Analysis
- max time kernel: 51s
- max time network: 146s
- platform: windows10-1703_x64
- resource: win10-20220812-en
- resource tags: arch:x64, arch:x86, image:win10-20220812-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 15-09-2022 02:53

Static task: static1
Behavioral task: behavioral1
- Sample: SYSTEM.Security.Database.Upgrade.Win10.0_1.jse
- Resource: win10-20220812-en
- 4 signatures
- 150 seconds
General
- Target: SYSTEM.Security.Database.Upgrade.Win10.0_1.jse
- Size: 192KB
- MD5: b40966619d66f80774ebf817c3316acc
- SHA1: cdc90f17b5a54005993a4db61ac60e0b905f8416
- SHA256: 5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
- SHA512: a489b19a01b66807e3cc5af17abdc679e72d34139b47f5face96ac68cf183f5d790d24adb065db9327dd82cde24532c3e193a716a5212df310f90eb7e241b88e
- SSDEEP: 6144:9a6398SbpjPvtKLqAMFHEbbz5ek3/Auyn5Ia:xnvkwdizUk3/Auynqa
- Score: 10/10
Malware Config

Signatures

- Detect magniber ransomware (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2432-119-0x00000275C8B70000-0x00000275C8B82000-memory.dmp | family_magniber
  behavioral1/memory/2432-121-0x00000275CA090000-0x00000275CB090000-memory.dmp | family_magniber
  behavioral1/memory/2344-122-0x000002C939A30000-0x000002C939A3B000-memory.dmp | family_magniber

- Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  pid | Process
  2432 | WScript.exe
  2432 | WScript.exe

- Suspicious use of WriteProcessMemory (8 IoCs)
  description | pid | Process | procid_target
  PID 2432 wrote to memory of 2344 | 2432 | WScript.exe | 59
  PID 2432 wrote to memory of 2356 | 2432 | WScript.exe | 36
  PID 2432 wrote to memory of 2772 | 2432 | WScript.exe | 51
  PID 2432 wrote to memory of 3048 | 2432 | WScript.exe | 50
  PID 2432 wrote to memory of 3280 | 2432 | WScript.exe | 39
  PID 2432 wrote to memory of 3296 | 2432 | WScript.exe | 49
  PID 2432 wrote to memory of 3492 | 2432 | WScript.exe | 48
  PID 2432 wrote to memory of 3696 | 2432 | WScript.exe | 47
Processes

- c:\windows\system32\svchost.exe
  Command line: c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
  PID: 2356

- C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
  Command line: "C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
  PID: 3280

- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3696

- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3492

- C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
  PID: 3296

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 3048
  - C:\Windows\System32\WScript.exe (child process)
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Security.Database.Upgrade.Win10.0_1.jse"
    Signatures: Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    PID: 2432

- c:\windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2772

- c:\windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2344