magniber | 9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6

Analysis

max time kernel
148s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
15-09-2022 12:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Antivirus_Upgrade_Cloud.b79e8f66eb124.jse
Size

186KB
MD5

871d0084a53bb7733346b167f7e67e36
SHA1

2b75f4d60b357ea3cdd53a73e8dd00148fea0889
SHA256

9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6
SHA512

b77f916dfe0fa3ebcd7ca7fef2df57d9e3e647a37ee90e5bdf845cc715f2ad58f7c3053d55b43d108da004ea1097826ad7dca7fde5f6f45bcb6781acbe68ddaf
SSDEEP

3072:S7e1lcDeY9tstU6UtjvN7MLFfOVMumRRCivI7lvLAe25gfV99p:S4uDBtstmtJouig7V99p

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

resource	yara_rule
behavioral2/memory/2280-134-0x0000021FBE860000-0x0000021FBF860000-memory.dmp	family_magniber
behavioral2/memory/2620-135-0x00000197D2CF0000-0x00000197D2CFA000-memory.dmp	family_magniber
behavioral2/memory/2280-147-0x0000021FBE860000-0x0000021FBF860000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4024	1624	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4756	1624	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5004	1624	wbadmin.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4996	1624	wbadmin.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3164	1624	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3504	1624	bcdedit.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	656	1624	wbadmin.exe	53
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3732	1624	wbadmin.exe	53

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
4024	bcdedit.exe
4756	bcdedit.exe
3164	bcdedit.exe
3504	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4996	wbadmin.exe
3732	wbadmin.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
5004	wbadmin.exe
656	wbadmin.exe

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\UnpublishRevoke.crw => C:\Users\Admin\Pictures\UnpublishRevoke.crw.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResizeStop.png => C:\Users\Admin\Pictures\ResizeStop.png.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\SendRevoke.tif => C:\Users\Admin\Pictures\SendRevoke.tif.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExpandPush.raw => C:\Users\Admin\Pictures\ExpandPush.raw.gpbaiwzt	sihost.exe
File renamed	C:\Users\Admin\Pictures\LockUninstall.raw => C:\Users\Admin\Pictures\LockUninstall.raw.gpbaiwzt	sihost.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4808	3276	WerFault.exe	15

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 42 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	sihost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/zpeqgiedp.dd"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/rhaqsojvm.dd"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/euhvgshob.dd"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/thefqgtifpkr.dd"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/gvgsagsa.dd"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pcwjwjvhtk.dd"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vjbbrz.dd"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/avixtjbxpc.dd"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2280	WScript.exe
2280	WScript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2648	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	3440	RuntimeBroker.exe
Token: SeShutdownPrivilege	3440	RuntimeBroker.exe
Token: SeBackupPrivilege	4776	vssvc.exe
Token: SeRestorePrivilege	4776	vssvc.exe
Token: SeAuditPrivilege	4776	vssvc.exe
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeBackupPrivilege	1908	wbengine.exe
Token: SeRestorePrivilege	1908	wbengine.exe
Token: SeSecurityPrivilege	1908	wbengine.exe
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE
Token: SeShutdownPrivilege	2648	Explorer.EXE
Token: SeCreatePagefilePrivilege	2648	Explorer.EXE

Suspicious use of WriteProcessMemory 27 IoCs

description	pid	Process	procid_target
PID 2280 wrote to memory of 2620	2280	WScript.exe	21
PID 2280 wrote to memory of 2696	2280	WScript.exe	20
PID 2280 wrote to memory of 2884	2280	WScript.exe	19
PID 2280 wrote to memory of 2648	2280	WScript.exe	17
PID 2280 wrote to memory of 2580	2280	WScript.exe	16
PID 2280 wrote to memory of 3276	2280	WScript.exe	15
PID 2280 wrote to memory of 3376	2280	WScript.exe	14
PID 2280 wrote to memory of 3440	2280	WScript.exe	13
PID 2280 wrote to memory of 3528	2280	WScript.exe	65
PID 2280 wrote to memory of 3688	2280	WScript.exe	64
PID 2280 wrote to memory of 4700	2280	WScript.exe	61
PID 3568 wrote to memory of 4948	3568	cmd.exe	93
PID 3568 wrote to memory of 4948	3568	cmd.exe	93
PID 4948 wrote to memory of 3148	4948	fodhelper.exe	95
PID 4948 wrote to memory of 3148	4948	fodhelper.exe	95
PID 3456 wrote to memory of 2336	3456	cmd.exe	112
PID 3456 wrote to memory of 2336	3456	cmd.exe	112
PID 2336 wrote to memory of 1900	2336	fodhelper.exe	113
PID 2336 wrote to memory of 1900	2336	fodhelper.exe	113
PID 704 wrote to memory of 2280	704	cmd.exe	124
PID 704 wrote to memory of 2280	704	cmd.exe	124
PID 2280 wrote to memory of 3912	2280	fodhelper.exe	126
PID 2280 wrote to memory of 3912	2280	fodhelper.exe	126
PID 2096 wrote to memory of 4844	2096	cmd.exe	129
PID 2096 wrote to memory of 4844	2096	cmd.exe	129
PID 4844 wrote to memory of 2176	4844	fodhelper.exe	130
PID 4844 wrote to memory of 2176	4844	fodhelper.exe	130

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3440

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3276 -s 868
  2⤵
  - Program crash
  PID:4808

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:2580
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2096
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4844
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rhaqsojvm.dd
      4⤵
      PID:2176

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2648
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.b79e8f66eb124.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2280

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2884

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2696
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3456
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2336
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/vjbbrz.dd
      4⤵
      PID:1900

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2620

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4700
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3568
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4948
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/vjbbrz.dd
      4⤵
      PID:3148

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3688
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:704
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2280
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/rhaqsojvm.dd
      4⤵
      PID:3912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3528

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3276 -ip 3276
1⤵
PID:3636

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4776

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4024

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4756

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:5004

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4996

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:1908

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2860

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:4532

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3164

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3504

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:656

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3732

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\vjbbrz.dd

Filesize
857B

MD5
b179b9ad7d9523ca77a96719ed849079

SHA1
9bad1bcc6484428080fb03d22b079c0fda4985b2

SHA256
d6d195a21b9c7174293c0ada29c421199b6fdca4e009b8905dcbb9f0161db9a2

SHA512
162dfb7cc03e6ab7fb9afa005a01cd525806cb513e97b8b49a7f170a62f12a10ebf3529c9a4f7f28e61afe88c7a1f11d2004d3e37c502316c9c99ba0a72033e7

Download Submit
memory/2280-132-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-134-0x0000021FBE860000-0x0000021FBF860000-memory.dmp

Filesize
16.0MB

Download
memory/2280-146-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2280-147-0x0000021FBE860000-0x0000021FBF860000-memory.dmp

Filesize
16.0MB

Download
memory/2280-148-0x00007FFA07300000-0x00007FFA07DC1000-memory.dmp

Filesize
10.8MB

Download
memory/2620-135-0x00000197D2CF0000-0x00000197D2CFA000-memory.dmp

Filesize
40KB

Download