magniber | 12921c2d0578f9d83ada9dfc4eb362ba5258d44e07741fcce87fdd91118d7cd2

Analysis

max time kernel
148s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
29-09-2022 13:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SYSTEM.Critical.Upgrade.Win10.0.26e26b85be2e07d.js
Size

212KB
MD5

6a76eeb61c3f44ae8d61bbddc9b1f58e
SHA1

25ade112e1930ed4ca7501c0ab2944cb25738478
SHA256

12921c2d0578f9d83ada9dfc4eb362ba5258d44e07741fcce87fdd91118d7cd2
SHA512

a1b753cce043ee06b5b7520f4a46cc7fc704870d9d2ed9c7285bb2a4084a3075dff4c95ba369480dc5b9536ed2636bb856e4ac4e097322cb09b625260f13f518
SSDEEP

1536:rcVvZx6Nl+Ywq8zNNR6E4JrLZ8hsnUKMkQcIntkov/VJH8Uq0is6EHqUXnxA+ETK:t25gfhe7

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4964-136-0x000001AA9F960000-0x000001AAA0960000-memory.dmp	family_magniber
behavioral2/memory/2432-137-0x00000212776C0000-0x00000212776CA000-memory.dmp	family_magniber
behavioral2/memory/4964-149-0x000001AA9F960000-0x000001AAA0960000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4360	2148	bcdedit.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	544	2148	bcdedit.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1592	2148	wbadmin.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4736	2148	wbadmin.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3608	2148	bcdedit.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2128	2148	bcdedit.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2580	2148	wbadmin.exe	69
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3648	2148	wbadmin.exe	69

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
4360	bcdedit.exe
544	bcdedit.exe
3608	bcdedit.exe
2128	bcdedit.exe

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exe

pid	Process
4736	wbadmin.exe
2580	wbadmin.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exe

pid	Process
1592	wbadmin.exe
3648	wbadmin.exe

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

svchost.exe

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\CompressRead.tiff => C:\Users\Admin\Pictures\CompressRead.tiff.xqjrmwj	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\ResolveResize.tiff	svchost.exe
File renamed	C:\Users\Admin\Pictures\ResolveResize.tiff => C:\Users\Admin\Pictures\ResolveResize.tiff.xqjrmwj	svchost.exe
File renamed	C:\Users\Admin\Pictures\StopBlock.tif => C:\Users\Admin\Pictures\StopBlock.tif.xqjrmwj	svchost.exe
File renamed	C:\Users\Admin\Pictures\UnblockRedo.png => C:\Users\Admin\Pictures\UnblockRedo.png.xqjrmwj	svchost.exe
File renamed	C:\Users\Admin\Pictures\RedoComplete.crw => C:\Users\Admin\Pictures\RedoComplete.crw.xqjrmwj	svchost.exe
File opened for modification	C:\Users\Admin\Pictures\CompressRead.tiff	svchost.exe
File renamed	C:\Users\Admin\Pictures\InvokeSplit.png => C:\Users\Admin\Pictures\InvokeSplit.png.xqjrmwj	svchost.exe
File renamed	C:\Users\Admin\Pictures\PublishConnect.png => C:\Users\Admin\Pictures\PublishConnect.png.xqjrmwj	svchost.exe

Program crash 2 IoCs

Processes:

WerFault.exeWerFault.exe

pid	pid_target	Process	procid_target
4544	3260	WerFault.exe	17
4676	3668	WerFault.exe	78

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 42 IoCs

Processes:

svchost.exetaskhostw.exeRuntimeBroker.exeRuntimeBroker.exeExplorer.EXEsvchost.exesihost.exeRuntimeBroker.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jbrdthy.kpg"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/rrjxrcoc.kpg"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jbpavjhvhv.kpg"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/mvfnxfkrzem.kpg"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pakntxgk.kpg"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/wrhuku.kpg"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ohwlzm.kpg"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/joftkr.kpg"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wscript.exe

pid	Process
4964	wscript.exe
4964	wscript.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid	Process
3064	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 57 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exe

description	pid	Process
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3428	RuntimeBroker.exe
Token: SeShutdownPrivilege	3428	RuntimeBroker.exe
Token: SeShutdownPrivilege	3428	RuntimeBroker.exe
Token: SeBackupPrivilege	2120	vssvc.exe
Token: SeRestorePrivilege	2120	vssvc.exe
Token: SeAuditPrivilege	2120	vssvc.exe
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeBackupPrivilege	732	wbengine.exe
Token: SeRestorePrivilege	732	wbengine.exe
Token: SeSecurityPrivilege	732	wbengine.exe
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE
Token: SeShutdownPrivilege	3064	Explorer.EXE
Token: SeCreatePagefilePrivilege	3064	Explorer.EXE

Suspicious use of WriteProcessMemory 19 IoCs

Processes:

wscript.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	Process	procid_target
PID 4964 wrote to memory of 2432	4964	wscript.exe	29
PID 4964 wrote to memory of 2452	4964	wscript.exe	28
PID 4964 wrote to memory of 2720	4964	wscript.exe	21
PID 4964 wrote to memory of 3064	4964	wscript.exe	19
PID 4964 wrote to memory of 2984	4964	wscript.exe	18
PID 4964 wrote to memory of 3260	4964	wscript.exe	17
PID 4964 wrote to memory of 3360	4964	wscript.exe	16
PID 4964 wrote to memory of 3428	4964	wscript.exe	15
PID 4964 wrote to memory of 3512	4964	wscript.exe	79
PID 4964 wrote to memory of 3668	4964	wscript.exe	78
PID 4964 wrote to memory of 4800	4964	wscript.exe	75
PID 4196 wrote to memory of 4616	4196	cmd.exe	93
PID 4196 wrote to memory of 4616	4196	cmd.exe	93
PID 4616 wrote to memory of 4020	4616	fodhelper.exe	95
PID 4616 wrote to memory of 4020	4616	fodhelper.exe	95
PID 4188 wrote to memory of 4036	4188	cmd.exe	114
PID 4188 wrote to memory of 4036	4188	cmd.exe	114
PID 4036 wrote to memory of 1340	4036	fodhelper.exe	116
PID 4036 wrote to memory of 1340	4036	fodhelper.exe	116

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3428

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3360

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3260
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3260 -s 908
  2⤵
  - Program crash
  PID:4544

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:2984

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:3064
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\SYSTEM.Critical.Upgrade.Win10.0.26e26b85be2e07d.js
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4964

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2720
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4188
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4036
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/mvfnxfkrzem.kpg
      4⤵
      PID:1340

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2452

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2432

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4800

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3668
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4196
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4616
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/pakntxgk.kpg
      4⤵
      PID:4020
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3668 -s 436
  2⤵
  - Program crash
  PID:4676

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3512

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3260 -ip 3260
1⤵
PID:664

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2120

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4360

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:544

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:1592

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4736

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:732

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1072

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:448

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 528 -p 3668 -ip 3668
1⤵
PID:904

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3608

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:2128

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:2580

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:3648

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\mvfnxfkrzem.kpg

Filesize
879B

MD5
d3272865d96aca9d876b2abb975ec6fb

SHA1
e93d935ff3e185e50ee9524d64977e778a1ac0aa

SHA256
f08930a65b91fc6025b66a64c9ca3aca4a74f8e1e770c17c56dbe76762625901

SHA512
e4622ccc72e1fa34e2fd0d03c9ad1190d29ed0f1b62de9c6331000abdb7f88adb23d54d7bdd2cdd9854f7bb197a07165f4c2c4d2d9c51205ea005a5277c7c89a

Download Submit
C:\Users\Public\pakntxgk.kpg

Filesize
879B

MD5
d3272865d96aca9d876b2abb975ec6fb

SHA1
e93d935ff3e185e50ee9524d64977e778a1ac0aa

SHA256
f08930a65b91fc6025b66a64c9ca3aca4a74f8e1e770c17c56dbe76762625901

SHA512
e4622ccc72e1fa34e2fd0d03c9ad1190d29ed0f1b62de9c6331000abdb7f88adb23d54d7bdd2cdd9854f7bb197a07165f4c2c4d2d9c51205ea005a5277c7c89a

Download Submit
memory/1340-155-0x0000000000000000-mapping.dmp

Download
memory/2432-137-0x00000212776C0000-0x00000212776CA000-memory.dmp

Filesize
40KB

Download
memory/4020-152-0x0000000000000000-mapping.dmp

Download
memory/4036-154-0x0000000000000000-mapping.dmp

Download
memory/4616-151-0x0000000000000000-mapping.dmp

Download
memory/4964-136-0x000001AA9F960000-0x000001AAA0960000-memory.dmp

Filesize
16.0MB

Download
memory/4964-150-0x00007FFBDC0C0000-0x00007FFBDCB81000-memory.dmp

Filesize
10.8MB

Download
memory/4964-149-0x000001AA9F960000-0x000001AAA0960000-memory.dmp

Filesize
16.0MB

Download
memory/4964-143-0x00007FFBDC0C0000-0x00007FFBDCB81000-memory.dmp

Filesize
10.8MB

Download
memory/4964-132-0x00007FFBDC0C0000-0x00007FFBDCB81000-memory.dmp

Filesize
10.8MB

Download
memory/4964-134-0x000001AABA010000-0x000001AABA538000-memory.dmp

Filesize
5.2MB

Download
memory/4964-133-0x000001AAB9960000-0x000001AAB9ADE000-memory.dmp

Filesize
1.5MB

Download