Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64
    arch:x86
    image:win10v2004-20220812-en
    locale:en-us
    os:windows10-2004-x64
    system
  • submitted
    08-09-2022 05:30

General

  • Target

    Antivirus_Upgrade_Cloud.8a6cd22d83c0486.jse

  • Size

    167KB

  • MD5

    a1f5a11ee4b1ae01ea986311bdc9a840

  • SHA1

    0aacc589c57adba17786cbfa4446e6ce1ae48d2e

  • SHA256

    bba85d79db69db1b638e24e0a426ccccdc5c95875b8c3a26aa959cce3f6c8575

  • SHA512

    ce8db2d1da1f446df13ac6bc12a76d78b5578f787e0b24dccca4ebc7bb941e5d27336321c6338957fc198e92669345d95298b3fbaeca6e604666ee44d5f108f9

  • SSDEEP

    3072:fHsGPsk+UsSlORiat8x8S4k1sZa7GGCcxaeQR3ReRw/H3MrqW25pf5w2D:fPsk+UjlOR1t8n1sGVCcxbQm28O5wo

Malware Config

Signatures

  • Detect magniber ransomware 3 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Program crash 1 IoCs
  • Modifies registry class 56 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 30 IoCs

Processes

  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
    1⤵
    PID:3680

  • C:\Windows\system32\backgroundTaskHost.exe
    "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
    1⤵
    PID:5012

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:1772

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:4776

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    PID:3896
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3716
          • C:\Windows\System32\fodhelper.exe
            fodhelper.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3752
              • C:\Windows\system32\wscript.exe
                "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rqgksfsx.jfif
                4⤵
                PID:2060

  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:3544

  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    PID:3412
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3756
          • C:\Windows\System32\fodhelper.exe
            fodhelper.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3084
              • C:\Windows\system32\wscript.exe
                "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rqgksfsx.jfif
                4⤵
                PID:3624

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3348

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    PID:3244
      • C:\Windows\system32\WerFault.exe
        C:\Windows\system32\WerFault.exe -u -p 3244 -s 900
        2⤵
        • Program crash
        PID:4812

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
    1⤵
    • Modifies registry class
    PID:760

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    PID:2432
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.8a6cd22d83c0486.jse"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1108

  • C:\Windows\system32\taskhostw.exe
    taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    1⤵
    • Modifies registry class
    PID:2628

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    • Modifies registry class
    PID:2388
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1752
          • C:\Windows\System32\fodhelper.exe
            fodhelper.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:764
              • C:\Windows\system32\wscript.exe
                "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rqgksfsx.jfif
                4⤵
                PID:1356

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    PID:2376
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4492
          • C:\Windows\System32\fodhelper.exe
            fodhelper.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4628
              • C:\Windows\system32\wscript.exe
                "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/supfsegva.jfif
                4⤵
                PID:4488

  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 456 -p 3244 -ip 3244
    1⤵
    PID:2948

  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1812

  • C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} bootstatuspolicy ignoreallfailures
    1⤵
    • Process spawned unexpected child process
    • Modifies boot configuration data using bcdedit
    PID:4632

  • C:\Windows\system32\bcdedit.exe
    bcdedit /set {default} recoveryenabled no
    1⤵
    • Process spawned unexpected child process
    • Modifies boot configuration data using bcdedit
    PID:3680

  • C:\Windows\system32\wbadmin.exe
    wbadmin delete catalog -quiet
    1⤵
    • Process spawned unexpected child process
    • Deletes backup catalog
    PID:1940

  • C:\Windows\system32\wbadmin.exe
    wbadmin delete systemstatebackup -quiet
    1⤵
    • Process spawned unexpected child process
    • Deletes System State backups
    PID:1708

  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:5012

  • C:\Windows\System32\vdsldr.exe
    C:\Windows\System32\vdsldr.exe -Embedding
    1⤵
    PID:1920

  • C:\Windows\System32\vds.exe
    C:\Windows\System32\vds.exe
    1⤵
    PID:4312

Network

MITRE ATT&CK Enterprise v6


Downloads

  • C:\Users\Public\rqgksfsx.jfif
    Filesize: 876B
    MD5: 42efa7eac4c01a7ad942e23cafff35f6
    SHA1: 98c779c17c882d831fb24d43b6ddf2d1f2cb168f
    SHA256: b0ff6c7ef7c2fd4a9037620d0e56e276480b9e2bf2b0bc44c878182adf3dbdc3
    SHA512: b41b2cd6fe388ebf65aab8ec7b5b532a5dea73165741e17a016f63d7b6e136b4a67f10133f6cb9b44f4737cfaccc9d4f1239da7e9ac0caf5e9daf750a3612580

  • memory/764-158-0x0000000000000000-mapping.dmp

  • memory/1108-134-0x0000029800000000-0x0000029801000000-memory.dmp
    Filesize: 16.0MB

  • memory/1108-146-0x00007FF8CB920000-0x00007FF8CC3E1000-memory.dmp
    Filesize: 10.8MB

  • memory/1108-148-0x0000029800000000-0x0000029801000000-memory.dmp
    Filesize: 16.0MB

  • memory/1108-151-0x00007FF8CB920000-0x00007FF8CC3E1000-memory.dmp
    Filesize: 10.8MB

  • memory/1108-132-0x00007FF8CB920000-0x00007FF8CC3E1000-memory.dmp
    Filesize: 10.8MB

  • memory/1356-159-0x0000000000000000-mapping.dmp

  • memory/2060-156-0x0000000000000000-mapping.dmp

  • memory/2376-135-0x000001D9B6FA0000-0x000001D9B6FAA000-memory.dmp
    Filesize: 40KB

  • memory/3084-155-0x0000000000000000-mapping.dmp

  • memory/3624-157-0x0000000000000000-mapping.dmp

  • memory/3752-154-0x0000000000000000-mapping.dmp

  • memory/4488-153-0x0000000000000000-mapping.dmp

  • memory/4628-152-0x0000000000000000-mapping.dmp