lgoogloader | 588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2

Resubmissions

30-08-2023 08:39

230830-kkpstsdg7v 10

28-09-2022 16:23

220928-tv38msged4 8

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20230712-en
resource tags

arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
submitted
30-08-2023 08:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

61fc044a34211_Thu167fb182622.exe
Size

879KB
MD5

cc722fd0bd387cf472350dc2dd7ddd1e
SHA1

49d288ddbb09265a586dd8d6629c130be7063afa
SHA256

588a87d450987dfb3a72361c012b36285a5b3087cc8c282b6f2de46ae95291f2
SHA512

893375a8816bc333a9521b50d26b4018d1a3181b502dac73cef3357755651d833744a42bfd7f2daeb6e15d420600b91cdb910a0a1fb1a28d5012697a1f92733b
SSDEEP

24576:S88Sk1iPd8yvsuKbzMBpyZELPSqEZU9g+Aua:xlWiFxEuKbooZyPSqEZU9g7

Score

10^/10

lgoogloader downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 1 IoCs

resource	yara_rule
behavioral1/memory/2728-29-0x0000000000570000-0x000000000057D000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Executes dropped EXE 3 IoCs

pid	Process
2912	Sul.exe.pif
2824	Sul.exe.pif
2728	Sul.exe.pif

Loads dropped DLL 3 IoCs

pid	Process
2520	cmd.exe
2912	Sul.exe.pif
2824	Sul.exe.pif

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\QWE00000.gol\\\""	61fc044a34211_Thu167fb182622.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2824 set thread context of 2728	2824	Sul.exe.pif	39

Enumerates processes with tasklist 1 TTPs 1 IoCs

Process Discovery

T1057

pid	Process
2028	tasklist.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2028	tasklist.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2912	Sul.exe.pif
2912	Sul.exe.pif
2912	Sul.exe.pif
2824	Sul.exe.pif
2824	Sul.exe.pif
2824	Sul.exe.pif

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
2912	Sul.exe.pif
2912	Sul.exe.pif
2912	Sul.exe.pif
2824	Sul.exe.pif
2824	Sul.exe.pif
2824	Sul.exe.pif

Suspicious use of WriteProcessMemory 45 IoCs

description	pid	Process	procid_target
PID 2212 wrote to memory of 2448	2212	61fc044a34211_Thu167fb182622.exe	28
PID 2212 wrote to memory of 2448	2212	61fc044a34211_Thu167fb182622.exe	28
PID 2212 wrote to memory of 2448	2212	61fc044a34211_Thu167fb182622.exe	28
PID 2212 wrote to memory of 2448	2212	61fc044a34211_Thu167fb182622.exe	28
PID 2448 wrote to memory of 2520	2448	cmd.exe	30
PID 2448 wrote to memory of 2520	2448	cmd.exe	30
PID 2448 wrote to memory of 2520	2448	cmd.exe	30
PID 2448 wrote to memory of 2520	2448	cmd.exe	30
PID 2520 wrote to memory of 2028	2520	cmd.exe	31
PID 2520 wrote to memory of 2028	2520	cmd.exe	31
PID 2520 wrote to memory of 2028	2520	cmd.exe	31
PID 2520 wrote to memory of 2028	2520	cmd.exe	31
PID 2520 wrote to memory of 2020	2520	cmd.exe	32
PID 2520 wrote to memory of 2020	2520	cmd.exe	32
PID 2520 wrote to memory of 2020	2520	cmd.exe	32
PID 2520 wrote to memory of 2020	2520	cmd.exe	32
PID 2520 wrote to memory of 2832	2520	cmd.exe	34
PID 2520 wrote to memory of 2832	2520	cmd.exe	34
PID 2520 wrote to memory of 2832	2520	cmd.exe	34
PID 2520 wrote to memory of 2832	2520	cmd.exe	34
PID 2520 wrote to memory of 2912	2520	cmd.exe	35
PID 2520 wrote to memory of 2912	2520	cmd.exe	35
PID 2520 wrote to memory of 2912	2520	cmd.exe	35
PID 2520 wrote to memory of 2912	2520	cmd.exe	35
PID 2520 wrote to memory of 3064	2520	cmd.exe	36
PID 2520 wrote to memory of 3064	2520	cmd.exe	36
PID 2520 wrote to memory of 3064	2520	cmd.exe	36
PID 2520 wrote to memory of 3064	2520	cmd.exe	36
PID 2912 wrote to memory of 2824	2912	Sul.exe.pif	37
PID 2912 wrote to memory of 2824	2912	Sul.exe.pif	37
PID 2912 wrote to memory of 2824	2912	Sul.exe.pif	37
PID 2912 wrote to memory of 2824	2912	Sul.exe.pif	37
PID 2212 wrote to memory of 2852	2212	61fc044a34211_Thu167fb182622.exe	38
PID 2212 wrote to memory of 2852	2212	61fc044a34211_Thu167fb182622.exe	38
PID 2212 wrote to memory of 2852	2212	61fc044a34211_Thu167fb182622.exe	38
PID 2212 wrote to memory of 2852	2212	61fc044a34211_Thu167fb182622.exe	38
PID 2212 wrote to memory of 2852	2212	61fc044a34211_Thu167fb182622.exe	38
PID 2212 wrote to memory of 2852	2212	61fc044a34211_Thu167fb182622.exe	38
PID 2212 wrote to memory of 2852	2212	61fc044a34211_Thu167fb182622.exe	38
PID 2824 wrote to memory of 2728	2824	Sul.exe.pif	39
PID 2824 wrote to memory of 2728	2824	Sul.exe.pif	39
PID 2824 wrote to memory of 2728	2824	Sul.exe.pif	39
PID 2824 wrote to memory of 2728	2824	Sul.exe.pif	39
PID 2824 wrote to memory of 2728	2824	Sul.exe.pif	39
PID 2824 wrote to memory of 2728	2824	Sul.exe.pif	39

C:\Users\Admin\AppData\Local\Temp\61fc044a34211_Thu167fb182622.exe
"C:\Users\Admin\AppData\Local\Temp\61fc044a34211_Thu167fb182622.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:2212
- C:\Windows\SysWOW64\cmd.exe
  cmd /c cmd < Esistenza.wbk
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2448
- - C:\Windows\SysWOW64\cmd.exe
    cmd
    3⤵
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2520
  - - C:\Windows\SysWOW64\tasklist.exe
      tasklist /FI "imagename eq BullGuardCore.exe"
      4⤵
      Enumerates processes with tasklist
      Suspicious use of AdjustPrivilegeToken
      PID:2028
  - - C:\Windows\SysWOW64\find.exe
      find /I /N "bullguardcore.exe"
      4⤵
      PID:2020
  - - C:\Windows\SysWOW64\findstr.exe
      findstr /V /R "^tDPdzRbUMNXkpbEMSMKZXPerlnGmckXJGXqJvnomwNbPoElbkyeDIDcfALyUkXmAQhFkvUdzDkXpshUFgogfpxwrCLpKzhhtgXYVZZwdO$" Impaziente.wbk
      4⤵
      PID:2832
  - - C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
      Sul.exe.pif J
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of FindShellTrayWindow
      Suspicious use of SendNotifyMessage
      Suspicious use of WriteProcessMemory
      PID:2912
    - - C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif J
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        Suspicious use of FindShellTrayWindow
        Suspicious use of SendNotifyMessage
        Suspicious use of WriteProcessMemory
        
        PID:2824
      - C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
        
        C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif
        6⤵
        Executes dropped EXE
        
        PID:2728
  - - C:\Windows\SysWOW64\waitfor.exe
      waitfor /t 10 citDNEKXehVmhlzMlgdNbKGouCJxkZjiUQRiy
      4⤵
      PID:3064
- C:\Windows\SysWOW64\rundll32.exe
  rundll32
  2⤵
  PID:2852

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Esistenza.wbk

Filesize
620B

MD5
b2a2f85b4201446b23a250f68051b4dc

SHA1
8fc39fbfb341e55a6fda1ef3e0cfd25b2b8fdba5

SHA256
910165a85877eca36cb0e43aac5a42b643627aa7de90676cbdefcbf32fba4ade

SHA512
188b1ec9f2be6994de6e74f2385b3e0849968324cca1787b237d4eef381c9ffadc2c34c3f3131026d0ec1f89da6563455fe3f3d315d7d4673d303c38b2d0d32c

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Impaziente.wbk

Filesize
872KB

MD5
662676b6ae749090c43a0c5507b16131

SHA1
0aec9044c592c79aa2a44f66b73ed0c5cb62fd68

SHA256
4dd868c3015b92c1b8b520c0459c952090e08b4ba8d81d259e1b0630156dada4

SHA512
ec363e232c544f904286831f19bcc20ec0180da0e28bb2480eeccfaac7b4722e9ae5f050fec4fb7de18f6b35092e1296fd8e62022daa0b583eaba8fc4ea253f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\J

Filesize
855KB

MD5
4008d7f17a08efd3fbd18e4e1ba29e00

SHA1
53e25946589981cb36b0e9fb5b26fc334d4f9424

SHA256
752cf7d34bc7433f590cdf45e0bb3922ca7ba2220a7ec09df7f1f6c9644dee3b

SHA512
39e2bfad68403808924cece9c6ab43b0dc4aada62850a8c70b8e9481d825bcc90fa8a91688e3b559d4e5a517bc21931cef8037d585063885d5c948809d961978

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Riflettere.wbk

Filesize
855KB

MD5
4008d7f17a08efd3fbd18e4e1ba29e00

SHA1
53e25946589981cb36b0e9fb5b26fc334d4f9424

SHA256
752cf7d34bc7433f590cdf45e0bb3922ca7ba2220a7ec09df7f1f6c9644dee3b

SHA512
39e2bfad68403808924cece9c6ab43b0dc4aada62850a8c70b8e9481d825bcc90fa8a91688e3b559d4e5a517bc21931cef8037d585063885d5c948809d961978

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Filesize
872KB

MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Filesize
872KB

MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Filesize
872KB

MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
C:\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Filesize
872KB

MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Filesize
872KB

MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Filesize
872KB

MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
\Users\Admin\AppData\Local\Temp\QWE00000.gol\Sul.exe.pif

Filesize
872KB

MD5
ce2797f5c8d43d08a41645d706569d22

SHA1
f8b412bc15829da6e4f16b89112bd67076481424

SHA256
fa1a71dfe8956425fba11e24423abd6761340a0663a819ada76b854af432b075

SHA512
ff2ffcacbcacfb970182ed667fc65f319a555e6cac20ffcbe28ba5fe15fca0b4f8896b46ced5e27ae4d0c2ef569d4b54c103f65c2c5e4def748bb5da71899de9

Download Submit
memory/2728-22-0x00000000FFFDE000-0x00000000FFFDF000-memory.dmp

Filesize
4KB

Download
memory/2728-29-0x0000000000570000-0x000000000057D000-memory.dmp

Filesize
52KB

Download
memory/2728-28-0x0000000000540000-0x0000000000549000-memory.dmp

Filesize
36KB

Download

Resubmissions

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads