lgoogloader | de823b703cefdd77b5acbe06b19e8d0f844d0930f9c3609237d1fbd15a73c9cc

Analysis

max time kernel
141s
max time network
146s
platform
windows10-2004_x64
resource
win10v2004-20230703-en
resource tags

arch:x64arch:x86image:win10v2004-20230703-enlocale:en-usos:windows10-2004-x64system
submitted
28-07-2023 07:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b4fd2f6ea8eb477d5a35414f7c196719.exe
Size

533KB
MD5

b4fd2f6ea8eb477d5a35414f7c196719
SHA1

061cad3050117c5956b4b701e5f6e396aa696067
SHA256

de823b703cefdd77b5acbe06b19e8d0f844d0930f9c3609237d1fbd15a73c9cc
SHA512

1745b469d67cd7f89c2496728ebfeecb6a32dae01549d0918027b30ddf325cc9eec11d671cfe6931ddf9b73af80f92262856b1a55bf8b01d2c22e5e7163da500
SSDEEP

12288:uVIjEbiFS+LbnoBnQqmi8feE0H/7v6r13BnbNxk+4ivuqY4J4:uVIjEWFS+LbKQq9dJORRAcbY+4

Score

10^/10

lgoogloader downloader

Malware Config

Signatures

Detects LgoogLoader payload 2 IoCs

resource	yara_rule
behavioral2/memory/1356-146-0x00000000015D0000-0x00000000015DD000-memory.dmp	family_lgoogloader
behavioral2/memory/1356-147-0x00000000015D0000-0x00000000015DD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2008 set thread context of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe
2008	b4fd2f6ea8eb477d5a35414f7c196719.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe

Suspicious use of WriteProcessMemory 42 IoCs

description	pid	Process	procid_target
PID 2008 wrote to memory of 2332	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	84
PID 2008 wrote to memory of 2332	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	84
PID 2008 wrote to memory of 1428	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	85
PID 2008 wrote to memory of 1428	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	85
PID 2008 wrote to memory of 2160	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	86
PID 2008 wrote to memory of 2160	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	86
PID 2008 wrote to memory of 4464	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	87
PID 2008 wrote to memory of 4464	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	87
PID 2008 wrote to memory of 2320	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	88
PID 2008 wrote to memory of 2320	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	88
PID 2008 wrote to memory of 2444	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	89
PID 2008 wrote to memory of 2444	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	89
PID 2008 wrote to memory of 4288	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	90
PID 2008 wrote to memory of 4288	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	90
PID 2008 wrote to memory of 5088	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	91
PID 2008 wrote to memory of 5088	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	91
PID 2008 wrote to memory of 4488	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	92
PID 2008 wrote to memory of 4488	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	92
PID 2008 wrote to memory of 4704	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	94
PID 2008 wrote to memory of 4704	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	94
PID 2008 wrote to memory of 3400	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	95
PID 2008 wrote to memory of 3400	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	95
PID 2008 wrote to memory of 2460	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	96
PID 2008 wrote to memory of 2460	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	96
PID 2008 wrote to memory of 4248	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	97
PID 2008 wrote to memory of 4248	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	97
PID 2008 wrote to memory of 3432	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	98
PID 2008 wrote to memory of 3432	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	98
PID 2008 wrote to memory of 428	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	99
PID 2008 wrote to memory of 428	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	99
PID 2008 wrote to memory of 3344	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	100
PID 2008 wrote to memory of 3344	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	100
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101
PID 2008 wrote to memory of 1356	2008	b4fd2f6ea8eb477d5a35414f7c196719.exe	101

C:\Users\Admin\AppData\Local\Temp\b4fd2f6ea8eb477d5a35414f7c196719.exe
"C:\Users\Admin\AppData\Local\Temp\b4fd2f6ea8eb477d5a35414f7c196719.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2008
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:2332
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:1428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:2160
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_state.exe"
  2⤵
  PID:4464
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:2320
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ServiceModelReg.exe"
  2⤵
  PID:2444
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_compiler.exe"
  2⤵
  PID:4288
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\SMSvcHost.exe"
  2⤵
  PID:5088
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\MSBuild.exe"
  2⤵
  PID:4488
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe"
  2⤵
  PID:4704
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\EdmGen.exe"
  2⤵
  PID:3400
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegSvcs.exe"
  2⤵
  PID:2460
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\DataSvcUtil.exe"
  2⤵
  PID:4248
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\cvtres.exe"
  2⤵
  PID:3432
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:428
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\Microsoft.Workflow.Compiler.exe"
  2⤵
  PID:3344
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  PID:1356

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scripting

T1064

Persistence

Privilege Escalation

Defense Evasion

Scripting

T1064

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1356-139-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-141-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-143-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1356-145-0x00000000015B0000-0x00000000015B9000-memory.dmp

Filesize
36KB

Download
memory/1356-146-0x00000000015D0000-0x00000000015DD000-memory.dmp

Filesize
52KB

Download
memory/1356-147-0x00000000015D0000-0x00000000015DD000-memory.dmp

Filesize
52KB

Download
memory/2008-133-0x00000265E0C20000-0x00000265E0CAA000-memory.dmp

Filesize
552KB

Download
memory/2008-135-0x00007FF852B00000-0x00007FF8535C1000-memory.dmp

Filesize
10.8MB

Download
memory/2008-136-0x00007FF85D780000-0x00007FF85D799000-memory.dmp

Filesize
100KB

Download
memory/2008-137-0x00000265FB4B0000-0x00000265FB4C0000-memory.dmp

Filesize
64KB

Download
memory/2008-142-0x00007FF85D780000-0x00007FF85D799000-memory.dmp

Filesize
100KB

Download
memory/2008-144-0x00007FF852B00000-0x00007FF8535C1000-memory.dmp

Filesize
10.8MB

Download