Analysis
- max time kernel: 149s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 27-06-2022 14:13
- Static task: static1
- Behavioral task: behavioral1 (Sample: Magniber19.msi, Resource: win7-20220414-en)
- Behavioral task: behavioral2 (Sample: Magniber19.msi, Resource: win10v2004-20220414-en)
General
- Target: Magniber19.msi
- Size: 11.4MB
- MD5: 81eb662dd4e085d5e0f33b8c63d36a48
- SHA1: 526b36826281b4328cdb2dd57a0fe7aac9b7fab0
- SHA256: 6719d9d705ee6563f8fe93d28bf23f71db531ef43b07c794975531e8ab8705fe
- SHA512: 5ae12ed62314cfaaf12c889cc18fdea633e86ccae966a09a838eef756945593b1807de1a9abadeba5affffdaedb88c1019a23da8bc6198b807f35220c2e556b1
Malware Config
Signatures
Detect magniber ransomware (2 IoCs)
resource / yara_rule:
- behavioral2/memory/4164-135-0x00000211CADE0000-0x00000211CADE9000-memory.dmp / family_magniber
- behavioral2/memory/928-134-0x000001FEC7710000-0x000001FEC7721000-memory.dmp / family_magniber
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
Process spawned unexpected child process (20 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
Processes: bcdedit.exe, wbadmin.exe
pid / pid_target / Process / procid_target (description for every row: Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process; the parent pid_target 3288 is the same wmiprvse.exe instance in all 20 rows):
- 4608 / 3288 / bcdedit.exe / 105
- 5028 / 3288 / bcdedit.exe / 105
- 4288 / 3288 / wbadmin.exe / 105
- 2440 / 3288 / wbadmin.exe / 105
- 384 / 3288 / bcdedit.exe / 105
- 5080 / 3288 / bcdedit.exe / 105
- 4236 / 3288 / wbadmin.exe / 105
- 4680 / 3288 / wbadmin.exe / 105
- 4040 / 3288 / bcdedit.exe / 105
- 2328 / 3288 / wbadmin.exe / 105
- 1968 / 3288 / wbadmin.exe / 105
- 1456 / 3288 / bcdedit.exe / 105
- 1548 / 3288 / bcdedit.exe / 105
- 60 / 3288 / bcdedit.exe / 105
- 3036 / 3288 / wbadmin.exe / 105
- 1852 / 3288 / wbadmin.exe / 105
- 496 / 3288 / bcdedit.exe / 105
- 4144 / 3288 / bcdedit.exe / 105
- 1956 / 3288 / wbadmin.exe / 105
- 4136 / 3288 / wbadmin.exe / 105
Modifies boot configuration data using bcdedit (1 TTPs, 10 IoCs)
pid / Process:
- 4608 bcdedit.exe
- 5028 bcdedit.exe
- 384 bcdedit.exe
- 5080 bcdedit.exe
- 4040 bcdedit.exe
- 1456 bcdedit.exe
- 1548 bcdedit.exe
- 60 bcdedit.exe
- 496 bcdedit.exe
- 4144 bcdedit.exe
Deletes System State backups
pid / Process:
- 2440 wbadmin.exe
- 4680 wbadmin.exe
- 2328 wbadmin.exe
- 3036 wbadmin.exe
- 1956 wbadmin.exe
Deletes backup catalog
pid / Process:
- 4288 wbadmin.exe
- 4236 wbadmin.exe
- 1968 wbadmin.exe
- 1852 wbadmin.exe
- 4136 wbadmin.exe
Modifies extensions of user files (3 IoCs)
Ransomware generally changes the extension on encrypted files.
Processes: svchost.exe
description / ioc / Process:
- File renamed: C:\Users\Admin\Pictures\CompareResize.crw => C:\Users\Admin\Pictures\CompareResize.crw.xbywtqe (svchost.exe)
- File renamed: C:\Users\Admin\Pictures\RemoveSwitch.png => C:\Users\Admin\Pictures\RemoveSwitch.png.xbywtqe (svchost.exe)
- File renamed: C:\Users\Admin\Pictures\SaveLock.tif => C:\Users\Admin\Pictures\SaveLock.tif.xbywtqe (svchost.exe)
Loads dropped DLL (1 IoCs)
pid / Process:
- 928 MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
Processes: msiexec.exe, msiexec.exe
File opened (read-only) by msiexec.exe, in the order recorded (every drive letter except C: and D:, each opened twice):
\??\R:, \??\S:, \??\V:, \??\Z:, \??\N:, \??\H:, \??\M:, \??\Q:, \??\B:, \??\E:, \??\J:, \??\A:, \??\Q:, \??\N:, \??\G:, \??\M:, \??\T:, \??\Y:, \??\X:, \??\G:, \??\I:, \??\O:, \??\O:, \??\P:, \??\S:, \??\B:, \??\L:, \??\H:, \??\K:, \??\L:, \??\A:, \??\E:, \??\F:, \??\T:, \??\U:, \??\Y:, \??\R:, \??\V:, \??\W:, \??\Z:, \??\I:, \??\U:, \??\J:, \??\K:, \??\P:, \??\W:, \??\X:, \??\F:
Drops file in Windows directory (10 IoCs)
Processes: wbadmin.exe, wbadmin.exe, msiexec.exe
description / ioc / Process:
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.2.etl (wbadmin.exe)
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.1.etl (wbadmin.exe)
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.1.etl (wbadmin.exe)
- File created: C:\Windows\Installer\e581865.msi (msiexec.exe)
- File opened for modification: C:\Windows\Installer\MSI19FB.tmp (msiexec.exe)
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.3.etl (wbadmin.exe)
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.3.etl (wbadmin.exe)
- File opened for modification: C:\Windows\Logs\WindowsBackup\WBEngine.2.etl (wbadmin.exe)
- File opened for modification: C:\Windows\Installer\e581865.msi (msiexec.exe)
- File opened for modification: C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log (msiexec.exe)
Program crash (1 IoCs)
pid / pid_target / Process / procid_target:
- 4876 / 3388 / WerFault.exe / 59
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
Processes: vssvc.exe, vds.exe
description / ioc / Process (all keys below are under \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI):
- Key opened: Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Set value (data): Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = [binary value omitted] (vssvc.exe)
- Key opened: CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 (vds.exe)
- Key queried: Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters (vssvc.exe)
- Key created: Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr (vssvc.exe)
- Set value (data): Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = [binary value omitted] (vssvc.exe)
- Key opened: DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 (vds.exe)
- Key value queried: Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName (vds.exe)
- Key value queried: CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName (vds.exe)
Modifies registry class (37 IoCs)
Processes: sihost.exe, svchost.exe, svchost.exe, RuntimeBroker.exe, taskhostw.exe, RuntimeBroker.exe, Explorer.EXE
In the rows below, <Classes> stands for \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes and <AppX> for AppX0enk2acdsmv8ydhntbtea6yjp27223q6; rows under another hive are given in full.
description / ioc / Process:
- Set value (str): <Classes>\<AppX>\Shell\open\command\DelegateExecute (sihost.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\ = "wscript \\Users\\Public\\oijwgytxiub.vbe" (svchost.exe)
- Key created: <Classes>\ms-settings (svchost.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\ = "wscript \\Users\\Public\\oijwgytxiub.vbe" (svchost.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\DelegateExecute (svchost.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\ = "wscript \\Users\\Public\\oijwgytxiub.vbe" (RuntimeBroker.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\ = "wscript \\Users\\Public\\oijwgytxiub.vbe" (taskhostw.exe)
- Key created: <Classes>\ms-settings\CurVer (svchost.exe)
- Key created: <Classes>\ms-settings (RuntimeBroker.exe)
- Key created: <Classes>\ms-settings\CurVer (RuntimeBroker.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\DelegateExecute (taskhostw.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\DelegateExecute (svchost.exe)
- Set value (str): <Classes>\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (svchost.exe)
- Key created: <Classes>\ms-settings (svchost.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\ = "wscript \\Users\\Public\\oijwgytxiub.vbe" (Explorer.EXE)
- Key created: <Classes>\ms-settings\CurVer (Explorer.EXE)
- Key created: <Classes>\ms-settings (sihost.exe)
- Key created: <Classes>\ms-settings\CurVer (taskhostw.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ (Explorer.EXE)
- Set value (str): <Classes>\<AppX>\Shell\open\command\DelegateExecute (Explorer.EXE)
- Key created: <Classes>\ms-settings (Explorer.EXE)
- Set value (str): <Classes>\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (Explorer.EXE)
- Key created: <Classes>\ms-settings\CurVer (RuntimeBroker.exe)
- Set value (str): <Classes>\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (RuntimeBroker.exe)
- Set value (str): <Classes>\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (taskhostw.exe)
- Key created: <Classes>\ms-settings\CurVer (svchost.exe)
- Key created: <Classes>\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ (Explorer.EXE)
- Set value (str): <Classes>\<AppX>\Shell\open\command\ = "wscript \\Users\\Public\\oijwgytxiub.vbe" (sihost.exe)
- Set value (str): <Classes>\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (sihost.exe)
- Key created: <Classes>\ms-settings\CurVer (sihost.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\DelegateExecute (RuntimeBroker.exe)
- Key created: <Classes>\ms-settings (RuntimeBroker.exe)
- Key created: <Classes>\ms-settings (taskhostw.exe)
- Set value (str): <Classes>\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (svchost.exe)
- Set value (str): <Classes>\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" (RuntimeBroker.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\ = "wscript \\Users\\Public\\oijwgytxiub.vbe" (RuntimeBroker.exe)
- Set value (str): <Classes>\<AppX>\Shell\open\command\DelegateExecute (RuntimeBroker.exe)
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid / Process:
- 5076 msiexec.exe
- 5076 msiexec.exe
- 928 MsiExec.exe
- 928 MsiExec.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid / Process:
- 3032 Explorer.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: msiexec.exe, msiexec.exe, vssvc.exe, Explorer.EXE, srtasks.exe
Token / pid / Process, in the order recorded (consecutive entries for the same process are grouped on one line):
- 4164 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
- 5076 msiexec.exe: SeSecurityPrivilege
- 4164 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
- 3632 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
- 5076 msiexec.exe: SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege
- 3032 Explorer.EXE: SeShutdownPrivilege, SeCreatePagefilePrivilege (this pair recorded six times in a row)
- 3436 srtasks.exe: SeBackupPrivilege, SeRestorePrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege (this sequence recorded twice)
- 3032 Explorer.EXE: SeShutdownPrivilege, SeCreatePagefilePrivilege, SeShutdownPrivilege
Suspicious use of FindShellTrayWindow (2 IoCs)
pid / Process:
- 4164 msiexec.exe
- 4164 msiexec.exe
Suspicious use of WriteProcessMemory (36 IoCs)
Processes: msiexec.exe, MsiExec.exe, and five cmd.exe / fodhelper.exe pairs
description / pid / Process / procid_target (duplicate consecutive rows are marked with their count):
- PID 5076 (msiexec.exe) wrote to memory of 3436, procid_target 93 (2 rows)
- PID 5076 (msiexec.exe) wrote to memory of 928, procid_target 95 (2 rows)
- PID 928 (MsiExec.exe) wrote to memory of 2456, procid_target 32
- PID 928 (MsiExec.exe) wrote to memory of 2472, procid_target 33
- PID 928 (MsiExec.exe) wrote to memory of 2700, procid_target 63
- PID 928 (MsiExec.exe) wrote to memory of 3032, procid_target 61
- PID 928 (MsiExec.exe) wrote to memory of 3180, procid_target 60
- PID 928 (MsiExec.exe) wrote to memory of 3388, procid_target 59
- PID 928 (MsiExec.exe) wrote to memory of 3540, procid_target 57
- PID 928 (MsiExec.exe) wrote to memory of 3604, procid_target 36
- PID 928 (MsiExec.exe) wrote to memory of 3688, procid_target 56
- PID 928 (MsiExec.exe) wrote to memory of 3996, procid_target 37
- PID 928 (MsiExec.exe) wrote to memory of 4488, procid_target 54
- PID 928 (MsiExec.exe) wrote to memory of 4164, procid_target 80
- PID 2884 (cmd.exe) wrote to memory of 4984, procid_target 102 (2 rows)
- PID 4984 (fodhelper.exe) wrote to memory of 1528, procid_target 104 (2 rows)
- PID 2644 (cmd.exe) wrote to memory of 2760, procid_target 119 (2 rows)
- PID 2760 (fodhelper.exe) wrote to memory of 2436, procid_target 120 (2 rows)
- PID 3232 (cmd.exe) wrote to memory of 1272, procid_target 131 (2 rows)
- PID 1272 (fodhelper.exe) wrote to memory of 2180, procid_target 133 (2 rows)
- PID 2212 (cmd.exe) wrote to memory of 4412, procid_target 144 (2 rows)
- PID 4412 (fodhelper.exe) wrote to memory of 1152, procid_target 145 (2 rows)
- PID 2196 (cmd.exe) wrote to memory of 2080, procid_target 156 (2 rows)
- PID 2080 (fodhelper.exe) wrote to memory of 64, procid_target 157 (2 rows)
Processes
(process tree; nesting shows parent/child; each entry gives the image path, the recorded command line and the signatures that fired for it)
- PID 2456  C:\Windows\system32\sihost.exe
    cmdline: sihost.exe
    signatures: Modifies registry class
  - PID 2644  C:\Windows\System32\cmd.exe
      cmdline: /c fodhelper.exe
      signatures: Suspicious use of WriteProcessMemory
    - PID 2760  C:\Windows\System32\fodhelper.exe
        cmdline: fodhelper.exe
        signatures: Suspicious use of WriteProcessMemory
      - PID 2436  C:\Windows\system32\wscript.exe
          cmdline: "wscript.exe" \Users\Public\oijwgytxiub.vbe
- PID 2472  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    signatures: Modifies registry class
- PID 3604  C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    signatures: Modifies registry class
  - PID 3232  C:\Windows\System32\cmd.exe
      cmdline: /c fodhelper.exe
      signatures: Suspicious use of WriteProcessMemory
    - PID 1272  C:\Windows\System32\fodhelper.exe
        cmdline: fodhelper.exe
        signatures: Suspicious use of WriteProcessMemory
      - PID 2180  C:\Windows\system32\wscript.exe
          cmdline: "wscript.exe" \Users\Public\oijwgytxiub.vbe
- PID 3996  C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
- PID 4488  C:\Windows\System32\RuntimeBroker.exe
    cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
    signatures: Modifies registry class
  - PID 2212  C:\Windows\System32\cmd.exe
      cmdline: /c fodhelper.exe
      signatures: Suspicious use of WriteProcessMemory
    - PID 4412  C:\Windows\System32\fodhelper.exe
        cmdline: fodhelper.exe
        signatures: Suspicious use of WriteProcessMemory
      - PID 1152  C:\Windows\system32\wscript.exe
          cmdline: "wscript.exe" \Users\Public\oijwgytxiub.vbe
- PID 3688  C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
- PID 3540  C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
- PID 3388  C:\Windows\system32\DllHost.exe
    cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  - PID 4876  C:\Windows\system32\WerFault.exe
      cmdline: C:\Windows\system32\WerFault.exe -u -p 3388 -s 928
      signatures: Program crash
- PID 3180  C:\Windows\system32\svchost.exe
    cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    signatures: Modifies extensions of user files; Modifies registry class
- PID 3032  C:\Windows\Explorer.EXE
    cmdline: C:\Windows\Explorer.EXE
    signatures: Modifies registry class; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken
  - PID 4164  C:\Windows\system32\msiexec.exe
      cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber19.msi
      signatures: Enumerates connected drives; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
  - PID 2884  C:\Windows\System32\cmd.exe
      cmdline: /c fodhelper.exe
      signatures: Suspicious use of WriteProcessMemory
    - PID 4984  C:\Windows\System32\fodhelper.exe
        cmdline: fodhelper.exe
        signatures: Suspicious use of WriteProcessMemory
      - PID 1528  C:\Windows\system32\wscript.exe
          cmdline: "wscript.exe" \Users\Public\oijwgytxiub.vbe
- PID 2700  C:\Windows\system32\taskhostw.exe
    cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    signatures: Modifies registry class
  - PID 2196  C:\Windows\System32\cmd.exe
      cmdline: /c fodhelper.exe
      signatures: Suspicious use of WriteProcessMemory
    - PID 2080  C:\Windows\System32\fodhelper.exe
        cmdline: fodhelper.exe
        signatures: Suspicious use of WriteProcessMemory
      - PID 64  C:\Windows\system32\wscript.exe
          cmdline: "wscript.exe" \Users\Public\oijwgytxiub.vbe
- PID 5076  C:\Windows\system32\msiexec.exe
    cmdline: C:\Windows\system32\msiexec.exe /V
    signatures: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - PID 3436  C:\Windows\system32\srtasks.exe
      cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      signatures: Suspicious use of AdjustPrivilegeToken
  - PID 928  C:\Windows\System32\MsiExec.exe
      cmdline: C:\Windows\System32\MsiExec.exe -Embedding D3A9C7258F4888059D77E5F2C273639F
      signatures: Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
- PID 3632  C:\Windows\system32\vssvc.exe
    cmdline: C:\Windows\system32\vssvc.exe
    signatures: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
- PID 3836  C:\Windows\system32\WerFault.exe
    cmdline: C:\Windows\system32\WerFault.exe -pss -s 432 -p 3388 -ip 3388
- PID 4608  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 5028  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} recoveryenabled no
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 4288  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete catalog -quiet
    signatures: Process spawned unexpected child process; Deletes backup catalog
- PID 2440  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete systemstatebackup -quiet
    signatures: Process spawned unexpected child process; Deletes System State backups
- PID 4264  C:\Windows\system32\wbengine.exe
    cmdline: "C:\Windows\system32\wbengine.exe"
- PID 3296  C:\Windows\System32\vdsldr.exe
    cmdline: C:\Windows\System32\vdsldr.exe -Embedding
- PID 1428  C:\Windows\System32\vds.exe
    cmdline: C:\Windows\System32\vds.exe
    signatures: Checks SCSI registry key(s)
- PID 384  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 5080  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} recoveryenabled no
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 4236  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete catalog -quiet
    signatures: Process spawned unexpected child process; Deletes backup catalog
- PID 4680  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete systemstatebackup -quiet
    signatures: Process spawned unexpected child process; Deletes System State backups
- PID 4040  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 2328  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete systemstatebackup -quiet
    signatures: Process spawned unexpected child process; Deletes System State backups; Drops file in Windows directory
- PID 1968  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete catalog -quiet
    signatures: Process spawned unexpected child process; Deletes backup catalog
- PID 1456  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} recoveryenabled no
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 1548  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 60  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} recoveryenabled no
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 3036  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete systemstatebackup -quiet
    signatures: Process spawned unexpected child process; Deletes System State backups; Drops file in Windows directory
- PID 1852  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete catalog -quiet
    signatures: Process spawned unexpected child process; Deletes backup catalog
- PID 496  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 4144  C:\Windows\system32\bcdedit.exe
    cmdline: bcdedit /set {default} recoveryenabled no
    signatures: Process spawned unexpected child process; Modifies boot configuration data using bcdedit
- PID 1956  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete systemstatebackup -quiet
    signatures: Process spawned unexpected child process; Deletes System State backups
- PID 4136  C:\Windows\system32\wbadmin.exe
    cmdline: wbadmin delete catalog -quiet
    signatures: Process spawned unexpected child process; Deletes backup catalog
Network
MITRE ATT&CK Enterprise v6
Downloads
- Filesize: 890B
  MD5: cf789792f5985fff20086c8029c8b4b9
  SHA1: bc1e3d8351b7818d5148c0d9ef31db6e1ea081f1
  SHA256: bd8533b3e84cbe360a0151bb36bf272edfb80870a2d66a49bdcfa3d0aaa1354d
  SHA512: ae8cca1a64db466d30bf627b651b6de548da8a61ac1fa4b1edd13a175e1dd51832f282a4cba854c2f3405b94b8ca6c8861372a574c78bae47ed2b18bce1fb4d4
- Filesize: 87KB
  MD5: e9ecf34886bc310d5d11b6aa816cee49
  SHA1: e3576b03b4cdf9bcc67890915ac9a79cf3631ff7
  SHA256: 9e2dd8eb67b7f8318545d0d57c7dbfca4a88d43e016e6d44d5f063392667a1a2
  SHA512: be19a5d8d5d6ef0613adb1f3cdc2756bc36b5afa91a6006b3a5bb674c3c3989eb3fb302858c2d83771438edec36069331758faa87f396267fdf5317f2a71de36
- Filesize: 23.0MB
  MD5: 097813787c05fa7437dabdc1435b6015
  SHA1: c14c98f62663d432c7e9d534a5d4f7ccb8d50f26
  SHA256: 0eb27a77d4f0d53e4f864a31db2c37e61a9c1c5f37c0c0325cb651f753ae91ed
  SHA512: d075f72f6c89f1a9d2818b6349789a98a662b3dda2fec4453e42fd3a6fe2783f3054a1fd50d49a2d820e8de97a13f5fcf39885860b596d65d8a2e1d640bf2ed4
- \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{4b9b0332-1ddd-47c2-af99-c7225714b6e5}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: df2c83b6736719c3f1b7428d13d4bcd1
  SHA1: 653887f04f6be7e0002315928af80c3f40129669
  SHA256: 23780ebef8ce6e998fbeb041efc16bb9e5eef045999919a1cc83759f12cb2475
  SHA512: a148d10ebf23c48dad9d527362013464b4130357efb7fe87064bb434939e2816096cf8317dd3fa24b4bfc4847e7e1309995a6cdd1ab71739a14e5e3cd172580f