Analysis
-
max time kernel
149s -
max time network
141s -
platform
windows10-2004_x64 -
resource
win10v2004-20220812-en -
resource tags
-
submitted
15-09-2022 12:43
General
-
Target
Antivirus_Upgrade_Cloud.b79e8f66eb124.jse
-
Size
186KB
-
MD5
871d0084a53bb7733346b167f7e67e36
-
SHA1
2b75f4d60b357ea3cdd53a73e8dd00148fea0889
-
SHA256
9095bbb4b123a353a856634166f193124bdc4591cb3a38922b2283acc1d966d6
-
SHA512
b77f916dfe0fa3ebcd7ca7fef2df57d9e3e647a37ee90e5bdf845cc715f2ad58f7c3053d55b43d108da004ea1097826ad7dca7fde5f6f45bcb6781acbe68ddaf
-
SSDEEP
3072:S7e1lcDeY9tstU6UtjvN7MLFfOVMumRRCivI7lvLAe25gfV99p:S4uDBtstmtJouig7V99p
Score
10/10
Malware Config
Signatures
-
Detect magniber ransomware 3 IoCs
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
-
Deletes System State backups 3 TTPs 3 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Deletes backup catalog 3 TTPs 3 IoCs
Uses wbadmin.exe to inhibit system recovery.
-
Modifies extensions of user files 12 IoCs
Ransomware generally changes the extension on encrypted files.
-
Drops file in Windows directory 6 IoCs
-
Program crash 1 IoCs
-
Checks SCSI registry key(s) 3 TTPs 4 IoCs
SCSI information is often read in order to detect sandboxing environments.
-
Modifies registry class 42 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of WriteProcessMemory 32 IoCs
Processes
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/qiznxoynrf.dd4⤵
-
-
-
-
C:\Windows\system32\backgroundTaskHost.exe"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppX53ypgrj20bgndg05hj3tc7z654myszwp.mca1⤵
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/reovgnwbjymr.dd4⤵
-
-
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
-
C:\Windows\System32\WScript.exeC:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.b79e8f66eb124.jse"1⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3276 -s 9362⤵
- Program crash
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc1⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/reovgnwbjymr.dd4⤵
-
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/reovgnwbjymr.dd4⤵
-
-
-
-
C:\Windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
- Modifies registry class
-
C:\Windows\System32\cmd.exe/c fodhelper.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\fodhelper.exefodhelper.exe3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wscript.exe"wscript.exe" /B /E:VBScript.Encode ../../Users/Public/qiznxoynrf.dd4⤵
-
-
-
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc1⤵
- Modifies extensions of user files
- Modifies registry class
-
C:\Windows\system32\sihost.exesihost.exe1⤵
- Modifies registry class
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -pss -s 468 -p 3276 -ip 32761⤵
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete systemstatebackup -quiet1⤵
- Process spawned unexpected child process
- Deletes System State backups
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet1⤵
- Process spawned unexpected child process
- Deletes backup catalog
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\System32\vdsldr.exeC:\Windows\System32\vdsldr.exe -Embedding1⤵
-
C:\Windows\System32\vds.exeC:\Windows\System32\vds.exe1⤵
- Checks SCSI registry key(s)
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet1⤵
- Process spawned unexpected child process
- Deletes backup catalog
-
C:\Windows\system32\wbadmin.exewbadmin delete systemstatebackup -quiet1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} bootstatuspolicy ignoreallfailures1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete catalog -quiet1⤵
- Process spawned unexpected child process
- Deletes backup catalog
-
C:\Windows\system32\bcdedit.exebcdedit /set {default} recoveryenabled no1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
-
C:\Windows\system32\wbadmin.exewbadmin delete systemstatebackup -quiet1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
857B
MD5b179b9ad7d9523ca77a96719ed849079
SHA19bad1bcc6484428080fb03d22b079c0fda4985b2
SHA256d6d195a21b9c7174293c0ada29c421199b6fdca4e009b8905dcbb9f0161db9a2
SHA512162dfb7cc03e6ab7fb9afa005a01cd525806cb513e97b8b49a7f170a62f12a10ebf3529c9a4f7f28e61afe88c7a1f11d2004d3e37c502316c9c99ba0a72033e7
-
Filesize
857B
MD5b179b9ad7d9523ca77a96719ed849079
SHA19bad1bcc6484428080fb03d22b079c0fda4985b2
SHA256d6d195a21b9c7174293c0ada29c421199b6fdca4e009b8905dcbb9f0161db9a2
SHA512162dfb7cc03e6ab7fb9afa005a01cd525806cb513e97b8b49a7f170a62f12a10ebf3529c9a4f7f28e61afe88c7a1f11d2004d3e37c502316c9c99ba0a72033e7
-
-
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
Filesize
64KB
-
-
-
-
Filesize
40KB
-
-
-
-
-
-
Filesize
10.8MB
-
Filesize
16.0MB
-
Filesize
10.8MB
-
Filesize
16.0MB
-
Filesize
10.8MB