lgoogloader | ae5bf7d05d5714bf2758fd5c127f405de0c02223643a22279bcbf03fb648cd2d

Analysis

max time kernel
143s
max time network
154s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
24-07-2023 15:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

79b79167999cd38863c16ba5de372081.exe
Size

539KB
MD5

79b79167999cd38863c16ba5de372081
SHA1

b3d276a972f6ed0805fe339624e68b2845d3154c
SHA256

ae5bf7d05d5714bf2758fd5c127f405de0c02223643a22279bcbf03fb648cd2d
SHA512

218275c9d88cad809c88cf36fdf750dd68e3ca7c5b6005c722be0874028ccd38728ef6ac15a4c9beef6827d2351c50ff9aa7ffe00cf6435f33b5f598ffd5ff11
SSDEEP

12288:4IgQ0KaWFEEHXSz/yUToiGBYn4sBcL005M14p0UgQkDbm7PH/:4IgLK1FqnToiUYn4s0Sg0UsDbg//

Score

10^/10

lgoogloader downloader

Malware Config

Signatures

Detects LgoogLoader payload 2 IoCs

resource	yara_rule
behavioral2/memory/5072-146-0x0000000000EB0000-0x0000000000EBD000-memory.dmp	family_lgoogloader
behavioral2/memory/5072-147-0x0000000000EB0000-0x0000000000EBD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 3320 set thread context of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97

Suspicious behavior: EnumeratesProcesses 24 IoCs

pid	Process
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe
3320	79b79167999cd38863c16ba5de372081.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3320	79b79167999cd38863c16ba5de372081.exe

Suspicious use of WriteProcessMemory 34 IoCs

description	pid	Process	procid_target
PID 3320 wrote to memory of 1844	3320	79b79167999cd38863c16ba5de372081.exe	85
PID 3320 wrote to memory of 1844	3320	79b79167999cd38863c16ba5de372081.exe	85
PID 3320 wrote to memory of 4356	3320	79b79167999cd38863c16ba5de372081.exe	86
PID 3320 wrote to memory of 4356	3320	79b79167999cd38863c16ba5de372081.exe	86
PID 3320 wrote to memory of 4432	3320	79b79167999cd38863c16ba5de372081.exe	87
PID 3320 wrote to memory of 4432	3320	79b79167999cd38863c16ba5de372081.exe	87
PID 3320 wrote to memory of 1496	3320	79b79167999cd38863c16ba5de372081.exe	88
PID 3320 wrote to memory of 1496	3320	79b79167999cd38863c16ba5de372081.exe	88
PID 3320 wrote to memory of 5056	3320	79b79167999cd38863c16ba5de372081.exe	89
PID 3320 wrote to memory of 5056	3320	79b79167999cd38863c16ba5de372081.exe	89
PID 3320 wrote to memory of 1736	3320	79b79167999cd38863c16ba5de372081.exe	90
PID 3320 wrote to memory of 1736	3320	79b79167999cd38863c16ba5de372081.exe	90
PID 3320 wrote to memory of 1900	3320	79b79167999cd38863c16ba5de372081.exe	91
PID 3320 wrote to memory of 1900	3320	79b79167999cd38863c16ba5de372081.exe	91
PID 3320 wrote to memory of 4316	3320	79b79167999cd38863c16ba5de372081.exe	92
PID 3320 wrote to memory of 4316	3320	79b79167999cd38863c16ba5de372081.exe	92
PID 3320 wrote to memory of 1488	3320	79b79167999cd38863c16ba5de372081.exe	93
PID 3320 wrote to memory of 1488	3320	79b79167999cd38863c16ba5de372081.exe	93
PID 3320 wrote to memory of 860	3320	79b79167999cd38863c16ba5de372081.exe	94
PID 3320 wrote to memory of 860	3320	79b79167999cd38863c16ba5de372081.exe	94
PID 3320 wrote to memory of 1836	3320	79b79167999cd38863c16ba5de372081.exe	95
PID 3320 wrote to memory of 1836	3320	79b79167999cd38863c16ba5de372081.exe	95
PID 3320 wrote to memory of 3048	3320	79b79167999cd38863c16ba5de372081.exe	96
PID 3320 wrote to memory of 3048	3320	79b79167999cd38863c16ba5de372081.exe	96
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97
PID 3320 wrote to memory of 5072	3320	79b79167999cd38863c16ba5de372081.exe	97

C:\Users\Admin\AppData\Local\Temp\79b79167999cd38863c16ba5de372081.exe
"C:\Users\Admin\AppData\Local\Temp\79b79167999cd38863c16ba5de372081.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:1844
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:4356
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:4432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.exe"
  2⤵
  PID:1496
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:5056
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
  2⤵
  PID:1736
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
  2⤵
  PID:1900
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:4316
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:1488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:860
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:1836
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:3048
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess32.exe"
  2⤵
  PID:5072

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3320-136-0x00000211A2340000-0x00000211A23CA000-memory.dmp

Filesize
552KB

Download
memory/3320-137-0x00007FFC361D0000-0x00007FFC36C91000-memory.dmp

Filesize
10.8MB

Download
memory/3320-138-0x00000211BC950000-0x00000211BC960000-memory.dmp

Filesize
64KB

Download
memory/3320-139-0x00000211BC930000-0x00000211BC94A000-memory.dmp

Filesize
104KB

Download
memory/3320-142-0x00007FFC361D0000-0x00007FFC36C91000-memory.dmp

Filesize
10.8MB

Download
memory/5072-140-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-144-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/5072-145-0x0000000000A70000-0x0000000000A79000-memory.dmp

Filesize
36KB

Download
memory/5072-146-0x0000000000EB0000-0x0000000000EBD000-memory.dmp

Filesize
52KB

Download
memory/5072-147-0x0000000000EB0000-0x0000000000EBD000-memory.dmp

Filesize
52KB

Download