Analysis
max time kernel: 148s
max time network: 134s
platform: windows10_x64
resource: win10-en-20211208
submitted: 27-01-2022 07:16
Static task: static1
Behavioral task: behavioral1
Sample: LVpromo.exe
Resource: win7-en-20211208
General
Target: LVpromo.exe
Size: 769KB
MD5: 77e85ad8891096baba68e44b43f2f820
SHA1: 11517a0e9f4c5f39170f8083436ff6156b5ecf7b
SHA256: 01622d3e6d14184769fc2b052e32588b7bbd86f5a61e511f395db4695d7018a9
SHA512: 7c6727fe6a9a2092e576d75cb4ad2cf22f9b2fcba394049430e236590a38d9a90590f52ea89ea96a82e8226e61a70b6e41ab89a7fc6fca9fed13ddcabf4c6a7a
Malware Config
Extracted
formbook
4.1
oh75
denizgidam.com
6cc06.com
charlottewaldburgzeil.com
medijanus.com
qingdaoyiersan.com
datcabilgisayar.xyz
111439d.com
xn--1ruo40k.com
wu6enxwcx5h3.xyz
vnscloud.net
brtka.xyz
showztime.com
promocoesdedezenbro.com
wokpy.com
chnowuk.online
rockshotscafe.com
pelrjy.com
nato-riness.com
feixiang-chem.com
thcoinexchange.com
fuelrescuereponse.com
digitaltunic.com
cellefill.com
paulbau.com
camillebeckman.xyz
ilico-media.com
603sa.com
firstechfedcu.com
koreaglp.com
thebeardedbrocksblends.com
musumeya-kotora.com
tocoteacanada.com
travelwitharden.com
diversamenteclinica.com
bw613.com
qe46.com
spectrumelectrolysis.com
maloyenterprises.com
inovasyon.xyz
remijoe.com
petsgallie.com
metagiphydownload.online
tigerdieect.com
jamedomp.com
peninsularbottling.com
1383fx.com
pandeymasala.online
spoilnet.com
itweu.com
ankxbi.icu
lm-safe-keepingyuchand92.xyz
dreamdsjoceo.com
providentview.com
newchinafortpayne.com
wu6bvnrlz4ra.xyz
intrasvp.com
ghoul-ambrose.com
alltenexpress.com
oniray.com
sistemaparadrogaria.com
zeidrei514-nifty.xyz
excaliburteacher.com
jennyandsteven.com
zakcotransportationllc.com
wwwccsuresults.com
Signatures

suricata: ET MALWARE FormBook CnC Checkin (GET)  (2 alerts)

Formbook Payload (3 IoCs)
  resource                                                                      yara_rule
  behavioral2/memory/676-127-0x0000000000400000-0x000000000042F000-memory.dmp   formbook
  behavioral2/memory/676-139-0x0000000001310000-0x00000000014A0000-memory.dmp   formbook
  behavioral2/memory/1296-177-0x0000000000B50000-0x0000000000B7F000-memory.dmp  formbook

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   process      target process
  PID 2564 set thread context of 676   2564  LVpromo.exe  LVpromo.exe
  PID 676 set thread context of 3040   676   LVpromo.exe  Explorer.EXE
  PID 1296 set thread context of 3040  1296  cmstp.exe    Explorer.EXE

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

Creates scheduled task(s) (1 TTPs, 1 IoCs)
  Schtasks is often used by malware for persistence or to perform post-infection execution.

Suspicious behavior: EnumeratesProcesses (49 IoCs)
  pid   process         hits
  2920  powershell.exe  3
  676   LVpromo.exe     4
  1296  cmstp.exe       42

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  pid   process
  3040  Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
  pid   process      hits
  676   LVpromo.exe  3
  1296  cmstp.exe    2

Suspicious use of AdjustPrivilegeToken (5 IoCs)
  description                       pid   process
  Token: SeDebugPrivilege           2920  powershell.exe
  Token: SeDebugPrivilege           676   LVpromo.exe
  Token: SeDebugPrivilege           1296  cmstp.exe
  Token: SeShutdownPrivilege        3040  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3040  Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
  description                       pid   process       target process  hits
  PID 2564 wrote to memory of 2920  2564  LVpromo.exe   powershell.exe  3
  PID 2564 wrote to memory of 512   2564  LVpromo.exe   schtasks.exe    3
  PID 2564 wrote to memory of 676   2564  LVpromo.exe   LVpromo.exe     6
  PID 3040 wrote to memory of 1296  3040  Explorer.EXE  cmstp.exe       3
  PID 1296 wrote to memory of 3624  1296  cmstp.exe     cmd.exe         3
Processes

1  C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2  C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\DhcJUDDVFUzIJt.exe"
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken

      3  C:\Windows\SysWOW64\schtasks.exe
         command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\DhcJUDDVFUzIJt" /XML "C:\Users\Admin\AppData\Local\Temp\tmp291F.tmp"
         - Creates scheduled task(s)

      3  C:\Users\Admin\AppData\Local\Temp\LVpromo.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken

   2  C:\Windows\SysWOW64\cmstp.exe
      command line: "C:\Windows\SysWOW64\cmstp.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3  C:\Windows\SysWOW64\cmd.exe
         command line: /c del "C:\Users\Admin\AppData\Local\Temp\LVpromo.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\tmp291F.tmp
  MD5: 2ff7c9a9163a88d3251fd3f11743abf2
  SHA1: 9fb6f5f3f1e36a2c149e3098edfee24c74e6500f
  SHA256: be7bfd5a8795babdc878d5d5a2258bf7e9e04781d7c2ff362fc610f14f808b80
  SHA512: a8fcea1da920432341d860262fc9c19d0fcaca2047cfe33aee93b8c98970ad22b76e2f5a32d3cfe702c587ef1cf68d1ed71ca447cbd9030bf4cbe996e7910341

Memory dumps (Filesize)
  memory/676-138-0x00000000014A0000-0x00000000017C0000-memory.dmp    3.1MB
  memory/676-139-0x0000000001310000-0x00000000014A0000-memory.dmp    1.6MB
  memory/676-127-0x0000000000400000-0x000000000042F000-memory.dmp    188KB
  memory/1296-180-0x0000000004D80000-0x00000000050A0000-memory.dmp   3.1MB
  memory/1296-374-0x0000000004BE0000-0x0000000004D7C000-memory.dmp   1.6MB
  memory/1296-175-0x00000000010B0000-0x00000000010C6000-memory.dmp   88KB
  memory/1296-177-0x0000000000B50000-0x0000000000B7F000-memory.dmp   188KB
  memory/2564-120-0x0000000006A70000-0x0000000006A7C000-memory.dmp   48KB
  memory/2564-121-0x0000000007400000-0x000000000749C000-memory.dmp   624KB
  memory/2564-122-0x0000000007360000-0x00000000073CA000-memory.dmp   424KB
  memory/2564-119-0x0000000004DD0000-0x0000000004DDA000-memory.dmp   40KB
  memory/2564-118-0x0000000004E00000-0x00000000052FE000-memory.dmp   5.0MB
  memory/2564-115-0x00000000004D0000-0x0000000000596000-memory.dmp   792KB
  memory/2564-117-0x0000000004E00000-0x0000000004E92000-memory.dmp   584KB
  memory/2564-116-0x0000000005300000-0x00000000057FE000-memory.dmp   5.0MB
  memory/2920-136-0x0000000004780000-0x000000000479C000-memory.dmp   112KB
  memory/2920-157-0x0000000008E10000-0x0000000008EB5000-memory.dmp   660KB
  memory/2920-133-0x0000000006DC0000-0x0000000006E26000-memory.dmp   408KB
  memory/2920-137-0x0000000006D50000-0x0000000006D9B000-memory.dmp   300KB
  memory/2920-131-0x0000000006862000-0x0000000006863000-memory.dmp   4KB
  memory/2920-130-0x0000000006860000-0x0000000006861000-memory.dmp   4KB
  memory/2920-141-0x0000000007BD0000-0x0000000007C46000-memory.dmp   472KB
  memory/2920-126-0x00000000068B0000-0x00000000068E6000-memory.dmp   216KB
  memory/2920-150-0x000000007EC30000-0x000000007EC31000-memory.dmp   4KB
  memory/2920-151-0x0000000008CE0000-0x0000000008D13000-memory.dmp   204KB
  memory/2920-152-0x0000000008CA0000-0x0000000008CBE000-memory.dmp   120KB
  memory/2920-134-0x0000000007650000-0x00000000079A0000-memory.dmp   3.3MB
  memory/2920-158-0x0000000009010000-0x00000000090A4000-memory.dmp   592KB
  memory/2920-174-0x0000000006863000-0x0000000006864000-memory.dmp   4KB
  memory/2920-132-0x0000000006C20000-0x0000000006C86000-memory.dmp   408KB
  memory/2920-129-0x0000000006830000-0x0000000006852000-memory.dmp   136KB
  memory/2920-128-0x0000000006F20000-0x0000000007548000-memory.dmp   6.2MB
  memory/2920-355-0x0000000007DD0000-0x0000000007DEA000-memory.dmp   104KB
  memory/2920-360-0x0000000007DB0000-0x0000000007DB8000-memory.dmp   32KB
  memory/3040-140-0x0000000005F10000-0x000000000606D000-memory.dmp   1.4MB
  memory/3040-375-0x00000000060B0000-0x00000000061EB000-memory.dmp   1.2MB