Analysis
max time kernel
147s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags
arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted
15-10-2024 16:46
Static task
static1
Behavioral task
behavioral1
Sample
1231.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1231.exe
Resource
win10v2004-20241007-en
General
Target
1231.exe
Size
493KB
MD5
8e92c683e644b7e88184427d1b8625bb
SHA1
8b57d61299f7eaa32df979f54483ff72b47ba8f6
SHA256
9f800400f5ed4b80a6d032a437e3b7fc8fa53978854726fdfc0f2737c1237596
SHA512
027a5b35ef52be102fe4447be581140fc3cdbfd73d4531f1ebfab75672c84946dd9a4dd5ac144d9cf5e9b60a2890e0a975b254674d58ee24e3cbfc5282521dde
SSDEEP
12288:86dbSjl1WZ1oIL0WoxG3arMd9sG3SOH5:PmBMIIoWCN4Hsk7Z
Malware Config
Signatures
Detects LgoogLoader payload (2 IoCs)
resource | yara_rule
behavioral2/memory/848-13-0x00000000012B0000-0x00000000012BD000-memory.dmp | family_lgoogloader
behavioral2/memory/848-14-0x00000000012B0000-0x00000000012BD000-memory.dmp | family_lgoogloader

LgoogLoader
A downloader capable of dropping and executing other malware families.

Sets service image path in registry (2 TTPs, 1 IoC)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath = "\??\C:\Users\Admin\AppData\Local\Temp\Иисус.sys" | 1231.exe

Uses the VBS compiler for execution (1 TTP)

Suspicious use of SetThreadContext (1 IoC)
description | pid | Process | procid_target
PID 5044 set thread context of 848 | 5044 | 1231.exe | 96

System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
Attempt to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jsc.exe

Suspicious behavior: EnumeratesProcesses (20 IoCs)
pid | Process
5044 | 1231.exe (20 identical entries)

Suspicious behavior: LoadsDriver (1 IoC)
pid | Process
5044 | 1231.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 5044 | 1231.exe
Token: SeLoadDriverPrivilege | 5044 | 1231.exe
Token: SeDebugPrivilege | 5044 | 1231.exe

Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | Process | procid_target
PID 5044 wrote to memory of 3144 (x2) | 5044 | 1231.exe | 85
PID 5044 wrote to memory of 2536 (x2) | 5044 | 1231.exe | 86
PID 5044 wrote to memory of 3148 (x2) | 5044 | 1231.exe | 87
PID 5044 wrote to memory of 1840 (x2) | 5044 | 1231.exe | 88
PID 5044 wrote to memory of 4956 (x2) | 5044 | 1231.exe | 89
PID 5044 wrote to memory of 4524 (x2) | 5044 | 1231.exe | 90
PID 5044 wrote to memory of 4792 (x2) | 5044 | 1231.exe | 91
PID 5044 wrote to memory of 4576 (x2) | 5044 | 1231.exe | 93
PID 5044 wrote to memory of 3700 (x2) | 5044 | 1231.exe | 94
PID 5044 wrote to memory of 4840 (x2) | 5044 | 1231.exe | 95
PID 5044 wrote to memory of 848 (x10) | 5044 | 1231.exe | 96
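The three behaviours above that matter most for triage are the service ImagePath pointing into a user-writable directory, the SeLoadDriverPrivilege adjustment by the same process, and the SetThreadContext plus WriteProcessMemory pair into a .NET framework utility started with no arguments (the hollowing host, jsc.exe here). The script below is an added example, not part of the tria.ge report and not the sandbox's own code: it runs that logic over constructed event records modelled on the report's IoCs. The event field names, the list of user-writable roots and the list of .NET host binaries are assumptions for this example.

```python
"""Triage helper: flag the driver-staging and hollowing pattern seen in the
report.  Event records are CONSTRUCTED for this example (modelled on the IoCs
above); the dict field names are an assumption, not tria.ge's export format."""
import re

# Roots an unprivileged user can normally write to (assumption: common cases).
USER_WRITABLE = re.compile(
    r"^[a-z]:\\(users\\[^\\]+\\|programdata\\|windows\\temp\\)", re.IGNORECASE)

# .NET framework utilities commonly abused as hollowing hosts (assumed list).
NET_HOST = re.compile(
    r"\\microsoft\.net\\framework(64)?\\v[\d.]+\\"
    r"(vbc|csc|jsc|ilasm|regasm|caspol|aspnet_regsql|aspnet_wp|ngentask|dfsvc|addinprocess)\.exe$",
    re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed; mirrors the report's signature entries
    {"kind": "registry_set", "pid": 5044, "process": "1231.exe",
     "key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\TaskKill\ImagePath",
     "value": r"\??\C:\Users\Admin\AppData\Local\Temp\Иисус.sys"},
    {"kind": "privilege", "pid": 5044, "process": "1231.exe", "token": "SeDebugPrivilege"},
    {"kind": "privilege", "pid": 5044, "process": "1231.exe", "token": "SeLoadDriverPrivilege"},
    {"kind": "process_create", "pid": 3144, "parent_pid": 5044,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"},
    {"kind": "process_create", "pid": 848, "parent_pid": 5044,
     "image": r"C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"},
    {"kind": "write_process_memory", "pid": 5044, "target_pid": 3144},
    {"kind": "write_process_memory", "pid": 5044, "target_pid": 848},
    {"kind": "set_thread_context", "pid": 5044, "target_pid": 848},
]


def normalize_path(value):
    r"""Turn a registry ImagePath into a Win32 path: strip the \??\ NT prefix and
    expand \SystemRoot\ or a bare system32\ (assumed to live under C:\Windows)."""
    v = value.strip().strip('"')
    if v.startswith("\\??\\"):
        v = v[4:]
    low = v.lower()
    if low.startswith("\\systemroot\\"):
        v = "C:\\Windows\\" + v[len("\\SystemRoot\\"):]
    elif low.startswith("system32\\"):
        v = "C:\\Windows\\" + v
    return v


def flag_service_imagepath(event):
    """Finding if a Services\\<name>\\ImagePath value points at a user-writable path."""
    if event.get("kind") != "registry_set" or not event["key"].lower().endswith("\\imagepath"):
        return None
    path = normalize_path(event["value"])
    if not USER_WRITABLE.match(path):
        return None
    service = event["key"].split("\\")[-2]
    kind = "kernel driver" if path.lower().endswith(".sys") else "service binary"
    return {"severity": "high", "pid": event["pid"],
            "summary": f"service {service} ImagePath set to {kind} in user-writable path {path}"}


def flag_hollowing(events):
    """A process that both writes memory into and sets the thread context of a
    .NET host it spawned is the classic hollowing sequence; a write alone is not."""
    images = {e["pid"]: e["image"] for e in events if e["kind"] == "process_create"}
    ctx = {(e["pid"], e["target_pid"]) for e in events if e["kind"] == "set_thread_context"}
    writes = {(e["pid"], e["target_pid"]) for e in events if e["kind"] == "write_process_memory"}
    findings = []
    for src, tgt in sorted(ctx & writes):
        image = images.get(tgt, "")
        if NET_HOST.search(image):
            name = image.rsplit("\\", 1)[-1]
            findings.append({"severity": "high", "pid": src, "summary":
                             f"pid {src} wrote memory and set thread context of pid {tgt} ({name}): probable process hollowing"})
    return findings


def triage(events):
    """Run all checks; SeLoadDriverPrivilege only counts once a driver path was staged."""
    findings, staged = [], set()
    for e in events:
        f = flag_service_imagepath(e)
        if f:
            findings.append(f)
            staged.add(e["pid"])
    for e in events:
        if e["kind"] == "privilege" and e["token"] == "SeLoadDriverPrivilege" and e["pid"] in staged:
            findings.append({"severity": "high", "pid": e["pid"], "summary":
                             f"pid {e['pid']} ({e['process']}) enabled SeLoadDriverPrivilege after staging a service ImagePath"})
    findings.extend(flag_hollowing(events))
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f["severity"].upper(), f["summary"])
```

On the report's events this yields three findings, all for PID 5044: the TaskKill ImagePath under the user's Temp directory, the SeLoadDriverPrivilege adjustment that follows it, and the hollowing of jsc.exe (PID 848). The write into vbc.exe (PID 3144) is not flagged on its own because no SetThreadContext follows it, which is the distinction a responder wants when a loader sprays writes at ten .NET binaries and only commits to one.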
Processes

C:\Users\Admin\AppData\Local\Temp\1231.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1231.exe"
  PID: 5044
  - Sets service image path in registry
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: LoadsDriver
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe"
    PID: 3144

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_regsql.exe"
    PID: 2536

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\CasPol.exe"
    PID: 3148

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\csc.exe"
    PID: 1840

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngentask.exe"
    PID: 4956

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\dfsvc.exe"
    PID: 4524

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ilasm.exe"
    PID: 4792

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\RegAsm.exe"
    PID: 4576

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\aspnet_wp.exe"
    PID: 3700

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\AddInProcess.exe"
    PID: 4840

  C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe (depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework64\v4.0.30319\jsc.exe"
    PID: 848
    - System Location Discovery: System Language Discovery