Analysis
Max time kernel: 150s
Max time network: 140s
Platform: windows10_x64
Resource: win10v20210410
Submitted: 23-04-2021 09:18

Tasks
Static task: static1
Behavioral task: behavioral1
  Sample: SO.xlsm.com.exe
  Resource: win7v20210408

The signatures, process tree and memory dumps reproduced below are labelled behavioral2 and come from the windows10_x64 (win10v20210410) run named in the header; behavioral1 is the Windows 7 task listed above.
General
Target: SO.xlsm.com.exe
Size: 1000KB
MD5: 1897e7a63a0424946e9274d83b405de2
SHA1: e15588e0c4ab4e12206e370b0b122b2b42ecf837
SHA256: b4751ea85e4bdc57c69f0dfd09e9622e31eb23bac589d7ee409eceaca56ea280
SHA512: 66f07acbc89ff62dbdbed06efaaa7721f6bd46d9b94a86ba9f2bca3f5552977b8bd9ad375764036a8f6eaa6f74029dabd30e6602ab6f11a719eebec97338560e

The file name stacks a spreadsheet extension (.xlsm) and a second executable extension (.com) in front of the real .exe, a double-extension lure; the submitted file is a PE executable (it runs as a process below), not a macro workbook.
Malware Config
Extracted
Family: formbook
Version: 4.1
C2: http://www.hollandhousedesigns.design/vns/
Decoy domains (64):
sparkspressworld.com
everydayresidency.com
thebosscollectionn.com
milkweedmagic.com
worklesshours.com
romeosfurnituremadera.com
unclepetesproduce.com
athleticamackay.com
9nhl.com
powellassetmanagement.com
jxlamp.com
onpointpetproducts.com
buymysoft.com
nazertrader.com
goprj.com
keeptalkservice.com
aolei1688.com
donstackl.com
almasorchids.com
pj5bwn.com
featuredshop2020.com
connectmheduaction.com
kcastleint.com
quintessentialmiss.com
forenvid.com
vetementsbd.com
fabrizioamadori.net
remaxplatinumva.com
drivecart.net
ordertds.com
huayuanjiajiao.com
islamiportal.com
innergardenhealing.space
wlwmwntor.com
wiitendo.com
ceschandigarh.com
mitchellche.com
levaporz.com
eraophthalmica.com
gnzywyht.com
bobbinsbroider.com
pollygen.com
xn--kbrsotocheckup-5fcc.com
theunprofessionalpodcast.com
lendini.site
digitalpardis.com
meenaveen.com
yihuafence.com
mercadoaria.com
domennyarendi44.net
juandiegopalacio.com
meltdownfitnesstulsa.com
xn--laclnicadelvnculo-gvbi.com
paripartners378.com
valadecia.com
womenring.com
ocarlosresolve.com
vedicherbsindia.com
nonnearrapate.com
viplending.net
angelbeatsgamingclan.com
rigmodisc.com
page-id-78613.com
yapadaihindi.com

A Formbook configuration pairs one real C2 URL with a list of decoy domains. The implant sends requests to a selection of the decoys as well as to the real server, so the decoys do appear as network indicators, but they are generally unrelated (often legitimate) sites: treat them as hunting context and reserve blocking for the C2 host.
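The following is an added example for this page, not sandbox output: it matches DNS query logs against the Formbook configuration above, distinguishing the C2 host from decoys, matching subdomains of a listed domain, and normalizing case, trailing dots and punycode names (two of the decoys are IDNA names). The C2 URL and the decoy entries are copied from the config block; the DNS log lines and their "timestamp client qtype qname" layout are constructed for the demo.

```python
"""Match DNS query logs against the Formbook 4.1 configuration above.

Added example for this page, not sandbox output. The C2 URL and the decoy
domains are copied from the Malware Config block; the DNS log lines and
their "timestamp client qtype qname" layout are constructed for the demo.
"""
import re
from typing import Dict, List, Optional
from urllib.parse import urlsplit

FORMBOOK_C2_URL = "http://www.hollandhousedesigns.design/vns/"
# Abridged copy of the 64-entry decoy list; paste the full list for real use.
FORMBOOK_DECOYS = [
    "sparkspressworld.com", "everydayresidency.com", "thebosscollectionn.com",
    "xn--kbrsotocheckup-5fcc.com", "xn--laclnicadelvnculo-gvbi.com",
    "lendini.site", "innergardenhealing.space", "page-id-78613.com",
]


def normalize_name(name: str) -> str:
    """Lower-case, drop the trailing dot, convert Unicode labels to IDNA ASCII.

    Python's idna codec implements IDNA 2003; a name that only encodes under
    IDNA 2008 rules can raise, in which case the lower-cased form is kept.
    """
    name = name.strip().rstrip(".").lower()
    try:
        return name.encode("idna").decode("ascii")
    except UnicodeError:
        return name


def display_name(ascii_name: str) -> str:
    """Best-effort Unicode form of a punycode name for analyst output."""
    try:
        return ascii_name.encode("ascii").decode("idna")
    except UnicodeError:  # stdlib refuses names that do not round-trip
        return ascii_name


def watchlist() -> Dict[str, str]:
    """Map each normalized domain to its role, 'c2' or 'decoy'."""
    c2_host = normalize_name(urlsplit(FORMBOOK_C2_URL).hostname or "")
    roles = {c2_host: "c2"}
    if c2_host.startswith("www."):
        roles[c2_host[4:]] = "c2"  # the apex is just as interesting as www
    for dom in FORMBOOK_DECOYS:
        roles.setdefault(normalize_name(dom), "decoy")
    return roles


def lookup(qname: str, roles: Dict[str, str]) -> Optional[str]:
    """Return the watchlist entry equal to qname or to one of its parents."""
    labels = normalize_name(qname).split(".")
    # Walk from the full name up to the two-label apex, never to a bare TLD.
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in roles:
            return candidate
    return None


LOG_RE = re.compile(r"^(?P<ts>\S+)\s+(?P<client>\S+)\s+(?P<qtype>[A-Z]+)\s+(?P<qname>\S+)$")

# Constructed DNS log: one C2 lookup, one unrelated name, one decoy with
# odd casing and a trailing dot, one decoy subdomain, one punycode decoy.
SAMPLE_DNS_LOG = """\
2021-04-23T09:20:01Z 10.0.0.15 A www.hollandhousedesigns.design
2021-04-23T09:20:02Z 10.0.0.15 A www.google.com
2021-04-23T09:20:03Z 10.0.0.15 A SparksPressWorld.com.
2021-04-23T09:20:04Z 10.0.0.15 A cdn.lendini.site
2021-04-23T09:20:05Z 10.0.0.22 AAAA xn--kbrsotocheckup-5fcc.com
"""


def scan_dns_log(text: str) -> List[Dict[str, str]]:
    """One hit per log line whose query name is on the Formbook watchlist."""
    roles = watchlist()
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        matched = lookup(m["qname"], roles)
        if matched:
            hits.append({"ts": m["ts"], "client": m["client"], "qname": m["qname"],
                         "matched": matched, "role": roles[matched],
                         "display": display_name(matched)})
    return hits


def candidate_c2_urls() -> List[str]:
    """The C2 path joined to every configured host. Formbook reuses one URI
    path across its domain list, so these are the URLs to hunt in proxy logs."""
    parts = urlsplit(FORMBOOK_C2_URL)
    return [f"{parts.scheme}://{host}{parts.path}"
            for host in [parts.hostname] + FORMBOOK_DECOYS]


if __name__ == "__main__":
    for hit in scan_dns_log(SAMPLE_DNS_LOG):
        print(f"{hit['ts']} {hit['client']} {hit['qname']} -> {hit['role']} ({hit['display']})")
```

Matching walks each query name up to its two-label apex, so a subdomain of a listed decoy still matches while a bare TLD never does; the display helper is wrapped because the standard library's IDNA 2003 codec can refuse names registered under IDNA 2008.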
Signatures

Formbook Payload (7 IoCs)
Resource                                                                      YARA rule
behavioral2/memory/3784-119-0x0000000000400000-0x000000000042E000-memory.dmp  formbook
behavioral2/memory/3784-120-0x000000000041EBB0-mapping.dmp                    formbook
behavioral2/memory/4008-121-0x0000000000400000-0x00000000008AECCF-memory.dmp  formbook
behavioral2/memory/4008-122-0x000000000041EBB0-mapping.dmp                    formbook
behavioral2/memory/4008-125-0x0000000000400000-0x00000000008AF000-memory.dmp  formbook
behavioral2/memory/2144-133-0x0000000002D90000-0x0000000002DBE000-memory.dmp  formbook
behavioral2/memory/4056-140-0x0000000000FC0000-0x0000000000FEE000-memory.dmp  formbook
The rule fires in both hollowed RegSvcs.exe instances (3784, 4008), in cmstp.exe (2144) and in ipconfig.exe (4056). The two 0x41EBB0 mapping dumps (3784-120, 4008-122) point inside the 0x400000-0x42E000 region flagged in the same processes, consistent with the thread context that PID 2448 set in each RegSvcs.exe.

Executes dropped EXE (1 IoC)
PID   Process
2448  ummvhsex.pif

Suspicious use of SetThreadContext (6 IoCs)
Source PID  Source process  Target PID  Target process
2448        ummvhsex.pif    3784        RegSvcs.exe
2448        ummvhsex.pif    4008        RegSvcs.exe
3784        RegSvcs.exe     3048        Explorer.EXE
4008        RegSvcs.exe     3048        Explorer.EXE
4008        RegSvcs.exe     3048        Explorer.EXE
2144        cmstp.exe       3048        Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
The second sentence is the sandbox's generic description of this signature. Formbook is an information stealer; nothing else in this report (three dropped files, no further file activity listed) supports ransomware activity, and drive enumeration here is consistent with the stealer's host reconnaissance.

Gathers network information (2 TTPs, 1 IoC)
Uses commandline utility to view network configuration.
PID   Process
4056  ipconfig.exe
This ipconfig.exe was started by Explorer.EXE with no arguments and carries the Formbook YARA hit in its memory (dump 4056-140), so it is a host for the injected final stage rather than a genuine network query.

Suspicious behavior: EnumeratesProcesses (64 IoCs)
PID   Process        (repeated entries collapsed)
3784  RegSvcs.exe
4008  RegSvcs.exe
2144  cmstp.exe      (the large majority of the 64 entries)
4056  ipconfig.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
PID   Process
3048  Explorer.EXE

Suspicious behavior: MapViewOfSection (9 IoCs)
PID   Process       Count
3784  RegSvcs.exe   3
4008  RegSvcs.exe   4
2144  cmstp.exe     2

Suspicious use of AdjustPrivilegeToken (12 IoCs)
Privilege                  PID   Process        Count
SeDebugPrivilege           3784  RegSvcs.exe    1
SeDebugPrivilege           4008  RegSvcs.exe    1
SeDebugPrivilege           2144  cmstp.exe      1
SeDebugPrivilege           4056  ipconfig.exe   1
SeShutdownPrivilege        3048  Explorer.EXE   4
SeCreatePagefilePrivilege  3048  Explorer.EXE   4

Suspicious use of WriteProcessMemory (23 IoCs)
Source PID  Source process   Target PID  Target process  Count
2204        SO.xlsm.com.exe  2448        ummvhsex.pif    3
2448        ummvhsex.pif     4008        RegSvcs.exe     5
2448        ummvhsex.pif     3784        RegSvcs.exe     6
3048        Explorer.EXE     2144        cmstp.exe       3
2144        cmstp.exe        768         cmd.exe         3
3048        Explorer.EXE     4056        ipconfig.exe    3

Read together, the tables give the injection chain. The submitted file (2204) starts the dropped ummvhsex.pif (2448), which writes into and then sets the thread context of two RegSvcs.exe instances (3784, 4008), the WriteProcessMemory plus SetThreadContext pair of process hollowing. Both RegSvcs.exe instances redirect a thread in Explorer.EXE (3048); no WriteProcessMemory into 3048 is recorded, and the MapViewOfSection hits on 3784 and 4008 indicate the code was mapped in as a section instead. Explorer.EXE then starts cmstp.exe (2144) and ipconfig.exe (4056), writes into both, and those carry the Formbook YARA hits; cmstp.exe in turn sets a thread context in Explorer.EXE again and spawns cmd.exe (768) with /c del against the RegSvcs.exe path that hosted the earlier stage, a clean-up step. SeDebugPrivilege is requested by every injected host.
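An added example for this page (not sandbox output) that parses the two injection tables above in the flattened form the report uses, "PID X set thread context of Y X name target" and "PID X wrote to memory of Y X name target", into edges, collapses repeats, separates hollowed targets (written to and thread-redirected by the same source) from thread-hijack-only targets, and renders the root-to-leaf chains. SIGNATURE_ROWS is copied verbatim from the SetThreadContext and WriteProcessMemory signatures, one row per line; the regex also works on the original single-line form.

```python
"""Parse this report's SetThreadContext / WriteProcessMemory rows into
process injection edges. Added example for this page, not sandbox output;
SIGNATURE_ROWS is copied from the two signature tables above."""
import re
from collections import Counter, defaultdict
from typing import Dict, List, Set, Tuple

SIGNATURE_ROWS = """
PID 2448 set thread context of 3784 2448 ummvhsex.pif RegSvcs.exe
PID 2448 set thread context of 4008 2448 ummvhsex.pif RegSvcs.exe
PID 3784 set thread context of 3048 3784 RegSvcs.exe Explorer.EXE
PID 4008 set thread context of 3048 4008 RegSvcs.exe Explorer.EXE
PID 4008 set thread context of 3048 4008 RegSvcs.exe Explorer.EXE
PID 2144 set thread context of 3048 2144 cmstp.exe Explorer.EXE
PID 2204 wrote to memory of 2448 2204 SO.xlsm.com.exe ummvhsex.pif
PID 2204 wrote to memory of 2448 2204 SO.xlsm.com.exe ummvhsex.pif
PID 2204 wrote to memory of 2448 2204 SO.xlsm.com.exe ummvhsex.pif
PID 2448 wrote to memory of 4008 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 4008 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 4008 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 3784 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 3784 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 3784 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 3784 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 3784 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 3784 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 4008 2448 ummvhsex.pif RegSvcs.exe
PID 2448 wrote to memory of 4008 2448 ummvhsex.pif RegSvcs.exe
PID 3048 wrote to memory of 2144 3048 Explorer.EXE cmstp.exe
PID 3048 wrote to memory of 2144 3048 Explorer.EXE cmstp.exe
PID 3048 wrote to memory of 2144 3048 Explorer.EXE cmstp.exe
PID 2144 wrote to memory of 768 2144 cmstp.exe cmd.exe
PID 2144 wrote to memory of 768 2144 cmstp.exe cmd.exe
PID 2144 wrote to memory of 768 2144 cmstp.exe cmd.exe
PID 3048 wrote to memory of 4056 3048 Explorer.EXE ipconfig.exe
PID 3048 wrote to memory of 4056 3048 Explorer.EXE ipconfig.exe
PID 3048 wrote to memory of 4056 3048 Explorer.EXE ipconfig.exe
"""

# Row layout: "PID <src> <verb> <dst> <src again> <src name> <dst name>".
ROW_RE = re.compile(
    r"PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) "
    r"(?P<dst>\d+) (?P=src) (?P<src_name>\S+) (?P<dst_name>\S+)"
)
API_BY_VERB = {"set thread context of": "SetThreadContext",
               "wrote to memory of": "WriteProcessMemory"}
Edge = Dict[str, object]


def parse_rows(text: str) -> List[Edge]:
    """One edge per row; unanchored, so the one-line report form parses too."""
    return [{"api": API_BY_VERB[m["verb"]], "src": int(m["src"]),
             "src_name": m["src_name"], "dst": int(m["dst"]),
             "dst_name": m["dst_name"]} for m in ROW_RE.finditer(text)]


def collapse(edges: List[Edge]) -> Counter:
    """Count repeats: the 23 WriteProcessMemory rows are six distinct edges."""
    return Counter((e["api"], e["src"], e["src_name"], e["dst"], e["dst_name"])
                   for e in edges)


def classify_targets(edges: List[Edge]) -> Tuple[Set[int], Set[int]]:
    """Hollowed = written to AND thread-redirected by one source;
    hijacked = thread redirected only (code arrived some other way)."""
    apis = defaultdict(set)
    for e in edges:
        apis[(e["src"], e["dst"])].add(e["api"])
    hollowed, hijacked = set(), set()
    for (_, dst), seen in apis.items():
        if {"WriteProcessMemory", "SetThreadContext"} <= seen:
            hollowed.add(dst)
        elif seen == {"SetThreadContext"}:
            hijacked.add(dst)
    return hollowed, hijacked


def chains(edges: List[Edge]) -> List[str]:
    """Root-to-leaf paths as 'pid name -> pid name'; cycles are cut (cmstp.exe
    injects back into Explorer.EXE, which started it)."""
    children, names = defaultdict(set), {}
    for e in edges:
        children[e["src"]].add(e["dst"])
        names[e["src"]], names[e["dst"]] = e["src_name"], e["dst_name"]
    roots = set(children) - {d for ds in children.values() for d in ds}
    paths: List[str] = []

    def walk(pid: int, path: List[str], seen: Set[int]) -> None:
        path = path + [f"{pid} {names[pid]}"]
        nxt = [n for n in sorted(children.get(pid, ())) if n not in seen]
        if not nxt:
            paths.append(" -> ".join(path))
        for n in nxt:
            walk(n, path, seen | {n})

    for root in sorted(roots):
        walk(root, [], {root})
    return paths


if __name__ == "__main__":
    parsed = parse_rows(SIGNATURE_ROWS)
    for key, n in sorted(collapse(parsed).items()):
        print(n, key)
    print("hollowed, hijacked:", classify_targets(parsed))
    print("\n".join(chains(parsed)))
```

The classification is the point: RegSvcs.exe 3784 and 4008 are the only targets that were both written to and thread-redirected by the same source, while Explorer.EXE 3048 only ever has its thread context changed, which is why the MapViewOfSection signature, not WriteProcessMemory, accompanies that step.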
Processes

C:\Windows\Explorer.EXE (PID 3048)
  Command line: C:\Windows\Explorer.EXE
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\SO.xlsm.com.exe (PID 2204)
    Command line: "C:\Users\Admin\AppData\Local\Temp\SO.xlsm.com.exe"
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\57992106\ummvhsex.pif (PID 2448)
      Command line: "C:\Users\Admin\57992106\ummvhsex.pif" smlhxxnpxo.scp
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 3784)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

      C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe (PID 4008)
        Command line: "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken

  C:\Windows\SysWOW64\cmstp.exe (PID 2144)
    Command line: "C:\Windows\SysWOW64\cmstp.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (PID 768)
      Command line: /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

  C:\Windows\SysWOW64\ipconfig.exe (PID 4056)
    Command line: "C:\Windows\SysWOW64\ipconfig.exe"
    - Gathers network information
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken

PIDs are taken from the signature tables; the tree itself does not say which RegSvcs.exe entry is 3784 and which is 4008, and both carry identical signatures. Three things in this tree are worth a detection rule on their own: RegSvcs.exe, a .NET SDK tool that normally takes an assembly path, started with no arguments by a program in a user profile directory; Explorer.EXE spawning cmstp.exe and ipconfig.exe with no arguments; and cmd.exe /c del aimed at a binary under C:\Windows.
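An added example for this page (not sandbox output) that turns the process tree above into detection logic and runs it over constructed process-creation events. The event fields (pid, ppid, image, cmdline) are an assumed schema; the PIDs and command lines mirror the tree, with three benign control events (5000, 5001, 6000) added so the rules can be shown not to fire on an interactive ipconfig or a RegSvcs.exe given an assembly. The list of Windows binaries that a stager might hide in is an assumed starter list, not something the report states.

```python
"""Detection rules for the process tree above, run over constructed events.
Added example for this page, not sandbox output. Event schema, the benign
control events and EXPLORER_CHILD_LOLBINS are assumptions."""
import re
from typing import Any, Dict, List, Tuple

Event = Dict[str, Any]

# Constructed events mirroring the tree (PIDs from the signature tables) plus
# benign controls 5000/5001/6000 that must not fire.
EVENTS: List[Event] = [
    {"pid": 3048, "ppid": 0, "image": r"C:\Windows\Explorer.EXE",
     "cmdline": r"C:\Windows\Explorer.EXE"},
    {"pid": 2204, "ppid": 3048, "image": r"C:\Users\Admin\AppData\Local\Temp\SO.xlsm.com.exe",
     "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\SO.xlsm.com.exe"'},
    {"pid": 2448, "ppid": 2204, "image": r"C:\Users\Admin\57992106\ummvhsex.pif",
     "cmdline": r'"C:\Users\Admin\57992106\ummvhsex.pif" smlhxxnpxo.scp'},
    {"pid": 3784, "ppid": 2448, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 4008, "ppid": 2448, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r'"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 2144, "ppid": 3048, "image": r"C:\Windows\SysWOW64\cmstp.exe",
     "cmdline": r'"C:\Windows\SysWOW64\cmstp.exe"'},
    {"pid": 768, "ppid": 2144, "image": r"C:\Windows\SysWOW64\cmd.exe",
     "cmdline": r'/c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"'},
    {"pid": 4056, "ppid": 3048, "image": r"C:\Windows\SysWOW64\ipconfig.exe",
     "cmdline": r'"C:\Windows\SysWOW64\ipconfig.exe"'},
    # Benign controls (constructed): a user shell, a real ipconfig, a real RegSvcs.
    {"pid": 5001, "ppid": 3048, "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 5000, "ppid": 5001, "image": r"C:\Windows\System32\ipconfig.exe", "cmdline": "ipconfig /all"},
    {"pid": 6000, "ppid": 5001, "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe",
     "cmdline": r"RegSvcs.exe C:\build\MyService.dll"},
]

DOTNET_TOOLS = {"regsvcs.exe", "regasm.exe", "installutil.exe"}  # always take an assembly
ODD_EXE_EXT = (".pif", ".scr", ".com")
EXPLORER_CHILD_LOLBINS = {"cmstp.exe", "ipconfig.exe", "netsh.exe", "nbtstat.exe"}  # assumed list
DOC_LURE_RE = re.compile(r"\.(xlsm?|xlsx|docx?|pdf)(\.[a-z0-9]+)*\.(exe|com|scr|pif)$", re.I)
TOKEN_RE = re.compile(r'"[^"]*"|\S+')


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def arguments(ev: Event) -> List[str]:
    """Command-line tokens after the program name. The program token may be
    absent: the cmd.exe entry above records only '/c del ...'."""
    tokens = TOKEN_RE.findall(ev["cmdline"])
    exe = basename(ev["image"])
    if tokens and basename(tokens[0].strip('"')) in {exe, exe.rsplit(".", 1)[0]}:
        tokens = tokens[1:]
    return tokens


def run_detections(events: List[Event]) -> List[Tuple[str, int]]:
    """Return (rule, pid) for every event matching one of the five rules."""
    by_pid = {e["pid"]: e for e in events}
    hits: List[Tuple[str, int]] = []
    for ev in events:
        name, image, args = basename(ev["image"]), ev["image"].lower(), arguments(ev)
        parent = by_pid.get(ev["ppid"])
        parent_name = basename(parent["image"]) if parent else ""
        if DOC_LURE_RE.search(name):                       # SO.xlsm.com.exe
            hits.append(("double_extension_lure", ev["pid"]))
        if name.endswith(ODD_EXE_EXT) and "\\users\\" in image:  # dropped .pif
            hits.append(("dropped_exe_odd_extension", ev["pid"]))
        if name in DOTNET_TOOLS and not args:              # hollowed RegSvcs.exe
            hits.append(("dotnet_tool_without_assembly", ev["pid"]))
        if parent_name == "explorer.exe" and name in EXPLORER_CHILD_LOLBINS and not args:
            hits.append(("explorer_spawns_lolbin_without_args", ev["pid"]))
        if name == "cmd.exe" and re.search(r"\bdel\b.*\\windows\\", ev["cmdline"], re.I):
            hits.append(("cmd_deletes_windows_binary", ev["pid"]))
    return hits


if __name__ == "__main__":
    for rule, pid in run_detections(EVENTS):
        print(f"{rule:40s} pid={pid}")
```

The argument check is deliberately tolerant of a missing argv[0], because the recorded cmd.exe command line in this report starts directly with /c; a rule that assumed the first token is always the program would count "/c" as the program and miss the delete.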
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\57992106\cnrxxvsq.xml
MD5: 8ba6d1bcca58443c729743475e797e1b
SHA1: a270f64248909dc7fef1637d29297f3b3512cbeb
SHA256: c1771a56fdd00339066ffad9a8d0ed247dcaaafa0076f30e5477ce769c802048
SHA512: 4f5506ea2c0a0349edbdfaa3a19fa7f300fdc6cde15f53e1c17d1cb6e998294e07809336382004d5e3f805cbef49c2df8aa2d74bea7c68aafee60310e009f40a

C:\Users\Admin\57992106\smlhxxnpxo.scp
MD5: 66c7ff0768ddb64f4504146a56ed004b
SHA1: 88507bd159e02bddfb5153cff306a49407c8d650
SHA256: bf8823d58e7a374fec3f69a38ec91e93c0598e0bf27c9aa4c2a21aaca05a77e9
SHA512: 9d4bb287ca55d2cc486bb5c51a438443828f5891497b196a2da0f9ca349742680c3a6022b742c137adb9fbc8892b46afa97407593b1d2f492a27e6525b9387fb

C:\Users\Admin\57992106\ummvhsex.pif
MD5: 6b57334b6cde8f40e11ad21b9e878adf
SHA1: 4a6e4ad50297b3d941a392fac503a6731fab6eac
SHA256: 0ce3edfd31e07ed4e16495a92e107ca5b60e2e6ae938de2a57a565d2d7d256db
SHA512: 8d0fb7a156d07b416b4d102eabb0ba06cac3696ca3205f0d69a21077c6011adf192cc30530c3716ad0fba92cfeb50d9dbf96f6a65c4955fde093a37d167e05ff

All three files are dropped into the same directory, C:\Users\Admin\57992106\. The .pif is the dropped loader that the process tree shows executing (PID 2448), and smlhxxnpxo.scp is passed to it on the command line, so the .scp file is input to the loader rather than a second executable; the role of the .xml is not stated in the report.

Memory dumps (behavioral2)
Dump                                                              Size
memory/768-134-0x0000000000000000-mapping.dmp
memory/2144-131-0x0000000000000000-mapping.dmp
memory/2144-132-0x0000000000B20000-0x0000000000B36000-memory.dmp   88KB
memory/2144-133-0x0000000002D90000-0x0000000002DBE000-memory.dmp   184KB
memory/2144-135-0x0000000004DF0000-0x0000000005110000-memory.dmp   3.1MB
memory/2144-142-0x0000000004BC0000-0x0000000004C53000-memory.dmp   588KB
memory/2448-114-0x0000000000000000-mapping.dmp
memory/3048-128-0x0000000006860000-0x00000000069A8000-memory.dmp   1.3MB
memory/3048-130-0x00000000030A0000-0x0000000003199000-memory.dmp   996KB
memory/3048-137-0x0000000006560000-0x0000000006647000-memory.dmp   924KB
memory/3048-143-0x00000000069B0000-0x0000000006A73000-memory.dmp   780KB
memory/3784-119-0x0000000000400000-0x000000000042E000-memory.dmp   184KB
memory/3784-120-0x000000000041EBB0-mapping.dmp
memory/3784-124-0x00000000016F0000-0x0000000001A10000-memory.dmp   3.1MB
memory/3784-127-0x00000000016C0000-0x00000000016D4000-memory.dmp   80KB
memory/4008-121-0x0000000000400000-0x00000000008AECCF-memory.dmp   4.7MB
memory/4008-122-0x000000000041EBB0-mapping.dmp
memory/4008-125-0x0000000000400000-0x00000000008AF000-memory.dmp   4.7MB
memory/4008-126-0x00000000017A0000-0x0000000001AC0000-memory.dmp   3.1MB
memory/4008-129-0x0000000001690000-0x00000000016A4000-memory.dmp   80KB
memory/4008-136-0x00000000016D0000-0x00000000016E4000-memory.dmp   80KB
memory/4056-138-0x0000000000000000-mapping.dmp
memory/4056-139-0x0000000001010000-0x000000000101B000-memory.dmp   44KB
memory/4056-140-0x0000000000FC0000-0x0000000000FEE000-memory.dmp   184KB
memory/4056-141-0x00000000039F0000-0x0000000003D10000-memory.dmp   3.1MB

The formbook rule matched a 184KB region in three different hosts (3784-119 in RegSvcs.exe, 2144-133 in cmstp.exe, 4056-140 in ipconfig.exe): the same-sized payload lands in each process it moves to, which makes region size a usable secondary pivot when the YARA rule is unavailable. A 3.1MB region also appears in every injected process (3784, 4008, 2144, 4056). In RegSvcs.exe 3784 the flagged 184KB region starts at the image base 0x400000, the signature of a hollowed executable; the 4008 instance instead carries a 4.7MB region at the same base, which the rule also matched. If a dump is needed for further analysis, 3784-119 is the smallest one that carries the rule hit.