Overview

overview

10

Static

static

LVvoucher.exe

windows7_x64

10

LVvoucher.exe

windows10_x64

10

Analysis

  • max time kernel
    180s
  • max time network
    179s
  • platform
    windows10_x64
  • resource
    win10-en-20211208
  • submitted
    28-01-2022 08:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    LVvoucher.exe

  • Size

    779KB

  • MD5

    4f2cf362036af705349843df3419ae5d

  • SHA1

    49dfd4b26e8c9f2cc76df24c55e6616f438bf422

  • SHA256

    77604e2646be4fb59a16e33ca5e78a73ec5045b8f1cce6f5ba16c11304b1c2ee

  • SHA512

    8b5682f5955cdb1e1218735d100234f571f27a2b793cedd68572e8e62a1cef0cf716327b44fbaa3f29bc792a5e842bbfc8320ed175580333dc57eff8cf7fb586

Score
10/10
formbookoh75ratspywarestealersuricatatrojan

Malware Config

Extracted

Family

formbook

Version

4.1

Campaign

oh75

Decoy

denizgidam.com

6cc06.com

charlottewaldburgzeil.com

medijanus.com

qingdaoyiersan.com

datcabilgisayar.xyz

111439d.com

xn--1ruo40k.com

wu6enxwcx5h3.xyz

vnscloud.net

brtka.xyz

showztime.com

promocoesdedezenbro.com

wokpy.com

chnowuk.online

rockshotscafe.com

pelrjy.com

nato-riness.com

feixiang-chem.com

thcoinexchange.com

Signatures

  • Formbook

    Formbook is a data stealing malware which is capable of stealing data.

    trojanspywarestealerformbook
  • suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata: ET MALWARE FormBook CnC Checkin (GET)

    suricata
  • Formbook Payload 2 IoCs
    rat
  • Suspicious use of SetThreadContext 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3028
    • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
      "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UcgxBJ.exe"
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:3312
      • C:\Windows\SysWOW64\schtasks.exe
        "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcgxBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE25.tmp"
        3⤵
        • Creates scheduled task(s)
        PID:3892
      • C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
        "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
        3⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
    • C:\Windows\SysWOW64\cmmon32.exe
      "C:\Windows\SysWOW64\cmmon32.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:1300
      • C:\Windows\SysWOW64\cmd.exe
        /c del "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
        3⤵
          PID:1516

    Network

    MITRE ATT&CK Matrix ATT&CK v6

    Initial Access

    Execution

    Scheduled Task

    1
    T1053

    Persistence

    Scheduled Task

    1
    T1053

    Privilege Escalation

    Scheduled Task

    1
    T1053

    Defense Evasion

    Credential Access

    Discovery

    System Information Discovery

    1
    T1082

    Lateral Movement

    Collection

    Exfiltration

    Command and Control

    Impact

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\tmpEE25.tmp
      MD5

      b5b1b22ec218c98228bc6927cf369774

      SHA1

      9f21c385222fa326524b42eb42244ea4c00acee4

      SHA256

      ffcb5c441addf94c820f22d06f98c0a127ed76f13e55fb4c1a944fdd86d91442

      SHA512

      feca218c64ebcdb0e7535f00b60457a56b9d0157d2943130a7c20ab7e3dd36192d3e0721d3b99e830277f8d319bf0f34dc35d8e85fe37223af3833407b110c3a

      Download Submit
    • memory/1300-163-0x0000000004760000-0x0000000004A80000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/1300-161-0x0000000003200000-0x000000000322F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/1300-377-0x0000000004B20000-0x0000000004BB3000-memory.dmp
      Filesize

      588KB

      Download
    • memory/1300-159-0x0000000000F50000-0x0000000000F5C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2028-141-0x0000000001480000-0x00000000017A0000-memory.dmp
      Filesize

      3.1MB

      Download
    • memory/2028-130-0x0000000000400000-0x000000000042F000-memory.dmp
      Filesize

      188KB

      Download
    • memory/2028-142-0x0000000000D00000-0x0000000000E4A000-memory.dmp
      Filesize

      1.3MB

      Download
    • memory/2672-124-0x00000000077B0000-0x000000000784C000-memory.dmp
      Filesize

      624KB

      Download
    • memory/2672-121-0x00000000028A0000-0x00000000028AA000-memory.dmp
      Filesize

      40KB

      Download
    • memory/2672-123-0x0000000004F40000-0x0000000004F4C000-memory.dmp
      Filesize

      48KB

      Download
    • memory/2672-119-0x0000000005370000-0x000000000586E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/2672-118-0x00000000003F0000-0x00000000004BA000-memory.dmp
      Filesize

      808KB

      Download
    • memory/2672-125-0x0000000007940000-0x00000000079AA000-memory.dmp
      Filesize

      424KB

      Download
    • memory/2672-120-0x0000000004D10000-0x0000000004DA2000-memory.dmp
      Filesize

      584KB

      Download
    • memory/2672-122-0x0000000004E70000-0x000000000536E000-memory.dmp
      Filesize

      5.0MB

      Download
    • memory/3028-378-0x0000000004F90000-0x000000000510D000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3028-143-0x0000000004E10000-0x0000000004F8A000-memory.dmp
      Filesize

      1.5MB

      Download
    • memory/3312-139-0x0000000007F20000-0x0000000007F3C000-memory.dmp
      Filesize

      112KB

      Download
    • memory/3312-160-0x00000000099E0000-0x0000000009A85000-memory.dmp
      Filesize

      660KB

      Download
    • memory/3312-137-0x0000000008150000-0x00000000084A0000-memory.dmp
      Filesize

      3.3MB

      Download
    • memory/3312-136-0x0000000007FE0000-0x0000000008046000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3312-135-0x0000000007840000-0x00000000078A6000-memory.dmp
      Filesize

      408KB

      Download
    • memory/3312-144-0x0000000008870000-0x00000000088E6000-memory.dmp
      Filesize

      472KB

      Download
    • memory/3312-153-0x00000000098A0000-0x00000000098D3000-memory.dmp
      Filesize

      204KB

      Download
    • memory/3312-154-0x0000000009880000-0x000000000989E000-memory.dmp
      Filesize

      120KB

      Download
    • memory/3312-134-0x0000000007670000-0x0000000007692000-memory.dmp
      Filesize

      136KB

      Download
    • memory/3312-140-0x0000000008520000-0x000000000856B000-memory.dmp
      Filesize

      300KB

      Download
    • memory/3312-162-0x000000007F610000-0x000000007F611000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3312-133-0x0000000004E32000-0x0000000004E33000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3312-132-0x0000000004E30000-0x0000000004E31000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3312-164-0x0000000009BC0000-0x0000000009C54000-memory.dmp
      Filesize

      592KB

      Download
    • memory/3312-173-0x0000000004E33000-0x0000000004E34000-memory.dmp
      Filesize

      4KB

      Download
    • memory/3312-358-0x0000000008A70000-0x0000000008A8A000-memory.dmp
      Filesize

      104KB

      Download
    • memory/3312-363-0x0000000008A20000-0x0000000008A28000-memory.dmp
      Filesize

      32KB

      Download
    • memory/3312-131-0x00000000078B0000-0x0000000007ED8000-memory.dmp
      Filesize

      6.2MB

      Download
    • memory/3312-129-0x0000000004CC0000-0x0000000004CF6000-memory.dmp
      Filesize

      216KB

      Download