Analysis
- max time kernel: 180s
- max time network: 179s
- platform: windows10_x64
- resource: win10-en-20211208
- submitted: 28-01-2022 08:30
Static task: static1
Behavioral task: behavioral1
Sample: LVvoucher.exe
Resource: win7-en-20211208
General
- Target: LVvoucher.exe
- Size: 779KB
- MD5: 4f2cf362036af705349843df3419ae5d
- SHA1: 49dfd4b26e8c9f2cc76df24c55e6616f438bf422
- SHA256: 77604e2646be4fb59a16e33ca5e78a73ec5045b8f1cce6f5ba16c11304b1c2ee
- SHA512: 8b5682f5955cdb1e1218735d100234f571f27a2b793cedd68572e8e62a1cef0cf716327b44fbaa3f29bc792a5e842bbfc8320ed175580333dc57eff8cf7fb586
Malware Config
Extracted
formbook
4.1
oh75
denizgidam.com
6cc06.com
charlottewaldburgzeil.com
medijanus.com
qingdaoyiersan.com
datcabilgisayar.xyz
111439d.com
xn--1ruo40k.com
wu6enxwcx5h3.xyz
vnscloud.net
brtka.xyz
showztime.com
promocoesdedezenbro.com
wokpy.com
chnowuk.online
rockshotscafe.com
pelrjy.com
nato-riness.com
feixiang-chem.com
thcoinexchange.com
fuelrescuereponse.com
digitaltunic.com
cellefill.com
paulbau.com
camillebeckman.xyz
ilico-media.com
603sa.com
firstechfedcu.com
koreaglp.com
thebeardedbrocksblends.com
musumeya-kotora.com
tocoteacanada.com
travelwitharden.com
diversamenteclinica.com
bw613.com
qe46.com
spectrumelectrolysis.com
maloyenterprises.com
inovasyon.xyz
remijoe.com
petsgallie.com
metagiphydownload.online
tigerdieect.com
jamedomp.com
peninsularbottling.com
1383fx.com
pandeymasala.online
spoilnet.com
itweu.com
ankxbi.icu
lm-safe-keepingyuchand92.xyz
dreamdsjoceo.com
providentview.com
newchinafortpayne.com
wu6bvnrlz4ra.xyz
intrasvp.com
ghoul-ambrose.com
alltenexpress.com
oniray.com
sistemaparadrogaria.com
zeidrei514-nifty.xyz
excaliburteacher.com
jennyandsteven.com
zakcotransportationllc.com
wwwccsuresults.com
Signatures
-
suricata: ET MALWARE FormBook CnC Checkin (GET)
suricata: ET MALWARE FormBook CnC Checkin (GET)
-
Formbook Payload 2 IoCs
Processes:
resource                                                                      yara_rule
behavioral2/memory/2028-130-0x0000000000400000-0x000000000042F000-memory.dmp  formbook
behavioral2/memory/1300-161-0x0000000003200000-0x000000000322F000-memory.dmp  formbook
Suspicious use of SetThreadContext 3 IoCs
Processes:
description                          pid   process        target process
PID 2672 set thread context of 2028  2672  LVvoucher.exe  LVvoucher.exe
PID 2028 set thread context of 3028  2028  LVvoucher.exe  Explorer.EXE
PID 1300 set thread context of 3028  1300  cmmon32.exe    Explorer.EXE
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 43 IoCs
Processes:
pid   process
3312  powershell.exe
2028  LVvoucher.exe   (4 entries)
3312  powershell.exe  (2 entries)
1300  cmmon32.exe     (36 entries)
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid   process
3028  Explorer.EXE
Suspicious behavior: MapViewOfSection 5 IoCs
Processes:
pid   process
2028  LVvoucher.exe  (3 entries)
1300  cmmon32.exe    (2 entries)
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description                       pid   process
Token: SeDebugPrivilege           3312  powershell.exe
Token: SeDebugPrivilege           2028  LVvoucher.exe
Token: SeDebugPrivilege           1300  cmmon32.exe
Token: SeShutdownPrivilege        3028  Explorer.EXE
Token: SeCreatePagefilePrivilege  3028  Explorer.EXE
Suspicious use of WriteProcessMemory 18 IoCs
Processes:
description                      pid   process        target process
PID 2672 wrote to memory of 3312  2672  LVvoucher.exe  powershell.exe  (3 entries)
PID 2672 wrote to memory of 3892  2672  LVvoucher.exe  schtasks.exe    (3 entries)
PID 2672 wrote to memory of 2028  2672  LVvoucher.exe  LVvoucher.exe   (6 entries)
PID 3028 wrote to memory of 1300  3028  Explorer.EXE   cmmon32.exe     (3 entries)
PID 1300 wrote to memory of 1516  1300  cmmon32.exe    cmd.exe         (3 entries)
Processes
C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\UcgxBJ.exe"
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe
      Command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\UcgxBJ" /XML "C:\Users\Admin\AppData\Local\Temp\tmpEE25.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\cmmon32.exe
    Command line: "C:\Windows\SysWOW64\cmmon32.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe
      Command line: /c del "C:\Users\Admin\AppData\Local\Temp\LVvoucher.exe"
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
C:\Users\Admin\AppData\Local\Temp\tmpEE25.tmp
  MD5: b5b1b22ec218c98228bc6927cf369774
  SHA1: 9f21c385222fa326524b42eb42244ea4c00acee4
  SHA256: ffcb5c441addf94c820f22d06f98c0a127ed76f13e55fb4c1a944fdd86d91442
  SHA512: feca218c64ebcdb0e7535f00b60457a56b9d0157d2943130a7c20ab7e3dd36192d3e0721d3b99e830277f8d319bf0f34dc35d8e85fe37223af3833407b110c3a
memory/1300-163-0x0000000004760000-0x0000000004A80000-memory.dmp  Filesize: 3.1MB
memory/1300-161-0x0000000003200000-0x000000000322F000-memory.dmp  Filesize: 188KB
memory/1300-377-0x0000000004B20000-0x0000000004BB3000-memory.dmp  Filesize: 588KB
memory/1300-159-0x0000000000F50000-0x0000000000F5C000-memory.dmp  Filesize: 48KB
memory/2028-141-0x0000000001480000-0x00000000017A0000-memory.dmp  Filesize: 3.1MB
memory/2028-130-0x0000000000400000-0x000000000042F000-memory.dmp  Filesize: 188KB
memory/2028-142-0x0000000000D00000-0x0000000000E4A000-memory.dmp  Filesize: 1.3MB
memory/2672-124-0x00000000077B0000-0x000000000784C000-memory.dmp  Filesize: 624KB
memory/2672-121-0x00000000028A0000-0x00000000028AA000-memory.dmp  Filesize: 40KB
memory/2672-123-0x0000000004F40000-0x0000000004F4C000-memory.dmp  Filesize: 48KB
memory/2672-119-0x0000000005370000-0x000000000586E000-memory.dmp  Filesize: 5.0MB
memory/2672-118-0x00000000003F0000-0x00000000004BA000-memory.dmp  Filesize: 808KB
memory/2672-125-0x0000000007940000-0x00000000079AA000-memory.dmp  Filesize: 424KB
memory/2672-120-0x0000000004D10000-0x0000000004DA2000-memory.dmp  Filesize: 584KB
memory/2672-122-0x0000000004E70000-0x000000000536E000-memory.dmp  Filesize: 5.0MB
memory/3028-378-0x0000000004F90000-0x000000000510D000-memory.dmp  Filesize: 1.5MB
memory/3028-143-0x0000000004E10000-0x0000000004F8A000-memory.dmp  Filesize: 1.5MB
memory/3312-139-0x0000000007F20000-0x0000000007F3C000-memory.dmp  Filesize: 112KB
memory/3312-160-0x00000000099E0000-0x0000000009A85000-memory.dmp  Filesize: 660KB
memory/3312-137-0x0000000008150000-0x00000000084A0000-memory.dmp  Filesize: 3.3MB
memory/3312-136-0x0000000007FE0000-0x0000000008046000-memory.dmp  Filesize: 408KB
memory/3312-135-0x0000000007840000-0x00000000078A6000-memory.dmp  Filesize: 408KB
memory/3312-144-0x0000000008870000-0x00000000088E6000-memory.dmp  Filesize: 472KB
memory/3312-153-0x00000000098A0000-0x00000000098D3000-memory.dmp  Filesize: 204KB
memory/3312-154-0x0000000009880000-0x000000000989E000-memory.dmp  Filesize: 120KB
memory/3312-134-0x0000000007670000-0x0000000007692000-memory.dmp  Filesize: 136KB
memory/3312-140-0x0000000008520000-0x000000000856B000-memory.dmp  Filesize: 300KB
memory/3312-162-0x000000007F610000-0x000000007F611000-memory.dmp  Filesize: 4KB
memory/3312-133-0x0000000004E32000-0x0000000004E33000-memory.dmp  Filesize: 4KB
memory/3312-132-0x0000000004E30000-0x0000000004E31000-memory.dmp  Filesize: 4KB
memory/3312-164-0x0000000009BC0000-0x0000000009C54000-memory.dmp  Filesize: 592KB
memory/3312-173-0x0000000004E33000-0x0000000004E34000-memory.dmp  Filesize: 4KB
memory/3312-358-0x0000000008A70000-0x0000000008A8A000-memory.dmp  Filesize: 104KB
memory/3312-363-0x0000000008A20000-0x0000000008A28000-memory.dmp  Filesize: 32KB
memory/3312-131-0x00000000078B0000-0x0000000007ED8000-memory.dmp  Filesize: 6.2MB
memory/3312-129-0x0000000004CC0000-0x0000000004CF6000-memory.dmp  Filesize: 216KB