magniber | bcbac6ef0f3344da0981454d5dbea7a958e288fd0c4995ae5cb46e3959949b20

Analysis

max time kernel
150s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
27-06-2022 14:00

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Magniber4.msi
Size

11.4MB
MD5

e449d2609f4c5410a31b73aef43f052e
SHA1

b48b1f8388d66e1098543adbe9a1ad2733eaeeaa
SHA256

bcbac6ef0f3344da0981454d5dbea7a958e288fd0c4995ae5cb46e3959949b20
SHA512

98d9fefe04f183b6ed231abfe1df33b0d7eaaaa9ae613f315ed21928e34848b68c5f1d24acde944c276f013459d5059ba13a953fa648e1b7e6427ef691d2e620

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/4600-134-0x000001CAA0710000-0x000001CAA0724000-memory.dmp	family_magniber
behavioral2/memory/4600-135-0x000001CAA2B30000-0x000001CAA2B3A000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 20 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4960	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1812	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1408	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1668	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4348	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	364	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1960	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2096	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1748	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2816	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2204	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	380	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4332	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	672	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4004	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2624	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5060	4736	bcdedit.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1072	4736	wbadmin.exe	104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3640	4736	wbadmin.exe	104

Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4960	bcdedit.exe
1812	bcdedit.exe
1408	bcdedit.exe
1668	bcdedit.exe
2096	bcdedit.exe
1748	bcdedit.exe
380	bcdedit.exe
4332	bcdedit.exe
2624	bcdedit.exe
5060	bcdedit.exe

Deletes System State backups 3 TTPs 5 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
364	wbadmin.exe
1960	wbadmin.exe
2204	wbadmin.exe
4004	wbadmin.exe
1072	wbadmin.exe

Deletes backup catalog 3 TTPs 5 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4756	wbadmin.exe
4348	wbadmin.exe
2816	wbadmin.exe
672	wbadmin.exe
3640	wbadmin.exe

Modifies extensions of user files 4 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File opened for modification	C:\Users\Admin\Pictures\PopRestore.tiff	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\PopRestore.tiff => C:\Users\Admin\Pictures\PopRestore.tiff.krkzauuz	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\InstallGroup.tif => C:\Users\Admin\Pictures\InstallGroup.tif.krkzauuz	Explorer.EXE
File renamed	C:\Users\Admin\Pictures\InstallLimit.tif => C:\Users\Admin\Pictures\InstallLimit.tif.krkzauuz	Explorer.EXE

Loads dropped DLL 1 IoCs

pid	Process
4600	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe

Drops file in Windows directory 7 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e57f03c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e57f03c.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIF211.tmp	msiexec.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
804	3260	WerFault.exe	44

Checks SCSI registry key(s) 3 TTPs 9 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Set value (data)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000	vssvc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	taskhostw.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4864	msiexec.exe
4864	msiexec.exe
4600	MsiExec.exe
4600	MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3032	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4476	msiexec.exe
Token: SeSecurityPrivilege	4864	msiexec.exe
Token: SeCreateTokenPrivilege	4476	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	4476	msiexec.exe
Token: SeLockMemoryPrivilege	4476	msiexec.exe
Token: SeIncreaseQuotaPrivilege	4476	msiexec.exe
Token: SeMachineAccountPrivilege	4476	msiexec.exe
Token: SeTcbPrivilege	4476	msiexec.exe
Token: SeSecurityPrivilege	4476	msiexec.exe
Token: SeTakeOwnershipPrivilege	4476	msiexec.exe
Token: SeLoadDriverPrivilege	4476	msiexec.exe
Token: SeSystemProfilePrivilege	4476	msiexec.exe
Token: SeSystemtimePrivilege	4476	msiexec.exe
Token: SeProfSingleProcessPrivilege	4476	msiexec.exe
Token: SeIncBasePriorityPrivilege	4476	msiexec.exe
Token: SeCreatePagefilePrivilege	4476	msiexec.exe
Token: SeCreatePermanentPrivilege	4476	msiexec.exe
Token: SeBackupPrivilege	4476	msiexec.exe
Token: SeRestorePrivilege	4476	msiexec.exe
Token: SeShutdownPrivilege	4476	msiexec.exe
Token: SeDebugPrivilege	4476	msiexec.exe
Token: SeAuditPrivilege	4476	msiexec.exe
Token: SeSystemEnvironmentPrivilege	4476	msiexec.exe
Token: SeChangeNotifyPrivilege	4476	msiexec.exe
Token: SeRemoteShutdownPrivilege	4476	msiexec.exe
Token: SeUndockPrivilege	4476	msiexec.exe
Token: SeSyncAgentPrivilege	4476	msiexec.exe
Token: SeEnableDelegationPrivilege	4476	msiexec.exe
Token: SeManageVolumePrivilege	4476	msiexec.exe
Token: SeImpersonatePrivilege	4476	msiexec.exe
Token: SeCreateGlobalPrivilege	4476	msiexec.exe
Token: SeBackupPrivilege	3532	vssvc.exe
Token: SeRestorePrivilege	3532	vssvc.exe
Token: SeAuditPrivilege	3532	vssvc.exe
Token: SeBackupPrivilege	4864	msiexec.exe
Token: SeRestorePrivilege	4864	msiexec.exe
Token: SeRestorePrivilege	4864	msiexec.exe
Token: SeTakeOwnershipPrivilege	4864	msiexec.exe
Token: SeRestorePrivilege	4864	msiexec.exe
Token: SeTakeOwnershipPrivilege	4864	msiexec.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeBackupPrivilege	2188	srtasks.exe
Token: SeRestorePrivilege	2188	srtasks.exe
Token: SeSecurityPrivilege	2188	srtasks.exe
Token: SeTakeOwnershipPrivilege	2188	srtasks.exe
Token: SeBackupPrivilege	2188	srtasks.exe
Token: SeRestorePrivilege	2188	srtasks.exe
Token: SeSecurityPrivilege	2188	srtasks.exe
Token: SeTakeOwnershipPrivilege	2188	srtasks.exe
Token: SeShutdownPrivilege	3032	Explorer.EXE
Token: SeCreatePagefilePrivilege	3032	Explorer.EXE
Token: SeShutdownPrivilege	3032	Explorer.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4476	msiexec.exe
4476	msiexec.exe

Suspicious use of WriteProcessMemory 36 IoCs

description	pid	Process	procid_target
PID 4864 wrote to memory of 2188	4864	msiexec.exe	92
PID 4864 wrote to memory of 2188	4864	msiexec.exe	92
PID 4864 wrote to memory of 4600	4864	msiexec.exe	94
PID 4864 wrote to memory of 4600	4864	msiexec.exe	94
PID 4600 wrote to memory of 2320	4600	MsiExec.exe	55
PID 4600 wrote to memory of 2328	4600	MsiExec.exe	54
PID 4600 wrote to memory of 2412	4600	MsiExec.exe	53
PID 4600 wrote to memory of 3032	4600	MsiExec.exe	21
PID 4600 wrote to memory of 2748	4600	MsiExec.exe	45
PID 4600 wrote to memory of 3260	4600	MsiExec.exe	44
PID 4600 wrote to memory of 3352	4600	MsiExec.exe	24
PID 4600 wrote to memory of 3472	4600	MsiExec.exe	22
PID 4600 wrote to memory of 3576	4600	MsiExec.exe	25
PID 4600 wrote to memory of 3868	4600	MsiExec.exe	43
PID 4600 wrote to memory of 4492	4600	MsiExec.exe	41
PID 4600 wrote to memory of 4476	4600	MsiExec.exe	79
PID 2700 wrote to memory of 2696	2700	cmd.exe	101
PID 2700 wrote to memory of 2696	2700	cmd.exe	101
PID 2696 wrote to memory of 5072	2696	fodhelper.exe	103
PID 2696 wrote to memory of 5072	2696	fodhelper.exe	103
PID 3976 wrote to memory of 3640	3976	cmd.exe	107
PID 3976 wrote to memory of 3640	3976	cmd.exe	107
PID 3640 wrote to memory of 5008	3640	fodhelper.exe	108
PID 3640 wrote to memory of 5008	3640	fodhelper.exe	108
PID 4012 wrote to memory of 3380	4012	cmd.exe	131
PID 4012 wrote to memory of 3380	4012	cmd.exe	131
PID 3380 wrote to memory of 308	3380	fodhelper.exe	132
PID 3380 wrote to memory of 308	3380	fodhelper.exe	132
PID 3564 wrote to memory of 1940	3564	cmd.exe	143
PID 3564 wrote to memory of 1940	3564	cmd.exe	143
PID 1940 wrote to memory of 508	1940	fodhelper.exe	145
PID 1940 wrote to memory of 508	1940	fodhelper.exe	145
PID 1944 wrote to memory of 4276	1944	cmd.exe	156
PID 1944 wrote to memory of 4276	1944	cmd.exe	156
PID 4276 wrote to memory of 3140	4276	fodhelper.exe	157
PID 4276 wrote to memory of 3140	4276	fodhelper.exe	157

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3032
- C:\Windows\system32\msiexec.exe
  msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber4.msi
  2⤵
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  PID:4476
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4012
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3380
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
      4⤵
      PID:308

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3472
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3976
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3640
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
      4⤵
      PID:5008

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3352

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3576

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4492
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1944
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4276
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
      4⤵
      PID:3140

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3868
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2700
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2696
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
      4⤵
      PID:5072

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3260 -s 924
  2⤵
  - Program crash
  PID:804

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:2748

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2412

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2328

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2320
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3564
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1940
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
      4⤵
      PID:508

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4864
- C:\Windows\system32\srtasks.exe
  C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:2188
- C:\Windows\System32\MsiExec.exe
  C:\Windows\System32\MsiExec.exe -Embedding 703B508AAD2EE4B64DA2D190D994838E
  2⤵
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4600

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Checks SCSI registry key(s)
- Suspicious use of AdjustPrivilegeToken
PID:3532

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 404 -p 3260 -ip 3260
1⤵
PID:2312

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4960

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1812

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1408

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1668

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4756

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4348

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:364

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:1960

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
PID:1712

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:800

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:2280

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2096

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1748

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:2816

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:2204

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:380

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4332

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:672

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4004

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2624

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:5060

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1072

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:3640

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\bqbpvcoufgj.vbe

Filesize
862B

MD5
8c6010b5f4a5f819f36fa9a4179cf583

SHA1
7e5e759f3a8593c7be0dcfa97538308c0f5f1709

SHA256
9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

SHA512
098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

Download Submit
C:\Users\Public\bqbpvcoufgj.vbe

Filesize
862B

MD5
8c6010b5f4a5f819f36fa9a4179cf583

SHA1
7e5e759f3a8593c7be0dcfa97538308c0f5f1709

SHA256
9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

SHA512
098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

Download Submit
C:\Users\Public\bqbpvcoufgj.vbe

Filesize
862B

MD5
8c6010b5f4a5f819f36fa9a4179cf583

SHA1
7e5e759f3a8593c7be0dcfa97538308c0f5f1709

SHA256
9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

SHA512
098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

Download Submit
C:\Users\Public\bqbpvcoufgj.vbe

Filesize
862B

MD5
8c6010b5f4a5f819f36fa9a4179cf583

SHA1
7e5e759f3a8593c7be0dcfa97538308c0f5f1709

SHA256
9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

SHA512
098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

Download Submit
C:\Users\Public\bqbpvcoufgj.vbe

Filesize
862B

MD5
8c6010b5f4a5f819f36fa9a4179cf583

SHA1
7e5e759f3a8593c7be0dcfa97538308c0f5f1709

SHA256
9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

SHA512
098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

Download Submit
C:\Windows\Installer\MSIF211.tmp

Filesize
99KB

MD5
6e2b8071887c4662bb95923b7c14acf7

SHA1
3e186c237a37987037b96bd32761b58c56238c7d

SHA256
2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

SHA512
0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

Download Submit
C:\Windows\Installer\MSIF211.tmp

Filesize
99KB

MD5
6e2b8071887c4662bb95923b7c14acf7

SHA1
3e186c237a37987037b96bd32761b58c56238c7d

SHA256
2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

SHA512
0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

Download Submit
\??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

Filesize
23.0MB

MD5
268830ad22d3f2846be8322eefbfae2c

SHA1
672f0cad7677bf3b44e40eeba65f103b91e4ae3d

SHA256
1e87729d5ea9ce7de543c6b6f5506d97b6a4699f3eada3fb20803fbe82cb3b2b

SHA512
13ec9577b62f45e81c7b418b7abaf4a22e97018d854ce912c4e70fb41244ef8614720896211a8285a08ea434f42dc1f9006794e62d01c127ed8deee8851dcafb

Download Submit
\??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2d022db-9551-4dc6-ade8-5472e7ebd8a8}_OnDiskSnapshotProp

Filesize
5KB

MD5
b201712ec8c6f5869debec2dd6a43e1f

SHA1
d265c3c4c0ef99b4419eb65d765705370437f2d1

SHA256
a0459430e8fc545f6cc6c35d3b40b55bbd1af66c14b32dbbe1996ce79605512a

SHA512
a4ca2d7fc487d489b3bda594961b47912de49a6ad99cf572a728888d2a6eabac8bb93919cf58ce87376cad760f6f9d580befd67f12dfe071f0f99ff496da6ac0

Download Submit
memory/4600-135-0x000001CAA2B30000-0x000001CAA2B3A000-memory.dmp

Filesize
40KB

Download
memory/4600-134-0x000001CAA0710000-0x000001CAA0724000-memory.dmp

Filesize
80KB

Download