Overview

overview

10

Static

static

1

tmp.exe

windows7-x64

1

tmp.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    89s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231222-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/02/2024, 07:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    tmp.exe

  • Size

    63KB

  • MD5

    cbfbeaf0a6e70056f43406053cd61f1e

  • SHA1

    b7088a9f29b8ab84aedaffec81441580775d5393

  • SHA256

    fa776a4e5e0653f7856a19c3a9fbdad306eb9365cb553bc223d8075be5f5cd3b

  • SHA512

    2930b11123191108d66e1bba5cb43f34ca963c424f6dd9c61751db62cef3039773dd100c179909d30099953513ca6eb07e29732af7928d2602c35a8020271c5c

  • SSDEEP

    1536:7PlU35kjwNUMhTsjJOCq29suranxH2ufS/TGfb1eis:7P2jU+Tsjs22gaxH2zTGAb

Score
10/10
lgoogloaderdownloaderevasiontrojan

Malware Config

Signatures

  • Detects LgoogLoader payload 1 IoCs
  • LgoogLoader

    A downloader capable of dropping and executing other malware families.

    downloaderlgoogloader
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 2 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Windows security modification 2 TTPs 3 IoCs
    evasiontrojan
  • Checks whether UAC is enabled 1 TTPs 2 IoCs
    evasiontrojan
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 17 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\tmp.exe
    "C:\Users\Admin\AppData\Local\Temp\tmp.exe"
    1⤵
    • UAC bypass
    • Windows security bypass
    • Checks computer location settings
    • Windows security modification
    • Checks whether UAC is enabled
    • Suspicious use of SetThreadContext
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    • System policy modification
    PID:2316
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Local\Temp\tmp.exe" -Force
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4760
    • C:\Windows\SysWOW64\calc.exe
      "C:\Windows\SYSWOW64\calc.exe"
      2⤵
        PID:2176
      • C:\Windows\SysWOW64\ping.exe
        "C:\Windows\SYSWOW64\ping.exe"
        2⤵
        • Runs ping.exe
        PID:316

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_ojcgsnda.tcc.ps1
      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

      Download Submit

    • memory/316-9-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/316-19-0x0000000001320000-0x000000000132D000-memory.dmp

      Filesize

      52KB

      Download

    • memory/316-13-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/316-10-0x0000000000400000-0x000000000043D000-memory.dmp

      Filesize

      244KB

      Download

    • memory/316-18-0x0000000000FF0000-0x0000000000FF9000-memory.dmp

      Filesize

      36KB

      Download

    • memory/2316-4-0x0000000005610000-0x00000000056A2000-memory.dmp

      Filesize

      584KB

      Download

    • memory/2316-7-0x0000000005B60000-0x0000000005B70000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2316-8-0x000000000A230000-0x000000000A34A000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/2316-6-0x00000000055C0000-0x00000000055CA000-memory.dmp

      Filesize

      40KB

      Download

    • memory/2316-62-0x00000000753B0000-0x0000000075B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/2316-5-0x0000000001520000-0x0000000001530000-memory.dmp

      Filesize

      64KB

      Download

    • memory/2316-3-0x0000000005BC0000-0x0000000006164000-memory.dmp

      Filesize

      5.6MB

      Download

    • memory/2316-0-0x0000000000B60000-0x0000000000B74000-memory.dmp

      Filesize

      80KB

      Download

    • memory/2316-1-0x00000000015A0000-0x00000000015BA000-memory.dmp

      Filesize

      104KB

      Download

    • memory/2316-2-0x00000000753B0000-0x0000000075B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-21-0x00000000059F0000-0x0000000005A56000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4760-47-0x0000000006690000-0x00000000066AE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4760-17-0x0000000005310000-0x0000000005938000-memory.dmp

      Filesize

      6.2MB

      Download

    • memory/4760-20-0x0000000005250000-0x0000000005272000-memory.dmp

      Filesize

      136KB

      Download

    • memory/4760-15-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4760-22-0x0000000005A60000-0x0000000005AC6000-memory.dmp

      Filesize

      408KB

      Download

    • memory/4760-11-0x0000000002830000-0x0000000002866000-memory.dmp

      Filesize

      216KB

      Download

    • memory/4760-32-0x0000000005C00000-0x0000000005F54000-memory.dmp

      Filesize

      3.3MB

      Download

    • memory/4760-33-0x00000000060D0000-0x00000000060EE000-memory.dmp

      Filesize

      120KB

      Download

    • memory/4760-34-0x0000000006130000-0x000000000617C000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4760-35-0x000000007FCD0000-0x000000007FCE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4760-36-0x00000000066B0000-0x00000000066E2000-memory.dmp

      Filesize

      200KB

      Download

    • memory/4760-37-0x0000000071270000-0x00000000712BC000-memory.dmp

      Filesize

      304KB

      Download

    • memory/4760-16-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4760-48-0x0000000002820000-0x0000000002830000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4760-49-0x00000000072B0000-0x0000000007353000-memory.dmp

      Filesize

      652KB

      Download

    • memory/4760-50-0x0000000007A50000-0x00000000080CA000-memory.dmp

      Filesize

      6.5MB

      Download

    • memory/4760-51-0x0000000007410000-0x000000000742A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4760-52-0x0000000007480000-0x000000000748A000-memory.dmp

      Filesize

      40KB

      Download

    • memory/4760-53-0x0000000007690000-0x0000000007726000-memory.dmp

      Filesize

      600KB

      Download

    • memory/4760-54-0x0000000007610000-0x0000000007621000-memory.dmp

      Filesize

      68KB

      Download

    • memory/4760-55-0x0000000007640000-0x000000000764E000-memory.dmp

      Filesize

      56KB

      Download

    • memory/4760-56-0x0000000007650000-0x0000000007664000-memory.dmp

      Filesize

      80KB

      Download

    • memory/4760-57-0x0000000007750000-0x000000000776A000-memory.dmp

      Filesize

      104KB

      Download

    • memory/4760-58-0x0000000007730000-0x0000000007738000-memory.dmp

      Filesize

      32KB

      Download

    • memory/4760-61-0x00000000753B0000-0x0000000075B60000-memory.dmp

      Filesize

      7.7MB

      Download

    • memory/4760-12-0x00000000753B0000-0x0000000075B60000-memory.dmp

      Filesize

      7.7MB

      Download