Analysis
-
max time kernel
89s -
max time network
148s -
platform
windows10-2004_x64 -
resource
win10v2004-20231222-en -
resource tags
arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system -
submitted
15-02-2024 07:24
Static task
static1
Behavioral task
behavioral1
Sample
tmp.exe
Resource
win7-20231129-en
Behavioral task
behavioral2
Sample
tmp.exe
Resource
win10v2004-20231222-en
General
-
Target
tmp.exe
-
Size
63KB
-
MD5
cbfbeaf0a6e70056f43406053cd61f1e
-
SHA1
b7088a9f29b8ab84aedaffec81441580775d5393
-
SHA256
fa776a4e5e0653f7856a19c3a9fbdad306eb9365cb553bc223d8075be5f5cd3b
-
SHA512
2930b11123191108d66e1bba5cb43f34ca963c424f6dd9c61751db62cef3039773dd100c179909d30099953513ca6eb07e29732af7928d2602c35a8020271c5c
-
SSDEEP
1536:7PlU35kjwNUMhTsjJOCq29suranxH2ufS/TGfb1eis:7P2jU+Tsjs22gaxH2zTGAb
Malware Config
Signatures
-
Detects LgoogLoader payload 1 IoCs
resource yara_rule behavioral2/memory/316-19-0x0000000001320000-0x000000000132D000-memory.dmp family_lgoogloader -
LgoogLoader
A downloader capable of dropping and executing other malware families.
-
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe -
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\tmp.exe = "0" tmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths tmp.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1168293393-3419776239-306423207-1000\Control Panel\International\Geo\Nation tmp.exe -
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths tmp.exe Key created \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows Defender\Exclusions\Paths\C:\Users\Admin\AppData\Local\Temp\tmp.exe = "0" tmp.exe -
description ioc Process Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA tmp.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2316 set thread context of 316 2316 tmp.exe 87 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Runs ping.exe 1 TTPs 1 IoCs
pid Process 316 ping.exe -
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid Process 2316 tmp.exe 2316 tmp.exe 4760 powershell.exe 4760 powershell.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: SeDebugPrivilege 2316 tmp.exe Token: SeDebugPrivilege 4760 powershell.exe -
Suspicious use of WriteProcessMemory 17 IoCs
description pid Process procid_target PID 2316 wrote to memory of 4760 2316 tmp.exe 84 PID 2316 wrote to memory of 4760 2316 tmp.exe 84 PID 2316 wrote to memory of 4760 2316 tmp.exe 84 PID 2316 wrote to memory of 2176 2316 tmp.exe 86 PID 2316 wrote to memory of 2176 2316 tmp.exe 86 PID 2316 wrote to memory of 2176 2316 tmp.exe 86 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 PID 2316 wrote to memory of 316 2316 tmp.exe 87 -
System policy modification 1 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" tmp.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\tmp.exe"C:\Users\Admin\AppData\Local\Temp\tmp.exe"1⤵
- UAC bypass
- Windows security bypass
- Checks computer location settings
- Windows security modification
- Checks whether UAC is enabled
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:2316 -
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmp.exe" -Force2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:4760
-
-
C:\Windows\SysWOW64\calc.exe"C:\Windows\SYSWOW64\calc.exe"2⤵PID:2176
-
-
C:\Windows\SysWOW64\ping.exe"C:\Windows\SYSWOW64\ping.exe"2⤵
- Runs ping.exe
PID:316
-
Network
-
Remote address:8.8.8.8:53Requestheygirlisheeverythingyouwantedinaman.comIN AResponseheygirlisheeverythingyouwantedinaman.comIN A172.67.190.93heygirlisheeverythingyouwantedinaman.comIN A104.21.57.121
-
Remote address:172.67.190.93:80RequestGET /get/65cd826fa46777f9cb22a64d HTTP/1.1
Host: heygirlisheeverythingyouwantedinaman.com
Connection: close
ResponseHTTP/1.1 200 OK
Content-Type: text/html; charset=utf-8
Transfer-Encoding: chunked
Connection: close
Cache-Control: no-cache, no-store, max-age=0
X-Powered-By: ASP.NET
CF-Cache-Status: DYNAMIC
Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v3?s=r7rPwu0ws0yeEVQ5je7b3zvgg%2BE8NgSimCDfL1PVVTrOlELLjIatcnKJAGF22Qm%2B4FpZ8O5ptghhkBfkf9EUHsPL0S1qWOaOYnS6mBgnI4wiBuagJrUWLu4l0Su0KxeOpvfLS0dITfPiwkpVg2cGHe5d%2BwiZM3Idj6HD"}],"group":"cf-nel","max_age":604800}
NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
Server: cloudflare
CF-RAY: 855bcf924c30632b-LHR
alt-svc: h3=":443"; ma=86400
-
Remote address:8.8.8.8:53Request97.17.167.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request180.178.17.96.in-addr.arpaIN PTRResponse180.178.17.96.in-addr.arpaIN PTRa96-17-178-180deploystaticakamaitechnologiescom
-
Remote address:8.8.8.8:53Request93.190.67.172.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request93.190.67.172.in-addr.arpaIN PTR
-
Remote address:8.8.8.8:53Request2.159.190.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request95.221.229.192.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request133.211.185.52.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request241.150.49.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request157.123.68.40.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request171.39.242.20.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request240.221.184.93.in-addr.arpaIN PTRResponse
-
Remote address:8.8.8.8:53Request19.229.111.52.in-addr.arpaIN PTRResponse
-
172.67.190.93:80http://heygirlisheeverythingyouwantedinaman.com/get/65cd826fa46777f9cb22a64dhttptmp.exe64.6kB 2.3MB 1249 1675
HTTP Request
GET http://heygirlisheeverythingyouwantedinaman.com/get/65cd826fa46777f9cb22a64dHTTP Response
200
-
86 B 118 B 1 1
DNS Request
heygirlisheeverythingyouwantedinaman.com
DNS Response
172.67.190.93104.21.57.121
-
71 B 145 B 1 1
DNS Request
97.17.167.52.in-addr.arpa
-
72 B 137 B 1 1
DNS Request
180.178.17.96.in-addr.arpa
-
144 B 134 B 2 1
DNS Request
93.190.67.172.in-addr.arpa
DNS Request
93.190.67.172.in-addr.arpa
-
71 B 157 B 1 1
DNS Request
2.159.190.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
95.221.229.192.in-addr.arpa
-
73 B 147 B 1 1
DNS Request
133.211.185.52.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
241.150.49.20.in-addr.arpa
-
72 B 146 B 1 1
DNS Request
157.123.68.40.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
171.39.242.20.in-addr.arpa
-
73 B 144 B 1 1
DNS Request
240.221.184.93.in-addr.arpa
-
72 B 158 B 1 1
DNS Request
19.229.111.52.in-addr.arpa
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
60B
MD5d17fe0a3f47be24a6453e9ef58c94641
SHA16ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA25696ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA5125b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82