Analysis
- max time kernel: 150s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20220414-en
- submitted: 30/06/2022, 03:44

Static task: static1
Behavioral task: behavioral1
- Sample: Magniber2.msi
- Resource: win7-20220414-en
Behavioral task: behavioral2
- Sample: Magniber2.msi
- Resource: win10v2004-20220414-en
General
- Target: Magniber2.msi
- Size: 10.6MB
- MD5: cb152752867af105819552b9086a8c76
- SHA1: f8cd1daef2428e9c01af3e1352e694c2f48d6cdf
- SHA256: fd5979d5ad2b2d68d7e5508c2d4e0147241e379a9115c0771d8bb56e2692db8c
- SHA512: 9bcfa1f55d329149b1025dfd68ac3c5045a764427723d1b7b1e690bf973c99756865a0cfbf7dce17a83552562c3c193fb75bdda8b6f7550a6d24297cdf670f81
Malware Config
Signatures

Detect magniber ransomware (2 IoCs)
resource | yara_rule
behavioral2/memory/1716-134-0x000001F498570000-0x000001F498583000-memory.dmp | family_magniber
behavioral2/memory/1716-135-0x000001F498DA0000-0x000001F498DA9000-memory.dmp | family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
Process spawned unexpected child process (12 IoCs)
This typically indicates the parent process was compromised via an exploit or macro.
description | pid | pid_target | Process | procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2720 | 4344 | bcdedit.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1596 | 4344 | bcdedit.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 1780 | 4344 | bcdedit.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3648 | 4344 | wbadmin.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3308 | 4344 | wbadmin.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 112 | 4344 | wbadmin.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3592 | 4344 | bcdedit.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2236 | 4344 | wbadmin.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3284 | 4344 | bcdedit.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3280 | 4344 | bcdedit.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 3256 | 4344 | wbadmin.exe | 106
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | 2356 | 4344 | wbadmin.exe | 106
Modifies boot configuration data using bcdedit (1 TTPs, 6 IoCs)
pid | Process
2720 | bcdedit.exe
1596 | bcdedit.exe
1780 | bcdedit.exe
3592 | bcdedit.exe
3284 | bcdedit.exe
3280 | bcdedit.exe

Deletes System State backups (3 IoCs)
pid | Process
3308 | wbadmin.exe
2236 | wbadmin.exe
2356 | wbadmin.exe

Deletes backup catalog (3 IoCs)
pid | Process
3648 | wbadmin.exe
112 | wbadmin.exe
3256 | wbadmin.exe
Modifies extensions of user files (9 IoCs)
Ransomware generally changes the extension on encrypted files.
description | ioc | Process
File renamed | C:\Users\Admin\Pictures\LimitSwitch.crw => C:\Users\Admin\Pictures\LimitSwitch.crw.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\BackupConnect.png => C:\Users\Admin\Pictures\BackupConnect.png.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\SwitchConvertFrom.png => C:\Users\Admin\Pictures\SwitchConvertFrom.png.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\SaveConvert.png => C:\Users\Admin\Pictures\SaveConvert.png.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\SetSkip.png => C:\Users\Admin\Pictures\SetSkip.png.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\ReadSubmit.crw => C:\Users\Admin\Pictures\ReadSubmit.crw.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\StepWatch.crw => C:\Users\Admin\Pictures\StepWatch.crw.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\SubmitTrace.crw => C:\Users\Admin\Pictures\SubmitTrace.crw.lfphulwgk | taskhostw.exe
File renamed | C:\Users\Admin\Pictures\GetConvert.tif => C:\Users\Admin\Pictures\GetConvert.tif.lfphulwgk | taskhostw.exe
Loads dropped DLL (1 IoCs)
pid | Process
1716 | MsiExec.exe
Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\U: | msiexec.exe
File opened (read-only) | \??\I: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\K: | msiexec.exe
File opened (read-only) | \??\A: | msiexec.exe
File opened (read-only) | \??\M: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\F: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\S: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\L: | msiexec.exe
File opened (read-only) | \??\N: | msiexec.exe
File opened (read-only) | \??\R: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\T: | msiexec.exe
File opened (read-only) | \??\Z: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\H: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\J: | msiexec.exe
File opened (read-only) | \??\V: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\X: | msiexec.exe
File opened (read-only) | \??\O: | msiexec.exe
File opened (read-only) | \??\P: | msiexec.exe
File opened (read-only) | \??\W: | msiexec.exe
File opened (read-only) | \??\B: | msiexec.exe
File opened (read-only) | \??\E: | msiexec.exe
File opened (read-only) | \??\G: | msiexec.exe
File opened (read-only) | \??\Q: | msiexec.exe
File opened (read-only) | \??\Y: | msiexec.exe
Drops file in Windows directory (7 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.3.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.2.etl | wbadmin.exe
File opened for modification | C:\Windows\Logs\WindowsBackup\WBEngine.1.etl | wbadmin.exe
File created | C:\Windows\Installer\e584d9e.msi | msiexec.exe
File opened for modification | C:\Windows\Installer\e584d9e.msi | msiexec.exe
File opened for modification | C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
File opened for modification | C:\Windows\Installer\MSI4F63.tmp | msiexec.exe
Program crash (1 IoCs)
pid | pid_target | Process | procid_target
1856 | 3256 | WerFault.exe | 48
Checks SCSI registry key(s) (3 TTPs, 9 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName | vds.exe
Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | vds.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | vds.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 00000000040000005a4eb8c89d443e990000000000000000000000000000000000000000000000000000000000000000000000000000000000001000000000000000c01200000000ffffffff0000000027010100000800005a4eb8c80000000000001000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000d01200000000000020ed3f000000ffffffff0000000007000100006809005a4eb8c8000000000000d0120000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000ffffffff0000000000000000000000005a4eb8c800000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe
Modifies registry class (17 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\jkytqjnstw.vbe" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\jkytqjnstw.vbe" | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript \\Users\\Public\\jkytqjnstw.vbe" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | taskhostw.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-1081944012-3634099177-1681222835-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
pid | Process
4716 | msiexec.exe
4716 | msiexec.exe
1716 | MsiExec.exe
1716 | MsiExec.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
2284 | Explorer.EXE
Suspicious use of AdjustPrivilegeToken (64 IoCs)
description | pid | Process
Token: SeShutdownPrivilege | 3888 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3888 | msiexec.exe
Token: SeSecurityPrivilege | 4716 | msiexec.exe
Token: SeCreateTokenPrivilege | 3888 | msiexec.exe
Token: SeAssignPrimaryTokenPrivilege | 3888 | msiexec.exe
Token: SeLockMemoryPrivilege | 3888 | msiexec.exe
Token: SeIncreaseQuotaPrivilege | 3888 | msiexec.exe
Token: SeMachineAccountPrivilege | 3888 | msiexec.exe
Token: SeTcbPrivilege | 3888 | msiexec.exe
Token: SeSecurityPrivilege | 3888 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 3888 | msiexec.exe
Token: SeLoadDriverPrivilege | 3888 | msiexec.exe
Token: SeSystemProfilePrivilege | 3888 | msiexec.exe
Token: SeSystemtimePrivilege | 3888 | msiexec.exe
Token: SeProfSingleProcessPrivilege | 3888 | msiexec.exe
Token: SeIncBasePriorityPrivilege | 3888 | msiexec.exe
Token: SeCreatePagefilePrivilege | 3888 | msiexec.exe
Token: SeCreatePermanentPrivilege | 3888 | msiexec.exe
Token: SeBackupPrivilege | 3888 | msiexec.exe
Token: SeRestorePrivilege | 3888 | msiexec.exe
Token: SeShutdownPrivilege | 3888 | msiexec.exe
Token: SeDebugPrivilege | 3888 | msiexec.exe
Token: SeAuditPrivilege | 3888 | msiexec.exe
Token: SeSystemEnvironmentPrivilege | 3888 | msiexec.exe
Token: SeChangeNotifyPrivilege | 3888 | msiexec.exe
Token: SeRemoteShutdownPrivilege | 3888 | msiexec.exe
Token: SeUndockPrivilege | 3888 | msiexec.exe
Token: SeSyncAgentPrivilege | 3888 | msiexec.exe
Token: SeEnableDelegationPrivilege | 3888 | msiexec.exe
Token: SeManageVolumePrivilege | 3888 | msiexec.exe
Token: SeImpersonatePrivilege | 3888 | msiexec.exe
Token: SeCreateGlobalPrivilege | 3888 | msiexec.exe
Token: SeBackupPrivilege | 4712 | vssvc.exe
Token: SeRestorePrivilege | 4712 | vssvc.exe
Token: SeAuditPrivilege | 4712 | vssvc.exe
Token: SeBackupPrivilege | 4716 | msiexec.exe
Token: SeRestorePrivilege | 4716 | msiexec.exe
Token: SeRestorePrivilege | 4716 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4716 | msiexec.exe
Token: SeRestorePrivilege | 4716 | msiexec.exe
Token: SeTakeOwnershipPrivilege | 4716 | msiexec.exe
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2284 | Explorer.EXE
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2284 | Explorer.EXE
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2284 | Explorer.EXE
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2284 | Explorer.EXE
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2284 | Explorer.EXE
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2284 | Explorer.EXE
Token: SeBackupPrivilege | 680 | srtasks.exe
Token: SeRestorePrivilege | 680 | srtasks.exe
Token: SeSecurityPrivilege | 680 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 680 | srtasks.exe
Token: SeBackupPrivilege | 680 | srtasks.exe
Token: SeRestorePrivilege | 680 | srtasks.exe
Token: SeSecurityPrivilege | 680 | srtasks.exe
Token: SeTakeOwnershipPrivilege | 680 | srtasks.exe
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2284 | Explorer.EXE
Token: SeShutdownPrivilege | 2284 | Explorer.EXE
Suspicious use of FindShellTrayWindow (2 IoCs)
pid | Process
3888 | msiexec.exe
3888 | msiexec.exe

Suspicious use of WriteProcessMemory (28 IoCs)
description | pid | Process | procid_target
PID 4716 wrote to memory of 680 | 4716 | msiexec.exe | 91
PID 4716 wrote to memory of 680 | 4716 | msiexec.exe | 91
PID 4716 wrote to memory of 1716 | 4716 | msiexec.exe | 93
PID 4716 wrote to memory of 1716 | 4716 | msiexec.exe | 93
PID 1716 wrote to memory of 2388 | 1716 | MsiExec.exe | 57
PID 1716 wrote to memory of 2416 | 1716 | MsiExec.exe | 56
PID 1716 wrote to memory of 2644 | 1716 | MsiExec.exe | 53
PID 1716 wrote to memory of 2284 | 1716 | MsiExec.exe | 26
PID 1716 wrote to memory of 2976 | 1716 | MsiExec.exe | 49
PID 1716 wrote to memory of 3256 | 1716 | MsiExec.exe | 48
PID 1716 wrote to memory of 3356 | 1716 | MsiExec.exe | 44
PID 1716 wrote to memory of 3492 | 1716 | MsiExec.exe | 29
PID 1716 wrote to memory of 3572 | 1716 | MsiExec.exe | 32
PID 1716 wrote to memory of 3804 | 1716 | MsiExec.exe | 31
PID 1716 wrote to memory of 4020 | 1716 | MsiExec.exe | 33
PID 1716 wrote to memory of 3888 | 1716 | MsiExec.exe | 78
PID 1540 wrote to memory of 3376 | 1540 | cmd.exe | 100
PID 1540 wrote to memory of 3376 | 1540 | cmd.exe | 100
PID 3376 wrote to memory of 2428 | 3376 | fodhelper.exe | 102
PID 3376 wrote to memory of 2428 | 3376 | fodhelper.exe | 102
PID 3780 wrote to memory of 3460 | 3780 | cmd.exe | 105
PID 3780 wrote to memory of 3460 | 3780 | cmd.exe | 105
PID 3460 wrote to memory of 2188 | 3460 | fodhelper.exe | 107
PID 3460 wrote to memory of 2188 | 3460 | fodhelper.exe | 107
PID 3856 wrote to memory of 2508 | 3856 | cmd.exe | 130
PID 3856 wrote to memory of 2508 | 3856 | cmd.exe | 130
PID 2508 wrote to memory of 4896 | 2508 | fodhelper.exe | 131
PID 2508 wrote to memory of 4896 | 2508 | fodhelper.exe | 131
Processes
(Process tree; children are indented under their parent. Each entry gives the image path, PID, command line, and the signatures that matched the process.)

C:\Windows\Explorer.EXE (PID 2284)
  cmdline: C:\Windows\Explorer.EXE
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
    C:\Windows\system32\msiexec.exe (PID 3888)
      cmdline: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber2.msi
      - Enumerates connected drives
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
    C:\Windows\System32\cmd.exe (PID 3780)
      cmdline: /c fodhelper.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe (PID 3460)
          cmdline: fodhelper.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe (PID 2188)
              cmdline: "wscript.exe" \Users\Public\jkytqjnstw.vbe

C:\Windows\System32\RuntimeBroker.exe (PID 3492)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding
  - Modifies registry class
    C:\Windows\System32\cmd.exe (PID 1540)
      cmdline: /c fodhelper.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe (PID 3376)
          cmdline: fodhelper.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe (PID 2428)
              cmdline: "wscript.exe" \Users\Public\jkytqjnstw.vbe

C:\Windows\System32\RuntimeBroker.exe (PID 3804)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe (PID 3572)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca

C:\Windows\System32\RuntimeBroker.exe (PID 4020)
  cmdline: C:\Windows\System32\RuntimeBroker.exe -Embedding

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe (PID 3356)
  cmdline: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca

C:\Windows\system32\DllHost.exe (PID 3256)
  cmdline: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    C:\Windows\system32\WerFault.exe (PID 1856)
      cmdline: C:\Windows\system32\WerFault.exe -u -p 3256 -s 840
      - Program crash

C:\Windows\system32\svchost.exe (PID 2976)
  cmdline: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc

C:\Windows\system32\taskhostw.exe (PID 2644)
  cmdline: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  - Modifies extensions of user files
  - Modifies registry class
    C:\Windows\System32\cmd.exe (PID 3856)
      cmdline: /c fodhelper.exe
      - Suspicious use of WriteProcessMemory
        C:\Windows\System32\fodhelper.exe (PID 2508)
          cmdline: fodhelper.exe
          - Suspicious use of WriteProcessMemory
            C:\Windows\system32\wscript.exe (PID 4896)
              cmdline: "wscript.exe" \Users\Public\jkytqjnstw.vbe

C:\Windows\system32\svchost.exe (PID 2416)
  cmdline: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc

C:\Windows\system32\sihost.exe (PID 2388)
  cmdline: sihost.exe

C:\Windows\system32\msiexec.exe (PID 4716)
  cmdline: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
    C:\Windows\system32\srtasks.exe (PID 680)
      cmdline: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      - Suspicious use of AdjustPrivilegeToken
    C:\Windows\System32\MsiExec.exe (PID 1716)
      cmdline: C:\Windows\System32\MsiExec.exe -Embedding 0B9F29146EC39978D2482FA95D2EAD4D
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

C:\Windows\system32\vssvc.exe (PID 4712)
  cmdline: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\WerFault.exe (PID 3908)
  cmdline: C:\Windows\system32\WerFault.exe -pss -s 408 -p 3256 -ip 3256

C:\Windows\system32\bcdedit.exe (PID 2720)
  cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - Process spawned unexpected child process
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe (PID 1596)
  cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - Process spawned unexpected child process
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe (PID 1780)
  cmdline: bcdedit /set {default} recoveryenabled no
  - Process spawned unexpected child process
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\wbadmin.exe (PID 3648)
  cmdline: wbadmin delete catalog -quiet
  - Process spawned unexpected child process
  - Deletes backup catalog

C:\Windows\system32\wbadmin.exe (PID 3308)
  cmdline: wbadmin delete systemstatebackup -quiet
  - Process spawned unexpected child process
  - Deletes System State backups
  - Drops file in Windows directory

C:\Windows\system32\wbadmin.exe (PID 112)
  cmdline: wbadmin delete catalog -quiet
  - Process spawned unexpected child process
  - Deletes backup catalog

C:\Windows\system32\bcdedit.exe (PID 3592)
  cmdline: bcdedit /set {default} recoveryenabled no
  - Process spawned unexpected child process
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\wbadmin.exe (PID 2236)
  cmdline: wbadmin delete systemstatebackup -quiet
  - Process spawned unexpected child process
  - Deletes System State backups

C:\Windows\system32\wbengine.exe (PID 3452)
  cmdline: "C:\Windows\system32\wbengine.exe"

C:\Windows\System32\vdsldr.exe (PID 2128)
  cmdline: C:\Windows\System32\vdsldr.exe -Embedding

C:\Windows\System32\vds.exe (PID 2808)
  cmdline: C:\Windows\System32\vds.exe
  - Checks SCSI registry key(s)

C:\Windows\system32\bcdedit.exe (PID 3284)
  cmdline: bcdedit /set {default} bootstatuspolicy ignoreallfailures
  - Process spawned unexpected child process
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\bcdedit.exe (PID 3280)
  cmdline: bcdedit /set {default} recoveryenabled no
  - Process spawned unexpected child process
  - Modifies boot configuration data using bcdedit

C:\Windows\system32\wbadmin.exe (PID 3256)
  cmdline: wbadmin delete catalog -quiet
  - Process spawned unexpected child process
  - Deletes backup catalog

C:\Windows\system32\wbadmin.exe (PID 2356)
  cmdline: wbadmin delete systemstatebackup -quiet
  - Process spawned unexpected child process
  - Deletes System State backups
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 887B
  MD5: 160393e71f56b85069c76e677de1f3d1
  SHA1: a69b2075e65e4c06fe16301cd2636b083ed1976c
  SHA256: d5582ef700b129e4a3f4a958d2d4f3aeac31373536ed49b0af7de4c7a654228f
  SHA512: 047bcbf9d5e66da44e88a7c496671530b13ec04dde62ec56048a983d5a9bcee3d9080485de6e489618da01e12a765fdd5e335d7f8aed6b6355154fff26c2a21e

- Filesize: 887B
  MD5: 160393e71f56b85069c76e677de1f3d1
  SHA1: a69b2075e65e4c06fe16301cd2636b083ed1976c
  SHA256: d5582ef700b129e4a3f4a958d2d4f3aeac31373536ed49b0af7de4c7a654228f
  SHA512: 047bcbf9d5e66da44e88a7c496671530b13ec04dde62ec56048a983d5a9bcee3d9080485de6e489618da01e12a765fdd5e335d7f8aed6b6355154fff26c2a21e

- Filesize: 887B
  MD5: 160393e71f56b85069c76e677de1f3d1
  SHA1: a69b2075e65e4c06fe16301cd2636b083ed1976c
  SHA256: d5582ef700b129e4a3f4a958d2d4f3aeac31373536ed49b0af7de4c7a654228f
  SHA512: 047bcbf9d5e66da44e88a7c496671530b13ec04dde62ec56048a983d5a9bcee3d9080485de6e489618da01e12a765fdd5e335d7f8aed6b6355154fff26c2a21e

- Filesize: 107KB
  MD5: 5020274a62dd8711387e218ccb4d864e
  SHA1: a2da2d2a55924e13e46fb3efb42c0b735ec67a27
  SHA256: 10e398018b3973dee2a3ecfefc4e9f2c57c2a6932bbea90e3dc9808ed772d2f7
  SHA512: 775fdc377b949c5e5b3dd667c875878a2affbb2f5d9846afb9d8b511783af7dbaf8f9e7dc7778922bc3133ba5bab2bb3b329c35609803252f9686d7a46a18898

- Filesize: 107KB
  MD5: 5020274a62dd8711387e218ccb4d864e
  SHA1: a2da2d2a55924e13e46fb3efb42c0b735ec67a27
  SHA256: 10e398018b3973dee2a3ecfefc4e9f2c57c2a6932bbea90e3dc9808ed772d2f7
  SHA512: 775fdc377b949c5e5b3dd667c875878a2affbb2f5d9846afb9d8b511783af7dbaf8f9e7dc7778922bc3133ba5bab2bb3b329c35609803252f9686d7a46a18898

- Filesize: 23.0MB
  MD5: b1500096fcb51708142d2e097d326f09
  SHA1: 93968b476926517efa127594a205d8d69527a000
  SHA256: 61773f8ab04b2db38c7b5e00b92849d40ce2ad9f75a3858353b5c9f6675f69aa
  SHA512: e1483d8febf1462445c5654f019e512007f1996d908ed227105f0aa7be191a0a86ebb1b8d7fb308fd916e132c410e17729ca45e4cb696d993fe12690078e25e6

- \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{5edfebb6-a140-40c3-877b-fe3aa67bed76}_OnDiskSnapshotProp
  Filesize: 5KB
  MD5: dd4c1bdd747aae185e93a3241dd59ab2
  SHA1: 6510ba15e519d97b58372967ab947f3628c4cbdf
  SHA256: 1d1346251bde52866644baea53f3e8193c5208771c3ed7c7c90a8582f766cc1e
  SHA512: f9c8807d9fc10bace7677274fe495c651ab780b0eeee31125eb5af54c673e41637a6c0ec3e0cee091e5638f646f22fae776f798d7fff0fce43637be30ad21f13