Analysis

max time kernel: 150s
max time network: 127s
platform: windows10_x64
resource: win10v20210408
submitted: 23-04-2021 10:04

Static task: static1
Behavioral task: behavioral1
Sample: SO.xlsm.com.exe
Resource: win7v20210410

General

Target: SO.xlsm.com.exe
Size: 1000KB
MD5: 1897e7a63a0424946e9274d83b405de2
SHA1: e15588e0c4ab4e12206e370b0b122b2b42ecf837
SHA256: b4751ea85e4bdc57c69f0dfd09e9622e31eb23bac589d7ee409eceaca56ea280
SHA512: 66f07acbc89ff62dbdbed06efaaa7721f6bd46d9b94a86ba9f2bca3f5552977b8bd9ad375764036a8f6eaa6f74029dabd30e6602ab6f11a719eebec97338560e
Malware Config

Extracted

Family: formbook
Version: 4.1
C2 URL: http://www.hollandhousedesigns.design/vns/
Domains (a Formbook configuration carries one live C2 URL and a list of decoy domains used to generate cover traffic; the extractor lists them without distinguishing, so treat the URL above as the primary indicator and the domains below as lower-confidence ones):
sparkspressworld.com
everydayresidency.com
thebosscollectionn.com
milkweedmagic.com
worklesshours.com
romeosfurnituremadera.com
unclepetesproduce.com
athleticamackay.com
9nhl.com
powellassetmanagement.com
jxlamp.com
onpointpetproducts.com
buymysoft.com
nazertrader.com
goprj.com
keeptalkservice.com
aolei1688.com
donstackl.com
almasorchids.com
pj5bwn.com
featuredshop2020.com
connectmheduaction.com
kcastleint.com
quintessentialmiss.com
forenvid.com
vetementsbd.com
fabrizioamadori.net
remaxplatinumva.com
drivecart.net
ordertds.com
huayuanjiajiao.com
islamiportal.com
innergardenhealing.space
wlwmwntor.com
wiitendo.com
ceschandigarh.com
mitchellche.com
levaporz.com
eraophthalmica.com
gnzywyht.com
bobbinsbroider.com
pollygen.com
xn--kbrsotocheckup-5fcc.com
theunprofessionalpodcast.com
lendini.site
digitalpardis.com
meenaveen.com
yihuafence.com
mercadoaria.com
domennyarendi44.net
juandiegopalacio.com
meltdownfitnesstulsa.com
xn--laclnicadelvnculo-gvbi.com
paripartners378.com
valadecia.com
womenring.com
ocarlosresolve.com
vedicherbsindia.com
nonnearrapate.com
viplending.net
angelbeatsgamingclan.com
rigmodisc.com
page-id-78613.com
yapadaihindi.com
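Turning the extracted block into something a blocklist or a SIEM lookup can consume is the first thing an analyst does with a report like this. The following is an added example, not code from the sandbox or from Formbook: it parses the report's "Extracted" layout (family, version, C2 URL, then one bare domain per line), validates each entry, decodes the punycode (xn--) names so they can be read, and emits a de-duplicated hostname list. The function names and the sample block (a shortened copy of the list above) are the example's own.

```python
"""Turn the report's "Extracted" Formbook block into structured indicators.
Added example (not the sandbox's or Formbook's code): the input layout is
the report's; the function names and the blocklist format are mine."""
import re
from urllib.parse import urlparse

# Constructed input: a shortened copy of the block above (same layout:
# family, version, C2 URL, then one bare domain per line).
CONFIG_BLOCK = """formbook
4.1
http://www.hollandhousedesigns.design/vns/
sparkspressworld.com
everydayresidency.com
xn--laclnicadelvnculo-gvbi.com
lendini.site
page-id-78613.com
"""

# One or more labels of letters/digits/hyphens, then a 2+ character TLD.
DOMAIN_RE = re.compile(
    r"^(?=.{1,253}$)(?:[a-z0-9](?:[a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z0-9-]{2,63}$", re.I)


def parse_formbook_config(text):
    """Split the block into family, version, C2 URL and the domain list.
    Formbook configs carry one live C2 URL plus a list of decoy domains;
    the report does not mark which is which, so the list is kept whole."""
    lines = [ln.strip() for ln in text.splitlines() if ln.strip()]
    if len(lines) < 3:
        raise ValueError("config block needs at least family, version and C2 URL")
    family, version, c2_url = lines[0], lines[1], lines[2]
    u = urlparse(c2_url)
    if u.scheme not in ("http", "https") or not u.hostname:
        raise ValueError(f"unexpected C2 URL: {c2_url!r}")
    domains = []
    for d in lines[3:]:
        if not DOMAIN_RE.match(d):
            raise ValueError(f"not a bare domain: {d!r}")
        domains.append(d.lower())
    return {"family": family, "version": version, "c2_url": c2_url,
            "c2_host": u.hostname, "c2_path": u.path, "domains": domains}


def to_unicode_label(domain):
    """Decode punycode (xn--) labels so an analyst can read the real name;
    returns the ASCII form unchanged if the label does not round-trip."""
    try:
        return domain.encode("ascii").decode("idna")
    except UnicodeError:
        return domain


def dns_blocklist(cfg):
    """De-duplicated hostnames for a DNS denylist: the C2 host, its parent
    when the C2 sits on a 'www.' label, and every listed domain."""
    hosts = {cfg["c2_host"]} | set(cfg["domains"])
    if cfg["c2_host"].startswith("www."):
        hosts.add(cfg["c2_host"][4:])
    return sorted(hosts)


if __name__ == "__main__":
    cfg = parse_formbook_config(CONFIG_BLOCK)
    print(cfg["family"], cfg["version"], "C2:", cfg["c2_url"])
    for h in dns_blocklist(cfg):
        print(h, "" if h == to_unicode_label(h) else f"({to_unicode_label(h)})")
```

The C2 path (`/vns/` here) is worth keeping separately from the host: Formbook rotates hosts between builds, and the path is often what a proxy-log search should key on when the host has already been taken down.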
Signatures

Formbook Payload (3 IoCs)
resource | yara_rule
behavioral2/memory/2648-120-0x000000000041EBB0-mapping.dmp | formbook
behavioral2/memory/2648-119-0x0000000000400000-0x000000000042E000-memory.dmp | formbook
behavioral2/memory/928-128-0x0000000002AF0000-0x0000000002B1E000-memory.dmp | formbook

Executes dropped EXE (1 IoC)
pid | process
3308 | ummvhsex.pif

Suspicious use of SetThreadContext (3 IoCs)
description | pid | process | target process
PID 3308 set thread context of 2648 | 3308 | ummvhsex.pif | RegSvcs.exe
PID 2648 set thread context of 3000 | 2648 | RegSvcs.exe | Explorer.EXE
PID 928 set thread context of 3000 | 928 | wscript.exe | Explorer.EXE

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
(The "likely ransomware" label is the sandbox's generic reading of drive enumeration. This run extracted a Formbook configuration and records no file encryption, ransom note or mass file modification, so here the enumeration is better read as the stealer surveying the host.)

Suspicious behavior: EnumeratesProcesses (58 IoCs)
pid | process | occurrences
2648 | RegSvcs.exe | 4
928 | wscript.exe | 54

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3000 | Explorer.EXE

Suspicious behavior: MapViewOfSection (5 IoCs)
pid | process | occurrences
2648 | RegSvcs.exe | 3
928 | wscript.exe | 2

Suspicious use of AdjustPrivilegeToken (10 IoCs)
description | pid | process | occurrences
Token: SeDebugPrivilege | 2648 | RegSvcs.exe | 1
Token: SeDebugPrivilege | 928 | wscript.exe | 1
Token: SeShutdownPrivilege | 3000 | Explorer.EXE | 4
Token: SeCreatePagefilePrivilege | 3000 | Explorer.EXE | 4
(The SeShutdownPrivilege/SeCreatePagefilePrivilege rows are routine shell behaviour; the two SeDebugPrivilege requests come from the injected hosts, RegSvcs.exe and wscript.exe, and are the rows worth alerting on.)

Suspicious use of UnmapMainImage (1 IoC)
pid | process
3000 | Explorer.EXE

Suspicious use of WriteProcessMemory (18 IoCs)
description | pid | process | target process | occurrences
PID 3920 wrote to memory of 3308 | 3920 | SO.xlsm.com.exe | ummvhsex.pif | 3
PID 3308 wrote to memory of 2288 | 3308 | ummvhsex.pif | RegSvcs.exe | 3
PID 3308 wrote to memory of 2648 | 3308 | ummvhsex.pif | RegSvcs.exe | 6
PID 3000 wrote to memory of 928 | 3000 | Explorer.EXE | wscript.exe | 3
PID 928 wrote to memory of 3724 | 928 | wscript.exe | cmd.exe | 3
(Every plain parent-to-child creation in this report shows the same three writes; the 3308 to 2648 edge has six and is also the one carrying SetThreadContext, which is the hollowing of the second RegSvcs.exe. The two injections into Explorer.EXE, from 2648 and from 928, show no WriteProcessMemory rows at all but both sources have MapViewOfSection hits, consistent with a section being mapped into Explorer rather than written.)
Processes

PIDs are taken from the signature tables above; indentation gives the parent/child depth.

C:\Windows\Explorer.EXE  (PID 3000)
    C:\Windows\Explorer.EXE
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\SO.xlsm.com.exe  (PID 3920)
        "C:\Users\Admin\AppData\Local\Temp\SO.xlsm.com.exe"
        - Suspicious use of WriteProcessMemory

        C:\Users\Admin\57992106\ummvhsex.pif  (PID 3308)
            "C:\Users\Admin\57992106\ummvhsex.pif" smlhxxnpxo.scp
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - Suspicious use of WriteProcessMemory

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2288)
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                (no signatures; only the three creation-time writes from 3308 are recorded for it)

            C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe  (PID 2648)
                "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"
                - Suspicious use of SetThreadContext
                - Suspicious behavior: EnumeratesProcesses
                - Suspicious behavior: MapViewOfSection
                - Suspicious use of AdjustPrivilegeToken

    C:\Windows\SysWOW64\wscript.exe  (PID 928)
        "C:\Windows\SysWOW64\wscript.exe"
        - Suspicious use of SetThreadContext
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe  (PID 3724)
            /c del "C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegSvcs.exe"

Reading the tree against the signature tables: SO.xlsm.com.exe drops ummvhsex.pif (a renamed executable) and runs it with the dropped smlhxxnpxo.scp as its only argument, so the .scp is the next-stage input. ummvhsex.pif starts RegSvcs.exe twice; the second instance (2648) receives six memory writes plus SetThreadContext and is the hollowed host that the Formbook YARA rule matches. The Formbook code in RegSvcs.exe then sets the thread context of Explorer.EXE, and Explorer.EXE launches wscript.exe (928), which also sets Explorer's thread context, carries the same 184KB Formbook image in memory and spawns cmd.exe to delete the RegSvcs.exe host binary. No user action starts wscript.exe here; it is the stealer's next host process.
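The injection chain is spread over three signature tables (WriteProcessMemory, SetThreadContext, MapViewOfSection), and the interesting distinction, hollowing with writes versus a mapped section plus a hijacked thread, only appears when they are joined on PIDs. The following is an added example, not code from the sandbox: it parses the report's own flattened row format, joins the three tables and classifies each SetThreadContext edge. The rows are copied from the Signatures section above (repeated rows written as list multiplication); the rule names, the "baseline writes" heuristic and the shell-host flag are the example's own assumptions.

```python
"""Reconstruct the injection chain from this report's SetThreadContext,
WriteProcessMemory and MapViewOfSection rows. Added example: the parser
targets the report's row layout; rule names and thresholds are mine."""
import re
from collections import Counter

# Constructed input: the rows from the Signatures section, one per line.
STC_ROWS = """PID 3308 set thread context of 2648 3308 ummvhsex.pif RegSvcs.exe
PID 2648 set thread context of 3000 2648 RegSvcs.exe Explorer.EXE
PID 928 set thread context of 3000 928 wscript.exe Explorer.EXE"""

WPM_ROWS = "\n".join(
    ["PID 3920 wrote to memory of 3308 3920 SO.xlsm.com.exe ummvhsex.pif"] * 3
    + ["PID 3308 wrote to memory of 2288 3308 ummvhsex.pif RegSvcs.exe"] * 3
    + ["PID 3308 wrote to memory of 2648 3308 ummvhsex.pif RegSvcs.exe"] * 6
    + ["PID 3000 wrote to memory of 928 3000 Explorer.EXE wscript.exe"] * 3
    + ["PID 928 wrote to memory of 3724 928 wscript.exe cmd.exe"] * 3)

MVS_ROWS = "\n".join(["2648 RegSvcs.exe"] * 3 + ["928 wscript.exe"] * 2)

STC_RE = re.compile(r"PID (\d+) set thread context of (\d+) \d+ (\S+) (\S+)")
WPM_RE = re.compile(r"PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)")
MVS_RE = re.compile(r"(\d+) (\S+)")

# Assumption: injection into the shell is flagged separately as "migration".
SHELL_HOSTS = {"explorer.exe"}


def parse_edges(rows, pattern):
    """Return Counter{(src_pid, dst_pid): n} and {pid: image} from flattened rows."""
    edges, names = Counter(), {}
    for line in rows.splitlines():
        m = pattern.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        src, dst, sname, dname = m.groups()
        edges[(src, dst)] += 1
        names[src], names[dst] = sname, dname
    return edges, names


def parse_mapview(rows):
    """Counter{pid: MapViewOfSection hits}."""
    hits = Counter()
    for line in rows.splitlines():
        m = MVS_RE.match(line.strip())
        if m:
            hits[m.group(1)] += 1
    return hits


def injection_chain(stc_rows, wpm_rows, mvs_rows):
    """One finding per SetThreadContext edge, classified by what else the
    source did to the target: writes above the creation-time baseline mean
    hollowing; no writes but section mapping on the source means a mapped
    section; otherwise a bare thread-context hijack."""
    stc, names = parse_edges(stc_rows, STC_RE)
    wpm, wnames = parse_edges(wpm_rows, WPM_RE)
    names.update(wnames)
    mapviews = parse_mapview(mvs_rows)
    # Every plain CreateProcess edge in the report shows the same small
    # number of parent->child writes; that minimum is the baseline.
    baseline = min(wpm.values()) if wpm else 0
    findings = []
    for (src, dst), _ in sorted(stc.items(), key=lambda kv: int(kv[0][0])):
        writes = wpm.get((src, dst), 0)
        if writes > baseline:
            technique = "process hollowing (WriteProcessMemory + SetThreadContext)"
        elif mapviews.get(src):
            technique = "section mapping + SetThreadContext (no WriteProcessMemory into target)"
        else:
            technique = "thread context hijack"
        findings.append({
            "src": f"{names[src]}({src})", "dst": f"{names[dst]}({dst})",
            "writes": writes, "technique": technique,
            "shell_migration": names[dst].lower() in SHELL_HOSTS,
        })
    return findings


if __name__ == "__main__":
    for f in injection_chain(STC_ROWS, WPM_ROWS, MVS_ROWS):
        flag = " [migration into shell]" if f["shell_migration"] else ""
        print(f"{f['src']} -> {f['dst']}: {f['technique']}{flag}")
```

The baseline heuristic only works because the report records the creation-time writes uniformly; on a different sandbox, compare against that sandbox's own plain CreateProcess edges before trusting the threshold.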
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\57992106\cnrxxvsq.xml
MD5: 8ba6d1bcca58443c729743475e797e1b
SHA1: a270f64248909dc7fef1637d29297f3b3512cbeb
SHA256: c1771a56fdd00339066ffad9a8d0ed247dcaaafa0076f30e5477ce769c802048
SHA512: 4f5506ea2c0a0349edbdfaa3a19fa7f300fdc6cde15f53e1c17d1cb6e998294e07809336382004d5e3f805cbef49c2df8aa2d74bea7c68aafee60310e009f40a

C:\Users\Admin\57992106\smlhxxnpxo.scp
MD5: 66c7ff0768ddb64f4504146a56ed004b
SHA1: 88507bd159e02bddfb5153cff306a49407c8d650
SHA256: bf8823d58e7a374fec3f69a38ec91e93c0598e0bf27c9aa4c2a21aaca05a77e9
SHA512: 9d4bb287ca55d2cc486bb5c51a438443828f5891497b196a2da0f9ca349742680c3a6022b742c137adb9fbc8892b46afa97407593b1d2f492a27e6525b9387fb

C:\Users\Admin\57992106\ummvhsex.pif
MD5: 6b57334b6cde8f40e11ad21b9e878adf
SHA1: 4a6e4ad50297b3d941a392fac503a6731fab6eac
SHA256: 0ce3edfd31e07ed4e16495a92e107ca5b60e2e6ae938de2a57a565d2d7d256db
SHA512: 8d0fb7a156d07b416b4d102eabb0ba06cac3696ca3205f0d69a21077c6011adf192cc30530c3716ad0fba92cfeb50d9dbf96f6a65c4955fde093a37d167e05ff

Memory dumps (name is pid-sequence-address range; sizes as reported by the sandbox)

memory/928-127-0x0000000000AC0000-0x0000000000AE7000-memory.dmp  156KB
memory/928-125-0x0000000000000000-mapping.dmp
memory/928-128-0x0000000002AF0000-0x0000000002B1E000-memory.dmp  184KB  (YARA: formbook)
memory/928-129-0x00000000045A0000-0x00000000048C0000-memory.dmp  3.1MB
memory/928-130-0x00000000044A0000-0x0000000004533000-memory.dmp  588KB
memory/2648-120-0x000000000041EBB0-mapping.dmp  (YARA: formbook; the address lies inside the 0x400000-0x42E000 image below)
memory/2648-119-0x0000000000400000-0x000000000042E000-memory.dmp  184KB  (YARA: formbook)
memory/2648-122-0x0000000001480000-0x00000000017A0000-memory.dmp  3.1MB
memory/2648-123-0x0000000001350000-0x0000000001364000-memory.dmp  80KB
memory/3000-124-0x0000000006FA0000-0x00000000070DA000-memory.dmp  1.2MB
memory/3000-131-0x00000000070E0000-0x000000000722C000-memory.dmp  1.3MB
memory/3308-114-0x0000000000000000-mapping.dmp
memory/3724-126-0x0000000000000000-mapping.dmp

The 184KB (0x2E000 byte) Formbook image sits at the default image base 0x400000 in the hollowed RegSvcs.exe (2648) and recurs, identical in size, at 0x2AF0000 in wscript.exe (928); the 3.1MB region is likewise present in both hosts. The 2648-119 dump is the one to carve when a clean copy of the unpacked payload is needed, since it is the image at its original base.
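The dump list above is only useful once the address ranges are turned back into sizes and compared across processes: that is how the same 184KB image shows up in two hosts, and how the lone address in the 2648-120 mapping dump can be placed inside the 0x400000 image. The following is an added example, not code from the sandbox: it parses the report's dump names, checks each computed size against the reported one (allowing for the sandbox's one-decimal display rounding), lists sizes that recur in more than one PID, and resolves an address to its containing region. The dump lines and YARA hit names are copied from this report; the function names and the rounding tolerance are the example's own.

```python
"""Cross-check the memory-dump list from this report: recompute each region's
size from its address range, verify it against the reported size, and find
regions of identical size in different processes (a migrated payload image).
Added example; the line layout is the report's, the function names are mine."""
import re
from collections import defaultdict

# Constructed input: the report's dump entries, re-joined as "<name> <size>".
DUMP_LINES = """memory/928-127-0x0000000000AC0000-0x0000000000AE7000-memory.dmp 156KB
memory/928-125-0x0000000000000000-mapping.dmp
memory/928-128-0x0000000002AF0000-0x0000000002B1E000-memory.dmp 184KB
memory/928-129-0x00000000045A0000-0x00000000048C0000-memory.dmp 3.1MB
memory/928-130-0x00000000044A0000-0x0000000004533000-memory.dmp 588KB
memory/2648-120-0x000000000041EBB0-mapping.dmp
memory/2648-119-0x0000000000400000-0x000000000042E000-memory.dmp 184KB
memory/2648-122-0x0000000001480000-0x00000000017A0000-memory.dmp 3.1MB
memory/2648-123-0x0000000001350000-0x0000000001364000-memory.dmp 80KB
memory/3000-124-0x0000000006FA0000-0x00000000070DA000-memory.dmp 1.2MB
memory/3000-131-0x00000000070E0000-0x000000000722C000-memory.dmp 1.3MB
memory/3308-114-0x0000000000000000-mapping.dmp
memory/3724-126-0x0000000000000000-mapping.dmp"""

# YARA hits from the Signatures section, without the "behavioral2/" prefix.
YARA_HITS = {"memory/2648-120-0x000000000041EBB0-mapping.dmp",
             "memory/2648-119-0x0000000000400000-0x000000000042E000-memory.dmp",
             "memory/928-128-0x0000000002AF0000-0x0000000002B1E000-memory.dmp"}

DUMP_RE = re.compile(
    r"^(memory/(\d+)-(\d+)-0x([0-9A-Fa-f]+)(?:-0x([0-9A-Fa-f]+))?-(memory|mapping)\.dmp)"
    r"(?:\s+(\S+))?$")
UNITS = {"KB": 1024, "MB": 1024 ** 2}


def reported_to_bytes(s):
    """'184KB' -> (188416.0, 1024); the unit is returned for the tolerance check."""
    m = re.fullmatch(r"([\d.]+)(KB|MB)", s)
    if not m:
        raise ValueError(f"unrecognised size: {s!r}")
    return float(m.group(1)) * UNITS[m.group(2)], UNITS[m.group(2)]


def parse_dumps(text):
    """One dict per dump line; mapping dumps have no end address and no size."""
    out = []
    for line in text.splitlines():
        m = DUMP_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed: {line!r}")
        name, pid, seq, start, end, kind, size = m.groups()
        start = int(start, 16)
        end = int(end, 16) if end else None
        out.append({"name": name, "pid": int(pid), "seq": int(seq), "start": start,
                    "end": end, "kind": kind, "yara": name in YARA_HITS,
                    "size": (end - start) if end else None, "reported": size})
    return out


def size_mismatches(entries):
    """Names whose address range disagrees with the reported size by more
    than the display rounding (a tenth of the reported unit)."""
    bad = []
    for e in entries:
        if e["size"] is None or not e["reported"]:
            continue
        rep, unit = reported_to_bytes(e["reported"])
        if abs(e["size"] - rep) > unit / 10:
            bad.append(e["name"])
    return bad


def shared_sizes(entries):
    """{size_in_bytes: sorted pids} for region sizes seen in more than one process."""
    by = defaultdict(set)
    for e in entries:
        if e["size"]:
            by[e["size"]].add(e["pid"])
    return {s: sorted(p) for s, p in by.items() if len(p) > 1}


def containing_region(entries, pid, addr):
    """Name of the region of `pid` that contains `addr`, or None."""
    for e in entries:
        if e["pid"] == pid and e["end"] and e["start"] <= addr < e["end"]:
            return e["name"]
    return None


if __name__ == "__main__":
    es = parse_dumps(DUMP_LINES)
    print("size mismatches:", size_mismatches(es))
    for size, pids in shared_sizes(es).items():
        print(f"{size:#x} ({size // 1024}KB) present in PIDs {pids}")
    print("0x41EBB0 in PID 2648 lies in:", containing_region(es, 2648, 0x41EBB0))
```

The tolerance is deliberately tied to the reported unit: a 3.1MB label covers anything within about 0.1MB, so a 0x320000-byte region (3.125MB) passes, while an off-by-a-page error on a KB-sized region still fails.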