Analysis
- max time kernel: 149s
- max time network: 139s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 14:10

Static task: static1
Behavioral task: behavioral1
- Sample: Magniber11.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Magniber11.msi
- Resource: win10v2004-20220414-en
General
- Target: Magniber11.msi
- Size: 11.4MB
- MD5: 43db7b2265449e9e7fbe92cf64489312
- SHA1: d5b15d33a6406c603622f4bf98729f63c71c7933
- SHA256: b9669bea10051a80e268a97e455404a0f50c310ed92d26965d8b097429c0adcf
- SHA512: a9751360b4ca881fa2b621832222f74d4482a5295522dc8367b73bae0fd5712edd26eea4d02b4407b884a2a89bc77cb941e6daaaa00d37a9c73cc352bb0b2eb3
Malware Config
Signatures
-
Detect magniber ransomware 2 IoCs
Processes:
resource | yara_rule
behavioral2/memory/408-134-0x0000019519BD0000-0x0000019519BE4000-memory.dmp | family_magniber
behavioral2/memory/408-135-0x000001951A400000-0x000001951A40A000-memory.dmp | family_magniber
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 16 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3984 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4264 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3276 | 1904 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3124 | 1904 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1916 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1964 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1104 | 1904 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 1904 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1260 | 1904 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3892 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4112 | 1904 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3456 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 4964 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 392 | 1904 | bcdedit.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3724 | 1904 | wbadmin.exe | 104
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3380 | 1904 | wbadmin.exe | 104
-
Modifies boot configuration data using bcdedit 1 TTPs 8 IoCs
Processes:
pid | Process
3984 | bcdedit.exe
4264 | bcdedit.exe
1916 | bcdedit.exe
1964 | bcdedit.exe
3892 | bcdedit.exe
3456 | bcdedit.exe
4964 | bcdedit.exe
392 | bcdedit.exe
-
Deletes System State backups 4 IoCs
Processes:
pid | Process
3124 | wbadmin.exe
1104 | wbadmin.exe
4112 | wbadmin.exe
3380 | wbadmin.exe
-
Deletes backup catalog 4 IoCs
Processes:
pid | Process
3276 | wbadmin.exe
2356 | wbadmin.exe
1260 | wbadmin.exe
3724 | wbadmin.exe
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
Processes:
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\InstallGroup.tif => C:\Users\Admin\Pictures\InstallGroup.tif.krkzauuz | sihost.exe
File renamed | C:\Users\Admin\Pictures\InstallLimit.tif => C:\Users\Admin\Pictures\InstallLimit.tif.krkzauuz | sihost.exe
File opened for modification | C:\Users\Admin\Pictures\PopRestore.tiff | sihost.exe
File renamed | C:\Users\Admin\Pictures\PopRestore.tiff => C:\Users\Admin\Pictures\PopRestore.tiff.krkzauuz | sihost.exe
-
Loads dropped DLL 1 IoCs
Processes:
pid | Process
408 | MsiExec.exe
-
Enumerates connected drives 3 TTPs 48 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
description | ioc | Process
File opened (read-only) | \??\A:, \??\B:, \??\E:, \??\F:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: | msiexec.exe
Each of these 24 drive letters (every letter except C: and D:) is listed twice in the original table, once per flagged msiexec.exe process (PIDs 4280 and 4552 in the process tree), which gives the 48 IoCs.
-
Drops file in Windows directory 10 IoCs
Processes:
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
File opened for modification | C:\Windows\Installer\MSIE290.tmp | msiexec.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
File created | C:\Windows\Installer\e57e0cb.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e57e0cb.msi | msiexec.exe
-
Program crash 1 IoCs
Processes:
pid | pid_target | Process | procid_target
4856 | 3260 | WerFault.exe | 55
-
Checks SCSI registry key(s) 3 TTPs 9 IoCs
SCSI information is often read in order to detect sandboxing environments.
Processes:
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
-
Modifies registry class 32 IoCs
Processes:
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\bqbpvcoufgj.vbe" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | svchost.exe
-
Suspicious behavior: EnumeratesProcesses 4 IoCs
Processes:
pid | Process
4552 | msiexec.exe
4552 | msiexec.exe
408 | MsiExec.exe
408 | MsiExec.exe
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
pid | Process
3032 | Explorer.EXE
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
description | pid | Process (64 rows, grouped here by process; privileges are listed in the order the original table reports them)
Token: SeShutdownPrivilege, SeIncreaseQuotaPrivilege, SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege (31 rows) | 4280 | msiexec.exe
Token: SeSecurityPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege (7 rows) | 4552 | msiexec.exe
Token: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege (3 rows) | 2364 | vssvc.exe
Token: SeShutdownPrivilege and SeCreatePagefilePrivilege, strictly alternating, starting and ending with SeShutdownPrivilege (15 rows: 8 SeShutdownPrivilege, 7 SeCreatePagefilePrivilege) | 3032 | Explorer.EXE
Token: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, repeated twice (8 rows) | 4160 | srtasks.exe
-
Suspicious use of FindShellTrayWindow 2 IoCs
Processes:
pid | Process
4280 | msiexec.exe
4280 | msiexec.exe
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
description | pid | Process | procid_target
PID 4552 wrote to memory of 4160 | 4552 | msiexec.exe | 92
PID 4552 wrote to memory of 4160 | 4552 | msiexec.exe | 92
PID 4552 wrote to memory of 408 | 4552 | msiexec.exe | 94
PID 4552 wrote to memory of 408 | 4552 | msiexec.exe | 94
PID 408 wrote to memory of 2320 | 408 | MsiExec.exe | 62
PID 408 wrote to memory of 2328 | 408 | MsiExec.exe | 61
PID 408 wrote to memory of 2412 | 408 | MsiExec.exe | 60
PID 408 wrote to memory of 3032 | 408 | MsiExec.exe | 56
PID 408 wrote to memory of 2748 | 408 | MsiExec.exe | 32
PID 408 wrote to memory of 3260 | 408 | MsiExec.exe | 55
PID 408 wrote to memory of 3352 | 408 | MsiExec.exe | 33
PID 408 wrote to memory of 3472 | 408 | MsiExec.exe | 34
PID 408 wrote to memory of 3576 | 408 | MsiExec.exe | 36
PID 408 wrote to memory of 3868 | 408 | MsiExec.exe | 54
PID 408 wrote to memory of 4492 | 408 | MsiExec.exe | 52
PID 408 wrote to memory of 4280 | 408 | MsiExec.exe | 79
PID 3120 wrote to memory of 2300 | 3120 | cmd.exe | 101
PID 3120 wrote to memory of 2300 | 3120 | cmd.exe | 101
PID 2300 wrote to memory of 4992 | 2300 | fodhelper.exe | 103
PID 2300 wrote to memory of 4992 | 2300 | fodhelper.exe | 103
PID 3808 wrote to memory of 4864 | 3808 | cmd.exe | 119
PID 3808 wrote to memory of 4864 | 3808 | cmd.exe | 119
PID 4864 wrote to memory of 4832 | 4864 | fodhelper.exe | 120
PID 4864 wrote to memory of 4832 | 4864 | fodhelper.exe | 120
PID 1444 wrote to memory of 4080 | 1444 | cmd.exe | 131
PID 1444 wrote to memory of 4080 | 1444 | cmd.exe | 131
PID 2044 wrote to memory of 4868 | 2044 | cmd.exe | 134
PID 2044 wrote to memory of 4868 | 2044 | cmd.exe | 134
PID 4080 wrote to memory of 4848 | 4080 | fodhelper.exe | 135
PID 4080 wrote to memory of 4848 | 4080 | fodhelper.exe | 135
PID 4868 wrote to memory of 3840 | 4868 | fodhelper.exe | 136
PID 4868 wrote to memory of 3840 | 4868 | fodhelper.exe | 136
Processes
- C:\Windows\system32\svchost.exe (PID 2748)
  Command: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  Signatures: Modifies registry class
- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3352)
  Command: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 3472)
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Modifies registry class
- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3576)
  Command: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- C:\Windows\System32\RuntimeBroker.exe (PID 4492)
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 1444)
    Command: /c fodhelper.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\fodhelper.exe (PID 4080)
      Command: fodhelper.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wscript.exe (PID 4848)
        Command: "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
- C:\Windows\System32\RuntimeBroker.exe (PID 3868)
  Command: C:\Windows\System32\RuntimeBroker.exe -Embedding
  Signatures: Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 3808)
    Command: /c fodhelper.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\fodhelper.exe (PID 4864)
      Command: fodhelper.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wscript.exe (PID 4832)
        Command: "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
- C:\Windows\system32\DllHost.exe (PID 3260)
  Command: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - C:\Windows\system32\WerFault.exe (PID 4856)
    Command: C:\Windows\system32\WerFault.exe -u -p 3260 -s 1172
    Signatures: Program crash
- C:\Windows\Explorer.EXE (PID 3032)
  Command: C:\Windows\Explorer.EXE
  Signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - C:\Windows\system32\msiexec.exe (PID 4280)
    Command: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber11.msi
    Signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
- C:\Windows\system32\taskhostw.exe (PID 2412)
  Command: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  Signatures: Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 3120)
    Command: /c fodhelper.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\fodhelper.exe (PID 2300)
      Command: fodhelper.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wscript.exe (PID 4992)
        Command: "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
- C:\Windows\system32\sihost.exe (PID 2328)
  Command: sihost.exe
  Signatures: Modifies extensions of user files; Modifies registry class
  - C:\Windows\System32\cmd.exe (PID 2044)
    Command: /c fodhelper.exe
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\System32\fodhelper.exe (PID 4868)
      Command: fodhelper.exe
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\system32\wscript.exe (PID 3840)
        Command: "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
- C:\Windows\system32\svchost.exe (PID 2320)
  Command: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
- C:\Windows\system32\msiexec.exe (PID 4552)
  Command: C:\Windows\system32\msiexec.exe /V
  Signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - C:\Windows\system32\srtasks.exe (PID 4160)
    Command: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
    Signatures: Suspicious use of AdjustPrivilegeToken
  - C:\Windows\System32\MsiExec.exe (PID 408)
    Command: C:\Windows\System32\MsiExec.exe -Embedding 87D52803D4884EE0EC61ED86C5192B4E
    Signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- C:\Windows\system32\vssvc.exe (PID 2364)
  Command: C:\Windows\system32\vssvc.exe
  Signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- C:\Windows\system32\WerFault.exe (PID 768)
  Command: C:\Windows\system32\WerFault.exe -pss -s 404 -p 3260 -ip 3260
- C:\Windows\system32\bcdedit.exe (PID 3984)
  Command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\bcdedit.exe (PID 4264)
  Command: bcdedit /set {default} recoveryenabled no
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\wbadmin.exe (PID 3276)
  Command: wbadmin delete catalog -quiet
  Signatures: Process spawned unexpected child process; Deletes backup catalog
- C:\Windows\system32\wbadmin.exe (PID 3124)
  Command: wbadmin delete systemstatebackup -quiet
  Signatures: Process spawned unexpected child process; Deletes System State backups
- C:\Windows\system32\wbengine.exe (PID 4208)
  Command: "C:\Windows\system32\wbengine.exe"
- C:\Windows\System32\vdsldr.exe (PID 3452)
  Command: C:\Windows\System32\vdsldr.exe -Embedding
- C:\Windows\System32\vds.exe (PID 3728)
  Command: C:\Windows\System32\vds.exe
  Signatures: Checks SCSI registry key(s)
- C:\Windows\system32\bcdedit.exe (PID 1916)
  Command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\bcdedit.exe (PID 1964)
  Command: bcdedit /set {default} recoveryenabled no
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\wbadmin.exe (PID 1104)
  Command: wbadmin delete systemstatebackup -quiet
  Signatures: Process spawned unexpected child process; Deletes System State backups; Drops file in Windows directory
- C:\Windows\system32\wbadmin.exe (PID 2356)
  Command: wbadmin delete catalog -quiet
  Signatures: Process spawned unexpected child process; Deletes backup catalog
- C:\Windows\system32\wbadmin.exe (PID 1260)
  Command: wbadmin delete catalog -quiet
  Signatures: Process spawned unexpected child process; Deletes backup catalog
- C:\Windows\system32\bcdedit.exe (PID 3892)
  Command: bcdedit /set {default} recoveryenabled no
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\wbadmin.exe (PID 4112)
  Command: wbadmin delete systemstatebackup -quiet
  Signatures: Process spawned unexpected child process; Deletes System State backups; Drops file in Windows directory
- C:\Windows\system32\bcdedit.exe (PID 3456)
  Command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\bcdedit.exe (PID 4964)
  Command: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\bcdedit.exe (PID 392)
  Command: bcdedit /set {default} recoveryenabled no
  Signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- C:\Windows\system32\wbadmin.exe (PID 3724)
  Command: wbadmin delete catalog -quiet
  Signatures: Process spawned unexpected child process; Deletes backup catalog
- C:\Windows\system32\wbadmin.exe (PID 3380)
  Command: wbadmin delete systemstatebackup -quiet
  Signatures: Process spawned unexpected child process; Deletes System State backups
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 862B
  MD5: 8c6010b5f4a5f819f36fa9a4179cf583
  SHA1: 7e5e759f3a8593c7be0dcfa97538308c0f5f1709
  SHA256: 9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05
  SHA512: 098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf
- Filesize: 99KB
  MD5: 6e2b8071887c4662bb95923b7c14acf7
  SHA1: 3e186c237a37987037b96bd32761b58c56238c7d
  SHA256: 2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb
  SHA512: 0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d
- Filesize: 23.0MB
  MD5: 0f5625db804ebf9cbef599bb7415cc2e
  SHA1: 6d8fb5ae9d3bce8570a39e18f39a36cf554aa0b4
  SHA256: 333def8401c2531f6fe46bb2427ae7b12854ee5c550608e4841fad041e352c46
  SHA512: f8bab82d15322f2a843c066d15297e401156625f840c3b881520d4e3e8b73ccc9cb4a38761f26f58d85afa60f71016aa92d52a4f8d69f299fc57648a5a638859
- \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{00d4a0ca-bfd2-4fb4-bb15-31e3a2ea3e93}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: 6d9f1ee83a5c1b7666fa4962fa9832d1
  SHA1: f3a248d5e1a34b9f0ab4670d85fa6e61f85c2dc3
  SHA256: 27d553779c7d44355aaab3f27b8467e9d132711010e1a05edf086e2acb5a8a3d
  SHA512: 3c84649f4115f0f41c6e68179ce0c1d694f5f03f85ac632ff0a35d10502adc5fc611db8320e7db0a26f9d36f49166ca68ce0157859333f78fc99e12e770bb37e