magniber | 2b474cca6c5ff5e1d435d91694b4436876901e3be9c63c3a1d76ff3dbc432017

Analysis

max time kernel
120s
max time network
119s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
29-12-2023 18:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

009aaaf3b4f3a34b662cb9d27fb4409d.dll
Size

39KB
MD5

009aaaf3b4f3a34b662cb9d27fb4409d
SHA1

ac5bfd05ec67090c4f7180519628328e29f3f39a
SHA256

2b474cca6c5ff5e1d435d91694b4436876901e3be9c63c3a1d76ff3dbc432017
SHA512

50973c3ac2849c8664d74d7efc07fcb0a43260d05030fa7772f135cf716357d522309e70d7ba4ee51cd44ea7a3c711b321221b33ab192ccce6ee71dceb527aea
SSDEEP

768:QJvL0rvzhHm06R0Zd+01mV0kgMazfo269xnWf77/KrkVPe4kQKNNJ7kIGsp9C88K:q0rvzhV6Ra+01Y0dMio39xWDrKrkVm4i

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://4cc06478d6a030d076sgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://4cc06478d6a030d076sgokwyejx.actmake.site/sgokwyejx http://4cc06478d6a030d076sgokwyejx.bearsat.space/sgokwyejx http://4cc06478d6a030d076sgokwyejx.mixedon.xyz/sgokwyejx http://4cc06478d6a030d076sgokwyejx.spiteor.space/sgokwyejx Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://4cc06478d6a030d076sgokwyejx.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/sgokwyejx

http://4cc06478d6a030d076sgokwyejx.actmake.site/sgokwyejx

http://4cc06478d6a030d076sgokwyejx.bearsat.space/sgokwyejx

http://4cc06478d6a030d076sgokwyejx.mixedon.xyz/sgokwyejx

http://4cc06478d6a030d076sgokwyejx.spiteor.space/sgokwyejx

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/1244-0-0x0000000001E70000-0x00000000021AA000-memory.dmp	family_magniber
behavioral1/memory/1088-193-0x0000000000220000-0x0000000000224000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 12 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	112	2404	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1656	2404	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2564	2404	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	956	2404	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1804	2404	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1600	2404	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3016	2404	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2936	2404	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1320	2404	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1520	2404	vssadmin.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3068	2404	cmd.exe	37
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2200	2404	vssadmin.exe	37

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (79) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 1244 set thread context of 1088	1244	rundll32.exe	10
PID 1244 set thread context of 1176	1244	rundll32.exe	8
PID 1244 set thread context of 1208	1244	rundll32.exe	7

Interacts with shadow copies 2 TTPs 8 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
2564	vssadmin.exe
956	vssadmin.exe
1600	vssadmin.exe
3016	vssadmin.exe
1320	vssadmin.exe
1520	vssadmin.exe
2200	vssadmin.exe
112	vssadmin.exe

Modifies Internet Explorer settings 1 TTPs 34 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a00000000020000000000106600000001000020000000ff26afd1bbed7690f640f10b1c8581276404cbcaa231bee70ddd9f3f254fd853000000000e800000000200002000000071512cf8444285e8fe33eb69ce51cb7af3bc08612a816e8ae128e95dd223a01d200000005933017f5f92e998fd191480e1854272b24978d201a04a759d8fc97cc8813eb040000000e8aaa4375a10d9127f6011ddff0def1e9480526829bf8868c504720b611bf28d88af74b4a8554ec89b42c73bc0f6fe63542d7a86fc70e820bd9408bddbab196b	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = a0232b0def3dda01	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb01000000969d72c3e5a03a40a0257479feadc03a000000000200000000001066000000010000200000004132408e9721e7031a8242ec6d6e1d0e0abdb5900bb6fe9fac97a24948d2fb5c000000000e800000000200002000000028e3f2a2662561f139b58630050187f4cb9f6cb71a66ded8db5a83db05e7ca90900000007c07c3c750a5078b9c3b7e32b0354dc5830859d99705d70f8a92b02612256e978b436de38fdbe3c14f3ea9ab5cc0f91710f718860ac7fec8308a65c12e6f8f5e67a5988f8a28cfa469e6cd75bd44f827dbce6de9d38cdf55af7ef84c80966c86b7d3abdba909ae3b24c2d234a6dbd63b38716c6f166e77d7ed6e10192f0e120f6913aa46a2e13b6c4f7855a96f2496ba40000000d37d6319f83519fdbd3c99f604a2eee15369e2c425f658e7954154c8762b5010675d10823d33f4d0236a858881449adff44da0fad71f2996ce54d0348bdbff8d	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{386043C1-A9E2-11EE-832E-DECE4B73D784} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "410411826"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe

Modifies registry class 11 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command	Dwm.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile	taskhost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Dwm.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2108	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1244	rundll32.exe
1244	rundll32.exe

Suspicious behavior: MapViewOfSection 3 IoCs

pid	Process
1244	rundll32.exe
1244	rundll32.exe
1244	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	996	wmic.exe
Token: SeSecurityPrivilege	996	wmic.exe
Token: SeTakeOwnershipPrivilege	996	wmic.exe
Token: SeLoadDriverPrivilege	996	wmic.exe
Token: SeSystemProfilePrivilege	996	wmic.exe
Token: SeSystemtimePrivilege	996	wmic.exe
Token: SeProfSingleProcessPrivilege	996	wmic.exe
Token: SeIncBasePriorityPrivilege	996	wmic.exe
Token: SeCreatePagefilePrivilege	996	wmic.exe
Token: SeBackupPrivilege	996	wmic.exe
Token: SeRestorePrivilege	996	wmic.exe
Token: SeShutdownPrivilege	996	wmic.exe
Token: SeDebugPrivilege	996	wmic.exe
Token: SeSystemEnvironmentPrivilege	996	wmic.exe
Token: SeRemoteShutdownPrivilege	996	wmic.exe
Token: SeUndockPrivilege	996	wmic.exe
Token: SeManageVolumePrivilege	996	wmic.exe
Token: 33	996	wmic.exe
Token: 34	996	wmic.exe
Token: 35	996	wmic.exe
Token: SeIncreaseQuotaPrivilege	780	WMIC.exe
Token: SeSecurityPrivilege	780	WMIC.exe
Token: SeTakeOwnershipPrivilege	780	WMIC.exe
Token: SeLoadDriverPrivilege	780	WMIC.exe
Token: SeSystemProfilePrivilege	780	WMIC.exe
Token: SeSystemtimePrivilege	780	WMIC.exe
Token: SeProfSingleProcessPrivilege	780	WMIC.exe
Token: SeIncBasePriorityPrivilege	780	WMIC.exe
Token: SeCreatePagefilePrivilege	780	WMIC.exe
Token: SeBackupPrivilege	780	WMIC.exe
Token: SeRestorePrivilege	780	WMIC.exe
Token: SeShutdownPrivilege	780	WMIC.exe
Token: SeDebugPrivilege	780	WMIC.exe
Token: SeSystemEnvironmentPrivilege	780	WMIC.exe
Token: SeRemoteShutdownPrivilege	780	WMIC.exe
Token: SeUndockPrivilege	780	WMIC.exe
Token: SeManageVolumePrivilege	780	WMIC.exe
Token: 33	780	WMIC.exe
Token: 34	780	WMIC.exe
Token: 35	780	WMIC.exe
Token: SeIncreaseQuotaPrivilege	996	wmic.exe
Token: SeSecurityPrivilege	996	wmic.exe
Token: SeTakeOwnershipPrivilege	996	wmic.exe
Token: SeLoadDriverPrivilege	996	wmic.exe
Token: SeSystemProfilePrivilege	996	wmic.exe
Token: SeSystemtimePrivilege	996	wmic.exe
Token: SeProfSingleProcessPrivilege	996	wmic.exe
Token: SeIncBasePriorityPrivilege	996	wmic.exe
Token: SeCreatePagefilePrivilege	996	wmic.exe
Token: SeBackupPrivilege	996	wmic.exe
Token: SeRestorePrivilege	996	wmic.exe
Token: SeShutdownPrivilege	996	wmic.exe
Token: SeDebugPrivilege	996	wmic.exe
Token: SeSystemEnvironmentPrivilege	996	wmic.exe
Token: SeRemoteShutdownPrivilege	996	wmic.exe
Token: SeUndockPrivilege	996	wmic.exe
Token: SeManageVolumePrivilege	996	wmic.exe
Token: 33	996	wmic.exe
Token: 34	996	wmic.exe
Token: 35	996	wmic.exe
Token: SeIncreaseQuotaPrivilege	780	WMIC.exe
Token: SeSecurityPrivilege	780	WMIC.exe
Token: SeTakeOwnershipPrivilege	780	WMIC.exe
Token: SeLoadDriverPrivilege	780	WMIC.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
1588	iexplore.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
1588	iexplore.exe
1588	iexplore.exe
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE
2088	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1088 wrote to memory of 2108	1088	taskhost.exe	28
PID 1088 wrote to memory of 2108	1088	taskhost.exe	28
PID 1088 wrote to memory of 2108	1088	taskhost.exe	28
PID 1088 wrote to memory of 2120	1088	taskhost.exe	29
PID 1088 wrote to memory of 2120	1088	taskhost.exe	29
PID 1088 wrote to memory of 2120	1088	taskhost.exe	29
PID 1088 wrote to memory of 996	1088	taskhost.exe	34
PID 1088 wrote to memory of 996	1088	taskhost.exe	34
PID 1088 wrote to memory of 996	1088	taskhost.exe	34
PID 1088 wrote to memory of 1496	1088	taskhost.exe	31
PID 1088 wrote to memory of 1496	1088	taskhost.exe	31
PID 1088 wrote to memory of 1496	1088	taskhost.exe	31
PID 1496 wrote to memory of 780	1496	cmd.exe	35
PID 1496 wrote to memory of 780	1496	cmd.exe	35
PID 1496 wrote to memory of 780	1496	cmd.exe	35
PID 2120 wrote to memory of 1588	2120	cmd.exe	36
PID 2120 wrote to memory of 1588	2120	cmd.exe	36
PID 2120 wrote to memory of 1588	2120	cmd.exe	36
PID 1588 wrote to memory of 2088	1588	iexplore.exe	43
PID 1588 wrote to memory of 2088	1588	iexplore.exe	43
PID 1588 wrote to memory of 2088	1588	iexplore.exe	43
PID 1588 wrote to memory of 2088	1588	iexplore.exe	43
PID 1656 wrote to memory of 1592	1656	cmd.exe	44
PID 1656 wrote to memory of 1592	1656	cmd.exe	44
PID 1656 wrote to memory of 1592	1656	cmd.exe	44
PID 1592 wrote to memory of 2680	1592	CompMgmtLauncher.exe	47
PID 1592 wrote to memory of 2680	1592	CompMgmtLauncher.exe	47
PID 1592 wrote to memory of 2680	1592	CompMgmtLauncher.exe	47
PID 1176 wrote to memory of 608	1176	Dwm.exe	54
PID 1176 wrote to memory of 608	1176	Dwm.exe	54
PID 1176 wrote to memory of 608	1176	Dwm.exe	54
PID 1176 wrote to memory of 600	1176	Dwm.exe	55
PID 1176 wrote to memory of 600	1176	Dwm.exe	55
PID 1176 wrote to memory of 600	1176	Dwm.exe	55
PID 600 wrote to memory of 2164	600	cmd.exe	58
PID 600 wrote to memory of 2164	600	cmd.exe	58
PID 600 wrote to memory of 2164	600	cmd.exe	58
PID 1804 wrote to memory of 2532	1804	cmd.exe	63
PID 1804 wrote to memory of 2532	1804	cmd.exe	63
PID 1804 wrote to memory of 2532	1804	cmd.exe	63
PID 2532 wrote to memory of 1568	2532	CompMgmtLauncher.exe	64
PID 2532 wrote to memory of 1568	2532	CompMgmtLauncher.exe	64
PID 2532 wrote to memory of 1568	2532	CompMgmtLauncher.exe	64
PID 1208 wrote to memory of 1548	1208	Explorer.EXE	81
PID 1208 wrote to memory of 1548	1208	Explorer.EXE	81
PID 1208 wrote to memory of 1548	1208	Explorer.EXE	81
PID 1208 wrote to memory of 1968	1208	Explorer.EXE	80
PID 1208 wrote to memory of 1968	1208	Explorer.EXE	80
PID 1208 wrote to memory of 1968	1208	Explorer.EXE	80
PID 1968 wrote to memory of 1304	1968	cmd.exe	68
PID 1968 wrote to memory of 1304	1968	cmd.exe	68
PID 1968 wrote to memory of 1304	1968	cmd.exe	68
PID 2936 wrote to memory of 1656	2936	cmd.exe	69
PID 2936 wrote to memory of 1656	2936	cmd.exe	69
PID 2936 wrote to memory of 1656	2936	cmd.exe	69
PID 1656 wrote to memory of 2732	1656	CompMgmtLauncher.exe	73
PID 1656 wrote to memory of 2732	1656	CompMgmtLauncher.exe	73
PID 1656 wrote to memory of 2732	1656	CompMgmtLauncher.exe	73
PID 1244 wrote to memory of 688	1244	rundll32.exe	95
PID 1244 wrote to memory of 688	1244	rundll32.exe	95
PID 1244 wrote to memory of 688	1244	rundll32.exe	95
PID 1244 wrote to memory of 1984	1244	rundll32.exe	94
PID 1244 wrote to memory of 1984	1244	rundll32.exe	94
PID 1244 wrote to memory of 1984	1244	rundll32.exe	94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1208
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\009aaaf3b4f3a34b662cb9d27fb4409d.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Modifies registry class
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1244
- - C:\Windows\system32\cmd.exe
    cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
    3⤵
    PID:1984
- - C:\Windows\system32\wbem\wmic.exe
    C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:688
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1968
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1548

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1176
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:608
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:600
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    PID:2164

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1088
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2108
- C:\Windows\system32\cmd.exe
  cmd /c "start http://4cc06478d6a030d076sgokwyejx.actmake.site/sgokwyejx^&2^&35326166^&79^&331^&12"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2120
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://4cc06478d6a030d076sgokwyejx.actmake.site/sgokwyejx&2&35326166&79&331&12
    3⤵
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:1588
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1588 CREDAT:275457 /prefetch:2
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of SetWindowsHookEx
      PID:2088
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:780
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:996

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:112

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1592
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:2680

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2708

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2564

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:956

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:1804
- C:\Windows\system32\CompMgmtLauncher.exe
  CompMgmtLauncher.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2532
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:1568

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1600

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:1304

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:1656
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2732

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:3016

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1320

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:2336

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
PID:3044
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:1340

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1520

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
- Process spawned unexpected child process
PID:3068

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2200

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
8f2e69e2866f5eec138efb4db3a26051

SHA1
766b1801c95745b7cdfc6c9b82316a5d6e3f3272

SHA256
e0e5eb194f9f3d40d0ec518a7ae40720aac7f4cec5f4551967a1c27f417c50c6

SHA512
ebdff506b15944cabc3e9d67d241d3bf495455274de99c2d87e44af4afa45f358fa174900f125febacb8b9bdf7e19c66ee1d290c35fea3e47a6e89516b78deaf

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
327164d181fdb794257c54965f4994ac

SHA1
59e9f59f3b5eb9da09d8905453fedb36fa58077b

SHA256
2f3011c899f23ecad53083bb1b83c8f61b9222acecc3bf911cfb42c8f48c2fe7

SHA512
ac357d40d40b2b09b49ab35d7855c90d43bd461aa5ee5d52bdaf5885be3784d1af5dda9cb5e2e475f728d7d81678b2fafd895d79123a9de5050d657a2edea88e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
01a41891f11d8ec0cf0f7ca6af8e7085

SHA1
253596011bac2c16d25135473108d7c7f9678f75

SHA256
cad88ccfb4d806a4416bdcfa53dd075428925aa637e4b3d848c872c5553fed2c

SHA512
b89dcaedf8cb167f5068540d0658b8d1049dde6db6f19525c3fdf9102ddd9e1ea4c3c7def4372ea0a70b1d1f6f3713d6219d2d7f57cdb0c9651cb658dbf3d9a6

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
53f8c3a36757f60e2cb2bfa28315aad2

SHA1
c6901fda7f2004812e54f9bae445a9b2b691ad61

SHA256
5aa7f4f7dcac79248b49af762d0483dd20444653e4f9b51b9246b6614594bc0b

SHA512
3dfd36b87d6e2226284d04ebdeec21e45ac681c35130b4795ad0c616ee5050a37e5bdf28ba4ebeeb61d720897b1395a5ea095fb615c1a308847107edef5ffba3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabA834.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarA8E3.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\Pictures\readme.txt

Filesize
1KB

MD5
8895b466cb001b4547073d74d19081e0

SHA1
62a74705ac70f4338c42bb0c121b30a5bc365042

SHA256
17581f8ec3fb8999a74dea4254a36224ec5906164478e200c25a539e331e51f5

SHA512
9276741139082b4a44548f7f19268612930f024a120aae83d3b25fccbf30d8928ef9a1b6263142c1782c7331dcb8985fb6ba67151e64148fa78dfe9d795446e7

Download Submit
memory/1088-193-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1088-7-0x0000000000220000-0x0000000000224000-memory.dmp

Filesize
16KB

Download
memory/1244-6-0x0000000002240000-0x0000000002241000-memory.dmp

Filesize
4KB

Download
memory/1244-1-0x00000000002A0000-0x00000000002A1000-memory.dmp

Filesize
4KB

Download
memory/1244-99-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/1244-128-0x00000000022B0000-0x00000000022B1000-memory.dmp

Filesize
4KB

Download
memory/1244-157-0x00000000022C0000-0x00000000022C1000-memory.dmp

Filesize
4KB

Download
memory/1244-30-0x0000000002260000-0x0000000002261000-memory.dmp

Filesize
4KB

Download
memory/1244-8-0x0000000002250000-0x0000000002251000-memory.dmp

Filesize
4KB

Download
memory/1244-65-0x0000000002290000-0x0000000002291000-memory.dmp

Filesize
4KB

Download
memory/1244-0-0x0000000001E70000-0x00000000021AA000-memory.dmp

Filesize
3.2MB

Download
memory/1244-3-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download
memory/1244-4-0x0000000002220000-0x0000000002221000-memory.dmp

Filesize
4KB

Download
memory/1244-5-0x0000000002230000-0x0000000002231000-memory.dmp

Filesize
4KB

Download
memory/1244-2-0x00000000002B0000-0x00000000002B1000-memory.dmp

Filesize
4KB

Download
memory/1244-1055-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download