Analysis

  • max time kernel
    150s
  • max time network
    139s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 14:00

General

  • Target

    Magniber4.msi

  • Size

    11.4MB

  • MD5

    e449d2609f4c5410a31b73aef43f052e

  • SHA1

    b48b1f8388d66e1098543adbe9a1ad2733eaeeaa

  • SHA256

    bcbac6ef0f3344da0981454d5dbea7a958e288fd0c4995ae5cb46e3959949b20

  • SHA512

    98d9fefe04f183b6ed231abfe1df33b0d7eaaaa9ae613f315ed21928e34848b68c5f1d24acde944c276f013459d5059ba13a953fa648e1b7e6427ef691d2e620

Malware Config

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 20 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
  • Deletes System State backups 3 TTPs 5 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 5 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:3032
    • C:\Windows\system32\msiexec.exe
      msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber4.msi
      2⤵
      • Enumerates connected drives
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      PID:4476
    • C:\Windows\System32\cmd.exe
      /c fodhelper.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4012
      • C:\Windows\System32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3380
        • C:\Windows\system32\wscript.exe
          "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
          4⤵
            PID:308
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
      • Modifies registry class
      PID:3472
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3976
        • C:\Windows\System32\fodhelper.exe
          fodhelper.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3640
          • C:\Windows\system32\wscript.exe
            "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
            4⤵
              PID:5008
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:3352
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3576
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
            • Modifies registry class
            PID:4492
            • C:\Windows\System32\cmd.exe
              /c fodhelper.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1944
              • C:\Windows\System32\fodhelper.exe
                fodhelper.exe
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4276
                • C:\Windows\system32\wscript.exe
                  "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
                  4⤵
                    PID:3140
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:3868
              • C:\Windows\System32\cmd.exe
                /c fodhelper.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2700
                • C:\Windows\System32\fodhelper.exe
                  fodhelper.exe
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:2696
                  • C:\Windows\system32\wscript.exe
                    "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
                    4⤵
                      PID:5072
              • C:\Windows\system32\DllHost.exe
                C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
                1⤵
                  PID:3260
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -u -p 3260 -s 924
                    2⤵
                    • Program crash
                    PID:804
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
                  1⤵
                  • Modifies registry class
                  PID:2748
                • C:\Windows\system32\taskhostw.exe
                  taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                  1⤵
                  • Modifies registry class
                  PID:2412
                • C:\Windows\system32\sihost.exe
                  sihost.exe
                  1⤵
                  • Modifies registry class
                  PID:2328
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                  1⤵
                  • Modifies registry class
                  PID:2320
                  • C:\Windows\System32\cmd.exe
                    /c fodhelper.exe
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:3564
                    • C:\Windows\System32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:1940
                      • C:\Windows\system32\wscript.exe
                        "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
                        4⤵
                          PID:508
                  • C:\Windows\system32\msiexec.exe
                    C:\Windows\system32\msiexec.exe /V
                    1⤵
                    • Enumerates connected drives
                    • Drops file in Windows directory
                    • Suspicious behavior: EnumeratesProcesses
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:4864
                    • C:\Windows\system32\srtasks.exe
                      C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                      2⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2188
                    • C:\Windows\System32\MsiExec.exe
                      C:\Windows\System32\MsiExec.exe -Embedding 703B508AAD2EE4B64DA2D190D994838E
                      2⤵
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of WriteProcessMemory
                      PID:4600
                  • C:\Windows\system32\vssvc.exe
                    C:\Windows\system32\vssvc.exe
                    1⤵
                    • Checks SCSI registry key(s)
                    • Suspicious use of AdjustPrivilegeToken
                    PID:3532
                  • C:\Windows\system32\WerFault.exe
                    C:\Windows\system32\WerFault.exe -pss -s 404 -p 3260 -ip 3260
                    1⤵
                      PID:2312
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} bootstatuspolicy ignoreallfailures
                      1⤵
                      • Process spawned unexpected child process
                      • Modifies boot configuration data using bcdedit
                      PID:4960
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} bootstatuspolicy ignoreallfailures
                      1⤵
                      • Process spawned unexpected child process
                      • Modifies boot configuration data using bcdedit
                      PID:1812
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} recoveryenabled no
                      1⤵
                      • Process spawned unexpected child process
                      • Modifies boot configuration data using bcdedit
                      PID:1408
                    • C:\Windows\system32\bcdedit.exe
                      bcdedit /set {default} recoveryenabled no
                      1⤵
                      • Process spawned unexpected child process
                      • Modifies boot configuration data using bcdedit
                      PID:1668
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete catalog -quiet
                      1⤵
                      • Process spawned unexpected child process
                      • Deletes backup catalog
                      PID:4756
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete catalog -quiet
                      1⤵
                      • Process spawned unexpected child process
                      • Deletes backup catalog
                      PID:4348
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete systemstatebackup -quiet
                      1⤵
                      • Process spawned unexpected child process
                      • Deletes System State backups
                      PID:364
                    • C:\Windows\system32\wbadmin.exe
                      wbadmin delete systemstatebackup -quiet
                      1⤵
                      • Process spawned unexpected child process
                      • Deletes System State backups
                      • Drops file in Windows directory
                      PID:1960
                    • C:\Windows\system32\wbengine.exe
                      "C:\Windows\system32\wbengine.exe"
                      1⤵
                        PID:1712
                      • C:\Windows\System32\vdsldr.exe
                        C:\Windows\System32\vdsldr.exe -Embedding
                        1⤵
                          PID:800
                        • C:\Windows\System32\vds.exe
                          C:\Windows\System32\vds.exe
                          1⤵
                          • Checks SCSI registry key(s)
                          PID:2280
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} bootstatuspolicy ignoreallfailures
                          1⤵
                          • Process spawned unexpected child process
                          • Modifies boot configuration data using bcdedit
                          PID:2096
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} recoveryenabled no
                          1⤵
                          • Process spawned unexpected child process
                          • Modifies boot configuration data using bcdedit
                          PID:1748
                        • C:\Windows\system32\wbadmin.exe
                          wbadmin delete catalog -quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Deletes backup catalog
                          PID:2816
                        • C:\Windows\system32\wbadmin.exe
                          wbadmin delete systemstatebackup -quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Deletes System State backups
                          PID:2204
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} bootstatuspolicy ignoreallfailures
                          1⤵
                          • Process spawned unexpected child process
                          • Modifies boot configuration data using bcdedit
                          PID:380
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} recoveryenabled no
                          1⤵
                          • Process spawned unexpected child process
                          • Modifies boot configuration data using bcdedit
                          PID:4332
                        • C:\Windows\system32\wbadmin.exe
                          wbadmin delete catalog -quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Deletes backup catalog
                          PID:672
                        • C:\Windows\system32\wbadmin.exe
                          wbadmin delete systemstatebackup -quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Deletes System State backups
                          PID:4004
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} bootstatuspolicy ignoreallfailures
                          1⤵
                          • Process spawned unexpected child process
                          • Modifies boot configuration data using bcdedit
                          PID:2624
                        • C:\Windows\system32\bcdedit.exe
                          bcdedit /set {default} recoveryenabled no
                          1⤵
                          • Process spawned unexpected child process
                          • Modifies boot configuration data using bcdedit
                          PID:5060
                        • C:\Windows\system32\wbadmin.exe
                          wbadmin delete systemstatebackup -quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Deletes System State backups
                          PID:1072
                        • C:\Windows\system32\wbadmin.exe
                          wbadmin delete catalog -quiet
                          1⤵
                          • Process spawned unexpected child process
                          • Deletes backup catalog
                          PID:3640

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Public\bqbpvcoufgj.vbe

                          Filesize

                          862B

                          MD5

                          8c6010b5f4a5f819f36fa9a4179cf583

                          SHA1

                          7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                          SHA256

                          9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                          SHA512

                          098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                        • C:\Users\Public\bqbpvcoufgj.vbe

                          Filesize

                          862B

                          MD5

                          8c6010b5f4a5f819f36fa9a4179cf583

                          SHA1

                          7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                          SHA256

                          9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                          SHA512

                          098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                        • C:\Users\Public\bqbpvcoufgj.vbe

                          Filesize

                          862B

                          MD5

                          8c6010b5f4a5f819f36fa9a4179cf583

                          SHA1

                          7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                          SHA256

                          9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                          SHA512

                          098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                        • C:\Users\Public\bqbpvcoufgj.vbe

                          Filesize

                          862B

                          MD5

                          8c6010b5f4a5f819f36fa9a4179cf583

                          SHA1

                          7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                          SHA256

                          9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                          SHA512

                          098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                        • C:\Users\Public\bqbpvcoufgj.vbe

                          Filesize

                          862B

                          MD5

                          8c6010b5f4a5f819f36fa9a4179cf583

                          SHA1

                          7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                          SHA256

                          9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                          SHA512

                          098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                        • C:\Windows\Installer\MSIF211.tmp

                          Filesize

                          99KB

                          MD5

                          6e2b8071887c4662bb95923b7c14acf7

                          SHA1

                          3e186c237a37987037b96bd32761b58c56238c7d

                          SHA256

                          2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

                          SHA512

                          0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

                        • C:\Windows\Installer\MSIF211.tmp

                          Filesize

                          99KB

                          MD5

                          6e2b8071887c4662bb95923b7c14acf7

                          SHA1

                          3e186c237a37987037b96bd32761b58c56238c7d

                          SHA256

                          2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

                          SHA512

                          0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

                        • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2

                          Filesize

                          23.0MB

                          MD5

                          268830ad22d3f2846be8322eefbfae2c

                          SHA1

                          672f0cad7677bf3b44e40eeba65f103b91e4ae3d

                          SHA256

                          1e87729d5ea9ce7de543c6b6f5506d97b6a4699f3eada3fb20803fbe82cb3b2b

                          SHA512

                          13ec9577b62f45e81c7b418b7abaf4a22e97018d854ce912c4e70fb41244ef8614720896211a8285a08ea434f42dc1f9006794e62d01c127ed8deee8851dcafb

                        • \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{f2d022db-9551-4dc6-ade8-5472e7ebd8a8}_OnDiskSnapshotProp

                          Filesize

                          5KB

                          MD5

                          b201712ec8c6f5869debec2dd6a43e1f

                          SHA1

                          d265c3c4c0ef99b4419eb65d765705370437f2d1

                          SHA256

                          a0459430e8fc545f6cc6c35d3b40b55bbd1af66c14b32dbbe1996ce79605512a

                          SHA512

                          a4ca2d7fc487d489b3bda594961b47912de49a6ad99cf572a728888d2a6eabac8bb93919cf58ce87376cad760f6f9d580befd67f12dfe071f0f99ff496da6ac0

                        • memory/4600-135-0x000001CAA2B30000-0x000001CAA2B3A000-memory.dmp

                          Filesize

                          40KB

                        • memory/4600-134-0x000001CAA0710000-0x000001CAA0724000-memory.dmp

                          Filesize

                          80KB