Overview

overview

10

Static

static

Antivirus_...1f.jse

windows7-x64

10

Antivirus_...1f.jse

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2022 12:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Antivirus_Upgrade_Cloud.2736a0cc3a2e1f.jse

  • Size

    161KB

  • MD5

    ed5481f4b64e048f09d5d9d880dafa23

  • SHA1

    9948c71e77c9a7551f9f3b976da5b0e5e5950afe

  • SHA256

    76c012f134e81138fb37ac3638488f309662efcc9bb4011ff8e54869f26bb119

  • SHA512

    addd60848f245d83c70a65414b3d676e92ffdb2f31aa2de3497b8cda69ddb3938874aac062005c66d81af2451c545a5c871db4a392815cd9e69707b0388cbea0

  • SSDEEP

    3072:5tCIP3D125lF+90AGp9K9zCdKuxkvhq8n8skOfx/bll25DftO5:PPz1GlF+9yjK9WBxkpq8n8mItO5

Score
10/10
magniberevasionransomware

Malware Config

Signatures

  • Detect magniber ransomware 3 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies boot configuration data using bcdedit 1 TTPs 2 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 1 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 4 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 42 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    PID:2784
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:3380
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      PID:3448
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:3536
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Modifies registry class
        PID:4624
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
        • Modifies registry class
        PID:3700
        • C:\Windows\System32\cmd.exe
          /c fodhelper.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1576
          • C:\Windows\System32\fodhelper.exe
            fodhelper.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3428
            • C:\Windows\system32\wscript.exe
              "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/ygjcfpxgor.dt
              4⤵
                PID:1924
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:3288
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -u -p 3288 -s 400
              2⤵
              • Program crash
              PID:4692
          • C:\Windows\system32\svchost.exe
            C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
            1⤵
            • Modifies registry class
            PID:3100
          • C:\Windows\system32\backgroundTaskHost.exe
            "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca
            1⤵
              PID:3524
            • C:\Windows\Explorer.EXE
              C:\Windows\Explorer.EXE
              1⤵
              • Modifies registry class
              • Suspicious behavior: GetForegroundWindowSpam
              • Suspicious use of AdjustPrivilegeToken
              PID:2416
              • C:\Windows\System32\WScript.exe
                C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.2736a0cc3a2e1f.jse"
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:4636
            • C:\Windows\system32\taskhostw.exe
              taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
              1⤵
              • Modifies registry class
              PID:2880
            • C:\Windows\system32\sihost.exe
              sihost.exe
              1⤵
              • Modifies registry class
              PID:2740
            • C:\Windows\system32\WerFault.exe
              C:\Windows\system32\WerFault.exe -pss -s 472 -p 3288 -ip 3288
              1⤵
                PID:3496
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:1076
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} bootstatuspolicy ignoreallfailures
                1⤵
                • Process spawned unexpected child process
                • Modifies boot configuration data using bcdedit
                PID:4484
              • C:\Windows\system32\bcdedit.exe
                bcdedit /set {default} recoveryenabled no
                1⤵
                • Process spawned unexpected child process
                • Modifies boot configuration data using bcdedit
                PID:4964
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete catalog -quiet
                1⤵
                • Process spawned unexpected child process
                • Deletes backup catalog
                PID:4960
              • C:\Windows\system32\wbadmin.exe
                wbadmin delete systemstatebackup -quiet
                1⤵
                • Process spawned unexpected child process
                • Deletes System State backups
                PID:2840
              • C:\Windows\system32\wbengine.exe
                "C:\Windows\system32\wbengine.exe"
                1⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:744
              • C:\Windows\System32\vdsldr.exe
                C:\Windows\System32\vdsldr.exe -Embedding
                1⤵
                  PID:3744
                • C:\Windows\System32\vds.exe
                  C:\Windows\System32\vds.exe
                  1⤵
                  • Checks SCSI registry key(s)
                  PID:3960

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Public\ygjcfpxgor.dt
                  Filesize

                  868B

                  MD5

                  df5084fd1e202103ed233fdae20b0e7f

                  SHA1

                  c5c80dd04b64c0f156866e92510a960fc239b09d

                  SHA256

                  afc959699eadc9a97f93851a1d924c15e4bc3aa7b1aee6f2f87e3b8a38dd3e3c

                  SHA512

                  f6ddc9db94fb89c188bffb9d4789a14a535bfaf93d05a4922a5331e63405d929103f00c8427f85c0663930ef3db0d724de02bf400de8142a4f3b8c8ab18f7470

                  Download Submit

                • memory/1924-151-0x0000000000000000-mapping.dmp

                  Download

                • memory/2416-158-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-171-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-172-0x0000000008D20000-0x0000000008D30000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-159-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-170-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-169-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-168-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-153-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-154-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-155-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-156-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-157-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-173-0x0000000008D20000-0x0000000008D30000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-167-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-164-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-161-0x0000000008D20000-0x0000000008D30000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-162-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-163-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-160-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-165-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2416-166-0x0000000008CF0000-0x0000000008D00000-memory.dmp

                  Filesize

                  64KB

                  Download

                • memory/2740-135-0x000001FCFCDF0000-0x000001FCFCDFA000-memory.dmp

                  Filesize

                  40KB

                  Download

                • memory/3428-150-0x0000000000000000-mapping.dmp

                  Download

                • memory/4636-146-0x00007FFAA2BE0000-0x00007FFAA36A1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4636-134-0x000001721C520000-0x000001721D520000-memory.dmp

                  Filesize

                  16.0MB

                  Download

                • memory/4636-149-0x00007FFAA2BE0000-0x00007FFAA36A1000-memory.dmp

                  Filesize

                  10.8MB

                  Download

                • memory/4636-148-0x000001721C520000-0x000001721D520000-memory.dmp

                  Filesize

                  16.0MB

                  Download

                • memory/4636-132-0x00007FFAA2BE0000-0x00007FFAA36A1000-memory.dmp

                  Filesize

                  10.8MB

                  Download