Overview

overview

10

Static

static

3

file.exe

windows7-x64

5

file.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    143s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230703-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-07-2023 09:03

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    file.exe

  • Size

    561KB

  • MD5

    651230dae2c0dc316d24bcf5d999c001

  • SHA1

    7e76383fa315e43e54e1f25ae4d72d550e208127

  • SHA256

    fb5e26fb2c6209e4ec7ff82659fbdb03e68fe1adf088166cea4dc479af5ba151

  • SHA512

    02c1f4bff17d72fccf04e3f21be9a5a387d43715780b985922032f3a656cc5ff233d40be9ff39449604cf47e41d33e273a4bd21b3042e1513b971339d1c11a62

  • SSDEEP

    12288:41CCeUe/mB0Km1Tqy/y7R2upCFmg58ROh9YG2m7PHY:47eHmB0Km1Jy7RF8yRS9z2g/Y

Score
10/10
lgoogloaderdownloader

Malware Config

Signatures

  • Detects LgoogLoader payload 2 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • Uses the VBS compiler for execution 1 TTPs
  • Suspicious use of SetThreadContext 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 29 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 39 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\file.exe
    "C:\Users\Admin\AppData\Local\Temp\file.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:980
    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe
      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\WsatConfig.exe"
      2⤵
        PID:1180
      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
        2⤵
          PID:3892
        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe
          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ComSvcConfig.exe"
          2⤵
            PID:1984
          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
            2⤵
              PID:3752
            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
              2⤵
                PID:3880
              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe
                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AppLaunch.exe"
                2⤵
                  PID:2968
                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
                  2⤵
                    PID:3696
                  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe
                    "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regiis.exe"
                    2⤵
                      PID:4732
                    • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe
                      "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\InstallUtil.exe"
                      2⤵
                        PID:2984
                      • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
                        "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
                        2⤵
                          PID:1252
                        • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
                          "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
                          2⤵
                            PID:4280
                          • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
                            "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
                            2⤵
                              PID:1520
                            • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
                              "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
                              2⤵
                                PID:4148
                              • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe
                                "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInUtil.exe"
                                2⤵
                                  PID:1828
                                • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
                                  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
                                  2⤵
                                    PID:1212

                                Network

                                MITRE ATT&CK Enterprise v15

                                Replay Monitor

                                Loading Replay Monitor...

                                Downloads

                                • memory/980-136-0x0000022EF9C10000-0x0000022EF9CA0000-memory.dmp

                                  Filesize

                                  576KB

                                  Download

                                • memory/980-137-0x0000022EFBA70000-0x0000022EFBA8A000-memory.dmp

                                  Filesize

                                  104KB

                                  Download

                                • memory/980-138-0x00007FFBF5DF0000-0x00007FFBF68B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/980-139-0x0000022EFBB30000-0x0000022EFBB40000-memory.dmp

                                  Filesize

                                  64KB

                                  Download

                                • memory/980-143-0x00007FFBF5DF0000-0x00007FFBF68B1000-memory.dmp

                                  Filesize

                                  10.8MB

                                  Download

                                • memory/1212-140-0x0000000000400000-0x000000000043E000-memory.dmp

                                  Filesize

                                  248KB

                                  Download

                                • memory/1212-142-0x0000000000400000-0x000000000043E000-memory.dmp

                                  Filesize

                                  248KB

                                  Download

                                • memory/1212-144-0x0000000000400000-0x000000000043E000-memory.dmp

                                  Filesize

                                  248KB

                                  Download

                                • memory/1212-145-0x0000000000960000-0x0000000000969000-memory.dmp

                                  Filesize

                                  36KB

                                  Download

                                • memory/1212-146-0x0000000000980000-0x000000000098D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download

                                • memory/1212-147-0x0000000000980000-0x000000000098D000-memory.dmp

                                  Filesize

                                  52KB

                                  Download