magniber | 22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51

Resubmissions

19-08-2021 01:57

210819-7xxlq9brfj 10

18-08-2021 02:00

210818-eve5hlsnke 10

Analysis

max time kernel
108s
max time network
118s
platform
windows11_x64
resource
win11
submitted
19-08-2021 01:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll
Size

21KB
MD5

f9147aeda18f71043955420e853b8d3c
SHA1

a9c6995a91ac8ac6c76379fd38c3fb973273d3b3
SHA256

22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51
SHA512

3e38ce57ada7a3fc22c2caf6a882574427c3d0b73cbfc337853017995f27688a5f344157f893f1a70cec2ced15a4a553010031b54e813cacb430670ecd8c251f

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://5c047c48481492a0b0dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://5c047c48481492a0b0dgvzumt.codehes.uno/dgvzumt http://5c047c48481492a0b0dgvzumt.partscs.site/dgvzumt http://5c047c48481492a0b0dgvzumt.uponmix.xyz/dgvzumt http://5c047c48481492a0b0dgvzumt.flysex.space/dgvzumt Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://5c047c48481492a0b0dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt

http://5c047c48481492a0b0dgvzumt.codehes.uno/dgvzumt

http://5c047c48481492a0b0dgvzumt.partscs.site/dgvzumt

http://5c047c48481492a0b0dgvzumt.uponmix.xyz/dgvzumt

http://5c047c48481492a0b0dgvzumt.flysex.space/dgvzumt

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1256	4816	cmd.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4480	4816	cmd.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4488	4816	vssadmin.exe	26
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2984	4816	vssadmin.exe	26

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe

Drops file in Windows directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\BITBFD0.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\Windows10.0-KB5004342-x64-NDP48.cab	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab	sihclient.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab	sihclient.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4488	vssadmin.exe
2984	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Disallowed\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root\CRLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\CRLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4704	rundll32.exe
4704	rundll32.exe

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe
4704	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4688	WMIC.exe
Token: SeSecurityPrivilege	4688	WMIC.exe
Token: SeTakeOwnershipPrivilege	4688	WMIC.exe
Token: SeLoadDriverPrivilege	4688	WMIC.exe
Token: SeSystemProfilePrivilege	4688	WMIC.exe
Token: SeSystemtimePrivilege	4688	WMIC.exe
Token: SeProfSingleProcessPrivilege	4688	WMIC.exe
Token: SeIncBasePriorityPrivilege	4688	WMIC.exe
Token: SeCreatePagefilePrivilege	4688	WMIC.exe
Token: SeBackupPrivilege	4688	WMIC.exe
Token: SeRestorePrivilege	4688	WMIC.exe
Token: SeShutdownPrivilege	4688	WMIC.exe
Token: SeDebugPrivilege	4688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4688	WMIC.exe
Token: SeRemoteShutdownPrivilege	4688	WMIC.exe
Token: SeUndockPrivilege	4688	WMIC.exe
Token: SeManageVolumePrivilege	4688	WMIC.exe
Token: 33	4688	WMIC.exe
Token: 34	4688	WMIC.exe
Token: 35	4688	WMIC.exe
Token: 36	4688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe
Token: SeSecurityPrivilege	4692	WMIC.exe
Token: SeTakeOwnershipPrivilege	4692	WMIC.exe
Token: SeLoadDriverPrivilege	4692	WMIC.exe
Token: SeSystemProfilePrivilege	4692	WMIC.exe
Token: SeSystemtimePrivilege	4692	WMIC.exe
Token: SeProfSingleProcessPrivilege	4692	WMIC.exe
Token: SeIncBasePriorityPrivilege	4692	WMIC.exe
Token: SeCreatePagefilePrivilege	4692	WMIC.exe
Token: SeBackupPrivilege	4692	WMIC.exe
Token: SeRestorePrivilege	4692	WMIC.exe
Token: SeShutdownPrivilege	4692	WMIC.exe
Token: SeDebugPrivilege	4692	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4692	WMIC.exe
Token: SeRemoteShutdownPrivilege	4692	WMIC.exe
Token: SeUndockPrivilege	4692	WMIC.exe
Token: SeManageVolumePrivilege	4692	WMIC.exe
Token: 33	4692	WMIC.exe
Token: 34	4692	WMIC.exe
Token: 35	4692	WMIC.exe
Token: 36	4692	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4688	WMIC.exe
Token: SeSecurityPrivilege	4688	WMIC.exe
Token: SeTakeOwnershipPrivilege	4688	WMIC.exe
Token: SeLoadDriverPrivilege	4688	WMIC.exe
Token: SeSystemProfilePrivilege	4688	WMIC.exe
Token: SeSystemtimePrivilege	4688	WMIC.exe
Token: SeProfSingleProcessPrivilege	4688	WMIC.exe
Token: SeIncBasePriorityPrivilege	4688	WMIC.exe
Token: SeCreatePagefilePrivilege	4688	WMIC.exe
Token: SeBackupPrivilege	4688	WMIC.exe
Token: SeRestorePrivilege	4688	WMIC.exe
Token: SeShutdownPrivilege	4688	WMIC.exe
Token: SeDebugPrivilege	4688	WMIC.exe
Token: SeSystemEnvironmentPrivilege	4688	WMIC.exe
Token: SeRemoteShutdownPrivilege	4688	WMIC.exe
Token: SeUndockPrivilege	4688	WMIC.exe
Token: SeManageVolumePrivilege	4688	WMIC.exe
Token: 33	4688	WMIC.exe
Token: 34	4688	WMIC.exe
Token: 35	4688	WMIC.exe
Token: 36	4688	WMIC.exe
Token: SeIncreaseQuotaPrivilege	4692	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4704 wrote to memory of 5012	4704	rundll32.exe	82
PID 4704 wrote to memory of 5012	4704	rundll32.exe	82
PID 4704 wrote to memory of 4220	4704	rundll32.exe	83
PID 4704 wrote to memory of 4220	4704	rundll32.exe	83
PID 5012 wrote to memory of 4688	5012	cmd.exe	86
PID 5012 wrote to memory of 4688	5012	cmd.exe	86
PID 4220 wrote to memory of 4692	4220	cmd.exe	87
PID 4220 wrote to memory of 4692	4220	cmd.exe	87
PID 1256 wrote to memory of 4704	1256	cmd.exe	92
PID 1256 wrote to memory of 4704	1256	cmd.exe	92
PID 4480 wrote to memory of 4612	4480	cmd.exe	93
PID 4480 wrote to memory of 4612	4480	cmd.exe	93
PID 4612 wrote to memory of 4588	4612	ComputerDefaults.exe	94
PID 4612 wrote to memory of 4588	4612	ComputerDefaults.exe	94
PID 4704 wrote to memory of 4688	4704	ComputerDefaults.exe	96
PID 4704 wrote to memory of 4688	4704	ComputerDefaults.exe	96

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll,#1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4704
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5012
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4688
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4220
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:4692

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1256
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4704
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4688

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4480
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4612
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:4588

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4488

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2984

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3032

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4596

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:4476

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv sjuMneG/lkSK2C7c/HduvQ.0.2
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:4636

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:836

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1308

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:2044

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe f3a62cb651cc7b970e2dca730e260b2e sjuMneG/lkSK2C7c/HduvQ.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:2440

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/4596-168-0x0000015BBA4D0000-0x0000015BBA4D4000-memory.dmp

Filesize
16KB

Download
memory/4596-167-0x0000015BB7EE0000-0x0000015BB7EF0000-memory.dmp

Filesize
64KB

Download
memory/4596-166-0x0000015BB7E60000-0x0000015BB7E70000-memory.dmp

Filesize
64KB

Download
memory/4704-159-0x0000028A89A20000-0x0000028A89A24000-memory.dmp

Filesize
16KB

Download
memory/4704-158-0x0000028A89A10000-0x0000028A89A11000-memory.dmp

Filesize
4KB

Download
memory/4704-150-0x0000028A88F40000-0x0000028A88F41000-memory.dmp

Filesize
4KB

Download
memory/4704-149-0x0000028A88F30000-0x0000028A88F31000-memory.dmp

Filesize
4KB

Download
memory/4704-146-0x0000028A88A70000-0x0000028A88A71000-memory.dmp

Filesize
4KB

Download
memory/4704-156-0x0000028A8B530000-0x0000028A8B531000-memory.dmp

Filesize
4KB

Download
memory/4704-153-0x0000028A88F80000-0x0000028A88F81000-memory.dmp

Filesize
4KB

Download
memory/4704-157-0x0000028A88FB0000-0x0000028A88FB1000-memory.dmp

Filesize
4KB

Download
memory/4704-155-0x0000028A88FA0000-0x0000028A88FA1000-memory.dmp

Filesize
4KB

Download
memory/4704-151-0x0000028A88F50000-0x0000028A88F51000-memory.dmp

Filesize
4KB

Download
memory/4704-148-0x0000028A88F20000-0x0000028A88F21000-memory.dmp

Filesize
4KB

Download
memory/4704-147-0x0000028A88A80000-0x0000028A88A81000-memory.dmp

Filesize
4KB

Download