magniber | f66e9e0a8847f5c0d3a11e1f61fe70f236688474760038e2bc1fbcc637b08fd1

Analysis

max time kernel
151s
max time network
145s
platform
windows10_x64
resource
win10v20210408
submitted
29-08-2021 11:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1.dll
Size

38KB
MD5

f6202e6f4b35f20f7c186d0440a85db9
SHA1

fe9211e7e811e1826dd401a2a7f1ac92ac8613ad
SHA256

f66e9e0a8847f5c0d3a11e1f61fe70f236688474760038e2bc1fbcc637b08fd1
SHA512

85a43634be204d888d319b398b742b086cffe0db391588bb304851644c8ef15c27434e794b821e0ed002b540dc41dc83333942867632ce271baa1182a24d3583

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://78146e4834b06a607svbdthwdw.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/svbdthwdw Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://78146e4834b06a607svbdthwdw.upquote.xyz/svbdthwdw http://78146e4834b06a607svbdthwdw.armythe.club/svbdthwdw http://78146e4834b06a607svbdthwdw.aredata.site/svbdthwdw http://78146e4834b06a607svbdthwdw.whorest.top/svbdthwdw Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://78146e4834b06a607svbdthwdw.ntjflrx6uhwcmfhnn3yewv2wfhtqtjyfkvyrvjz4wuo6uw33yw7sfiid.onion/svbdthwdw

http://78146e4834b06a607svbdthwdw.upquote.xyz/svbdthwdw

http://78146e4834b06a607svbdthwdw.armythe.club/svbdthwdw

http://78146e4834b06a607svbdthwdw.aredata.site/svbdthwdw

http://78146e4834b06a607svbdthwdw.whorest.top/svbdthwdw

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 3 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	2708	cmd.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1332	2708	cmd.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3560	2708	vssadmin.exe	90

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RequestAdd.tiff => C:\Users\Admin\Pictures\RequestAdd.tiff.svbdthwdw	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\StopUninstall.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\StopUninstall.tiff => C:\Users\Admin\Pictures\StopUninstall.tiff.svbdthwdw	rundll32.exe
File renamed	C:\Users\Admin\Pictures\TraceSet.tif => C:\Users\Admin\Pictures\TraceSet.tif.svbdthwdw	rundll32.exe
File renamed	C:\Users\Admin\Pictures\EnterExport.raw => C:\Users\Admin\Pictures\EnterExport.raw.svbdthwdw	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ReadOptimize.raw => C:\Users\Admin\Pictures\ReadOptimize.raw.svbdthwdw	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UnregisterMerge.raw => C:\Users\Admin\Pictures\UnregisterMerge.raw.svbdthwdw	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\RequestAdd.tiff	rundll32.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Control Panel\International\Geo\Nation	cmd.exe

Suspicious use of SetThreadContext 64 IoCs

description	pid	Process
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe
PID 632 set thread context of 0	632	rundll32.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\ESE.TXT	MicrosoftEdge.exe

Interacts with shadow copies 2 TTPs 1 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3560	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 3 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	browser_broker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000\Software\Microsoft\Internet Explorer\Main	MicrosoftEdgeCP.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA\Certificates	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{AEBA21FA-782A-4A90-978D-B7216 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\SubSysId = "0"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\History	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\RACProvisionStatus-001 = "1"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\PrivacyAdvanced = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3\{A8A88C49-5EB2-4990-A1A2-08760 = 1a3761592352350c7a5f20172f1e1a190e2b017313371312141a152a	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-3624 = "microsoft.microsoftedge_8wekyb3d8bbwe"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\TypedURLs\url2 = "https://login.aliexpress.com/"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "{A5BC6182-9220-4F43-9414-C7669AC3F2B2}"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\Meta\generator$Telligent	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead\FileVersion = "2016061511"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FavOrder\TreeView = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ServiceUI	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\ExtensionsStore\datastore\usage\dscc_inventory\Extension = "5"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery\ReadingStorePending = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VersionHigh = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\InternetRegistry	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\ACGStatus\ACGPolicyState = "8"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\PendingRecovery	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\CIStatus	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\Wow64-DeviceId = "0"	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content\CachePrefix	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main\DisallowDefaultBrowserPrompt = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BrowserEmulation\CVListXMLVersionLow = "395205405"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft\SystemCertificates\CA	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\BingPageData\RulesFileNextUpdateDate = "336406004"	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Content	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Recovery\Active	MicrosoftEdge.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-3624051433-2125758914-1423191267-1740899205-1073925389-3782572162-737981194\Children\S-1-15-2-3624 = "microsoft.microsoftedge_8wekyb3d8bbwe/001"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Rating\Rating Prompt Shown = "0"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\RACProvisionStatus-121 = "1"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Settings\Cache\Cookies	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Protected - It is a violation of Windows Policy to modif = 010000002240705d5ce64479b49f9f94bf6fb587820bf2e93014f2af3166407a372c1adf2ba62edb47d43bc5fa75a411964b32ac59fb40ded59fec00cbd6	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Software\Microsoft	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Internet Explorer\Main\OperationalData = "1"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = a4b9cf3bda9cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Internet Settings\Zones\3	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\FlipAhead	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\Internet Settings\Cache\Content	MicrosoftEdgeCP.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\121\ACGStatus\DynamicCodePolicy = 05000000	MicrosoftEdgeCP.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\UserStateMigration\EdgeMigration\ManagerHistoryComplete = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\GPU\VendorId = "0"	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\OnlineHistory\NextBrowserDataLogTime = 2057d8a00c9dd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\DataStore\OneTimeCleanup = "1"	MicrosoftEdge.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\006\ACGStatus\ACGPolicyState = "6"	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\Children\001\CIStatus	MicrosoftEdgeCP.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\Main	MicrosoftEdge.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\CIStatus\CIStatusTimestamp = b0f74956da9cd701	MicrosoftEdge.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\Local Settings	MicrosoftEdge.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2200	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
632	rundll32.exe
632	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2428	Process not Found

Suspicious behavior: MapViewOfSection 10 IoCs

pid	Process
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
632	rundll32.exe
280	MicrosoftEdgeCP.exe
280	MicrosoftEdgeCP.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeIncreaseQuotaPrivilege	2348	wmic.exe
Token: SeSecurityPrivilege	2348	wmic.exe
Token: SeTakeOwnershipPrivilege	2348	wmic.exe
Token: SeLoadDriverPrivilege	2348	wmic.exe
Token: SeSystemProfilePrivilege	2348	wmic.exe
Token: SeSystemtimePrivilege	2348	wmic.exe
Token: SeProfSingleProcessPrivilege	2348	wmic.exe
Token: SeIncBasePriorityPrivilege	2348	wmic.exe
Token: SeCreatePagefilePrivilege	2348	wmic.exe
Token: SeBackupPrivilege	2348	wmic.exe
Token: SeRestorePrivilege	2348	wmic.exe
Token: SeShutdownPrivilege	2348	wmic.exe
Token: SeDebugPrivilege	2348	wmic.exe
Token: SeSystemEnvironmentPrivilege	2348	wmic.exe
Token: SeRemoteShutdownPrivilege	2348	wmic.exe
Token: SeUndockPrivilege	2348	wmic.exe
Token: SeManageVolumePrivilege	2348	wmic.exe
Token: 33	2348	wmic.exe
Token: 34	2348	wmic.exe
Token: 35	2348	wmic.exe
Token: 36	2348	wmic.exe
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeShutdownPrivilege	2428	Process not Found
Token: SeCreatePagefilePrivilege	2428	Process not Found
Token: SeIncreaseQuotaPrivilege	976	WMIC.exe
Token: SeSecurityPrivilege	976	WMIC.exe
Token: SeTakeOwnershipPrivilege	976	WMIC.exe
Token: SeLoadDriverPrivilege	976	WMIC.exe
Token: SeSystemProfilePrivilege	976	WMIC.exe
Token: SeSystemtimePrivilege	976	WMIC.exe
Token: SeProfSingleProcessPrivilege	976	WMIC.exe
Token: SeIncBasePriorityPrivilege	976	WMIC.exe
Token: SeCreatePagefilePrivilege	976	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

pid	Process
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found
2428	Process not Found

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2428	Process not Found

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2428	Process not Found
632	MicrosoftEdge.exe
280	MicrosoftEdgeCP.exe
280	MicrosoftEdgeCP.exe

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2428	Process not Found

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 632 wrote to memory of 2200	632	rundll32.exe	78
PID 632 wrote to memory of 2200	632	rundll32.exe	78
PID 632 wrote to memory of 2148	632	rundll32.exe	79
PID 632 wrote to memory of 2148	632	rundll32.exe	79
PID 632 wrote to memory of 2348	632	rundll32.exe	81
PID 632 wrote to memory of 2348	632	rundll32.exe	81
PID 632 wrote to memory of 3884	632	rundll32.exe	82
PID 632 wrote to memory of 3884	632	rundll32.exe	82
PID 632 wrote to memory of 2396	632	rundll32.exe	83
PID 632 wrote to memory of 2396	632	rundll32.exe	83
PID 2396 wrote to memory of 976	2396	cmd.exe	87
PID 2396 wrote to memory of 976	2396	cmd.exe	87
PID 3884 wrote to memory of 3908	3884	cmd.exe	89
PID 3884 wrote to memory of 3908	3884	cmd.exe	89
PID 1920 wrote to memory of 836	1920	cmd.exe	98
PID 1920 wrote to memory of 836	1920	cmd.exe	98
PID 1332 wrote to memory of 3796	1332	cmd.exe	99
PID 1332 wrote to memory of 3796	1332	cmd.exe	99
PID 280 wrote to memory of 2168	280	MicrosoftEdgeCP.exe	107
PID 280 wrote to memory of 2168	280	MicrosoftEdgeCP.exe	107
PID 280 wrote to memory of 2168	280	MicrosoftEdgeCP.exe	107
PID 280 wrote to memory of 2168	280	MicrosoftEdgeCP.exe	107
PID 280 wrote to memory of 2168	280	MicrosoftEdgeCP.exe	107
PID 280 wrote to memory of 2168	280	MicrosoftEdgeCP.exe	107

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\1.dll,#1
1⤵
- Modifies extensions of user files
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:632
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2200
- C:\Windows\system32\cmd.exe
  cmd /c "start http://78146e4834b06a607svbdthwdw.upquote.xyz/svbdthwdw^&1^&52269738^&96^&367^&2215063"
  2⤵
  - Checks computer location settings
  PID:2148
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2348
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3908
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:976

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1920
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:836

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1332
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3796

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3560

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1556

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
1⤵
- Drops file in Windows directory
- Modifies Internet Explorer settings
- Modifies registry class
- Suspicious use of SetWindowsHookEx
PID:632

C:\Windows\system32\browser_broker.exe
C:\Windows\system32\browser_broker.exe -Embedding
1⤵
- Modifies Internet Explorer settings
PID:3992

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:2016

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
- Suspicious behavior: MapViewOfSection
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:280

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies Internet Explorer settings
- Modifies registry class
PID:2168

C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
"C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
1⤵
- Modifies registry class
PID:4244

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/632-124-0x000001D95A220000-0x000001D95A221000-memory.dmp

Filesize
4KB

Download
memory/632-119-0x000001D95A0A0000-0x000001D95A0A1000-memory.dmp

Filesize
4KB

Download
memory/632-125-0x000001D95A230000-0x000001D95A231000-memory.dmp

Filesize
4KB

Download
memory/632-126-0x000001D95DA20000-0x000001D95DA21000-memory.dmp

Filesize
4KB

Download
memory/632-127-0x000001D95DA30000-0x000001D95DA35000-memory.dmp

Filesize
20KB

Download
memory/632-120-0x000001D95A0B0000-0x000001D95A0B1000-memory.dmp

Filesize
4KB

Download
memory/632-121-0x000001D95A0C0000-0x000001D95A0C1000-memory.dmp

Filesize
4KB

Download
memory/632-122-0x000001D95A200000-0x000001D95A201000-memory.dmp

Filesize
4KB

Download
memory/632-123-0x000001D95A210000-0x000001D95A211000-memory.dmp

Filesize
4KB

Download
memory/632-137-0x000001D95F550000-0x000001D95F551000-memory.dmp

Filesize
4KB

Download
memory/632-116-0x000001D95A070000-0x000001D95A071000-memory.dmp

Filesize
4KB

Download
memory/632-117-0x000001D95A080000-0x000001D95A081000-memory.dmp

Filesize
4KB

Download
memory/632-118-0x000001D95A090000-0x000001D95A091000-memory.dmp

Filesize
4KB

Download
memory/632-115-0x000001D95A060000-0x000001D95A061000-memory.dmp

Filesize
4KB

Download
memory/632-114-0x000001D95A2F0000-0x000001D95A59C000-memory.dmp

Filesize
2.7MB

Download
memory/3776-128-0x0000027C9E500000-0x0000027C9E508000-memory.dmp

Filesize
32KB

Download
memory/3776-130-0x0000027C9E4F0000-0x0000027C9E4F8000-memory.dmp

Filesize
32KB

Download
memory/3776-129-0x0000027C9E4F0000-0x0000027C9E4F1000-memory.dmp

Filesize
4KB

Download