magniber | 9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6

General

Target

Antivirus_Upgrade_Cloud.b79e8f66eb124.jse
Size

186KB
MD5

871d0084a53bb7733346b167f7e67e36
SHA1

2b75f4d60b357ea3cdd53a73e8dd00148fea0889
SHA256

9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6
SHA512

b77f916dfe0fa3ebcd7ca7fef2df57d9e3e647a37ee90e5bdf845cc715f2ad58f7c3053d55b43d108da004ea1097826ad7dca7fde5f6f45bcb6781acbe68ddaf
SSDEEP

3072:S7e1lcDeY9tstU6UtjvN7MLFfOVMumRRCivI7lvLAe25gfV99p:S4uDBtstmtJouig7V99p

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2280-134-0x0000021FBE860000-0x0000021FBF860000-memory.dmp	family_magniber
behavioral2/memory/2620-135-0x00000197D2CF0000-0x00000197D2CFA000-memory.dmp	family_magniber
behavioral2/memory/2280-147-0x0000021FBE860000-0x0000021FBF860000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	1624	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1624	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1624	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1624	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1624	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1624	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1624	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	1624	wbadmin.exe

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

4024 bcdedit.exe
4756 bcdedit.exe
3164 bcdedit.exe
3504 bcdedit.exe
Deletes System State backups 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

4996 wbadmin.exe
3732 wbadmin.exe
Deletes backup catalog 3 TTPs 2 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exe

pid process

5004 wbadmin.exe
656 wbadmin.exe

pid	process
4024	bcdedit.exe
4756	bcdedit.exe
3164	bcdedit.exe
3504	bcdedit.exe

pid	process
4996	wbadmin.exe
3732	wbadmin.exe

pid	process
5004	wbadmin.exe
656	wbadmin.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\UnpublishRevoke.crw => C:\Users\Admin\Pictures\UnpublishRevoke.crw.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResizeStop.png => C:\Users\Admin\Pictures\ResizeStop.png.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\SendRevoke.tif => C:\Users\Admin\Pictures\SendRevoke.tif.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExpandPush.raw => C:\Users\Admin\Pictures\ExpandPush.raw.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\LockUninstall.raw => C:\Users\Admin\Pictures\LockUninstall.raw.gpbaiwzt	sihost.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4808 3276 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4808	3276	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 42 IoCs

Processes:

RuntimeBroker.exesihost.exeExplorer.EXERuntimeBroker.exeRuntimeBroker.exetaskhostw.exesvchost.exesvchost.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/zpeqgiedp.dd"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/rhaqsojvm.dd"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/euhvgshob.dd"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/thefqgtifpkr.dd"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/gvgsagsa.dd"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pcwjwjvhtk.dd"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vjbbrz.dd"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/avixtjbxpc.dd"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid process

2280 WScript.exe
2280 WScript.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2648 Explorer.EXE

pid	process
2280	WScript.exe
2280	WScript.exe

pid	process
2648	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exe

description	pid	process
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	3440	RuntimeBroker.exe
Token: SeShutdownPrivilege	3440	RuntimeBroker.exe
Token: SeBackupPrivilege	4776	vssvc.exe
Token: SeRestorePrivilege	4776	vssvc.exe
Token: SeAuditPrivilege	4776	vssvc.exe
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeBackupPrivilege	1908	wbengine.exe
Token: SeRestorePrivilege	1908	wbengine.exe
Token: SeSecurityPrivilege	1908	wbengine.exe
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

Processes:

WScript.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	process	target process
PID 2280 wrote to memory of 2620	2280	WScript.exe	sihost.exe
PID 2280 wrote to memory of 2696	2280	WScript.exe	svchost.exe
PID 2280 wrote to memory of 2884	2280	WScript.exe	taskhostw.exe
PID 2280 wrote to memory of 2648	2280	WScript.exe	Explorer.EXE
PID 2280 wrote to memory of 2580	2280	WScript.exe	svchost.exe
PID 2280 wrote to memory of 3276	2280	WScript.exe	DllHost.exe
PID 2280 wrote to memory of 3376	2280	WScript.exe	StartMenuExperienceHost.exe
PID 2280 wrote to memory of 3440	2280	WScript.exe	RuntimeBroker.exe
PID 2280 wrote to memory of 3528	2280	WScript.exe	SearchApp.exe
PID 2280 wrote to memory of 3688	2280	WScript.exe	RuntimeBroker.exe
PID 2280 wrote to memory of 4700	2280	WScript.exe	RuntimeBroker.exe
PID 3568 wrote to memory of 4948	3568	cmd.exe	fodhelper.exe
PID 3568 wrote to memory of 4948	3568	cmd.exe	fodhelper.exe
PID 4948 wrote to memory of 3148	4948	fodhelper.exe	wscript.exe
PID 4948 wrote to memory of 3148	4948	fodhelper.exe	wscript.exe
PID 3456 wrote to memory of 2336	3456	cmd.exe	fodhelper.exe
PID 3456 wrote to memory of 2336	3456	cmd.exe	fodhelper.exe
PID 2336 wrote to memory of 1900	2336	fodhelper.exe	wscript.exe
PID 2336 wrote to memory of 1900	2336	fodhelper.exe	wscript.exe
PID 704 wrote to memory of 2280	704	cmd.exe	fodhelper.exe
PID 704 wrote to memory of 2280	704	cmd.exe	fodhelper.exe
PID 2280 wrote to memory of 3912	2280	fodhelper.exe	wscript.exe
PID 2280 wrote to memory of 3912	2280	fodhelper.exe	wscript.exe
PID 2096 wrote to memory of 4844	2096	cmd.exe	fodhelper.exe
PID 2096 wrote to memory of 4844	2096	cmd.exe	fodhelper.exe
PID 4844 wrote to memory of 2176	4844	fodhelper.exe	wscript.exe
PID 4844 wrote to memory of 2176	4844	fodhelper.exe	wscript.exe

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 868
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:2580
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rhaqsojvm.dd
      4⤵
      PID:2176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2648
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.b79e8f66eb124.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2280

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2696
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/vjbbrz.dd
      4⤵
      PID:1900

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4700
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/vjbbrz.dd
      4⤵
      PID:3148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3688
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rhaqsojvm.dd
      4⤵
      PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3276 -ip 3276
1⤵
PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4024

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4756

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:5004

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4532

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3164

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3504

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:656

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

2

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vjbbrz.dd

Filesize
857B

MD5
b179b9ad7d9523ca77a96719ed849079

SHA1
9bad1bcc6484428080fb03d22b079c0fda4985b2

SHA256
d6d195a21b9c7174293c0ada29c421199b6fdca4e009b8905dcbb9f0161db9a2

SHA512
162dfb7cc03e6ab7fb9afa005a01cd525806cb513e97b8b49a7f170a62f12a10ebf3529c9a4f7f28e61afe88c7a1f11d2004d3e37c502316c9c99ba0a72033e7

Download Submit
memory/1900-153-0x0000000000000000-mapping.dmp

Download
memory/2176-157-0x0000000000000000-mapping.dmp

Download
memory/2280-132-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-134-0x0000021FBE860000-0x0000021FBF860000-memory.dmp

Filesize
16.0MB

Download
memory/2280-146-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-147-0x0000021FBE860000-0x0000021FBF860000-memory.dmp

Filesize
16.0MB

Download
memory/2280-148-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-154-0x0000000000000000-mapping.dmp

Download
memory/2336-152-0x0000000000000000-mapping.dmp

Download
memory/2620-135-0x00000197D2CF0000-0x00000197D2CFA000-memory.dmp

Filesize
40KB

Download
memory/3148-150-0x0000000000000000-mapping.dmp

Download
memory/3912-155-0x0000000000000000-mapping.dmp

Download
memory/4844-156-0x0000000000000000-mapping.dmp

Download
memory/4948-149-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads