Overview

overview

10

Static

static

5

file.exe

windows7-x64

10

file.exe

windows10-2004-x64

10

lv copy.exe

windows7-x64

9

lv copy.exe

windows10-2004-x64

9

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

4_ico.exe

windows7-x64

9

4_ico.exe

windows10-2004-x64

9

6_ico.exe

windows7-x64

9

6_ico.exe

windows10-2004-x64

9

vpn_ico.exe

windows7-x64

9

vpn_ico.exe

windows10-2004-x64

9

lv.exe

windows7-x64

9

lv.exe

windows10-2004-x64

9

$PLUGINSDI...em.dll

windows7-x64

3

$PLUGINSDI...em.dll

windows10-2004-x64

3

$PLUGINSDIR/UAC.dll

windows7-x64

3

$PLUGINSDIR/UAC.dll

windows10-2004-x64

3

$PLUGINSDI...fo.dll

windows7-x64

3

$PLUGINSDI...fo.dll

windows10-2004-x64

3

$PLUGINSDI...gs.dll

windows7-x64

3

$PLUGINSDI...gs.dll

windows10-2004-x64

3

4_ico.exe

windows7-x64

9

4_ico.exe

windows10-2004-x64

9

6_ico.exe

windows7-x64

9

6_ico.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    142s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    08-11-2024 14:02

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    lv copy.exe

  • Size

    5.2MB

  • MD5

    d72e60a71c1d3b8cd8510261264f29f1

  • SHA1

    0d4cfe1fd9450f9e688f7c5f80f463b959131daa

  • SHA256

    0524df18b564697341478dd952698549a4bdf343ccc0035247d228e52d487be5

  • SHA512

    ecffe12aa5a30956232765e6420fe3a7503d5ef88d68dbec339109e4db9df1ebc45a17906c7d858064b519e9fd4eb29d092c12560c8464a576699a014881befd

  • SSDEEP

    98304:JUrGzKIv0B8uDCHRB9nX7aYNOR7vIN/p1xmfG0ROvHioVwFOBr4jpWH:JqGeIsB8uDCxTXWoOk/paGHHhV6AQA

Score
9/10
discoveryevasionspywarestealer

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 4 IoCs
    evasion
  • Blocklisted process makes network request 2 IoCs
  • Checks BIOS information in registry 2 TTPs 8 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 4 IoCs
  • Identifies Wine through registry keys 2 TTPs 4 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Loads dropped DLL 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Legitimate hosting services abused for malware hosting/C2 1 TTPs 2 IoCs
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 2 IoCs
    evasion
  • Modifies registry class 1 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 8 IoCs
  • Suspicious use of WriteProcessMemory 27 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\lv copy.exe
    "C:\Users\Admin\AppData\Local\Temp\lv copy.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:212
    • C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Drops startup file
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:3452
      • C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe
        "C:\Users\Admin\AppData\Roaming\Smart Clock\SmartClock.exe"
        3⤵
        • Identifies VirtualBox via ACPI registry values (likely anti-VM)
        • Checks BIOS information in registry
        • Executes dropped EXE
        • Identifies Wine through registry keys
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: AddClipboardFormatListener
        • Suspicious behavior: EnumeratesProcesses
        PID:1336
    • C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2412
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\gxwrhlmtefb & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2756
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:960
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\gxwrhlmtefb & timeout 2 & del /f /q "C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2680
        • C:\Windows\SysWOW64\timeout.exe
          timeout 2
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4500
    • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
      "C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Checks computer location settings
      • Executes dropped EXE
      • Identifies Wine through registry keys
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • System Location Discovery: System Language Discovery
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:1520
      • C:\Windows\SysWOW64\WScript.exe
        "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\giujkcjckfky.vbs"
        3⤵
        • Blocklisted process makes network request
        • System Location Discovery: System Language Discovery
        PID:3872

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\gxwrhlmtefb\46173476.txt
    Filesize

    44B

    MD5

    620a02dcf62d02df67945511af870571

    SHA1

    cbd25dbfcaf2a91d8863f4fc65af0fd60ddfbb13

    SHA256

    b2cd6cc5e5cdf9fb04a5919ef8acef5a4bc77105984df8e12f9993e3e8cac5ed

    SHA512

    755722519465a01921013f1d9aeeacb334ae3526d0ac8452629052592773d39ea6df3f3eb0db849e4257ab694b8cfe5df0857355ae76c4e12cd326b218acf376

    Download Submit

  • C:\ProgramData\gxwrhlmtefb\8372422.txt
    Filesize

    148B

    MD5

    c672c5ffd1a94b729484cc279d2a8a93

    SHA1

    3e3ce8ad41d3ffe36d461a21ded8fead5d11e88b

    SHA256

    087e2c68049f6d81393d62c9fbca232111ec9e0411f5cc9ab1e718475581eaea

    SHA512

    969821c1ea8ae7b400e0e603326a3eb76ad22c21572a12b34e50f97f174f53456e937872c1a5980f7401d702c56c00ec0c5fa4d9cdc38b7d2c6200037f12aae3

    Download Submit

  • C:\ProgramData\gxwrhlmtefb\Files\_INFOR~1.TXT
    Filesize

    110B

    MD5

    7792d461e3051a6b3cc9244a668f8563

    SHA1

    36432443327febc55cb83aa8b0707160937839cd

    SHA256

    b6de828bcda7c1955643535835033cf06023a04793a3d55ce544f60daafa0e86

    SHA512

    dcb6d4351c5c7be545fb9e415e91da76446e5e291c15809e2fc47ea98e04eeed7186b0ef8de0670977b5c6d415cbe0c34addb458ac1d6df03b94e25b98f9e915

    Download Submit

  • C:\ProgramData\gxwrhlmtefb\GB_202~1.ZIP
    Filesize

    256B

    MD5

    c5e536f9141c63e52fc42633e8be2fca

    SHA1

    f117b3c5224459cfa338cbf17fa40e1f3dd06345

    SHA256

    f50cb58aa2509df1806d55b27bc9fc1c9e1d955de0ceec137fba8179d07f49cb

    SHA512

    0f9974defe3eee0cea2a1eabebbc566d90b4f2dae53dcd31e3a6091e3dba2efdf16456a62a2772cc7cce8702cc2ae038aaea1cf96145c6000b75b376e1b74d13

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\New Feature\4_ico.exe
    Filesize

    1.7MB

    MD5

    4b0a39a47c09c113c7cc19f22cbd390d

    SHA1

    727e84f5048e40b5d9120bf55079ffdda1a053ba

    SHA256

    3fcb3fc79d77343d4ef6e4cec384f4b4ecf7dc033d47c7bd5b5f0d5d539e2f28

    SHA512

    82e810d0ecd9a20fa391ca09cf41c1f213cc154eb1e4db9f9f0929cef21a808b46551e14f5ae18e26d4ae463288747d3faab851bd9d984428a516441c30d6dc7

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\New Feature\6_ico.exe
    Filesize

    1.8MB

    MD5

    ea76b0ed25810be48b08272f9655b05b

    SHA1

    0c3c4bd83deac0bd5fbf13b1c3e51f88a59b6f58

    SHA256

    d71d470b0aea1b94099395751178d2ef0068816a8a1c2638686e8063fd6adf59

    SHA512

    ec4a766b712bbbb36a3f10ccae09babcea7e30e7f161d31365d09e5751b3c345d554f5a293dccdcb279704c9156aed3cd3de27efbf8edfa1b2d298b83050c1b9

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\New Feature\vpn_ico.exe
    Filesize

    1.7MB

    MD5

    bdb4c5b8c4c698e57631a3fa67609c7b

    SHA1

    30152fadedf4f7dbbe9ffe59c9e45724a1bd790b

    SHA256

    f50692b2d081d70f7f61acc5a412da98a76d62a2833630c0d9ce780c65369305

    SHA512

    aac48cedfed3c22359eb0276912348879ad0d9552ff20ea03e87119f2c4bf79c232c3a6c519ff7c1ab82e8786a1ac2f1ff423fbf1a75018e8a216d6b60460d8e

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\giujkcjckfky.vbs
    Filesize

    145B

    MD5

    64def7f7b8972df32c7f7da76c5be746

    SHA1

    b01bf36791c864882d84f00ac41b4b12c8163bac

    SHA256

    81f46e3a4cfa624b18b42cfbfa2dd0f5b0e26943710cbcc3e8e1f99ee7337f73

    SHA512

    ba57503e7fdb214635e540536ba2ed6cf8d1242469f7cd6c4750eeb17291b1ba06a4413aa96df0555584c49f150e5be1f1e84dbcac284b151edb977bd59e9d64

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\nsk9F2F.tmp\UAC.dll
    Filesize

    14KB

    MD5

    adb29e6b186daa765dc750128649b63d

    SHA1

    160cbdc4cb0ac2c142d361df138c537aa7e708c9

    SHA256

    2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

    SHA512

    b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

    Download Submit

  • memory/1336-89-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-90-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-99-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-98-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-97-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-40-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-96-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-95-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-94-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-93-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-92-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-91-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-88-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-87-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-74-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1336-73-0x0000000000480000-0x00000000008FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/1520-36-0x00000000052E0000-0x00000000052E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-35-0x0000000005300000-0x0000000005301000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-72-0x0000000000970000-0x0000000000DE1000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1520-41-0x0000000000970000-0x0000000000DE1000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1520-79-0x0000000000970000-0x0000000000DE1000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1520-21-0x0000000000970000-0x0000000000DE1000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/1520-34-0x0000000005310000-0x0000000005311000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-33-0x00000000052F0000-0x00000000052F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1520-71-0x0000000000970000-0x0000000000DE1000-memory.dmp

    Filesize

    4.4MB

    Download

  • memory/2412-20-0x0000000000CA0000-0x0000000001121000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2412-56-0x0000000004D90000-0x0000000004D91000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2412-70-0x0000000000CA0000-0x0000000001121000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/2412-37-0x0000000000CA1000-0x0000000000CB9000-memory.dmp

    Filesize

    96KB

    Download

  • memory/2412-39-0x0000000000CA0000-0x0000000001121000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3452-23-0x00000000772F4000-0x00000000772F6000-memory.dmp

    Filesize

    8KB

    Download

  • memory/3452-32-0x0000000000380000-0x00000000007FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3452-24-0x0000000000381000-0x0000000000391000-memory.dmp

    Filesize

    64KB

    Download

  • memory/3452-25-0x0000000000380000-0x00000000007FA000-memory.dmp

    Filesize

    4.5MB

    Download

  • memory/3452-15-0x0000000000380000-0x00000000007FA000-memory.dmp

    Filesize

    4.5MB

    Download