lgoogloader | 9f800400f5ed4b80a6d032a437e3b7fc8fa53978854726fdfc0f2737c1237596

General

Target

1231.exe
Size

493KB
MD5

8e92c683e644b7e88184427d1b8625bb
SHA1

8b57d61299f7eaa32df979f54483ff72b47ba8f6
SHA256

9f800400f5ed4b80a6d032a437e3b7fc8fa53978854726fdfc0f2737c1237596
SHA512

027a5b35ef52be102fe4447be581140fc3cdbfd73d4531f1ebfab75672c84946dd9a4dd5ac144d9cf5e9b60a2890e0a975b254674d58ee24e3cbfc5282521dde
SSDEEP

12288:86dbSjl1WZ1oIL0WoxG3arMd9sG3SOH5:PmBMIIoWCN4Hsk7Z

Score

10^/10

lgoogloader discovery downloader persistence

Malware Config

Signatures

Detects LgoogLoader payload 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/848-13-0x00000000012B0000-0x00000000012BD000-memory.dmp	family_lgoogloader
behavioral2/memory/848-14-0x00000000012B0000-0x00000000012BD000-memory.dmp	family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.
downloader lgoogloader

Sets service image path in registry 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

1231.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\\??\\C:\\Users\\Admin\\AppData\\Local\\Temp\\Иисус.sys"	1231.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059
Suspicious use of SetThreadContext 1 IoCs

Processes:

1231.exe

description pid process target process

PID 5044 set thread context of 848 5044 1231.exe jsc.exe
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
discovery

System Language Discovery
T1614.001

Processes:

jsc.exe

description ioc process

Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language jsc.exe

description	pid	process	target process
PID 5044 set thread context of 848	5044	1231.exe	jsc.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	jsc.exe

Suspicious behavior: EnumeratesProcesses 20 IoCs

Processes:

1231.exe

pid	process
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe
5044	1231.exe

Suspicious behavior: LoadsDriver 1 IoCs

Processes:

1231.exe

pid process

5044 1231.exe
Suspicious use of AdjustPrivilegeToken 3 IoCs

Processes:

1231.exe

description pid process

Token: SeDebugPrivilege 5044 1231.exe
Token: SeLoadDriverPrivilege 5044 1231.exe
Token: SeDebugPrivilege 5044 1231.exe

description	pid	process
Token: SeDebugPrivilege	5044	1231.exe
Token: SeLoadDriverPrivilege	5044	1231.exe
Token: SeDebugPrivilege	5044	1231.exe

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

1231.exe

description	pid	process	target process
PID 5044 wrote to memory of 3144	5044	1231.exe	vbc.exe
PID 5044 wrote to memory of 3144	5044	1231.exe	vbc.exe
PID 5044 wrote to memory of 2536	5044	1231.exe	aspnet_regsql.exe
PID 5044 wrote to memory of 2536	5044	1231.exe	aspnet_regsql.exe
PID 5044 wrote to memory of 3148	5044	1231.exe	CasPol.exe
PID 5044 wrote to memory of 3148	5044	1231.exe	CasPol.exe
PID 5044 wrote to memory of 1840	5044	1231.exe	csc.exe
PID 5044 wrote to memory of 1840	5044	1231.exe	csc.exe
PID 5044 wrote to memory of 4956	5044	1231.exe	ngentask.exe
PID 5044 wrote to memory of 4956	5044	1231.exe	ngentask.exe
PID 5044 wrote to memory of 4524	5044	1231.exe	dfsvc.exe
PID 5044 wrote to memory of 4524	5044	1231.exe	dfsvc.exe
PID 5044 wrote to memory of 4792	5044	1231.exe	ilasm.exe
PID 5044 wrote to memory of 4792	5044	1231.exe	ilasm.exe
PID 5044 wrote to memory of 4576	5044	1231.exe	RegAsm.exe
PID 5044 wrote to memory of 4576	5044	1231.exe	RegAsm.exe
PID 5044 wrote to memory of 3700	5044	1231.exe	aspnet_wp.exe
PID 5044 wrote to memory of 3700	5044	1231.exe	aspnet_wp.exe
PID 5044 wrote to memory of 4840	5044	1231.exe	AddInProcess.exe
PID 5044 wrote to memory of 4840	5044	1231.exe	AddInProcess.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe
PID 5044 wrote to memory of 848	5044	1231.exe	jsc.exe

C:\Users\Admin\AppData\Local\Temp\1231.exe
"C:\Users\Admin\AppData\Local\Temp\1231.exe"
1⤵
- Sets service image path in registry
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5044
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
  2⤵
  PID:3144
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
  2⤵
  PID:2536
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
  2⤵
  PID:3148
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
  2⤵
  PID:1840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
  2⤵
  PID:4956
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
  2⤵
  PID:4524
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
  2⤵
  PID:4792
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
  2⤵
  PID:4576
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
  2⤵
  PID:3700
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
  2⤵
  PID:4840
- C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe
  "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  PID:848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/848-11-0x0000000000F50000-0x0000000000F59000-memory.dmp

Filesize
36KB

Download
memory/848-7-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-9-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-10-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/848-13-0x00000000012B0000-0x00000000012BD000-memory.dmp

Filesize
52KB

Download
memory/848-14-0x00000000012B0000-0x00000000012BD000-memory.dmp

Filesize
52KB

Download
memory/5044-1-0x00000232DFBC0000-0x00000232DFC3E000-memory.dmp

Filesize
504KB

Download
memory/5044-2-0x00000232FA040000-0x00000232FA0B6000-memory.dmp

Filesize
472KB

Download
memory/5044-3-0x00000232E0020000-0x00000232E0098000-memory.dmp

Filesize
480KB

Download
memory/5044-4-0x00000232FA0C0000-0x00000232FA0DE000-memory.dmp

Filesize
120KB

Download
memory/5044-5-0x00007FFA287E0000-0x00007FFA292A1000-memory.dmp

Filesize
10.8MB

Download
memory/5044-0-0x00007FFA287E3000-0x00007FFA287E5000-memory.dmp

Filesize
8KB

Download
memory/5044-12-0x00007FFA287E0000-0x00007FFA292A1000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads