin\AppData\Local\Temp\79b79167999cd38863c16ba5de372081.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:2388
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:2404
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:2424
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:1132
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\regtlibv12.exe"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:2628

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2628-60-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-62-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2628-64-0x0000000000100000-0x0000000000109000-memory.dmp

Filesize
36KB

Download
memory/2628-65-0x0000000000130000-0x000000000013D000-memory.dmp

Filesize
52KB

Download
memory/2800-54-0x0000000000110000-0x000000000019A000-memory.dmp

Filesize
552KB

Download
memory/2800-55-0x000007FEF5510000-0x000007FEF5EFC000-memory.dmp

Filesize
9.9MB

Download
memory/2800-56-0x000000001AE60000-0x000000001AEE0000-memory.dmp

Filesize
512KB

Download
memory/2800-57-0x0000000000500000-0x0000000000508000-memory.dmp

Filesize
32KB

Download
memory/2800-58-0x00000000006B0000-0x00000000006CA000-memory.dmp

Filesize
104KB

Download
memory/2800-59-0x000000001B1C0000-0x000000001B242000-memory.dmp

Filesize
520KB

Download
memory/2800-63-0x000007FEF5510000-0x000007FEF5EFC000-memory.dmp

Filesize
9.9MB

Download

Analysis

Sharing