Analysis
max time kernel: 150s
max time network: 139s
platform: windows10-2004_x64
resource: win10v2004-20220414-en
submitted: 27-06-2022 14:00
Static task: static1
Behavioral task: behavioral1 (Sample: Magniber4.msi; Resource: win7-20220414-en)
Behavioral task: behavioral2 (Sample: Magniber4.msi; Resource: win10v2004-20220414-en)
General
Target: Magniber4.msi
Size: 11.4MB
MD5: e449d2609f4c5410a31b73aef43f052e
SHA1: b48b1f8388d66e1098543adbe9a1ad2733eaeeaa
SHA256: bcbac6ef0f3344da0981454d5dbea7a958e288fd0c4995ae5cb46e3959949b20
SHA512: 98d9fefe04f183b6ed231abfe1df33b0d7eaaaa9ae613f315ed21928e34848b68c5f1d24acde944c276f013459d5059ba13a953fa648e1b7e6427ef691d2e620
Malware Config
Signatures
Detect magniber ransomware 2 IoCs
resource | yara_rule
behavioral2/memory/4600-134-0x000001CAA0710000-0x000001CAA0724000-memory.dmp | family_magniber
behavioral2/memory/4600-135-0x000001CAA2B30000-0x000001CAA2B3A000-memory.dmp | family_magniber
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 20 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4960 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1812 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1408 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1668 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4756 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4348 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 364 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1960 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2096 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1748 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2816 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2204 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 380 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4332 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 672 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4004 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2624 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 5060 | 4736 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1072 | 4736 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3640 | 4736 | wbadmin.exe | 104
Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
pid | Process
4960 | bcdedit.exe
1812 | bcdedit.exe
1408 | bcdedit.exe
1668 | bcdedit.exe
2096 | bcdedit.exe
1748 | bcdedit.exe
380 | bcdedit.exe
4332 | bcdedit.exe
2624 | bcdedit.exe
5060 | bcdedit.exe
Deletes System State backups 5 IoCs
pid | Process
364 | wbadmin.exe
1960 | wbadmin.exe
2204 | wbadmin.exe
4004 | wbadmin.exe
1072 | wbadmin.exe
Deletes backup catalog 5 IoCs
pid | Process
4756 | wbadmin.exe
4348 | wbadmin.exe
2816 | wbadmin.exe
672 | wbadmin.exe
3640 | wbadmin.exe
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File opened for modification | C:\Users\Admin\Pictures\PopRestore.tiff | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\PopRestore.tiff => C:\Users\Admin\Pictures\PopRestore.tiff.krkzauuz | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\InstallGroup.tif => C:\Users\Admin\Pictures\InstallGroup.tif.krkzauuz | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\InstallLimit.tif => C:\Users\Admin\Pictures\InstallLimit.tif.krkzauuz | Explorer.EXE
Loads dropped DLL 1 IoCs
pid | Process
4600 | MsiExec.exe
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | drive root | msiexec.exe
All 48 events are "File opened (read-only)" by msiexec.exe; every drive letter except C: and D: was opened twice. Drive roots in the order observed:
\??\W: \??\H: \??\J: \??\E: \??\J: \??\U: \??\V: \??\E: \??\U: \??\W: \??\Z: \??\S: \??\H: \??\Q: \??\B: \??\F: \??\M: \??\Q: \??\X: \??\Z: \??\K: \??\O: \??\K: \??\T: \??\Y: \??\P: \??\S: \??\A: \??\R: \??\X: \??\L: \??\N: \??\N: \??\V: \??\Y: \??\G: \??\I: \??\O: \??\G: \??\I: \??\R: \??\T: \??\M: \??\A: \??\L: \??\B: \??\F: \??\P:
Drops file in Windows directory 7 IoCs
description | ioc | Process
File created | C:\Windows\Installer\e57f03c.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57f03c.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSIF211.tmp | msiexec.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
Program crash 1 IoCs
pid | pid_target | Process | procid_target
804 | 3260 | WerFault.exe | 44
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Modifies registry class 42 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | taskhostw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | Explorer.EXE
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
4864 | msiexec.exe
4864 | msiexec.exe
4600 | MsiExec.exe
4600 | MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
3032 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeShutdownPrivilege | 4476 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4476 | msiexec.exe
Token: SeSecurityPrivilege | 4864 | msiexec.exe
Token: SeCreateTokenPrivilege | 4476 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 4476 | msiexec.exe
Token: SeLockMemoryPrivilege | 4476 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 4476 | msiexec.exe
Token: SeMachineAccountPrivilege | 4476 | msiexec.exe
Token: SeTcbPrivilege | 4476 | msiexec.exe
Token: SeSecurityPrivilege | 4476 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4476 | msiexec.exe
Token: SeLoadDriverPrivilege | 4476 | msiexec.exe
Token: SeSystemProfilePrivilege | 4476 | msiexec.exe
Token: SeSystemtimePrivilege | 4476 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 4476 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 4476 | msiexec.exe
Token: SeCreatePagefilePrivilege | 4476 | msiexec.exe
Token: SeCreatePermanentPrivilege | 4476 | msiexec.exe
Token: SeBackupPrivilege | 4476 | msiexec.exe
Token: SeRestorePrivilege | 4476 | msiexec.exe
Token: SeShutdownPrivilege | 4476 | msiexec.exe
Token: SeDebugPrivilege | 4476 | msiexec.exe
Token: SeAuditPrivilege | 4476 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 4476 | msiexec.exe
Token: SeChangeNotifyPrivilege | 4476 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 4476 | msiexec.exe
Token: SeUndockPrivilege | 4476 | msiexec.exe
Token: SeSyncAgentPrivilege | 4476 | msiexec.exe
Token: SeEnableDelegationPrivilege | 4476 | msiexec.exe
Token: SeManageVolumePrivilege | 4476 | msiexec.exe
Token: SeImpersonatePrivilege | 4476 | msiexec.exe
Token: SeCreateGlobalPrivilege | 4476 | msiexec.exe
Token: SeBackupPrivilege | 3532 | vssvc.exe
Token: SeRestorePrivilege | 3532 | vssvc.exe
Token: SeAuditPrivilege | 3532 | vssvc.exe
Token: SeBackupPrivilege | 4864 | msiexec.exe
Token: SeRestorePrivilege | 4864 | msiexec.exe
Token: SeRestorePrivilege | 4864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4864 | msiexec.exe
Token: SeRestorePrivilege | 4864 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4864 | msiexec.exe
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3032 | Explorer.EXE
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3032 | Explorer.EXE
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3032 | Explorer.EXE
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3032 | Explorer.EXE
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3032 | Explorer.EXE
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3032 | Explorer.EXE
Token: SeBackupPrivilege | 2188 | srtasks.exe
Token: SeRestorePrivilege | 2188 | srtasks.exe
Token: SeSecurityPrivilege | 2188 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2188 | srtasks.exe
Token: SeBackupPrivilege | 2188 | srtasks.exe
Token: SeRestorePrivilege | 2188 | srtasks.exe
Token: SeSecurityPrivilege | 2188 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 2188 | srtasks.exe
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 3032 | Explorer.EXE
Token: SeShutdownPrivilege | 3032 | Explorer.EXE
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
4476 | msiexec.exe
4476 | msiexec.exe
Suspicious use of WriteProcessMemory 36 IoCs
description | pid | Process | procid_target
PID 4864 wrote to memory of 2188 | 4864 | msiexec.exe | 92
PID 4864 wrote to memory of 2188 | 4864 | msiexec.exe | 92
PID 4864 wrote to memory of 4600 | 4864 | msiexec.exe | 94
PID 4864 wrote to memory of 4600 | 4864 | msiexec.exe | 94
PID 4600 wrote to memory of 2320 | 4600 | MsiExec.exe | 55
PID 4600 wrote to memory of 2328 | 4600 | MsiExec.exe | 54
PID 4600 wrote to memory of 2412 | 4600 | MsiExec.exe | 53
PID 4600 wrote to memory of 3032 | 4600 | MsiExec.exe | 21
PID 4600 wrote to memory of 2748 | 4600 | MsiExec.exe | 45
PID 4600 wrote to memory of 3260 | 4600 | MsiExec.exe | 44
PID 4600 wrote to memory of 3352 | 4600 | MsiExec.exe | 24
PID 4600 wrote to memory of 3472 | 4600 | MsiExec.exe | 22
PID 4600 wrote to memory of 3576 | 4600 | MsiExec.exe | 25
PID 4600 wrote to memory of 3868 | 4600 | MsiExec.exe | 43
PID 4600 wrote to memory of 4492 | 4600 | MsiExec.exe | 41
PID 4600 wrote to memory of 4476 | 4600 | MsiExec.exe | 79
PID 2700 wrote to memory of 2696 | 2700 | cmd.exe | 101
PID 2700 wrote to memory of 2696 | 2700 | cmd.exe | 101
PID 2696 wrote to memory of 5072 | 2696 | fodhelper.exe | 103
PID 2696 wrote to memory of 5072 | 2696 | fodhelper.exe | 103
PID 3976 wrote to memory of 3640 | 3976 | cmd.exe | 107
PID 3976 wrote to memory of 3640 | 3976 | cmd.exe | 107
PID 3640 wrote to memory of 5008 | 3640 | fodhelper.exe | 108
PID 3640 wrote to memory of 5008 | 3640 | fodhelper.exe | 108
PID 4012 wrote to memory of 3380 | 4012 | cmd.exe | 131
PID 4012 wrote to memory of 3380 | 4012 | cmd.exe | 131
PID 3380 wrote to memory of 308 | 3380 | fodhelper.exe | 132
PID 3380 wrote to memory of 308 | 3380 | fodhelper.exe | 132
PID 3564 wrote to memory of 1940 | 3564 | cmd.exe | 143
PID 3564 wrote to memory of 1940 | 3564 | cmd.exe | 143
PID 1940 wrote to memory of 508 | 1940 | fodhelper.exe | 145
PID 1940 wrote to memory of 508 | 1940 | fodhelper.exe | 145
PID 1944 wrote to memory of 4276 | 1944 | cmd.exe | 156
PID 1944 wrote to memory of 4276 | 1944 | cmd.exe | 156
PID 4276 wrote to memory of 3140 | 4276 | fodhelper.exe | 157
PID 4276 wrote to memory of 3140 | 4276 | fodhelper.exe | 157
Processes
(image path | command line | PID; child processes are indented under their parent)

C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID: 3032
    - Modifies extensions of user files
    - Modifies registry class
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\msiexec.exe | msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber4.msi | PID: 4476
        - Enumerates connected drives
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of FindShellTrayWindow
    C:\Windows\System32\cmd.exe | /c fodhelper.exe | PID: 4012
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe | fodhelper.exe | PID: 3380
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe | "wscript.exe" \Users\Public\bqbpvcoufgj.vbe | PID: 308

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3472
    - Modifies registry class
    C:\Windows\System32\cmd.exe | /c fodhelper.exe | PID: 3976
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe | fodhelper.exe | PID: 3640
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe | "wscript.exe" \Users\Public\bqbpvcoufgj.vbe | PID: 5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID: 3352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID: 3576

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 4492
    - Modifies registry class
    C:\Windows\System32\cmd.exe | /c fodhelper.exe | PID: 1944
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe | fodhelper.exe | PID: 4276
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe | "wscript.exe" \Users\Public\bqbpvcoufgj.vbe | PID: 3140

C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID: 3868
    - Modifies registry class
    C:\Windows\System32\cmd.exe | /c fodhelper.exe | PID: 2700
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe | fodhelper.exe | PID: 2696
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe | "wscript.exe" \Users\Public\bqbpvcoufgj.vbe | PID: 5072

C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID: 3260
    C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -u -p 3260 -s 924 | PID: 804
        - Program crash

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID: 2748
    - Modifies registry class

C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID: 2412
    - Modifies registry class

C:\Windows\system32\sihost.exe | sihost.exe | PID: 2328
    - Modifies registry class

C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID: 2320
    - Modifies registry class
    C:\Windows\System32\cmd.exe | /c fodhelper.exe | PID: 3564
        - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe | fodhelper.exe | PID: 1940
            - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe | "wscript.exe" \Users\Public\bqbpvcoufgj.vbe | PID: 508

C:\Windows\system32\msiexec.exe | C:\Windows\system32\msiexec.exe /V | PID: 4864
    - Enumerates connected drives
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\system32\srtasks.exe | C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2 | PID: 2188
        - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\MsiExec.exe | C:\Windows\System32\MsiExec.exe -Embedding 703B508AAD2EE4B64DA2D190D994838E | PID: 4600
        - Loads dropped DLL
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID: 3532
    - Checks SCSI registry key(s)
    - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe | C:\Windows\system32\WerFault.exe -pss -s 404 -p 3260 -ip 3260 | PID: 2312

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID: 4960
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID: 1812
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no | PID: 1408
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no | PID: 1668
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet | PID: 4756
    - Process spawned unexpected child process
    - Deletes backup catalog

C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet | PID: 4348
    - Process spawned unexpected child process
    - Deletes backup catalog

C:\Windows\system32\wbadmin.exe | wbadmin delete systemstatebackup -quiet | PID: 364
    - Process spawned unexpected child process
    - Deletes System State backups

C:\Windows\system32\wbadmin.exe | wbadmin delete systemstatebackup -quiet | PID: 1960
    - Process spawned unexpected child process
    - Deletes System State backups
    - Drops file in Windows directory

C:\Windows\system32\wbengine.exe | "C:\Windows\system32\wbengine.exe" | PID: 1712

C:\Windows\System32\vdsldr.exe | C:\Windows\System32\vdsldr.exe -Embedding | PID: 800

C:\Windows\System32\vds.exe | C:\Windows\System32\vds.exe | PID: 2280
    - Checks SCSI registry key(s)

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID: 2096
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no | PID: 1748
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet | PID: 2816
    - Process spawned unexpected child process
    - Deletes backup catalog

C:\Windows\system32\wbadmin.exe | wbadmin delete systemstatebackup -quiet | PID: 2204
    - Process spawned unexpected child process
    - Deletes System State backups

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID: 380
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no | PID: 4332
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet | PID: 672
    - Process spawned unexpected child process
    - Deletes backup catalog

C:\Windows\system32\wbadmin.exe | wbadmin delete systemstatebackup -quiet | PID: 4004
    - Process spawned unexpected child process
    - Deletes System State backups

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} bootstatuspolicy ignoreallfailures | PID: 2624
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe | bcdedit /set {default} recoveryenabled no | PID: 5060
    - Process spawned unexpected child process
    - Modifies boot configuration data using bcdedit

C:\Windows\system32\wbadmin.exe | wbadmin delete systemstatebackup -quiet | PID: 1072
    - Process spawned unexpected child process
    - Deletes System State backups

C:\Windows\system32\wbadmin.exe | wbadmin delete catalog -quiet | PID: 3640
    - Process spawned unexpected child process
    - Deletes backup catalog
Network
MITRE ATT&CK Enterprise v6
Downloads
Filesize: 862B (identical entry listed 5 times)
MD5: 8c6010b5f4a5f819f36fa9a4179cf583
SHA1: 7e5e759f3a8593c7be0dcfa97538308c0f5f1709
SHA256: 9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05
SHA512: 098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

Filesize: 99KB (identical entry listed 2 times)
MD5: 6e2b8071887c4662bb95923b7c14acf7
SHA1: 3e186c237a37987037b96bd32761b58c56238c7d
SHA256: 2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb
SHA512: 0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

Filesize: 23.0MB
MD5: 268830ad22d3f2846be8322eefbfae2c
SHA1: 672f0cad7677bf3b44e40eeba65f103b91e4ae3d
SHA256: 1e87729d5ea9ce7de543c6b6f5506d97b6a4699f3eada3fb20803fbe82cb3b2b
SHA512: 13ec9577b62f45e81c7b418b7abaf4a22e97018d854ce912c4e70fb41244ef8614720896211a8285a08ea434f42dc1f9006794e62d01c127ed8deee8851dcafb

\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2d022db-9551-4dc6-ade8-5472e7ebd8a8}_OnDiskSnapshotProp
Filesize: 5KB
MD5: b201712ec8c6f5869debec2dd6a43e1f
SHA1: d265c3c4c0ef99b4419eb65d765705370437f2d1
SHA256: a0459430e8fc545f6cc6c35d3b40b55bbd1af66c14b32dbbe1996ce79605512a
SHA512: a4ca2d7fc487d489b3bda594961b47912de49a6ad99cf572a728888d2a6eabac8bb93919cf58ce87376cad760f6f9d580befd67f12dfe071f0f99ff496da6ac0