Overview

overview

10

Static

static

LVvoucher.exe

windows7_x64

3

LVvoucher.exe

windows10_x64

10

Analysis

  • max time kernel
    119s
  • max time network
    119s
  • platform
    windows7_x64
  • resource
    win7-en-20211208
  • submitted
    28-01-2022 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LVvoucher.exe

  • Size

    779KB

  • MD5

    4f2cf362036af705349843df3419ae5d

  • SHA1

    49dfd4b26e8c9f2cc76df24c55e6616f438bf422

  • SHA256

    77604e2646be4fb59a16e33ca5e78a73ec5045b8f1cce6f5ba16c11304b1c2ee

  • SHA512

    8b5682f5955cdb1e1218735d100234f571f27a2b793cedd68572e8e62a1cef0cf716327b44fbaa3f29bc792a5e842bbfc8320ed175580333dc57eff8cf7fb586

Score
3/10

Malware Config

Signatures

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
    "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
    1⤵
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1892
    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UcgxBJ.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:1116
    • C:\Windows\SysWOW64\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcgxBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpBB4.tmp"
      2⤵
      • Creates scheduled task(s)
      PID:428
    • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
      "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
      2⤵
        PID:1524
      • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
        "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
        2⤵
          PID:1484
        • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
          "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
          2⤵
            PID:1456
          • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
            "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
            2⤵
              PID:1984
            • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
              "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
              2⤵
                PID:1732

            Network

            MITRE ATT&CK Matrix ATT&CK v6

            Initial Access

            Execution

            Scheduled Task

            1
            T1053

            Persistence

            Scheduled Task

            1
            T1053

            Privilege Escalation

            Scheduled Task

            1
            T1053

            Defense Evasion

            Credential Access

            Discovery

            System Information Discovery

            1
            T1082

            Lateral Movement

            Collection

            Exfiltration

            Command and Control

            Impact

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\tmpBB4.tmp
              MD5

              0844c8162e61ac7b12151cfdad0fc627

              SHA1

              b7be8446adf1ae750771978da6f33b6a0e6b235c

              SHA256

              06eaa857ac42144a5d42b8fdbdf3db4bfbb2ae6dabb68385df2e40cdf7892385

              SHA512

              fd687c38c8ca74d5e3a3e859ae2ef522b78394bf383aad68fbb50ee1951f9121a69a17c60b1019bb59b90f39f47377ae7ddf91ed597c71f7bfba23ce10a22fc7

              Download Submit
            • memory/1116-61-0x0000000002640000-0x000000000328A000-memory.dmp
              Filesize

              12.3MB

              Download
            • memory/1116-62-0x0000000002640000-0x000000000328A000-memory.dmp
              Filesize

              12.3MB

              Download
            • memory/1116-63-0x0000000002640000-0x000000000328A000-memory.dmp
              Filesize

              12.3MB

              Download
            • memory/1892-54-0x0000000000350000-0x000000000041A000-memory.dmp
              Filesize

              808KB

              Download
            • memory/1892-55-0x0000000076C61000-0x0000000076C63000-memory.dmp
              Filesize

              8KB

              Download
            • memory/1892-56-0x0000000004E90000-0x0000000004E91000-memory.dmp
              Filesize

              4KB

              Download
            • memory/1892-57-0x0000000000450000-0x000000000045C000-memory.dmp
              Filesize

              48KB

              Download
            • memory/1892-58-0x00000000052E0000-0x000000000534A000-memory.dmp
              Filesize

              424KB

              Download