magniber | df8dce1ee7e2c194ff3be88cc11e3ecd69ccfabb9b2ae9beb5e83b55ce628d4a

Analysis

max time kernel
120s
max time network
100s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
27-08-2024 16:23

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

a0f95786d74ff238ac3b3b415949ace0N.dll
Size

306KB
MD5

a0f95786d74ff238ac3b3b415949ace0
SHA1

0b5be735058fd69dd45f6cf22fdb2d2905f4cb62
SHA256

df8dce1ee7e2c194ff3be88cc11e3ecd69ccfabb9b2ae9beb5e83b55ce628d4a
SHA512

29c19dd384f272464fb697713978e3ed31eb0785a459878cabc9f1bad56328b1818470d7ea82d86ab9d9f7d90daaead2de32fe514c9b4254e9e33dbeb4c248f1
SSDEEP

3072:VdTfrxerj474EArcIxwgWDaKwAF3kQvlwXIHO6zqf50huP9Vvgmn5NgjFkm:HTjUelArcI2g/2/aXIHOGqh02vgiAkm

Score

10^/10

magniber evasion ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4512-0-0x0000028548730000-0x000002854873C000-memory.dmp	family_magniber
behavioral2/memory/2652-5-0x0000023D3C2F0000-0x0000023D3C2FB000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 8 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

Processes:

bcdedit.exebcdedit.exewbadmin.exewbadmin.exebcdedit.exebcdedit.exewbadmin.exewbadmin.exe

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3152	1236	bcdedit.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1928	1236	bcdedit.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4168	1236	wbadmin.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1560	1236	wbadmin.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	3088	1236	bcdedit.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	4288	1236	bcdedit.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2380	1236	wbadmin.exe	100
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1900	1236	wbadmin.exe	100

Modifies boot configuration data using bcdedit 1 TTPs 4 IoCs

ransomware evasion

Inhibit System Recovery

T1490

Processes:

bcdedit.exebcdedit.exebcdedit.exebcdedit.exe

pid	Process
3152	bcdedit.exe
1928	bcdedit.exe
3088	bcdedit.exe
4288	bcdedit.exe

Renames multiple (86) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Deletes System State backups 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exe

pid	Process
1560	wbadmin.exe
1900	wbadmin.exe

Deletes backup catalog 3 TTPs 2 IoCs

Uses wbadmin.exe to inhibit system recovery.

ransomware

Command and Scripting Interpreter

T1059

File Deletion

T1070.004

Inhibit System Recovery

T1490

Processes:

wbadmin.exewbadmin.exe

pid	Process
4168	wbadmin.exe
2380	wbadmin.exe

Checks SCSI registry key(s) 3 TTPs 4 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

vds.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_WDC&PROD_WDS100T2B0A\4&215468A5&0&000000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_WDC&Prod_WDS100T2B0A\4&215468a5&0&000000\FriendlyName	vds.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000	vds.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\FriendlyName	vds.exe

Modifies registry class 43 IoCs

Processes:

RuntimeBroker.exeRuntimeBroker.exetaskhostw.exesvchost.exeRuntimeBroker.exesihost.exeExplorer.EXEsvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/eyiienupgu.scm"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/lgpshsud.scm"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/murdenh.scm"	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	sihost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppModel\SystemAppData\Microsoft.Windows.Search_cw5n1h2txyewy\WasEverActivated = "1"	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/xrsikwtm.scm"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	Explorer.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	RuntimeBroker.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/pphtfvn.scm"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/bwvjfarmpeod.scm"	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/wnsbqsr.scm"	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	svchost.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings	sihost.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/gtvxucakicy.scm"	RuntimeBroker.exe
Key created	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\ms-settings\CurVer	taskhostw.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1194130065-3471212556-1656947724-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	svchost.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
4512	rundll32.exe
4512	rundll32.exe

Suspicious use of AdjustPrivilegeToken 59 IoCs

Processes:

Explorer.EXERuntimeBroker.exevssvc.exewbengine.exe

description	pid	Process
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3996	RuntimeBroker.exe
Token: SeShutdownPrivilege	3996	RuntimeBroker.exe
Token: SeBackupPrivilege	936	vssvc.exe
Token: SeRestorePrivilege	936	vssvc.exe
Token: SeAuditPrivilege	936	vssvc.exe
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeBackupPrivilege	3500	wbengine.exe
Token: SeRestorePrivilege	3500	wbengine.exe
Token: SeSecurityPrivilege	3500	wbengine.exe
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3996	RuntimeBroker.exe
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3996	RuntimeBroker.exe
Token: SeShutdownPrivilege	3996	RuntimeBroker.exe
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE
Token: SeShutdownPrivilege	3548	Explorer.EXE
Token: SeCreatePagefilePrivilege	3548	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

Processes:

RuntimeBroker.exeExplorer.EXE

pid	Process
3996	RuntimeBroker.exe
3548	Explorer.EXE

Suspicious use of WriteProcessMemory 30 IoCs

Processes:

rundll32.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.execmd.exefodhelper.exe

description	pid	Process	procid_target
PID 4512 wrote to memory of 2652	4512	rundll32.exe	44
PID 4512 wrote to memory of 2664	4512	rundll32.exe	45
PID 4512 wrote to memory of 2864	4512	rundll32.exe	51
PID 4512 wrote to memory of 3548	4512	rundll32.exe	56
PID 4512 wrote to memory of 3656	4512	rundll32.exe	57
PID 4512 wrote to memory of 3836	4512	rundll32.exe	58
PID 4512 wrote to memory of 3928	4512	rundll32.exe	59
PID 4512 wrote to memory of 3996	4512	rundll32.exe	60
PID 4512 wrote to memory of 4084	4512	rundll32.exe	61
PID 4512 wrote to memory of 3676	4512	rundll32.exe	62
PID 4512 wrote to memory of 1068	4512	rundll32.exe	75
PID 4512 wrote to memory of 4492	4512	rundll32.exe	76
PID 4512 wrote to memory of 788	4512	rundll32.exe	83
PID 4512 wrote to memory of 972	4512	rundll32.exe	84
PID 3760 wrote to memory of 3316	3760	cmd.exe	111
PID 3760 wrote to memory of 3316	3760	cmd.exe	111
PID 3316 wrote to memory of 980	3316	fodhelper.exe	112
PID 3316 wrote to memory of 980	3316	fodhelper.exe	112
PID 1488 wrote to memory of 2648	1488	cmd.exe	129
PID 1488 wrote to memory of 2648	1488	cmd.exe	129
PID 2648 wrote to memory of 3088	2648	fodhelper.exe	130
PID 2648 wrote to memory of 3088	2648	fodhelper.exe	130
PID 1100 wrote to memory of 3536	1100	cmd.exe	134
PID 1100 wrote to memory of 3536	1100	cmd.exe	134
PID 3536 wrote to memory of 4644	3536	fodhelper.exe	135
PID 3536 wrote to memory of 4644	3536	fodhelper.exe	135
PID 4828 wrote to memory of 4768	4828	cmd.exe	141
PID 4828 wrote to memory of 4768	4828	cmd.exe	141
PID 4768 wrote to memory of 2912	4768	fodhelper.exe	142
PID 4768 wrote to memory of 2912	4768	fodhelper.exe	142

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
- Modifies registry class
PID:2652
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1488
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:2648
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/gtvxucakicy.scm
      4⤵
      PID:3088

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
- Modifies registry class
PID:2664
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3760
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3316
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/murdenh.scm
      4⤵
      PID:980

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies registry class
PID:2864

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3548
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\a0f95786d74ff238ac3b3b415949ace0N.dll,#1
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4512

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
- Modifies registry class
PID:3656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3836

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3928

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:3996
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4828
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:4768
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/pphtfvn.scm
      4⤵
      PID:2912

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:4084

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:3676

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:1068

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Modifies registry class
PID:4492
- C:\Windows\System32\cmd.exe
  /c fodhelper.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1100
- - C:\Windows\System32\fodhelper.exe
    fodhelper.exe
    3⤵
    - Suspicious use of WriteProcessMemory
    PID:3536
  - - C:\Windows\system32\wscript.exe
      "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/bwvjfarmpeod.scm
      4⤵
      PID:4644

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:788

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:972

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:936

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3152

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:1928

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:4168

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1560

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3500

C:\Windows\System32\vdsldr.exe
C:\Windows\System32\vdsldr.exe -Embedding
1⤵
PID:2400

C:\Windows\System32\vds.exe
C:\Windows\System32\vds.exe
1⤵
- Checks SCSI registry key(s)
PID:1860

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} bootstatuspolicy ignoreallfailures
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:3088

C:\Windows\system32\bcdedit.exe
bcdedit /set {default} recoveryenabled no
1⤵
- Process spawned unexpected child process
- Modifies boot configuration data using bcdedit
PID:4288

C:\Windows\system32\wbadmin.exe
wbadmin delete catalog -quiet
1⤵
- Process spawned unexpected child process
- Deletes backup catalog
PID:2380

C:\Windows\system32\wbadmin.exe
wbadmin delete systemstatebackup -quiet
1⤵
- Process spawned unexpected child process
- Deletes System State backups
PID:1900

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\thumbcache_idx.db

Filesize
28KB

MD5
69376a4fe3af25bd86b6a8a3153b9995

SHA1
72db84592edf1be9bf037bfbd41ccd466fef100b

SHA256
cf407ace0bc7def286ed520c35c01126a7137f1f7528528241e908d35cdf0ecc

SHA512
c5f6abf08cffa35a55948c03595d76fc90db86a9eb5dae81bf5e3bd9b388e56db91cceae1c8228d5af517c7cc2be3996a131ee23e95cf116034c50cd6b1cb096

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\310091\1724775842

Filesize
2KB

MD5
e02e2523a0b892120d327e65a521f97b

SHA1
ecdc9992390affe63e234e1d93c0fe3daf66d4dd

SHA256
a4740a4a1fd443c31d92e553bfb6979985b0a90f5bd874a0dd1cdcb9cfba8585

SHA512
e5515696ae2d0307c95f66f47f42f91f8e1d7ee72149b82ad6da9a8e75a1cd96604c34bef90224d5bd96ff991e026ec4772e6d15b56aa19fab0c4f64766ff04e

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.ContentDeliveryManager_cw5n1h2txyewy\LocalState\ContentManagementSDK\Creatives\338388\1724775842

Filesize
4KB

MD5
62120e12a7e871614d1defc092eb8652

SHA1
42cd378bc5734c009063d7ee9e4c657c578baa55

SHA256
b98dfbb23328b706a01e4d7639c3e334eee9884b99fdb25d51d0f128cd804625

SHA512
bf423815e2dc87cdb0a7e118d7e57919f2405c82fcf2ecd6e189b82c62a9e454c30bc40e511169d29f3a26d6212b24ec5d7f6d9c12d52cb6e8d47485be707cc2

Download Submit
C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133692494501270460.txt

Filesize
75KB

MD5
4fc1c04995407e2a0a38c2f7f4c6b5a0

SHA1
545ff5c5cf49501595f78e227d808121841f4796

SHA256
cd5ea0750e6df0dc34e07e61b7db36d5e4bee5767009065c1cc04b72c7089408

SHA512
4903c6cf0721de948e0e7e9d1bec6e823dce300d39a1712b3c5b3b1e37291ad33ae3bb7fc4eff614d0882d789768a84ccbe656c2845fd88127b252791225b74f

Download Submit
C:\Users\Admin\Pictures\README.html

Filesize
16KB

MD5
e619ffab7b0c97fd749f3fe3808ba59e

SHA1
d9c2d05d504a85c7f3ebe293edc5fa05243cbb66

SHA256
4dbcf879293165ff7fe5f8f7e28107ed838abd6deeb7dd235624e76472c6c449

SHA512
6d114e7006d726a5363131bd336bc8d24e1d426561d8254627eda7201ce729e38570deaeb2718435b7ac0c5ba860ef328a0e21a9f17a698277541e7cbf9f0304

Download Submit
C:\Users\Public\simwqlgjsh.scm

Filesize
841B

MD5
275badec701852e5514fa75bfbb7f2d7

SHA1
2289db3427d989673aba5716c3d41cadbc0c44c3

SHA256
2617fe2ebfae61455dea5a9a23bc59377b401778f2c4e4a6b80ef332e84390a4

SHA512
a71fcd072bdcc5e7f86332ef917f7fed36b1814da60a036a30f0893bf7f308ec0f3cbe9f6d7924d75cd2ba4459897d4042badc363b808b79f6761cb3449b70b6

Download Submit
memory/2652-5-0x0000023D3C2F0000-0x0000023D3C2FB000-memory.dmp

Filesize
44KB

Download
memory/4512-0-0x0000028548730000-0x000002854873C000-memory.dmp

Filesize
48KB

Download
memory/4512-6-0x0000028548E70000-0x0000028548E71000-memory.dmp

Filesize
4KB

Download
memory/4512-7-0x0000028548E80000-0x0000028548E81000-memory.dmp

Filesize
4KB

Download
memory/4512-4-0x0000028548E50000-0x0000028548E51000-memory.dmp

Filesize
4KB

Download
memory/4512-3-0x0000028548880000-0x0000028548881000-memory.dmp

Filesize
4KB

Download
memory/4512-2-0x0000028548870000-0x0000028548871000-memory.dmp

Filesize
4KB

Download
memory/4512-1-0x0000028548740000-0x0000028548741000-memory.dmp

Filesize
4KB

Download