cdcaa4a5c0a620047b45b49968c30bf26a57834e7a6489fe3026a8d99b7f5cbf

Analysis

max time kernel
100s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
29/04/2024, 05:07

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Size

6.7MB
MD5

c16f00308248ddaa94e75fdbc8ec490e
SHA1

01e25e544d310d3b930b17855743b1f05f8b9479
SHA256

cdcaa4a5c0a620047b45b49968c30bf26a57834e7a6489fe3026a8d99b7f5cbf
SHA512

0a4ba3a564149f5afe8d5bd61f26083190c02dc9c22959d93f5444716a40c531ed32c00d98581d26fe1ea69713b27fe19189123f109899c070ff6a5e8b5b9cc1
SSDEEP

98304:4/AH+HGh2ZzVlvoFAvyIwZ8UX8Un8UXgeEeg/uI:hH/QBJE8UX8Un8UhI

Score

6^/10

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\R:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\Z:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\P:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\K:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\L:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\M:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\I:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\U:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\Y:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\B:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\J:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\T:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\W:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\V:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\S:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\G:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\H:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\N:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\X:	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
File opened (read-only)	\??\O:	msiexec.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation	seederexe.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ole32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\dnsapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Storage.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\secur32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wkernelbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\advapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\bcryptprimitives.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wtsapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wimm32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\webio.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wmswsock.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\exe\stat_sender.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wrpcrt4.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\version.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\stat_sender.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wsspicli.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\bcryptprimitives.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\webio.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wmswsock.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Windows.Storage.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\BitsProxy.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\shlwapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wimm32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\secur32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\iphlpapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	sender.exe

Drops file in Windows directory 24 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIA5A0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5B1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA6BF.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA74D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e579ed0.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA0C4.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA501.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA512.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA5C2.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA72D.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1C0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4C1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA4F1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA590.tmp	msiexec.exe
File created	C:\Windows\Installer\e579ed0.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA181.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA3D5.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA1E0.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA601.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIA602.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
2944	seederexe.exe
3748	sender.exe
5080	lite_installer.exe

Loads dropped DLL 17 IoCs

pid	Process
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe
3296	MsiExec.exe
1292	MsiExec.exe
1292	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 1 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
636	msiexec.exe
636	msiexec.exe
3748	sender.exe
3748	sender.exe
5080	lite_installer.exe
5080	lite_installer.exe
5080	lite_installer.exe
5080	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeIncreaseQuotaPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeSecurityPrivilege	636	msiexec.exe
Token: SeCreateTokenPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeLockMemoryPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeIncreaseQuotaPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeMachineAccountPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeTcbPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeSecurityPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeTakeOwnershipPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeLoadDriverPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeSystemProfilePrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeSystemtimePrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeProfSingleProcessPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeIncBasePriorityPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeCreatePagefilePrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeCreatePermanentPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeBackupPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeRestorePrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeShutdownPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeDebugPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeAuditPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeSystemEnvironmentPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeChangeNotifyPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeRemoteShutdownPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeUndockPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeSyncAgentPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeEnableDelegationPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeManageVolumePrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeImpersonatePrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeCreateGlobalPrivilege	2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe
Token: SeRestorePrivilege	636	msiexec.exe
Token: SeTakeOwnershipPrivilege	636	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
2356	2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 636 wrote to memory of 1292	636	msiexec.exe	91
PID 636 wrote to memory of 1292	636	msiexec.exe	91
PID 636 wrote to memory of 1292	636	msiexec.exe	91
PID 1292 wrote to memory of 2944	1292	MsiExec.exe	93
PID 1292 wrote to memory of 2944	1292	MsiExec.exe	93
PID 1292 wrote to memory of 2944	1292	MsiExec.exe	93
PID 2944 wrote to memory of 3748	2944	seederexe.exe	94
PID 2944 wrote to memory of 3748	2944	seederexe.exe	94
PID 2944 wrote to memory of 3748	2944	seederexe.exe	94
PID 636 wrote to memory of 3296	636	msiexec.exe	96
PID 636 wrote to memory of 3296	636	msiexec.exe	96
PID 636 wrote to memory of 3296	636	msiexec.exe	96
PID 1292 wrote to memory of 5080	1292	MsiExec.exe	97
PID 1292 wrote to memory of 5080	1292	MsiExec.exe	97
PID 1292 wrote to memory of 5080	1292	MsiExec.exe	97

C:\Users\Admin\AppData\Local\Temp\2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-29_c16f00308248ddaa94e75fdbc8ec490e_bkransomware_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:2356

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:636
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 152A67D16949F2C92E4EBBE54ECE72D8
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Users\Admin\AppData\Local\Temp\33DFBC52-87C7-47A9-B1EE-382AC52ADD29\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\33DFBC52-87C7-47A9-B1EE-382AC52ADD29\seederexe.exe" "--yqs=" "--yhp=" "--loglevel=trace" "--ess=clid=2270896&uuid=%7B5CD61AD4-E94A-474E-A82A-15EB7428C545%7D&cntp=0&jntp=0&intp=0&lntp=0&pntp=0&llntp=0&fntp=0&entp=0&ontp=0&cbl=0&gbl=0&vnt=100x64&file-no=38%0A106%0A25%0A47%0A37%0A8%0A102%0A" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\E744F2C7-B454-463D-BF3B-B731D3BA5A7B\sender.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious use of WriteProcessMemory
    PID:2944
  - - C:\Users\Admin\AppData\Local\Temp\E744F2C7-B454-463D-BF3B-B731D3BA5A7B\sender.exe
      C:\Users\Admin\AppData\Local\Temp\E744F2C7-B454-463D-BF3B-B731D3BA5A7B\sender.exe --send "/status.xml?clid=2270896&uuid=%7B5CD61AD4-E94A-474E-A82A-15EB7428C545%7D&vnt=100x64&file-no=8%0A25%0A37%0A38%0A47%0A102%0A106%0A129%0A"
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:3748
- - C:\Users\Admin\AppData\Local\Temp\9AB04D85-A104-4996-8B89-9A71C26E1012\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\9AB04D85-A104-4996-8B89-9A71C26E1012\lite_installer.exe" --use-user-default-locale --silent
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:5080
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding B263697211360D34F591973686D20D29 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  PID:3296

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e579ed1.rbs

Filesize
1.3MB

MD5
30f2bb48d417c4bdae245b4419b4ae31

SHA1
555bffa2410f45f7fc9b0e8f85a9d5dc2155bd85

SHA256
db26658d99dbcbae16b6eaa0c0b8947955969cbe75d2fb7d5a696a7057c428fc

SHA512
4d83a992373ade20ba49389c3f27c2ebf7a2d196b285aacb81b298bbe4584c56837995ab4ab2a74b1d6d499f5b8f43abcb3735059df7f90dcbd01c40d4400cd0

Download Submit
C:\Users\Admin\AppData\Local\Chromium\Metro\User Data\Default\Preferences

Filesize
5B

MD5
55743877f3ffd5fc834e97bc43a6e7bd

SHA1
00f550e11183e2bb70f8bf12699c3866e5c8fcb3

SHA256
8e1d794b49e35ea828279c6a8c95282bbb9a0787cf5c9385256c2cc9d17baeb7

SHA512
4c02f85e7bca1b9bd3497d313f90db66a6bd9bdf37710cf14c289025450416599ec1fcc3cb7305c07cacc740da94335698a8314db71b4a123303f95702c0f796

Download Submit
C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Local Storage\chrome-extension_fdjdjkkjoiomafnihnobkinnfjnnlhdg_0.localstorage

Filesize
5KB

MD5
3f51d78283fb5586b16da891ec9d0a90

SHA1
420f8c8efc847f37d76aa09278dbfe60a268d2e2

SHA256
318a28c5cd82c4fb9c4de80bfc55d73a1204f9bdfb57f94b2c3e4071b9df2be2

SHA512
756e58a3d79c2186f87dffe8aa68309f1f28796602254a536d45cf436d58eaec2b19c5823fd194a1f4fcfe8ff365eadd0be8d328c22362ab76050248874cad20

Download Submit
C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Local Storage\chrome-extension_fdjdjkkjoiomafnihnobkinnfjnnlhdg_0.localstorage

Filesize
7KB

MD5
1c8a4032b78c130aabea58587fc6c58d

SHA1
5828dbeb4d5a9676336a3e509bea991c19572f74

SHA256
bb7221fc275cbf4c339dcb8be18e41fd971555d2577c188cc7ae28888e8f3d5e

SHA512
e2398c0de07c7e4b32be07d55839bff8ececf4f5f3172f5ac15129b50716ee945bb0126df04a910666f0547b41a2061ba61ef3e13ba9478d9f6f10b84c2debb1

Download Submit
C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Local Storage\chrome-extension_fdjdjkkjoiomafnihnobkinnfjnnlhdg_0.localstorage

Filesize
7KB

MD5
a6fa3488f7a19560981f8b9502312830

SHA1
fcf595e31f6fdcf85d403d286c4d47330d83dbc7

SHA256
b92b4b874c5b8450c97b105eef879979f188b33e65d5c4bda7d59bbc69a3b620

SHA512
fd5a13cdce80329794d9fb485eb1eeab4591b35ecbe3d6c255880c60560e4bd3a9fa4a82547c780dc87732cce45a8dfaa5b930e4dd56b397602e32ac153e11c0

Download Submit
C:\Users\Admin\AppData\Local\Chromium\User Data\Default\Preferences

Filesize
30B

MD5
2b32a558d9e95cc9a3c708afc4d78fbf

SHA1
b3073050732486ed35b20e22e05c6f09744f4e4d

SHA256
39d672b6d3b0919ac9fc37864c26f7ef6ceb8b6289f4c9e2a25b023581872b20

SHA512
66322e344e3cc7de7c23905fa807b9148fd2433979726e54ffbbe81ca643496f0ec28c0319b6944832cdf6bb6f01252f63da98ddb92124cb74d1fdf8d3f65567

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Metro\User Data\Default\Preferences

Filesize
63B

MD5
f2c062c5c651b2f17108bf238c15ac9c

SHA1
e6b9cb360d132ac8cb412f55db9f6b0af02b191c

SHA256
8c0c80d448bd99fbed564651666fa78c84f6fd7bddd52f8a43b5b8651d803f01

SHA512
f0bbd700b83f285c39112a6c83432ea03c7bf2b89e2f0c0d7fda14e1eb3320c3fc76eab87fb7797797a143e78ae559784a4c6f3e2f2e4dd70f0a2f1398cfbac3

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\Metro\User Data\Default\Preferences

Filesize
992B

MD5
0ccff5a384e79180c5e3c75b215ea55b

SHA1
e51a22f51d6e1dea44554bb109804daa0b17c73b

SHA256
99a8fc46c122671352e19ba1df982ea0e670be87666dcd3b52b9c84d3757f5e8

SHA512
90219b87b5b5341702a40814d30953eea5c3c45e801d3f9a3e954a0bdbbe68e18cabce3ef06ff459d0aaebd5ca6a53fabc914a9a7f6a9c6f0edb224f4afa3f12

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
d1ef5187a4cf6e9a042304c018666f2f

SHA1
4da7c35655a8b94c78162b5998ed4d70ebef87de

SHA256
29a945b465fb38facb47873c4c81a8cbeea97f8b032fa819528b598c5ed50610

SHA512
55ad334b721d8bf3f5e288ef0712affc328d02f5ec7b5cd48d0a857d8d662915b789280041c6133cc23cabbb8928d438fa9bd1a03e8ee77881fd70c4d2f66108

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
8KB

MD5
84a1b9565af3c3f1a6a34f0a8266b03f

SHA1
f5a9a78b8271ad7da4478e54652537db5ba628a4

SHA256
fb57081c5915f8cb6a7030f8c487b56d869ea8730db715183c72ffe286a225ef

SHA512
d3d86a1f2f6aa4db2ddbd43e3e4a05263d9349cac2bc94f144c71535dc5c2f563bb34f90a121e8274af07e8a062a0d709119082475d7ee35b3beb00db721e605

Download Submit
C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Preferences

Filesize
7KB

MD5
fea95dfb7a98f7ea7ee4455014608892

SHA1
3cc3d2ee06757d08cd401879a1dbd0bdfa9525a9

SHA256
2f7fe8d59ef29c2223cffb0cf9d6f5e3d7380214f8daed1dae38cb72dff170ca

SHA512
c9c852860ea34cf07f6abe3e3d10d697ca0d263cd4b6b730245273263c8b0ec832f868add9df9f984ccbac27c57c2fc8d5632b8a1c49984801bf2f797015252d

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.12.1.2356 (PARTNER)\#Bar4IE.cab

Filesize
104KB

MD5
1093f0ca05e5a07170af9c125d4da530

SHA1
1b3ba5a930e7ed7fcb6ae7e6acbe241b510ce858

SHA256
8053cb0deff7b2c6e9891ce9e27eab14e40e644c2141f536da2cfc316add250c

SHA512
2383d89648df5e5e83d15ca188a3e46e3683516f84cdf5be6aea9bc75d974630937688ab556fdf577189526698152af92b4757b86a9eb6afeb5d5fa481f5220b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.12.1.2356 (PARTNER)\[email protected]

Filesize
496KB

MD5
a80e0ced440101213135763568e54f3b

SHA1
57f345136edef9f8894e72f548e2c25281c3aa87

SHA256
863670992230d231d1801db95c58b3b660eafd7e1529af7cfe7ed395c2964302

SHA512
ad186e6724e5cd35657774c89c3715d61de0df8f3e1978cf797491f400dafc4f9b50da18288accf99f85db64418ba8eb3303db87a04a97fc99c7299cbb40f0f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.12.1.2356 (PARTNER)\stdout.log

Filesize
40B

MD5
37c6ab48c0c7876df5693169833bad8a

SHA1
a2c034cb3d510c51af306ad95c31a4011e68d9b2

SHA256
8219fca02b42efa433038a9d5f22eded19cacc05d656cd6f2b439530f2474aba

SHA512
8972178e305362b862f37b84bf3391f879ce69ddefe41830a25b76989bf03e434a97a54961a8205e476040fc67a4edb98ff78d4aa5e528e097d9c62dac3a0e75

Download Submit
C:\Users\Admin\AppData\Local\Temp\2.12.1.2356 (PARTNER)\[email protected]

Filesize
1.7MB

MD5
4dcca932664c84d2def388f0e33729ea

SHA1
cfe6203621ce9f3936f04a1a8d9ff7077e2fe8fe

SHA256
df4c9a77a686630d1a3d7c3a338dce8fa3b066049214699faf5680acaf7d0f97

SHA512
e696f4816d821265adaf06c1d45087f44b0ca16bd398fc344e86559caf53c37d286f1a6f8939dde033dbede14098f7dfbd998387db4f648b5bc518b13ab707e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\33DFBC52-87C7-47A9-B1EE-382AC52ADD29\seederexe.exe

Filesize
1.5MB

MD5
6b7dbe77b944e2f2f713b1a7b1a78a7d

SHA1
a5f862319abe681f42395f203d106b7627732a9e

SHA256
1e748d4bb0ef06671baf8d0f1dc87f32593a5e38ea28bcf4ac34f2b0aaa422c2

SHA512
28a21ca99df1f1166ac842b5896943b6bf3a8d8b62836e8f640eeaf38926d2a379dffaed39132016df0adc14ded1bc23c85f09be6f09fe291c2a6a656b813e2a

Download Submit
C:\Users\Admin\AppData\Local\Temp\9AB04D85-A104-4996-8B89-9A71C26E1012\lite_installer.exe

Filesize
360KB

MD5
6aef23d9b019e4c4adda6dd4c26acd0f

SHA1
eb2f591f88be7d868a2c8b0b05e6946f44311692

SHA256
30daba3c1086ea7203f278ce9fc4274b2081eca655458b4832a8075a2412652e

SHA512
7b34a5a701c6aeeb065eca7f70c3d2304f2ed1ba2f1c9bf87b09e3ba25e90b8a049ed3246fa194bea5fdc982e31a72e9a83e8adad12cde6822400360d1562902

Download Submit
C:\Users\Admin\AppData\Local\Temp\E744F2C7-B454-463D-BF3B-B731D3BA5A7B\sender.exe

Filesize
217KB

MD5
515bacbf4089f76835701f7d54ffd10d

SHA1
26365deb5f7bac4dfc3bd2c49f24d5f7ca9e5d9a

SHA256
261f9bf83bcca61a778a6f8ce6f44fcafa7730e2c0103707a1b9120b43d463d6

SHA512
3bc7f47f71c96ff199403c328833ec497d553f3e8d5cc78153832f926869e548535ca8478a1c54b880ec9be34a75f0958f4f863627a623517517168c243e817d

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
33KB

MD5
9f27cb1d49a1efc86373b7ad61bea4c0

SHA1
5c25c5a51e1967d47590aed40bcf3e275e45bd2c

SHA256
94dca68b0c0ad837cd6e2ee6e75496a2589d6193a455eac0e345cbca5017897c

SHA512
cddfee0e574d2e5a6a7960976ad9fc13873d2a19c3bc0fa141c37cb24188b50c7ec7439a1d1cfcd03d110cff7d92a3fffc63aaa842c3dc8825dd43f492add1ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
531B

MD5
e6edeb347c6246aeb0fa62cd78efa8bc

SHA1
b671ca53975c38c1128a3941b1fcc159684ed7b8

SHA256
a023262d32469cb6e9546cd5a1e6c077810d4d634ca27ab53d962b005a37d366

SHA512
30de0cf87cf1374ebff36491773c3fef5223c54bc8d31ad4d19a5ff542377169bd4b2c6ebe94b8a6cef22ac5d2a3958306618e8d72c0c059ae846122378bf2a3

Download Submit
C:\Users\Admin\AppData\Local\Temp\etilqs_LTGFdc7h2dR6h1Y

Filesize
2KB

MD5
95871a30bc0a6c5e4421e798e96aa82e

SHA1
8b6f15daed73c5ac738a21bd3abbd0702106bfd1

SHA256
4f8b23ab2567fc5ee70445dd73cd6c808418c7188d4cfca2763fc912f4ea8084

SHA512
80d88569a599596e729a5180ebc0f6db3957f44bb214c3fd0cc9f53b07acabec864c62f8927877de22c6a2042ecc38cbc7c865128e46fe3f2e52270906b6815e

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
568B

MD5
9556698335b1439d1b63c88fbf61dcf5

SHA1
02da38a2ee89b3b93de60e46150a7d7844598276

SHA256
879b54826ce2655418718d9673ae9b6cfca8fb7af5741d0a99680b26d23c939c

SHA512
f4bc9c694a0be994b52263cd72b66cfe592870acc9c41ee3cb442136a9245b3fd44687bb33578425cd8afa511aef3d93f9491487e6be9a7ab4ace33e6dfeab27

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
6.4MB

MD5
f31e63017b8ed46ff7741401abd68a0f

SHA1
87067439219d7bea86ce44298c2d5a0f2a0513b2

SHA256
a9511f773d392a29516e2878f043fcd47d5fd8d2149c98f3077b032e3383eec1

SHA512
ab993e66b393eb03af322a0fcea4f0f2b54cffff6e459dfa995570361ebd1ce7e8a62da6ab04cf6fbca03fe554add770ed07dd0a9208e4a527d15a7b1759f003

Download Submit
C:\Users\Admin\AppData\Local\Xpom\Metro\User Data\Local State

Filesize
83B

MD5
beba89380690f7d54354290642add52b

SHA1
3ab5ea75b822de4f0df59c3de5030bcbdd89bf7d

SHA256
ac4f380f765cdab18c9fc9a00f10ea9ed0ea3888e8217e0015b6474c64380311

SHA512
516bde8f8e22574aef4ebde9e86250b46e21991fdb4441b984fbdb0798713118708dae561e35ef4fb854596140f997b64d59e928f62017d58dd86be110cf6142

Download Submit
C:\Users\Admin\AppData\Local\Xpom\User Data\Default\Preferences

Filesize
2B

MD5
99914b932bd37a50b983c5e7c90ae93b

SHA1
bf21a9e8fbc5a3846fb05b4fa0859e0917b2202f

SHA256
44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a

SHA512
27c74670adb75075fad058d5ceaf7b20c4e7786c83bae8a32f626f9782af34c9a33c2046ef60fd2a7878d378e29fec851806bbd9a67878f3a9f1cda4830763fd

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\i1179i57.Admin\prefs.js

Filesize
219B

MD5
bf1534e27a6f282dcc8d071088594bcf

SHA1
bb4ef3656b080425a3165a9f5d10e56560cb90a9

SHA256
89a7c756d307082f107ae7a17d1a3c3579c4fc7855b640e284587c4b8172a959

SHA512
6b231195e75d273632408202f681e94d5c29203f35118684f60dc70bbce01feec17909f0182128e035aa4d704a614a4b96525e09dc30ef8d69dcfca1b59b77ba

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\md1ejlmw.default-release\prefs.js

Filesize
8KB

MD5
5518437a764a5ddc33b576c043c01d3d

SHA1
abe9eeb27cc440eb9cc7d16765328c3aadc70776

SHA256
ada63c89eaf85f6dddb3b1defb2797136e93a1f005c8737a9db567ac0cb71f7c

SHA512
e675d8c20eb802e0aa6f9f7d46fa36b5d24421a1152d8dd4cdd427fe6d7729e8fa589a696ffcb6a94c9552e72b58b47ef5b56567145f47cf21d6eccfefb17d6e

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
1ebf10e06b364aacee3baef9ee1cf76d

SHA1
8a65f59ebb93102ba762c942fa162994d71f6418

SHA256
63d2e680c8053edba35384cbdae4540c44d156a5f58d6f7aaee80bfd44e3b52e

SHA512
fcaa3451418704614c1e99f82d512b5e5b724b1e65e23e6bc930bfc7d774b5b9de57d0ffe9df72a4a575ae4a12f149e151e0773f14e4265802565f657564015d

Download Submit
C:\Windows\Installer\MSIA0C4.tmp

Filesize
152KB

MD5
d7194cce0acb36242678fe14f0b593a5

SHA1
8f4c1c82a0d171eaa6b8b5e72669e4cebda62422

SHA256
3079088d87505fb30f18593345a36c0977d2c84471fd6f00ec7c529ba260239c

SHA512
1191fdfbbf592c9dc519c2eb906e6c8dabfd3b9b8d22446a4c646654b3453d867d2e9cc85591ed2c29bc0d8a09357ef885d92731eb1cc68ad5e7cde3bbf8d313

Download Submit
C:\Windows\Installer\MSIA181.tmp

Filesize
160KB

MD5
eb68dff1de027023aad354ab4b83c0a5

SHA1
9bff33e69584b1873a36de7472a5f7b9eb815c5f

SHA256
c9ea99c557ed4c3c3019f07b4271e4f148f8ee61be0dcb3ca3ce19e876f61bd5

SHA512
63a6759bae94b29f8a017e611c89fd2dd49b7b3bf64d660d8aab5817f5af605850cb8fec7c2865794b5dec46c560b13926f1dfea8cd979bb905bc6d42ae9a42d

Download Submit
C:\Windows\Installer\MSIA1E0.tmp

Filesize
1.2MB

MD5
9b17a6f0362a7f6cceb4eaa41dfd527f

SHA1
e9bdd20cec22e8d6f21d2782ff2ca5fbca8a62c4

SHA256
18c58d002823249659c4fd9ffab02702c64b75cb688cecdbb1797a623f8c893b

SHA512
40f5c1247bd93adbd1dc982c94f8a22a1e9f3a0b836c435d762c5772367709aeef598b44003ab6bc9a414eec1896f4408a0afae3256f40957034e536c1d38b9c

Download Submit