Analysis

  • max time kernel
    149s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    08-11-2024 14:02

General

  • Target

    lv.exe

  • Size

    5.4MB

  • MD5

    1b7cdcf968378f1570c403453548bdee

  • SHA1

    0b156f2887877e8044f6fd0419267fc6fd9073dd

  • SHA256

    fd8d41e704959eca30dd3561f04651a45ec4f5e6817ab9b1eeea7695164190cb

  • SHA512

    608866a339f0ba3e8159b23d3b2347071d3c475264c0e1f439a5bdf777073961db44d45ee1c26b5f74e48d943702f43e030deb751a2bca3092639558113f8327

  • SSDEEP

    98304:Sk7hFM/xP1NQVO3sD6JjfaqphAFvAoqnTtQrNtwsfyyQy8+cRZIMf2B9GzIEsmxn:5tFgZB3UESqpeFvAoqTtefyyQypGH2vc

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.

  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials, cookies, and similar data.

  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lv.exe
    "C:\Users\Admin\AppData\Local\Temp\lv.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:876
    • C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Drops startup file
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        PID:3592
    • C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3520
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lmvabqh & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:512
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4040
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\lmvabqh & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:3988
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:2468
    • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2688
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\iqwsbql.vbs"
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        PID:4720

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\lmvabqh\46173476.txt

    Filesize

    44B

    MD5

    b6618d05ffe83fce30ef03dfe38bb6db

    SHA1

    8136bd1b0f5f486bd06b98811dc269e3657cdb26

    SHA256

    1bdefa32eb50688ab99938efe2f633a64c2cb0643f1eef46cdd1b3097ccf7956

    SHA512

    c98f765552602b42ce91865c6283bc490fadef3b7ecd6a348bbc01c14e6ae18a3665b272e8364c4f92c54549afc90dd118494a0a6750f83456b32609e8fb57b9

  • C:\ProgramData\lmvabqh\8372422.txt

    Filesize

    148B

    MD5

    c672c5ffd1a94b729484cc279d2a8a93

    SHA1

    3e3ce8ad41d3ffe36d461a21ded8fead5d11e88b

    SHA256

    087e2c68049f6d81393d62c9fbca232111ec9e0411f5cc9ab1e718475581eaea

    SHA512

    969821c1ea8ae7b400e0e603326a3eb76ad22c21572a12b34e50f97f174f53456e937872c1a5980f7401d702c56c00ec0c5fa4d9cdc38b7d2c6200037f12aae3

  • C:\ProgramData\lmvabqh\Files\_INFOR~1.TXT

    Filesize

    110B

    MD5

    fb76747f427541e69374c9504f5c3e1f

    SHA1

    a7556b78069743c8c202526e784d9c2b28ee872f

    SHA256

    fd1920f1b0710ed5c951739b5c5a0323836b157fac8f2cd9b79b3a9b95d81010

    SHA512

    f0487fc2445da25f82dee5af26b193b88f11e93c5f8c00dfdf25ab9bb281b004c411f757961c34f133dd291be2682c92f189056f5c1965162242eb8f46c5deb8

  • C:\ProgramData\lmvabqh\GB_202~1.ZIP

    Filesize

    256B

    MD5

    4be053303ced89f1d0109eb47f164b28

    SHA1

    6ff68d92477022903c006a86847da0094a43c0c1

    SHA256

    d191241123070aee3e396ebdc97534bcaa0574648d64972293fe3bc90a2e03e3

    SHA512

    d90a57ecceac7eb881037c39d3cc05cbb6ba12a40368df72faa7cfe7b6ff3035b8477a04e55288eba28c2e5a40c3a03424203ffec519f452cf04bb3006963b5b

  • C:\Users\Admin\AppData\Local\Temp\E938.tmp

    Filesize

    289B

    MD5

    59386c53f2570f0e370e2ece30ccce7a

    SHA1

    b2fe2bc41bc2c07a33ebbc2e3ec6e30229215d69

    SHA256

    3b845724fd74dd2034ec56d4a2ecacc2dd49e0b388bf68f2e9546b9f8fa8065f

    SHA512

    3dd155da349193d5b1c185c52b2bd5b66edcff318d4fb051799523c490f6a95c9da85ab8dc203334b4630c978b0cb6fa70fcc54497e33ea1b9c91f4497541569

  • C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe

    Filesize

    1.8MB

    MD5

    da509e5deddf831d53657daa6085ea0a

    SHA1

    f1a38af68df429d77f81a5abbaec373e61dce0b0

    SHA256

    7df6bdb1020248fbb52f6f8c62a8276a95f5d0bec293d21e0e390841cd408e85

    SHA512

    a9af03ab6203bf87cc4165a551426d4b1fd7b40b98405bfe7c542c4f35af5f782192853de8614b9e32eac4cafba52431e080f36cdc2aaa865d110278eed2ec75

  • C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe

    Filesize

    1.9MB

    MD5

    2eb51d3e2d13e8959ddc71ff8ee3aacd

    SHA1

    a51e336a81b2f908ca64106c6a4f9ab2c506f540

    SHA256

    13ff9c54fa7e2e665141c18d927f6c59ad50d9ae7c47ff4286f9859dfca65a91

    SHA512

    c81f4ae9f0cddb46bcda6878336110852d7fd352a0e2eafa3645e80a6f177ca02984e52440a8204db49db1796277895c7985c922420245324994025e56d15e81

  • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe

    Filesize

    1.7MB

    MD5

    56ed2b9d99b2f0761afe93f24c562120

    SHA1

    027f049b8e45de59c040b8a9677b00da568abbff

    SHA256

    f8ee05196cc8a9b76ddca11ef3cb9b61d9e697743187c1a8aa37c9a022519f44

    SHA512

    0029b266ed0b44db406b14afc6c6b8714e886f90f379420e790f0d016afca3e8a1469ad9124f38799c6e658b329a38fd460f9f4924ed861e291427e118db7263

  • C:\Users\Admin\AppData\Local\Temp\iqwsbql.vbs

    Filesize

    145B

    MD5

    0d632a9e17184913b42e45fa3cd9717d

    SHA1

    305528632dfde19390056358eaae24d716ddc03b

    SHA256

    db92392cd2345040c3d0e59a9bf2cdca99793f741f5478a3bb03bde54c981aff

    SHA512

    d68aba3081d52154bafa25f365f1087046b62dfcaf247c30c33a257980577b8442d46f293fa125cb36fd4633dba6f52aedac4c7ae7d52b522e9338b490d79a1e

  • C:\Users\Admin\AppData\Local\Temp\nsaB8F1.tmp\UAC.dll

    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

  • memory/1732-23-0x00000000001E1000-0x00000000001F1000-memory.dmp

    Filesize

    64KB

  • memory/1732-34-0x00000000001E0000-0x0000000000671000-memory.dmp

    Filesize

    4.6MB

  • memory/1732-17-0x00000000001E0000-0x0000000000671000-memory.dmp

    Filesize

    4.6MB

  • memory/1732-22-0x0000000077BA4000-0x0000000077BA6000-memory.dmp

    Filesize

    8KB

  • memory/1732-24-0x00000000001E0000-0x0000000000671000-memory.dmp

    Filesize

    4.6MB

  • memory/2688-73-0x0000000000DF0000-0x0000000001262000-memory.dmp

    Filesize

    4.4MB

  • memory/2688-71-0x0000000000DF0000-0x0000000001262000-memory.dmp

    Filesize

    4.4MB

  • memory/2688-79-0x0000000000DF0000-0x0000000001262000-memory.dmp

    Filesize

    4.4MB

  • memory/2688-29-0x0000000000DF1000-0x0000000000E03000-memory.dmp

    Filesize

    72KB

  • memory/2688-20-0x0000000000DF0000-0x0000000001262000-memory.dmp

    Filesize

    4.4MB

  • memory/2688-72-0x0000000000DF0000-0x0000000001262000-memory.dmp

    Filesize

    4.4MB

  • memory/2688-30-0x0000000000DF0000-0x0000000001262000-memory.dmp

    Filesize

    4.4MB

  • memory/2688-83-0x0000000000DF0000-0x0000000001262000-memory.dmp

    Filesize

    4.4MB

  • memory/3520-39-0x00000000003B1000-0x00000000003C9000-memory.dmp

    Filesize

    96KB

  • memory/3520-70-0x00000000003B0000-0x000000000084F000-memory.dmp

    Filesize

    4.6MB

  • memory/3520-35-0x0000000004D40000-0x0000000004D41000-memory.dmp

    Filesize

    4KB

  • memory/3520-38-0x0000000004D10000-0x0000000004D11000-memory.dmp

    Filesize

    4KB

  • memory/3520-56-0x00000000003B0000-0x000000000084F000-memory.dmp

    Filesize

    4.6MB

  • memory/3520-37-0x0000000004D50000-0x0000000004D51000-memory.dmp

    Filesize

    4KB

  • memory/3520-21-0x00000000003B0000-0x000000000084F000-memory.dmp

    Filesize

    4.6MB

  • memory/3520-36-0x0000000004D30000-0x0000000004D31000-memory.dmp

    Filesize

    4KB

  • memory/3592-40-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-74-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-85-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-92-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-93-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-94-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-95-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-96-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-97-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-98-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-99-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-100-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-101-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-102-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB

  • memory/3592-103-0x00000000002C0000-0x0000000000751000-memory.dmp

    Filesize

    4.6MB