Analysis
- max time kernel: 162s
- max time network: 155s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 08:30
- Static task: static1
- Behavioral task: behavioral1
  - Sample: LVvoucher.exe
  - Resource: win7-en-20211208
General
- Target: LVvoucher.exe
- Size: 779KB
- MD5: 4f2cf362036af705349843df3419ae5d
- SHA1: 49dfd4b26e8c9f2cc76df24c55e6616f438bf422
- SHA256: 77604e2646be4fb59a16e33ca5e78a73ec5045b8f1cce6f5ba16c11304b1c2ee
- SHA512: 8b5682f5955cdb1e1218735d100234f571f27a2b793cedd68572e8e62a1cef0cf716327b44fbaa3f29bc792a5e842bbfc8320ed175580333dc57eff8cf7fb586
Malware Config
Extracted
- Family: formbook
- Version: 4.1
- Campaign: oh75
- Domains (65, one per line below). A Formbook configuration carries one live C2 domain hidden in a list of decoys, and the extractor emits the whole list; most entries are legitimate sites, so treat them as a hunting set to correlate with the infected host's DNS and HTTP traffic, not as 65 confirmed C2 servers.
denizgidam.com
6cc06.com
charlottewaldburgzeil.com
medijanus.com
qingdaoyiersan.com
datcabilgisayar.xyz
111439d.com
xn--1ruo40k.com
wu6enxwcx5h3.xyz
vnscloud.net
brtka.xyz
showztime.com
promocoesdedezenbro.com
wokpy.com
chnowuk.online
rockshotscafe.com
pelrjy.com
nato-riness.com
feixiang-chem.com
thcoinexchange.com
fuelrescuereponse.com
digitaltunic.com
cellefill.com
paulbau.com
camillebeckman.xyz
ilico-media.com
603sa.com
firstechfedcu.com
koreaglp.com
thebeardedbrocksblends.com
musumeya-kotora.com
tocoteacanada.com
travelwitharden.com
diversamenteclinica.com
bw613.com
qe46.com
spectrumelectrolysis.com
maloyenterprises.com
inovasyon.xyz
remijoe.com
petsgallie.com
metagiphydownload.online
tigerdieect.com
jamedomp.com
peninsularbottling.com
1383fx.com
pandeymasala.online
spoilnet.com
itweu.com
ankxbi.icu
lm-safe-keepingyuchand92.xyz
dreamdsjoceo.com
providentview.com
newchinafortpayne.com
wu6bvnrlz4ra.xyz
intrasvp.com
ghoul-ambrose.com
alltenexpress.com
oniray.com
sistemaparadrogaria.com
zeidrei514-nifty.xyz
excaliburteacher.com
jennyandsteven.com
zakcotransportationllc.com
wwwccsuresults.com
Signatures
-
Formbook Payload 2 IoCs
YARA rule hits (memory dump, rule):
  behavioral2/memory/3828-130-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
  behavioral2/memory/372-148-0x0000000000B80000-0x0000000000BAF000-memory.dmp   formbook
Both regions are 0x2F000 bytes (188KB): the same unpacked payload sits in the second LVvoucher.exe instance (PID 3828) and in netsh.exe (PID 372).
-
Suspicious use of SetThreadContext 3 IoCs
Processes (description, pid, process, target process):
  PID 912 set thread context of 3828    912   LVvoucher.exe   LVvoucher.exe
  PID 3828 set thread context of 3056   3828  LVvoucher.exe   Explorer.EXE
  PID 372 set thread context of 3056    372   netsh.exe       Explorer.EXE
Chain: the dropper (912) starts a second copy of itself (3828) and replaces its thread context, consistent with process hollowing; that copy injects into Explorer.EXE (3056); Explorer then starts netsh.exe (372), which also sets Explorer's thread context.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). The sandbox's generic description for this signature adds "likely ransomware behaviour"; the extracted configuration and the YARA hits identify this sample as Formbook, an information stealer, so do not classify it as ransomware on the strength of this signature alone.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution. Here the task "Updates\UcgxBJ" is created from the XML file C:\Users\Admin\AppData\Local\Temp\tmp6AA8.tmp (hashes under Downloads), and the UcgxBJ name matches the path the PowerShell Defender exclusion covers.
-
Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes (pid, process, hits):
  3828  LVvoucher.exe   4
  772   powershell.exe  3
  372   netsh.exe       30
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes (pid, process):
  3056  Explorer.EXE
-
Suspicious behavior: MapViewOfSection 5 IoCs
Processes (pid, process, hits):
  3828  LVvoucher.exe   3
  372   netsh.exe       2
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes (description, pid, process):
  Token: SeDebugPrivilege           3828  LVvoucher.exe
  Token: SeDebugPrivilege           772   powershell.exe
  Token: SeDebugPrivilege           372   netsh.exe
  Token: SeShutdownPrivilege        3056  Explorer.EXE
  Token: SeCreatePagefilePrivilege  3056  Explorer.EXE
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes (description, pid, process, target process, hits):
  PID 912 wrote to memory of 772    912   LVvoucher.exe  powershell.exe  3
  PID 912 wrote to memory of 3856   912   LVvoucher.exe  schtasks.exe    3
  PID 912 wrote to memory of 3828   912   LVvoucher.exe  LVvoucher.exe   6
  PID 3056 wrote to memory of 372   3056  Explorer.EXE   netsh.exe       3
  PID 372 wrote to memory of 1020   372   netsh.exe      cmd.exe         3
Processes
-
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  -
  C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    Note: PID 912, the dropper.
    -
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UcgxBJ.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      Note: PID 772. Adds a Windows Defender exclusion for a path under Roaming whose UcgxBJ name matches the scheduled task below. The command line names System32 while the image path is SysWOW64: the 32-bit parent is subject to WOW64 file-system redirection.
    -
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcgxBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmp6AA8.tmp"
      - Creates scheduled task(s)
      Note: PID 3856. The task definition is the XML file tmp6AA8.tmp listed under Downloads.
    -
    C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
      Note: PID 3828, a second instance started by the dropper and given a new thread context; its 0x400000 region is the first formbook YARA hit.
  -
  C:\Windows\SysWOW64\netsh.exe
    Command line: "C:\Windows\SysWOW64\netsh.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    Note: PID 372, started without arguments by the injected Explorer.EXE; the second formbook YARA hit is in this process.
    -
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
      Note: PID 1020. Deletes the original dropper once the payload is running in netsh.exe.
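Detection logic for the execution chain in the tree above, written as an added example (it is not part of this report and not any sandbox's code). It replays constructed Sysmon-style process-creation events copied from the page's process tree and flags the five behaviours a practitioner would alert on: a Defender exclusion for a user-writable path, a scheduled task created from a Temp XML, a binary in a user-writable path spawning itself, an argument-less netsh.exe launched by Explorer.EXE, and cmd /c del of a binary already seen executing. The event field names, rule names and the netsh.exe-only utility set are this example's own assumptions.

```python
"""Process-tree detections for the LVvoucher.exe / Formbook chain (added example)."""
import re
from typing import Dict, List, Tuple

# Constructed Sysmon Event ID 1-like events mirroring the report's process tree.
# Field names are this example's own, not a real sensor schema.
EVENTS: List[Dict[str, object]] = [
    {"pid": 3056, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 912, "ppid": 3056, "image": r"C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"'},
    {"pid": 772, "ppid": 912, "image": r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference '
                r'-ExclusionPath "C:\Users\Admin\AppData\Roaming\UcgxBJ.exe"'},
    {"pid": 3856, "ppid": 912, "image": r"C:\Windows\SysWOW64\schtasks.exe",
     "cmdline": r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcgxBJ" '
                r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp6AA8.tmp"'},
    {"pid": 3828, "ppid": 912, "image": r"C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"'},
    {"pid": 372, "ppid": 3056, "image": r"C:\Windows\SysWOW64\netsh.exe",
     "cmdline": r'"C:\Windows\SysWOW64\netsh.exe"'},
    {"pid": 1020, "ppid": 372, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"'},
]

USER_WRITABLE = re.compile(r"\\Users\\[^\\]+\\AppData\\", re.IGNORECASE)
TOKEN = re.compile(r'"([^"]+)"|(\S+)')  # quoted token or bare token


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def argv(cmdline: str) -> List[str]:
    """Split a Windows command line on whitespace while honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN.findall(cmdline)]


def rule_defender_exclusion(ev, by_pid) -> bool:
    """powershell.exe Add-MpPreference -ExclusionPath <user-writable path>."""
    if basename(ev["image"]) != "powershell.exe":
        return False
    args = argv(ev["cmdline"])
    low = [a.lower() for a in args]
    if "add-mppreference" in low and "-exclusionpath" in low:
        i = low.index("-exclusionpath")
        return i + 1 < len(args) and bool(USER_WRITABLE.search(args[i + 1]))
    return False


def rule_schtasks_xml_from_temp(ev, by_pid) -> bool:
    """schtasks /Create ... /XML <file under Temp>."""
    if basename(ev["image"]) != "schtasks.exe":
        return False
    args = argv(ev["cmdline"])
    low = [a.lower() for a in args]
    if "/create" in low and "/xml" in low:
        i = low.index("/xml")
        return i + 1 < len(args) and bool(re.search(r"\\Temp\\", args[i + 1], re.I))
    return False


def rule_self_spawn_from_user_path(ev, by_pid) -> bool:
    """Parent and child share the same image under a user-writable path (hollowing candidate)."""
    parent = by_pid.get(ev["ppid"])
    return bool(parent and parent["image"].lower() == ev["image"].lower()
                and USER_WRITABLE.search(ev["image"]))


def rule_explorer_spawns_bare_netsh(ev, by_pid) -> bool:
    """Explorer.EXE launches netsh.exe with no arguments (only netsh.exe appears on this page)."""
    parent = by_pid.get(ev["ppid"])
    if not parent or basename(parent["image"]) != "explorer.exe":
        return False
    return basename(ev["image"]) in {"netsh.exe"} and len(argv(ev["cmdline"])) == 1


def rule_cmd_deletes_seen_image(ev, by_pid) -> bool:
    """cmd /c del <path> where <path> is the image of a process already in the tree."""
    if basename(ev["image"]) != "cmd.exe":
        return False
    args = argv(ev["cmdline"])
    low = [a.lower() for a in args]
    if "/c" in low and "del" in low:
        images = {e["image"].lower() for e in by_pid.values()}
        return any(a.lower() in images for a in args[low.index("del") + 1:])
    return False


RULES = {
    "defender_exclusion_user_path": rule_defender_exclusion,
    "schtasks_create_from_temp_xml": rule_schtasks_xml_from_temp,
    "self_spawn_from_user_path": rule_self_spawn_from_user_path,
    "explorer_spawns_bare_netsh": rule_explorer_spawns_bare_netsh,
    "cmd_deletes_seen_image": rule_cmd_deletes_seen_image,
}


def detect(events: List[Dict[str, object]]) -> List[Tuple[int, str]]:
    """Return (pid, rule name) for every rule that fires on every event."""
    by_pid = {e["pid"]: e for e in events}
    return [(ev["pid"], name) for ev in events for name, rule in RULES.items() if rule(ev, by_pid)]


if __name__ == "__main__":
    for pid, name in detect(EVENTS):
        print(pid, name)
```

Each rule fires on exactly one process of the report's tree; in production the same rules run over the sensor's live event stream, and the self-spawn and self-delete rules are the ones least likely to collide with administrative activity.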
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
-
C:\Users\Admin\AppData\Local\Temp\tmp6AA8.tmp (the scheduled-task XML passed to schtasks /XML above)
  MD5: 351bd97f7f56332469eba2deec77c90d
  SHA1: 6f7e870cee2ab689fa6deec145826a6db2bf01a5
  SHA256: d6e4306136824997cf6951d3bd4e0c5e8d0035325eedeaf797c83dfcae63d772
  SHA512: 0eaab0294beac6e0c5e924fbed98b265f53cb610257b2896a508e05bad9e447efeb1948df4440fe694b732395f84c95107674089ef754b81c93af3bc7aaf61dc
-
Memory dumps (memory/<pid>-<index>-<start>-<end>-memory.dmp, size):
- memory/372-377-0x0000000003390000-0x0000000003522000-memory.dmp  1.6MB
- memory/372-149-0x0000000003530000-0x0000000003850000-memory.dmp  3.1MB
- memory/372-147-0x0000000000EB0000-0x0000000000ECE000-memory.dmp  120KB
- memory/372-148-0x0000000000B80000-0x0000000000BAF000-memory.dmp  188KB
- memory/772-156-0x0000000009640000-0x0000000009673000-memory.dmp  204KB
- memory/772-141-0x0000000007E20000-0x0000000008170000-memory.dmp  3.3MB
- memory/772-363-0x00000000098D0000-0x00000000098D8000-memory.dmp  32KB
- memory/772-358-0x00000000098E0000-0x00000000098FA000-memory.dmp  104KB
- memory/772-129-0x0000000004A70000-0x0000000004AA6000-memory.dmp  216KB
- memory/772-201-0x0000000004BA3000-0x0000000004BA4000-memory.dmp  4KB
- memory/772-131-0x0000000007530000-0x0000000007B58000-memory.dmp  6.2MB
- memory/772-133-0x0000000004BA2000-0x0000000004BA3000-memory.dmp  4KB
- memory/772-132-0x0000000004BA0000-0x0000000004BA1000-memory.dmp  4KB
- memory/772-135-0x00000000073B0000-0x00000000073D2000-memory.dmp  136KB
- memory/772-136-0x0000000007CB0000-0x0000000007D16000-memory.dmp  408KB
- memory/772-137-0x0000000007BD0000-0x0000000007C36000-memory.dmp  408KB
- memory/772-164-0x0000000009960000-0x00000000099F4000-memory.dmp  592KB
- memory/772-163-0x000000007EAA0000-0x000000007EAA1000-memory.dmp  4KB
- memory/772-162-0x0000000009770000-0x0000000009815000-memory.dmp  660KB
- memory/772-157-0x0000000009600000-0x000000000961E000-memory.dmp  120KB
- memory/772-142-0x0000000007C80000-0x0000000007C9C000-memory.dmp  112KB
- memory/772-143-0x00000000082B0000-0x00000000082FB000-memory.dmp  300KB
- memory/772-144-0x00000000085B0000-0x0000000008626000-memory.dmp  472KB
- memory/912-123-0x00000000071B0000-0x00000000071BC000-memory.dmp  48KB
- memory/912-121-0x0000000004AF0000-0x0000000004FEE000-memory.dmp  5.0MB
- memory/912-120-0x0000000004B90000-0x0000000004C22000-memory.dmp  584KB
- memory/912-118-0x0000000000200000-0x00000000002CA000-memory.dmp  808KB
- memory/912-124-0x00000000074E0000-0x000000000757C000-memory.dmp  624KB
- memory/912-122-0x0000000004B20000-0x0000000004B2A000-memory.dmp  40KB
- memory/912-125-0x00000000077A0000-0x000000000780A000-memory.dmp  424KB
- memory/912-119-0x0000000004FF0000-0x00000000054EE000-memory.dmp  5.0MB
- memory/3056-140-0x0000000005C10000-0x0000000005D3D000-memory.dmp  1.2MB
- memory/3056-378-0x0000000005D40000-0x0000000005EB9000-memory.dmp  1.5MB
- memory/3828-139-0x0000000000BE0000-0x0000000000BF4000-memory.dmp  80KB
- memory/3828-138-0x0000000001040000-0x0000000001360000-memory.dmp  3.1MB
- memory/3828-130-0x0000000000400000-0x000000000042F000-memory.dmp  188KB
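A cross-process check on the dump list above, added here as an example (not part of the report): parse each dump name in the report's own memory/<pid>-<index>-<start>-<end>-memory.dmp scheme, compute the region size from the address range, and list every size that occurs in more than one process. A payload migrating between processes shows up as identically sized regions, which is how the two YARA-tagged dumps pair up. The input is a subset of the names copied from this page; the function and field names are this example's own.

```python
"""Find same-sized memory regions across processes in a sandbox dump list (added example)."""
import re
from collections import defaultdict
from typing import Dict, List

# Report naming scheme: memory/<pid>-<index>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(r"memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)-0x([0-9A-Fa-f]+)-memory\.dmp")

# Subset of the dump names copied from this page (constructed input for the example).
DUMPS = [
    "memory/3828-130-0x0000000000400000-0x000000000042F000-memory.dmp",
    "memory/3828-138-0x0000000001040000-0x0000000001360000-memory.dmp",
    "memory/372-148-0x0000000000B80000-0x0000000000BAF000-memory.dmp",
    "memory/372-149-0x0000000003530000-0x0000000003850000-memory.dmp",
    "memory/372-147-0x0000000000EB0000-0x0000000000ECE000-memory.dmp",
    "memory/912-118-0x0000000000200000-0x00000000002CA000-memory.dmp",
    "memory/3056-140-0x0000000005C10000-0x0000000005D3D000-memory.dmp",
]


def parse_dump(name: str) -> Dict[str, int]:
    """Return pid, index, start, end and size (bytes) for one dump name."""
    m = DUMP_RE.fullmatch(name)
    if not m:
        raise ValueError(f"not a dump name: {name}")
    pid, idx, start, end = int(m[1]), int(m[2]), int(m[3], 16), int(m[4], 16)
    return {"pid": pid, "idx": idx, "start": start, "end": end, "size": end - start}


def fmt_size(size: int) -> str:
    """Same rounding the report uses: whole KB below 1MB, one decimal above."""
    return f"{size / 1048576:.1f}MB" if size >= 1048576 else f"{size // 1024}KB"


def shared_region_sizes(names: List[str]) -> Dict[int, List[int]]:
    """Map region size -> sorted pids, for sizes present in at least two processes."""
    by_size = defaultdict(list)
    for d in map(parse_dump, names):
        by_size[d["size"]].append(d["pid"])
    return {size: sorted(set(pids)) for size, pids in by_size.items() if len(set(pids)) > 1}


if __name__ == "__main__":
    for size, pids in shared_region_sizes(DUMPS).items():
        print(f"0x{size:X} ({fmt_size(size)}) present in pids {pids}")
```

On this page's data the 188KB region (the formbook YARA hits at 3828-130 and 372-148) and the 3.1MB region (3828-138 and 372-149) both appear in PIDs 3828 and 372 and nowhere else, matching the SetThreadContext chain from the hollowed LVvoucher.exe instance to netsh.exe.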