magniber | 66c4f54da6542339de036872e80306f345b8572a71e782434245455e03541465

Analysis

max time kernel
105s
max time network
118s
platform
windows11_x64
resource
win11
submitted
23-08-2021 16:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e84e3a6b5db3f402f912a7afb328cb61.dll
Size

21KB
MD5

e84e3a6b5db3f402f912a7afb328cb61
SHA1

f57f4f7d2358c5b00a9a39fcdbb0d668e503dedc
SHA256

66c4f54da6542339de036872e80306f345b8572a71e782434245455e03541465
SHA512

1c60484518b489beb748641ee3983c698ed6253c63abc7818cf76e7fd76944977f1b83c7a762bd16f40945adf646b80de4058f59d775b708b276f754bbf63c91

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://74c48610421492a0b8dstzaaeww.xurvsjipiyubcsta.onion/dstzaaeww Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://74c48610421492a0b8dstzaaeww.laygive.site/dstzaaeww http://74c48610421492a0b8dstzaaeww.loglook.club/dstzaaeww http://74c48610421492a0b8dstzaaeww.tankmy.space/dstzaaeww http://74c48610421492a0b8dstzaaeww.gorise.uno/dstzaaeww Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://74c48610421492a0b8dstzaaeww.xurvsjipiyubcsta.onion/dstzaaeww

http://74c48610421492a0b8dstzaaeww.laygive.site/dstzaaeww

http://74c48610421492a0b8dstzaaeww.loglook.club/dstzaaeww

http://74c48610421492a0b8dstzaaeww.tankmy.space/dstzaaeww

http://74c48610421492a0b8dstzaaeww.gorise.uno/dstzaaeww

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 4 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3452	4776	cmd.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3464	4776	cmd.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4328	4776	vssadmin.exe	41
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3832	4776	vssadmin.exe	41

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	WaaSMedicAgent.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\57C8EDB95DF3F0AD4EE2DC2B8CFD4157	sihclient.exe

Drops file in Windows directory 9 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\Windows10.0-KB5004342-x64-NDP48.cab	svchost.exe
File opened for modification	C:\Windows\WinSxS\pending.xml	TiWorker.exe
File created	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\BIT522E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\522D76A4-93E1-47F8-B8CE-07C937AD1A1E\sls.cab	sihclient.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\BITDF10.tmp	svchost.exe
File created	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\BITDF10.tmp	svchost.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TiWorker.exe
File opened for modification	C:\Windows\SoftwareDistribution\Download\d62540ea7d8b4a9d1958e44f689fb27e\BIT522E.tmp	svchost.exe
File opened for modification	C:\Windows\SoftwareDistribution\SLS\E7A50285-D08D-499D-9FF8-180FDC2332BC\sls.cab	sihclient.exe

Interacts with shadow copies 2 TTPs 2 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4328	vssadmin.exe
3832	vssadmin.exe

Modifies data under HKEY_USERS 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust\Certificates	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Disallowed\CTLs	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	WaaSMedicAgent.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4584	rundll32.exe
4584	rundll32.exe

Suspicious behavior: MapViewOfSection 13 IoCs

pid	Process
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe
4584	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3716	WMIC.exe
Token: SeSecurityPrivilege	3716	WMIC.exe
Token: SeTakeOwnershipPrivilege	3716	WMIC.exe
Token: SeLoadDriverPrivilege	3716	WMIC.exe
Token: SeSystemProfilePrivilege	3716	WMIC.exe
Token: SeSystemtimePrivilege	3716	WMIC.exe
Token: SeProfSingleProcessPrivilege	3716	WMIC.exe
Token: SeIncBasePriorityPrivilege	3716	WMIC.exe
Token: SeCreatePagefilePrivilege	3716	WMIC.exe
Token: SeBackupPrivilege	3716	WMIC.exe
Token: SeRestorePrivilege	3716	WMIC.exe
Token: SeShutdownPrivilege	3716	WMIC.exe
Token: SeDebugPrivilege	3716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3716	WMIC.exe
Token: SeRemoteShutdownPrivilege	3716	WMIC.exe
Token: SeUndockPrivilege	3716	WMIC.exe
Token: SeManageVolumePrivilege	3716	WMIC.exe
Token: 33	3716	WMIC.exe
Token: 34	3716	WMIC.exe
Token: 35	3716	WMIC.exe
Token: 36	3716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3856	WMIC.exe
Token: SeSecurityPrivilege	3856	WMIC.exe
Token: SeTakeOwnershipPrivilege	3856	WMIC.exe
Token: SeLoadDriverPrivilege	3856	WMIC.exe
Token: SeSystemProfilePrivilege	3856	WMIC.exe
Token: SeSystemtimePrivilege	3856	WMIC.exe
Token: SeProfSingleProcessPrivilege	3856	WMIC.exe
Token: SeIncBasePriorityPrivilege	3856	WMIC.exe
Token: SeCreatePagefilePrivilege	3856	WMIC.exe
Token: SeBackupPrivilege	3856	WMIC.exe
Token: SeRestorePrivilege	3856	WMIC.exe
Token: SeShutdownPrivilege	3856	WMIC.exe
Token: SeDebugPrivilege	3856	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3856	WMIC.exe
Token: SeRemoteShutdownPrivilege	3856	WMIC.exe
Token: SeUndockPrivilege	3856	WMIC.exe
Token: SeManageVolumePrivilege	3856	WMIC.exe
Token: 33	3856	WMIC.exe
Token: 34	3856	WMIC.exe
Token: 35	3856	WMIC.exe
Token: 36	3856	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3716	WMIC.exe
Token: SeSecurityPrivilege	3716	WMIC.exe
Token: SeTakeOwnershipPrivilege	3716	WMIC.exe
Token: SeLoadDriverPrivilege	3716	WMIC.exe
Token: SeSystemProfilePrivilege	3716	WMIC.exe
Token: SeSystemtimePrivilege	3716	WMIC.exe
Token: SeProfSingleProcessPrivilege	3716	WMIC.exe
Token: SeIncBasePriorityPrivilege	3716	WMIC.exe
Token: SeCreatePagefilePrivilege	3716	WMIC.exe
Token: SeBackupPrivilege	3716	WMIC.exe
Token: SeRestorePrivilege	3716	WMIC.exe
Token: SeShutdownPrivilege	3716	WMIC.exe
Token: SeDebugPrivilege	3716	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3716	WMIC.exe
Token: SeRemoteShutdownPrivilege	3716	WMIC.exe
Token: SeUndockPrivilege	3716	WMIC.exe
Token: SeManageVolumePrivilege	3716	WMIC.exe
Token: 33	3716	WMIC.exe
Token: 34	3716	WMIC.exe
Token: 35	3716	WMIC.exe
Token: 36	3716	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3856	WMIC.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 4584 wrote to memory of 2992	4584	rundll32.exe	81
PID 4584 wrote to memory of 2992	4584	rundll32.exe	81
PID 4584 wrote to memory of 3764	4584	rundll32.exe	84
PID 4584 wrote to memory of 3764	4584	rundll32.exe	84
PID 2992 wrote to memory of 3716	2992	cmd.exe	86
PID 2992 wrote to memory of 3716	2992	cmd.exe	86
PID 3764 wrote to memory of 3856	3764	cmd.exe	85
PID 3764 wrote to memory of 3856	3764	cmd.exe	85
PID 3464 wrote to memory of 852	3464	cmd.exe	94
PID 3464 wrote to memory of 852	3464	cmd.exe	94
PID 3452 wrote to memory of 868	3452	cmd.exe	93
PID 3452 wrote to memory of 868	3452	cmd.exe	93
PID 852 wrote to memory of 700	852	ComputerDefaults.exe	96
PID 852 wrote to memory of 700	852	ComputerDefaults.exe	96
PID 868 wrote to memory of 1084	868	ComputerDefaults.exe	95
PID 868 wrote to memory of 1084	868	ComputerDefaults.exe	95

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\e84e3a6b5db3f402f912a7afb328cb61.dll,#1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4584
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3716
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3764
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3856

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3452
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:868
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1084

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3464
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:700

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv fxGCPoqzUkqRX7Y2Kt3T4A.0.2
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:788

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4328

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3832

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3732

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:2572

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ef2d0c230005592815820ade12af185e fxGCPoqzUkqRX7Y2Kt3T4A.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:1632

C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
1⤵
- Drops file in Windows directory
PID:1900

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ef2d0c230005592815820ade12af185e fxGCPoqzUkqRX7Y2Kt3T4A.0.1.0.3.0
1⤵
- Drops file in System32 directory
- Modifies data under HKEY_USERS
PID:4136

C:\Windows\System32\WaaSMedicAgent.exe
C:\Windows\System32\WaaSMedicAgent.exe ef2d0c230005592815820ade12af185e fxGCPoqzUkqRX7Y2Kt3T4A.0.1.0.3.0
1⤵
- Modifies data under HKEY_USERS
PID:2160

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2460-168-0x00000259A2DF0000-0x00000259A2DF4000-memory.dmp

Filesize
16KB

Download
memory/2460-167-0x00000259A2AE0000-0x00000259A2AF0000-memory.dmp

Filesize
64KB

Download
memory/2460-166-0x00000259A2A60000-0x00000259A2A70000-memory.dmp

Filesize
64KB

Download
memory/4584-153-0x0000024F26C80000-0x0000024F26C81000-memory.dmp

Filesize
4KB

Download
memory/4584-147-0x0000024F26760000-0x0000024F26761000-memory.dmp

Filesize
4KB

Download
memory/4584-156-0x0000024F27650000-0x0000024F27654000-memory.dmp

Filesize
16KB

Download
memory/4584-154-0x0000024F26C90000-0x0000024F26C91000-memory.dmp

Filesize
4KB

Download
memory/4584-155-0x0000024F27640000-0x0000024F27641000-memory.dmp

Filesize
4KB

Download
memory/4584-161-0x0000024F29160000-0x0000024F29161000-memory.dmp

Filesize
4KB

Download
memory/4584-152-0x0000024F26C60000-0x0000024F26C61000-memory.dmp

Filesize
4KB

Download
memory/4584-151-0x0000024F26C30000-0x0000024F26C31000-memory.dmp

Filesize
4KB

Download
memory/4584-150-0x0000024F26C20000-0x0000024F26C21000-memory.dmp

Filesize
4KB

Download
memory/4584-149-0x0000024F26C10000-0x0000024F26C11000-memory.dmp

Filesize
4KB

Download
memory/4584-146-0x0000024F26750000-0x0000024F26751000-memory.dmp

Filesize
4KB

Download
memory/4584-148-0x0000024F26C00000-0x0000024F26C01000-memory.dmp

Filesize
4KB

Download