Overview

overview

10

Static

static

LVpromo.exe

windows7_x64

10

LVpromo.exe

windows10_x64

10

Analysis

  • max time kernel
    152s
  • max time network
    155s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    26-01-2022 09:59

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LVpromo.exe

  • Size

    769KB

  • MD5

    77e85ad8891096baba68e44b43f2f820

  • SHA1

    11517a0e9f4c5f39170f8083436ff6156b5ecf7b

  • SHA256

    01622d3e6d14184769fc2b052e32588b7bbd86f5a61e511f395db4695d7018a9

  • SHA512

    7c6727fe6a9a2092e576d75cb4ad2cf22f9b2fcba394049430e236590a38d9a90590f52ea89ea96a82e8226e61a70b6e41ab89a7fc6fca9fed13ddcabf4c6a7a

Score
10/10
formbookoh75ratspywarestealertrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • Formbook Payload 3 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious behavior: EnumeratesProcesses 47 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3036
    • C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
      "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2504
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DhcJUDDVFUzIJt.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3584
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DhcJUDDVFUzIJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp509D.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:1028
      • C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
        "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:604
    • C:\Windows\SysWOW64\ipconfig.exe
      "C:\Windows\SysWOW64\ipconfig.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Gathers network information
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:408
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
        3⤵
          PID:1936

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Command-Line Interface

    1
    T1059

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    2
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmp509D.tmp
      MD5

      2ff7c9a9163a88d3251fd3f11743abf2

      SHA1

      9fb6f5f3f1e36a2c149e3098edfee24c74e6500f

      SHA256

      be7bfd5a8795babdc878d5d5a2258bf7e9e04781d7c2ff362fc610f14f808b80

      SHA512

      a8fcea1da920432341d860262fc9c19d0fcaca2047cfe33aee93b8c98970ad22b76e2f5a32d3cfe702c587ef1cf68d1ed71ca447cbd9030bf4cbe996e7910341

      Download Submit
    • memory/408-374-0x0000000000BD0000-0x0000000000C63000-memory.dmp
      Filesize

      588KB

      Download
    • memory/408-189-0x0000000000A00000-0x0000000000A2F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/408-191-0x0000000002DA0000-0x00000000030C0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/408-187-0x0000000000D90000-0x0000000000D9B000-memory.dmp
      Filesize

      44KB

      Download
    • memory/604-136-0x0000000001490000-0x00000000017B0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/604-137-0x0000000001150000-0x00000000012E2000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/604-127-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2504-121-0x0000000007AA0000-0x0000000007B3C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2504-118-0x00000000050F0000-0x0000000005182000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2504-120-0x0000000007760000-0x000000000776C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2504-116-0x00000000056A0000-0x0000000005B9E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2504-122-0x0000000007B40000-0x0000000007BAA000-memory.dmp
      Filesize

      424KB

      Download
    • memory/2504-117-0x00000000051A0000-0x0000000005232000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2504-119-0x0000000005170000-0x000000000517A000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2504-115-0x0000000000720000-0x00000000007E6000-memory.dmp
      Filesize

      792KB

      Download
    • memory/3036-375-0x0000000002370000-0x0000000002481000-memory.dmp
      Filesize

      1.1MB

      Download
    • memory/3036-138-0x0000000005F30000-0x00000000060C5000-memory.dmp
      Filesize

      1.6MB

      Download
    • memory/3584-126-0x0000000004380000-0x00000000043B6000-memory.dmp
      Filesize

      216KB

      Download
    • memory/3584-157-0x00000000090B0000-0x0000000009155000-memory.dmp
      Filesize

      660KB

      Download
    • memory/3584-139-0x00000000075B0000-0x00000000075CC000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3584-133-0x0000000006EB0000-0x0000000006F16000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3584-140-0x00000000080A0000-0x00000000080EB000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3584-141-0x0000000007EB0000-0x0000000007F26000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3584-150-0x0000000008F80000-0x0000000008FB3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/3584-151-0x000000007ED20000-0x000000007ED21000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3584-152-0x0000000008F40000-0x0000000008F5E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3584-134-0x00000000077B0000-0x0000000007B00000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3584-158-0x0000000009270000-0x0000000009304000-memory.dmp
      Filesize

      592KB

      Download
    • memory/3584-185-0x00000000068F3000-0x00000000068F4000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3584-132-0x00000000075D0000-0x0000000007636000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3584-131-0x0000000006D10000-0x0000000006D32000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3584-128-0x00000000068F0000-0x00000000068F1000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3584-355-0x0000000006A40000-0x0000000006A5A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3584-360-0x0000000006A30000-0x0000000006A38000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3584-129-0x00000000068F2000-0x00000000068F3000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3584-130-0x0000000006F30000-0x0000000007558000-memory.dmp
      Filesize

      6.2MB

      Download