Analysis
max time kernel: 149s
max time network: 141s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 08-05-2024 07:35
Static task: static1
Behavioral task: behavioral1
Sample: LS24SDE.exe
Resource: win7-20240221-en
General
Target: LS24SDE.exe
Size: 634KB
MD5: 70625bcdbd35c6873bfef64197312647
SHA1: 64864eed1451eae8d076458fb6bc005137d1e7c4
SHA256: 0445cc730c308b40378c9133d394004d55dfdcb03db7d26485736471af6ba41e
SHA512: f2f709d3586c95daa1cf50715974fb0f55252142edcba96ee069b2e9ad10feb7ee83d56a68a0e7c0cc4792aacd944b4fe10de5b8459b23d80ce4f6ea2172725f
SSDEEP: 12288:biETpbMlZRJIC/6GEmg3NQOqRK5sK3LIsbqZBma+LTpkh8WINLKtlcPK5S4T:HbmJIC/3DRTK3wmpmtQK5p
Malware Config (extracted)
formbook
4.1
jn17
hynasty.com
africacementreview.com
5280micropantry.com
qcyu2.us
jl777-web.com
hcwsports.com
update-number-au.com
ymymvip.top
postds.buzz
dogwifnobrim.com
usapubpong.com
shopscoopido.com
medical-equipment.company
onyagu.com
tldrparent.com
jvpeople.com
seangalbraithphotography.com
ptt-gov.art
mutcosmeticsec.com
metameme.online
mwintallation.com
luxury-collectables.com
4uprofreefavorite.lat
asopiti.com
egmrm.club
optimaenergy.cloud
zb1zq9.vip
landavacations.com
lilwef.site
smart-beds-15979.bond
vedicloud.com
floodedbasementcleanupnovimi.us
barakehlocal.com
music-europe.com
johnasian.com
jinhengbinguan.com
lkiu.xyz
cma-graphic.com
beatamin.club
ybqo.cc
salahtimeonline.com
lsdlj.com
hhhky.top
synfuturedefi.app
268120.com
mecpu.com
6bi0d.us
sjmsd.loan
green-vending-co.com
jgrlum.shop
gamedaemons.site
odysseyeurope.com
obet2359.com
manegociation.com
divainparfaumsnl.shop
colissimo-portail.com
mthfrgeneawareness.xyz
santeportailameli.info
davidonej.com
nyarapiyo.com
xn--lrxq61dxlf.top
in2glass.com
groda.art
mememeclothingshop.com
erocom.link
Signatures
Formbook payload (4 IoCs)
Processes:
resource | yara_rule
behavioral2/memory/1492-21-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1492-39-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/1492-74-0x0000000000400000-0x000000000042F000-memory.dmp | formbook
behavioral2/memory/2780-75-0x0000000001130000-0x000000000115F000-memory.dmp | formbook
Command and Scripting Interpreter: PowerShell (1 TTPs, 1 IoCs)
Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.
Checks computer location settings (2 TTPs, 1 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes:
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000\Control Panel\International\Geo\Nation | LS24SDE.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
description | pid | process | target process
PID 4120 set thread context of 1492 | 4120 | LS24SDE.exe | LS24SDE.exe
PID 1492 set thread context of 3520 | 1492 | LS24SDE.exe | Explorer.EXE
PID 1492 set thread context of 3520 | 1492 | LS24SDE.exe | Explorer.EXE
PID 2780 set thread context of 3520 | 2780 | wscript.exe | Explorer.EXE
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Creates scheduled task(s) (1 TTPs, 1 IoCs)
Schtasks is often used by malware for persistence or to perform post-infection execution.
Modifies registry class (2 IoCs)
Processes:
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-4018855536-2201274732-320770143-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Suspicious behavior: EnumeratesProcesses (58 IoCs)
Processes:
pid | process
2444 | powershell.exe
1492 | LS24SDE.exe
1492 | LS24SDE.exe
1492 | LS24SDE.exe
1492 | LS24SDE.exe
2444 | powershell.exe
1492 | LS24SDE.exe
1492 | LS24SDE.exe
2780 | wscript.exe (this row repeats for all remaining entries; 58 IoCs in total)
Suspicious behavior: MapViewOfSection (6 IoCs)
Processes:
pid | process
1492 | LS24SDE.exe
1492 | LS24SDE.exe
1492 | LS24SDE.exe
1492 | LS24SDE.exe
2780 | wscript.exe
2780 | wscript.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes:
description | pid | process
Token: SeDebugPrivilege | 2444 | powershell.exe
Token: SeDebugPrivilege | 1492 | LS24SDE.exe
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeDebugPrivilege | 2780 | wscript.exe
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Token: SeShutdownPrivilege | 3520 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3520 | Explorer.EXE
Suspicious use of UnmapMainImage (1 IoCs)
Processes:
pid | process
3520 | Explorer.EXE
Suspicious use of WriteProcessMemory (18 IoCs)
Processes:
description | pid | process | target process
PID 4120 wrote to memory of 2444 | 4120 | LS24SDE.exe | powershell.exe
PID 4120 wrote to memory of 2444 | 4120 | LS24SDE.exe | powershell.exe
PID 4120 wrote to memory of 2444 | 4120 | LS24SDE.exe | powershell.exe
PID 4120 wrote to memory of 2456 | 4120 | LS24SDE.exe | schtasks.exe
PID 4120 wrote to memory of 2456 | 4120 | LS24SDE.exe | schtasks.exe
PID 4120 wrote to memory of 2456 | 4120 | LS24SDE.exe | schtasks.exe
PID 4120 wrote to memory of 1492 | 4120 | LS24SDE.exe | LS24SDE.exe
PID 4120 wrote to memory of 1492 | 4120 | LS24SDE.exe | LS24SDE.exe
PID 4120 wrote to memory of 1492 | 4120 | LS24SDE.exe | LS24SDE.exe
PID 4120 wrote to memory of 1492 | 4120 | LS24SDE.exe | LS24SDE.exe
PID 4120 wrote to memory of 1492 | 4120 | LS24SDE.exe | LS24SDE.exe
PID 4120 wrote to memory of 1492 | 4120 | LS24SDE.exe | LS24SDE.exe
PID 1492 wrote to memory of 2780 | 1492 | LS24SDE.exe | wscript.exe
PID 1492 wrote to memory of 2780 | 1492 | LS24SDE.exe | wscript.exe
PID 1492 wrote to memory of 2780 | 1492 | LS24SDE.exe | wscript.exe
PID 2780 wrote to memory of 1688 | 2780 | wscript.exe | cmd.exe
PID 2780 wrote to memory of 1688 | 2780 | wscript.exe | cmd.exe
PID 2780 wrote to memory of 1688 | 2780 | wscript.exe | cmd.exe
Processes (process tree; the leading number is the depth in the tree)
1. C:\Windows\Explorer.EXE
   command line: C:\Windows\Explorer.EXE
   PID: 3520
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of UnmapMainImage
   2. C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe
      command line: "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"
      PID: 4120
      - Checks computer location settings
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
         command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" Add-MpPreference -ExclusionPath "C:\Users\Admin\AppData\Roaming\mIsRPVu.exe"
         PID: 2444
         - Command and Scripting Interpreter: PowerShell
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
      3. C:\Windows\SysWOW64\schtasks.exe
         command line: "C:\Windows\System32\schtasks.exe" /Create /TN "Updates\mIsRPVu" /XML "C:\Users\Admin\AppData\Local\Temp\tmp613A.tmp"
         PID: 2456
         - Creates scheduled task(s)
      3. C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe
         command line: "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"
         PID: 1492
         - Suspicious use of SetThreadContext
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious behavior: MapViewOfSection
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Windows\SysWOW64\wscript.exe
            command line: "C:\Windows\SysWOW64\wscript.exe"
            PID: 2780
            - Suspicious use of SetThreadContext
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious behavior: MapViewOfSection
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\cmd.exe
               command line: /c del "C:\Users\Admin\AppData\Local\Temp\LS24SDE.exe"
               PID: 1688
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82
-
Filesize: 1KB
MD5: 045fc609cbb3250b4b3ee5f66db9e6de
SHA1: 2feaf1ed19330dce7166712de26bfc2d8737ecee
SHA256: b1195c55170e4a49c01da7f9b10e3d6d16d350e41a5446141c336cd4be971b1f
SHA512: f76b52a33d8b6b0c16674659c0d6814ad036e8ad22316764a41814d57ba45bfc2e9f3c6f11f75587ebc64a3263cd129b833954c9427842454f2b2c5f589893d7