Overview

overview

10

Static

static

Antivirus_...d2.jse

windows7-x64

10

Antivirus_...d2.jse

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    130s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2022 12:55

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Antivirus_Upgrade_Cloud.9fdd7aebbe418ed2.jse

  • Size

    176KB

  • MD5

    ad184cf93d38d51111a7ef305992eb5f

  • SHA1

    37b05248dbd96c8a94082471069f24a7b1036313

  • SHA256

    266f930572d3006c36ba7e97b4ffed107827decd7738a58c218e1ae5450fbe95

  • SHA512

    a37d0984d65b0eaef4169a22e5802ac8f24b9508b717f46b2911ad583f5a4b2e4f59bd31c317976f14995ba69a7855318ef7d5e0ba866d3b8fc1db352a14c56e

  • SSDEEP

    3072:x4xkakIeI6QKzm+bga+V9cw+yOTE4o5V0eD11TbXx1113B1WR9KflL11H6IFNC4v:GfelQKzbMYJQ4o5VxhakLDNyjt8

Score
10/10
magniberevasionransomware

Malware Config

Signatures

  • Detect magniber ransomware 3 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 10 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Drops file in Windows directory 3 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 47 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    PID:2372
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    • Modifies registry class
    PID:2380
    • C:\Windows\System32\cmd.exe
      /c fodhelper.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:736
      • C:\Windows\System32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:3676
        • C:\Windows\system32\wscript.exe
          "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/atkfrjgbugk.now
          4⤵
            PID:5088
    • C:\Windows\system32\taskhostw.exe
      taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
      1⤵
      • Modifies registry class
      PID:2476
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
      • Modifies registry class
      PID:3824
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3620
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:3512
      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
        "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
        1⤵
          PID:3404
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:3308
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3308 -s 748
              2⤵
              • Program crash
              PID:4048
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
            1⤵
            • Modifies registry class
            PID:3108
            • C:\Windows\System32\cmd.exe
              /c fodhelper.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4832
              • C:\Windows\System32\fodhelper.exe
                fodhelper.exe
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:4184
                • C:\Windows\system32\wscript.exe
                  "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/kxndrn.now
                  4⤵
                    PID:1736
            • C:\Windows\Explorer.EXE
              C:\Windows\Explorer.EXE
              1⤵
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2228
              • C:\Windows\System32\WScript.exe
                C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.9fdd7aebbe418ed2.jse"
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:880
            • C:\Windows\System32\RuntimeBroker.exe
              C:\Windows\System32\RuntimeBroker.exe -Embedding
              1⤵
              • Modifies registry class
              PID:4700
              • C:\Windows\System32\cmd.exe
                /c fodhelper.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:3100
                • C:\Windows\System32\fodhelper.exe
                  fodhelper.exe
                  3⤵
                  • Suspicious use of WriteProcessMemory
                  PID:3312
                  • C:\Windows\system32\wscript.exe
                    "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/kdwlrcnbldxn.now
                    4⤵
                      PID:4008
              • C:\Windows\system32\WerFault.exe
                C:\Windows\system32\WerFault.exe -pss -s 444 -p 3308 -ip 3308
                1⤵
                  PID:1440
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:4348
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} bootstatuspolicy ignoreallfailures
                  1⤵
                  • Process spawned unexpected child process
                  • Modifies boot configuration data using bcdedit
                  PID:1680
                • C:\Windows\system32\bcdedit.exe
                  bcdedit /set {default} recoveryenabled no
                  1⤵
                  • Process spawned unexpected child process
                  • Modifies boot configuration data using bcdedit
                  PID:2200
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete catalog -quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Deletes backup catalog
                  PID:4520
                • C:\Windows\system32\wbadmin.exe
                  wbadmin delete systemstatebackup -quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Deletes System State backups
                  • Drops file in Windows directory
                  PID:1144
                • C:\Windows\system32\wbengine.exe
                  "C:\Windows\system32\wbengine.exe"
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3596
                • C:\Windows\System32\vdsldr.exe
                  C:\Windows\System32\vdsldr.exe -Embedding
                  1⤵
                    PID:1692
                  • C:\Windows\System32\vds.exe
                    C:\Windows\System32\vds.exe
                    1⤵
                    • Checks SCSI registry key(s)
                    PID:1852

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Public\atkfrjgbugk.now
                    Filesize

                    880B

                    MD5

                    b190ff090537a6cd507870077a4a6160

                    SHA1

                    7d23d91564a6dcb298b03b122d0f4e329a4f29f4

                    SHA256

                    422626de7cbc0fb2c7c36fd85ae325b873270d027666fe47d9588cd81489c053

                    SHA512

                    a151b50cb3bc593b605c01e38d3c438dba472e3635f2ebf3646d1febe8deb2c74c997457cd3af51a7f528311f4c28f752b5ed7bac1b087b389d1368ebcf9978b

                    Download Submit

                  • memory/880-134-0x00000211B5220000-0x00000211B6220000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/880-146-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/880-147-0x00000211B5220000-0x00000211B6220000-memory.dmp

                    Filesize

                    16.0MB

                    Download

                  • memory/880-148-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/880-132-0x00007FFD10110000-0x00007FFD10BD1000-memory.dmp

                    Filesize

                    10.8MB

                    Download

                  • memory/1736-153-0x0000000000000000-mapping.dmp

                    Download

                  • memory/2372-135-0x0000020029D60000-0x0000020029D6B000-memory.dmp

                    Filesize

                    44KB

                    Download

                  • memory/3312-154-0x0000000000000000-mapping.dmp

                    Download

                  • memory/3676-149-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4008-155-0x0000000000000000-mapping.dmp

                    Download

                  • memory/4184-152-0x0000000000000000-mapping.dmp

                    Download

                  • memory/5088-150-0x0000000000000000-mapping.dmp

                    Download