Overview

overview

10

Static

static

Antivirus_...ab.jse

windows7-x64

10

Antivirus_...ab.jse

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2022 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Antivirus_Upgrade_Cloud.e2550b79e6f94ab.jse

  • Size

    167KB

  • MD5

    b901b278c04a64daf3622012224a8cca

  • SHA1

    0fd90e8962a3a87f10af4448250c85bda8ff48b7

  • SHA256

    56d301fe7a6b1a9e21898162b0dada9ff12878c539591052919fabcc36d28541

  • SHA512

    e648d2ae461aa71fdc578c41626a90f501bd24e5b42fa140deb886ae1091019a5fce75a58b81489225510856555902656da3ed6f4cebbcbab66ffe1872cfdaf3

  • SSDEEP

    3072:p6U8hsMvboPvqad0Y3mrTGCsmf+W0zwA0yX7AzmipeUph59pMhDhTfPDh3GZbrtc:pMvboPaY3r7W0zsOAzrqV5Tg3on1e7xS

Score
10/10
magniberevasionransomware

Malware Config

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 37 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    PID:2356
    • C:\Windows\System32\cmd.exe
      /c fodhelper.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1244
      • C:\Windows\System32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:4684
        • C:\Windows\system32\wscript.exe
          "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/tnsefzalmno.ozb
          4⤵
            PID:2604
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
      • Modifies registry class
      PID:2388
    • C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      1⤵
      • Modifies registry class
      PID:2468
    • C:\Windows\Explorer.EXE
      C:\Windows\Explorer.EXE
      1⤵
      • Modifies registry class
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      PID:2640
      • C:\Windows\System32\WScript.exe
        C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.e2550b79e6f94ab.jse"
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:4804
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1520
        • C:\Windows\System32\fodhelper.exe
          fodhelper.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:4828
          • C:\Windows\system32\wscript.exe
            "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/mkbjcp.ozb
            4⤵
              PID:1268
      • C:\Windows\system32\svchost.exe
        C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
        1⤵
        • Modifies registry class
        PID:3096
      • C:\Windows\system32\DllHost.exe
        C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
        1⤵
          PID:3288
          • C:\Windows\system32\WerFault.exe
            C:\Windows\system32\WerFault.exe -u -p 3288 -s 924
            2⤵
            • Program crash
            PID:1756
        • C:\Windows\System32\RuntimeBroker.exe
          C:\Windows\System32\RuntimeBroker.exe -Embedding
          1⤵
          • Modifies registry class
          • Suspicious use of AdjustPrivilegeToken
          PID:3508
          • C:\Windows\System32\cmd.exe
            /c fodhelper.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:4352
            • C:\Windows\System32\fodhelper.exe
              fodhelper.exe
              3⤵
              • Suspicious use of WriteProcessMemory
              PID:3148
              • C:\Windows\system32\wscript.exe
                "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/cgdqqsxhtir.ozb
                4⤵
                  PID:4528
          • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
            "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
            1⤵
              PID:3420
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4692
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:3808
            • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
              "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
              1⤵
                PID:3616
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -pss -s 460 -p 3288 -ip 3288
                1⤵
                  PID:4468
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:1876
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  1⤵
                  • Process spawned unexpected child process
                  • Modifies boot configuration data using bcdedit
                  PID:3404
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled no
                  1⤵
                  • Process spawned unexpected child process
                  • Modifies boot configuration data using bcdedit
                  PID:4336
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Deletes backup catalog
                  PID:3240
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete systemstatebackup -quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Deletes System State backups
                  PID:1092
                • C:\Windows\system32\wbengine.exe
                  "C:\Windows\system32\wbengine.exe"
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:480
                • C:\Windows\System32\vdsldr.exe
                  C:\Windows\System32\vdsldr.exe -Embedding
                  1⤵
                    PID:4068
                  • C:\Windows\System32\vds.exe
                    C:\Windows\System32\vds.exe
                    1⤵
                    • Checks SCSI registry key(s)
                    PID:3896

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Public\tnsefzalmno.ozb
                    Filesize

                    872B

                    MD5

                    6c7c0ca02f9309ee714ad4e3ddc88522

                    SHA1

                    b770120c20761a6e8f748de49fb05c8820509189

                    SHA256

                    1fcd1713b7a3de5dcdf51e61e9b2cec6c284e14c9791c502295c73161d5914b9

                    SHA512

                    3290b59cac4efa045fa5744586d66a90a00093b9451399fb05dac4b0318e4e92fdb98730b3b01dd97be5536e62a1570958883fff38f55cae781c69ea9b8ded48

                    Download Submit

                  • memory/1268-179-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2356-135-0x0000027F6C460000-0x0000027F6C46A000-memory.dmp

                    Filesize

                    40KB

                    Download

                  • memory/2604-151-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2640-161-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-164-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-177-0x0000000003400000-0x0000000003410000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-176-0x0000000003400000-0x0000000003410000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-175-0x0000000003400000-0x0000000003410000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-174-0x0000000003400000-0x0000000003410000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-153-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-154-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-155-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-156-0x0000000003360000-0x0000000003370000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-157-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-158-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-159-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-160-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-173-0x0000000003400000-0x0000000003410000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-162-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-163-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-172-0x0000000003400000-0x0000000003410000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-165-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-166-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-167-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-168-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-169-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-170-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/2640-171-0x0000000003220000-0x0000000003230000-memory.dmp

                    Filesize

                    64KB

                    Download

                  • memory/3148-148-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4528-149-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4684-150-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4804-133-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4804-146-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4804-147-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/4804-134-0x0000020380000000-0x0000020381000000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/4828-178-0x0000000000000000-mapping.dmp

                    Download