Analysis
max time kernel: 148s
max time network: 122s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 08-05-2024 07:35
Static task: static1
Behavioral task: behavioral1
Sample: LS24SDE.exe
Resource: win7-20240221-en
General
Target: LS24SDE.exe
Size: 634KB
MD5: 70625bcdbd35c6873bfef64197312647
SHA1: 64864eed1451eae8d076458fb6bc005137d1e7c4
SHA256: 0445cc730c308b40378c9133d394004d55dfdcb03db7d26485736471af6ba41e
SHA512: f2f709d3586c95daa1cf50715974fb0f55252142edcba96ee069b2e9ad10feb7ee83d56a68a0e7c0cc4792aacd944b4fe10de5b8459b23d80ce4f6ea2172725f
SSDEEP: 12288:biETpbMlZRJIC/6GEmg3NQOqRK5sK3LIsbqZBma+LTpkh8WINLKtlcPK5S4T:HbmJIC/3DRTK3wmpmtQK5p
Malware Config
Extracted
Family: formbook
Version: 4.1
Campaign: jn17
C2 / decoy domains (a Formbook config carries one live C2 among a list of decoys, so no single entry below should be treated as confirmed infrastructure on its own):
hynasty.com
africacementreview.com
5280micropantry.com
qcyu2.us
jl777-web.com
hcwsports.com
update-number-au.com
ymymvip.top
postds.buzz
dogwifnobrim.com
usapubpong.com
shopscoopido.com
medical-equipment.company
onyagu.com
tldrparent.com
jvpeople.com
seangalbraithphotography.com
ptt-gov.art
mutcosmeticsec.com
metameme.online
mwintallation.com
luxury-collectables.com
4uprofreefavorite.lat
asopiti.com
egmrm.club
optimaenergy.cloud
zb1zq9.vip
landavacations.com
lilwef.site
smart-beds-15979.bond
vedicloud.com
floodedbasementcleanupnovimi.us
barakehlocal.com
music-europe.com
johnasian.com
jinhengbinguan.com
lkiu.xyz
cma-graphic.com
beatamin.club
ybqo.cc
salahtimeonline.com
lsdlj.com
hhhky.top
synfuturedefi.app
268120.com
mecpu.com
6bi0d.us
sjmsd.loan
green-vending-co.com
jgrlum.shop
gamedaemons.site
odysseyeurope.com
obet2359.com
manegociation.com
divainparfaumsnl.shop
colissimo-portail.com
mthfrgeneawareness.xyz
santeportailameli.info
davidonej.com
nyarapiyo.com
xn--lrxq61dxlf.top
in2glass.com
groda.art
mememeclothingshop.com
erocom.link
Signatures

Formbook payload (3 IoCs)
YARA rule "formbook" matched on these memory regions:
- behavioral1/memory/2796-19-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/2796-22-0x0000000000400000-0x000000000042F000-memory.dmp
- behavioral1/memory/2440-25-0x0000000000080000-0x00000000000AF000-memory.dmp
Each matched region is 0x2F000 bytes: the unpacked payload mapped at the image base 0x400000 in the hollowed LS24SDE.exe (PID 2796) and at 0x80000 in NETSTAT.EXE (PID 2440).

Command and Scripting Interpreter: PowerShell (1 TTP, 1 IoC)
Runs PowerShell to modify Windows Defender settings, adding exclusions for file extensions, paths, or processes. In this run the exclusion is the path C:\Users\Admin\AppData\Roaming\mIsRPVu.exe (PID 1636 in the process tree).

Deletes itself (1 IoC)
- PID 2544 cmd.exe

Suspicious use of SetThreadContext (4 IoCs)
- PID 360 LS24SDE.exe set thread context of PID 2796 LS24SDE.exe
- PID 2796 LS24SDE.exe set thread context of PID 1204 Explorer.EXE
- PID 2796 LS24SDE.exe set thread context of PID 1204 Explorer.EXE
- PID 2440 NETSTAT.EXE set thread context of PID 1204 Explorer.EXE
Read together with the WriteProcessMemory entries below, this is the injection chain: the packer hollows a second copy of itself (360 -> 2796), the unpacked payload injects into Explorer (2796 -> 1204), and the Explorer-launched NETSTAT.EXE (2440) manipulates an Explorer thread context in turn.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Creates scheduled task(s) (1 TTP, 1 IoC)
Schtasks is often used by malware for persistence or to perform post-infection execution.

Gathers network information (2 TTPs, 1 IoC)
Uses a command-line utility to view network configuration.
- PID 2440 NETSTAT.EXE
Caveat: this signature fires on the image name. NETSTAT.EXE was launched by the injected Explorer with no arguments and carries the Formbook payload (see the YARA hit on its memory above), so it is a host process for the malware rather than a genuine netstat run.

Suspicious behavior: EnumeratesProcesses (32 IoCs)
- PID 360 LS24SDE.exe (2 entries)
- PID 2796 LS24SDE.exe (3 entries)
- PID 1636 powershell.exe (1 entry)
- PID 2440 NETSTAT.EXE (remaining 26 entries)

Suspicious behavior: MapViewOfSection (6 IoCs)
- PID 2796 LS24SDE.exe (4 entries)
- PID 2440 NETSTAT.EXE (2 entries)

Suspicious use of AdjustPrivilegeToken (4 IoCs)
- PID 360 LS24SDE.exe: Token: SeDebugPrivilege
- PID 2796 LS24SDE.exe: Token: SeDebugPrivilege
- PID 1636 powershell.exe: Token: SeDebugPrivilege
- PID 2440 NETSTAT.EXE: Token: SeDebugPrivilege

Suspicious use of WriteProcessMemory (27 IoCs)
- PID 360 LS24SDE.exe wrote to memory of PID 1636 powershell.exe (4 entries)
- PID 360 LS24SDE.exe wrote to memory of PID 2552 schtasks.exe (4 entries)
- PID 360 LS24SDE.exe wrote to memory of PID 2580 LS24SDE.exe (4 entries)
- PID 360 LS24SDE.exe wrote to memory of PID 2796 LS24SDE.exe (7 entries)
- PID 1204 Explorer.EXE wrote to memory of PID 2440 NETSTAT.EXE (4 entries)
- PID 2440 NETSTAT.EXE wrote to memory of PID 2544 cmd.exe (4 entries)
Four entries per child is what an ordinary process launch by the parent looks like in this report (powershell.exe, schtasks.exe, cmd.exe all show four); the extra writes into PID 2796 are consistent with the payload being written into the hollowed copy.
Processes
C:\Windows\Explorer.EXE (PID 1204)
  command line: C:\Windows\Explorer.EXE
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe (PID 360)
    command line: "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe (PID 1636)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mIsRPVu.exe"
      - Command and Scripting Interpreter: PowerShell
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\SysWOW64\schtasks.exe (PID 2552)
      command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mIsRPVu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp46C0.tmp"
      - Creates scheduled task(s)
    C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe (PID 2580)
      command line: "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"
      (no signatures recorded)
    C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe (PID 2796)
      command line: "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\SysWOW64\NETSTAT.EXE (PID 2440)
    command line: "C:\Windows\SysWOW64\NETSTAT.EXE"
    - Suspicious use of SetThreadContext
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2544)
      command line: /c del "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"
      - Deletes itself

Notes on the tree:
- The command lines for PIDs 1636 and 2552 name System32, but the images that ran are under SysWOW64. The 32-bit LS24SDE.exe is subject to WOW64 file-system redirection, so the 32-bit powershell.exe and schtasks.exe were executed; detection logic keyed on the literal path in the command line would miss this.
- The Defender exclusion and the scheduled task both reference mIsRPVu (exclusion path C:\Users\Admin\AppData\Roaming\mIsRPVu.exe, task name Updates\mIsRPVu), so that path is where the persisted copy is expected to live. Because the task is imported with /XML from tmp46C0.tmp, its trigger and action are only in that temporary file, which this report does not show.
- NETSTAT.EXE is a child of Explorer.EXE, not of LS24SDE.exe: it was launched by the code injected into Explorer, received the payload, and then removed the original dropper through cmd.exe.
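The behaviours visible in this tree (a Defender exclusion added with Add-MpPreference, a scheduled task imported from an XML in %TEMP%, the packer relaunching its own image from a user directory, System32 command lines resolving to SysWOW64 images, and a Windows utility spawned by Explorer that deletes the dropper) can each be written as a host-log detection rule. The Python below is an added example written for this page, not sandbox output or code from the Formbook authors. The events are constructed from the process tree above with Sysmon-style pid/ppid/image/command-line fields (an assumed log shape), and the rule names are this example's own.

```python
"""Detection rules for the execution chain in this report, run over constructed
process-creation events (Sysmon Event ID 1 style pid/ppid/image/cmdline fields)."""
import re
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # resolved image path of the new process
    cmdline: str  # command line exactly as logged


# Constructed from the report's process tree; not sandbox output.
EVENTS = [
    ProcEvent(1204, 0, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    ProcEvent(360, 1204, r"C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"'),
    ProcEvent(1636, 360, r"C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe",
              r'"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" '
              r'Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mIsRPVu.exe"'),
    ProcEvent(2552, 360, r"C:\Windows\SysWOW64\schtasks.exe",
              r'"C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mIsRPVu" '
              r'/XML "C:\Users\Admin\AppData\Local\Temp\tmp46C0.tmp"'),
    ProcEvent(2580, 360, r"C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"'),
    ProcEvent(2796, 360, r"C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe",
              r'"C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"'),
    ProcEvent(2440, 1204, r"C:\Windows\SysWOW64\NETSTAT.EXE", r'"C:\Windows\SysWOW64\NETSTAT.EXE"'),
    ProcEvent(2544, 2440, r"C:\Windows\SysWOW64\cmd.exe",
              r'/c del "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"'),
]


def _name(path: str) -> str:
    """Lower-cased file name of an image path."""
    return path.rsplit("\\", 1)[-1].lower()


def defender_exclusion(ev: ProcEvent) -> bool:
    """PowerShell adding a Defender exclusion (Add-MpPreference -Exclusion*)."""
    return _name(ev.image) in ("powershell.exe", "pwsh.exe") and re.search(
        r"add-mppreference\s.*-exclusion(path|process|extension)", ev.cmdline, re.I) is not None


def task_from_temp_xml(ev: ProcEvent) -> bool:
    """schtasks /Create importing its definition from a file under %TEMP%."""
    return (_name(ev.image) == "schtasks.exe"
            and re.search(r"/create\b", ev.cmdline, re.I) is not None
            and re.search(r'/xml\s+"?[^"]*\\appdata\\local\\temp\\', ev.cmdline, re.I) is not None)


def self_spawn_from_user_dir(ev: ProcEvent, parent: Optional[ProcEvent]) -> bool:
    """A process relaunching its own image from a user-writable directory: the
    packer starting the copy it will hollow (PIDs 2580 and 2796 here)."""
    return (parent is not None and ev.image.lower() == parent.image.lower()
            and "\\users\\" in ev.image.lower())


def wow64_redirected(ev: ProcEvent) -> bool:
    """Command line names System32 but the image resolved to SysWOW64, which
    means the launcher is a 32-bit process under WOW64 file-system redirection."""
    return "\\syswow64\\" in ev.image.lower() and re.search(r"\\system32\\", ev.cmdline, re.I) is not None


def lolbin_self_delete(ev: ProcEvent, parent: Optional[ProcEvent],
                       grandparent: Optional[ProcEvent]) -> bool:
    """cmd.exe deleting a file under \\Users\\, spawned by a Windows utility that
    Explorer launched with no arguments: the proxy-process cleanup seen above."""
    if _name(ev.image) != "cmd.exe" or not re.search(r"\bdel\b.*\\users\\", ev.cmdline, re.I):
        return False
    if parent is None or grandparent is None:
        return False
    parent_in_windows = parent.image.lower().startswith("c:\\windows\\")
    parent_no_args = parent.cmdline.strip().strip('"').lower() == parent.image.lower()
    return parent_in_windows and parent_no_args and _name(grandparent.image) == "explorer.exe"


def scan(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Apply every rule to every event; return {pid: [rule names that fired]}."""
    by_pid = {e.pid: e for e in events}
    hits: Dict[int, List[str]] = defaultdict(list)
    for ev in events:
        parent = by_pid.get(ev.ppid)
        grandparent = by_pid.get(parent.ppid) if parent else None
        checks = {
            "defender_exclusion": defender_exclusion(ev),
            "task_from_temp_xml": task_from_temp_xml(ev),
            "self_spawn_from_user_dir": self_spawn_from_user_dir(ev, parent),
            "wow64_redirected": wow64_redirected(ev),
            "lolbin_self_delete": lolbin_self_delete(ev, parent, grandparent),
        }
        for rule, fired in checks.items():
            if fired:
                hits[ev.pid].append(rule)
    return dict(hits)


if __name__ == "__main__":
    for pid, rules in sorted(scan(EVENTS).items()):
        print(pid, ", ".join(rules))
```

The parent/grandparent lookups are what make the cmd.exe rule usable: a bare "cmd /c del" is noisy on its own, but one whose parent is an argument-less Windows utility launched by Explorer is the specific shape this report shows. The WOW64 rule is informational rather than malicious by itself; it is included because path-based rules that only look at the command line would otherwise classify PIDs 1636 and 2552 as 64-bit System32 launches.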
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1KB
MD5: d776dea239552a86c07ad817ec58ff1c
SHA1: cf6df5153866408bd0fa1cd5a0713ccfe275eece
SHA256: e3e2b3dbe46478a2cb9f444eec26c877b8b0db9819765222c7618f5397820926
SHA512: cde1002007b77ef809b361cd6e67c3f055eaec08c8145f734d5311896aaf3bf6c37757c1f8b35851624c6cc664fc51d3a6a7cb59d9d3b122ffd64fa586aa7f7b