Analysis
-
max time kernel
2s -
max time network
183s -
platform
windows7_x64 -
resource
win7v20210408 -
submitted
19-05-2021 11:54
General
-
Target
3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
-
Size
22KB
-
MD5
8cd81ae69ade058076263addc8dd3ebb
-
SHA1
362eb81ecac33897d4dd2a3f175efaaf0fe2c2f5
-
SHA256
3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3
-
SHA512
6170bc3191b8d88043b5c7799c17338f4717af087fa4524141955d2e6cfb0cb468262bcc5c466fe39adfbc534796a79e06d84894ae9f7911b2353460580dac21
Malware Config
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://72601420c2784a70b4qwfekni.n5fnrf4l7bdjhelx.onion/qwfekni
http://72601420c2784a70b4qwfekni.perages.cyou/qwfekni
http://72601420c2784a70b4qwfekni.aimdrop.fit/qwfekni
http://72601420c2784a70b4qwfekni.soblack.xyz/qwfekni
http://72601420c2784a70b4qwfekni.sixsees.club/qwfekni
Signatures
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 9 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Modifies extensions of user files 7 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of SetThreadContext 4 IoCs
-
Interacts with shadow copies 2 TTPs 4 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies registry class 9 IoCs
-
Opens file in notepad (likely ransom note) 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of WriteProcessMemory 9 IoCs
Processes
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
-
C:\Users\Admin\AppData\Local\Temp\3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe"C:\Users\Admin\AppData\Local\Temp\3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe"2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
-
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe"2⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2424 CREDAT:275457 /prefetch:23⤵
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Modifies registry class
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe C:\Users\Public\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c "start http://72601420c2784a70b4qwfekni.perages.cyou/qwfekni^&1^&33450903^&87^&351^&12"2⤵
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://72601420c2784a70b4qwfekni.perages.cyou/qwfekni&1&33450903&87&351&123⤵
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2012 CREDAT:275457 /prefetch:24⤵
-
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\AUDIODG.EXEC:\Windows\system32\AUDIODG.EXE 0x5981⤵
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
MD5
09718149eabaf2ed637e53c9902c2988
SHA1a36ad5f83ffe5e0fc4bb3671e48dcb1545772bb0
SHA256f548a31f375f8bfa809772eebf1de9ee672542387ee4cfef7c81e696667f6950
SHA5125efae2e60bb4cba80444362d1dd86a79c02a7b3ef9a767460dd5603f6b86b31bf0fd452bcc0a6fe0fab33c83d1a50def1dbb7699a43885d985b45a29d75a81d4
-
MD5
e384a255300c3937571587bca1ac5cc3
SHA1e14a35e2f06ce9ac9895da7a4582b4da3a197072
SHA25636da5404fb8e0d5aa1389134f47932691d8c24cccab748137d9536691bbdeb3f
SHA5120b85c87a7ab8065f8ca6f388d554463625cacf5dd06aa597f3231eea86e59b6b6d89b361df2ca7b70104edaa3a5a3bca30d7abd0b25933bcece3de1bbd806da1
-
MD5
ca2320ae3f8efa98a610dccead1b1b21
SHA1efb95c08c2dcfec2b49fe060985988417f6fa975
SHA25635729b6a6969eaae4709e16b0ecd511f2009c4596b258597c237aaa7caf4b175
SHA5125138033379614077ef7ecae866baaf5b3feeb44eba535983f7c60af8e5c89a80ee66f294f6d93283aaaeba3687f676f2e833048ff04814fe2208ecf705208d4c
-
MD5
ad4f1c789ba562d08de83b97868314f5
SHA1946523f696b8525f190a3155d6958ea5d16c1fe5
SHA256276b4bb5edb25f9bd8fdde28ceb56ee7a953e29ba616e6658fa256f46830cc49
SHA512c5a15796b32662714e6f11e0a07f0693ba59de3ebf5b2e62ae9e7e588f22b699f0668f00b82f9abffaba31e2d9c76eda8aae680fb71d20f8132d957a0bc0aef0
-
MD5
be513b9042ad93914256c57f982874eb
SHA16824cc841056732322ba1eb982f6c6dc697c76fe
SHA256f245582fd02ba26fa81d0c526c2ef1956014a9667d42f6889a771afd534032b0
SHA5123cd129686b6ea1803a840767578e0faed7824297901b465cbb18a6964f21db3451063c5b1d3a5db4768e0a8119a948b122459ba9a1c14371a09100e23121f90c
-
MD5
2877e9f227fd9f3827048acb8f25d7cd
SHA1b3cd77b93dfcb24737a8319696ff1a935a7f9dd3
SHA256f3c63d2c72c41ce904c0b3403b163397fcd4a912a9aab65521134dc4ac9876b2
SHA512339a30ec2f3da7e78f9ef57288398748293c7f9ad1143719744f0e486a648b1f3b73771628605ce3091e04a01f50fe0dd75a503fa2e1c9a0b48740548746ff41
-
MD5
f37f5a609c976049d380a5ba434e064e
SHA15f63a268b2607153b42f230c8fa181852f376078
SHA256512e8eadd098c70f60b1a7d2d6b09400628f6c01c1e847cacbb513bc731d90ef
SHA5128133ccf2c406460dbb97a2d4e4cb3a11d94edf3f2dca2b874fde832568e5c19f7ac1a83fe50eb486fa000d905dd9e00046162142abf548e57fc4a6c3f87adc51
-
MD5
dfdc3cb5a6561826d7fa9ac28385e250
SHA103bc73a6182a69c21921790454160e4148df5bf6
SHA256504b4f99c54434e458ac1e6feab420482e81771fbf592998b6dec2659c45e5f5
SHA5126c8159ffa2770672b83b54d1b24f8d3c3697f679f81f1e4279c862430f0acd0ac212465067a562b0e7587810b81ef559b47c9def282049654111ab974ae04487
-
MD5
095eae8c9d030214b132a252813a5738
SHA1b505b67bdd80473b586cdd6601e1542535cef4ab
SHA25681ef6b34b005a2962a10963467cddd5e4e1c4e2b5d30d7a25352503afda945e2
SHA512c689cb23c40edec7ffe41c2f79744f630951353a254fdeadb8a6de7eb615593c36243d22a1cb4c9731cbb888434f5fd22de69dc51456bd59b33af7497450a8b2
-
MD5
5733c2a7337fdc1a29a55188937ba1c6
SHA1831272bc18d6051f6a265bc6cc1e980c9a1ba242
SHA2563c66dd10da27d5144d904c2d61161cdceabffc4be83bf38827d74a2be714a4f7
SHA512891b0c228f49d76cfee56b5ab42c8b2ab9087ac7247e7ea8d029b76dc9602e027d52f3814ed1648f78c895c87fb16cec84a0a73b77fb7c8c695fbe5051a8075f
-
MD5
bb0d01a7cca652d2b885e2d60514d6f0
SHA104594cffb0e3df1bc6ef449f925e7e396a6eaca1
SHA25697942ad363cfdfe8cc8511fd6c421e93c8f2e9da9fc123ef9a6d0fce0fcfbcdc
SHA512594cdcf39a8966cf7658e12bbe7fe9f89318ba9a8a5b9b7214abc845578abfcbe1eab13eb362f746cdf226715637494fef71a558149f726c679898821554c925
-
MD5
7741812427b3f9e85aec3c3ae80e31a0
SHA149294d8f1c8007f6b6083e04a5c88bdf9f02200c
SHA2565c2143bf928d6f3f2d4d3f81e111ab6075f81a67c4fd8dec4d1880975f348f14
SHA5123fc29d47847c1eccfeb856a918a00b7141893f881d9b4d2dc312a1601716258ca67cc6a2b91939202a65fd86bbb5d09b0f045dd9fc73e831a351b5f379492772
-
MD5
1e736d2d8b08aa30e714b20bd6e32ad1
SHA13ccf0db05bde9fa2982ca7b08b62205ceb82f3b6
SHA256d186549c1e9cab184b96c7e190bf56e9f95185131e6ab073eb0e3c68032593c5
SHA5128a77ed102e099c3714c6626e1d8c00554415392dd1ebf295cc823b490f511b6d5ae1403f76ffa770e679a855cc284afa6763e6511ceab8db03f6cb8137854146
-
MD5
35bbdad929c9de26833162841cae557c
SHA1b8c1bc0e8f6646d4df7530cc11db0cc4a7df6311
SHA256606f49da6a04bc88825ebd489380d32a3280468bd94120cb71b0bbe771850f86
SHA51282274759677c352d0a2ce7c608ab4f9c8cc9e50bc2ba29395845fcbf431342a075533e0a45e134e93f7b08370634f5425942a37296c39dc7a69d011d807a60a5
-
MD5
1eb16261e83df6d1dc3b8d66243ba6db
SHA1ccaa7416aee466617137f3adf7d5b5b5d783c269
SHA2568b545d2976c4028b49e9362bc169221d9a4da43d2539bab52d5e8891e07c7b11
SHA5126fd3fa6a0d06cb29b4724a9ac39018491284a643515bcdadf64b0e2d9eaefe4784380e8bfc7d06910c51ef8ff02e3d13deeba1893d098b9b535ce75e980f3354
-
MD5
f1dc8e75fa0fa828ab7ab39839b17017
SHA1964a3cec42f4c417cc5ca2f8d4f7c2979f9a806f
SHA256ae6ab3863ee4b602de2d34aaa5354ef10c53e1e0ac0634f415ee86b6c120d522
SHA512f78bafbae3c76ae42c58bf3c5dcb135766bfdad16beef7bf1d8c972aa955070263dc4fef0a8cfd6a9a97b6a3ca6c0606c3e197b1a2305293df6c44196033e3d1
-
MD5
5daf69d19158786b560d074730160ad2
SHA1c4e1a47b331cd2f44aa6f4cde46ce419cbc557df
SHA256d298f3df1802d7d3b86ce512da2d59982af33ae9eefd38a1436196ea8b980220
SHA512222d1dfd7806ad219bc7576b9295bcd895d1640f5d667538e7f369c1b52802d38a701ffcb62769f4fce506b4f306dd3d90d1d8dbbe3cb7b28e8ae92336d700b0
-
MD5
0b89b5597d42a00e1fdf47270c0744fc
SHA125faec472f2564c526b5b3e33aad46f98491851e
SHA2567773811bb5818ca2e905c3e4df9cc87fc22055aa0c26f03a6381501ed498c074
SHA5120b2b3f3c9a5e65589f0039078d7e4b017fb50d8c599086ffe9bc049aa481edf7296d19daa955ec3eb293ed7842bb79a7368d3bcd1d44692e089802ac8dfe236e
-
MD5
a2dde629d17db33a7e61d238f1134680
SHA1841b29d786196111a358b7496e3e6be952cf4e1c
SHA25631c683d0879208aee2f700fc145c5b17653d1ba6785406cfcb003c2298ced770
SHA51241470e998f2d0aea2c7256d023d679ce658fbb68c93e9cfbe7d73d815ceb1cfef34afc87f90ce15b551fb18dc04f7e278e3e8d324490f5f3f103bf0ee2915330
-
MD5
85338cbdab62017c6d4a2f95cbc7b59b
SHA16ceb679e13ee4d2d997bdc5c71041fc2a3328fac
SHA2561fa3839d8a23225279ccb108be6e57cf379ef49fb74fb1cb85279f5619c74d96
SHA512679d0ae20f4799d8cbf2abf2b1d865bc0c48ac50a0e762a1a277671fa1d03bb756b8ea7315bec53493d5aabeeca545bda3d352f28d6e0bb8260392151bdc23b2
-
MD5
727b5831c1c70223a9d91adff1b61091
SHA1a0cca5abbc519fb8b770a92eee77e40ce7f7bdbd
SHA256a6148f5d910c69e2b12c7db4e976e760f552ee6efe11b60f0b60bad1bbc572b4
SHA512635e00954decedc17612c2dbff6a59b0ebe0dc68b8ad98d152114229d6beaf4ded23524e38392b2d0c35af9f7fc025e4d9da044aa695715cd1538834050678d6
-
MD5
04e4aee17c7965191cc1f7b2851d271b
SHA17d8ebc723528c34cd4ea865399e5561b371e3b2e
SHA25664861321caa28018cf75a66c7fe2abc3cfa33cdbc6438a22a6689a615d653a80
SHA51238111b009d7242d3cc7956b0a6d56cb7a99c5498ab27d18a8be43d7c5dc8461320b30d805f2c17e85d1a73f5cb38bfb44e9ed271cbdb663fe2b4f73c27a5f5d5
-
MD5
dd570db5d5f835ee13f08c7ec3b871c7
SHA1b4158460a1d042e25e8090e6474cafe318a5aab5
SHA256025ce78bb3c562d8f0e2bd36cd0d000ebe1721cc027001c126d9350b1e20b7cc
SHA512ecde14295143745d0847f781c8ae0fb69ee80ab48051b6b570340fafeb1d73f71a94a4bb049d00e8821b306b9ca2bba8aaaf897fea468c92e0fc44db4b98ee1d
-
MD5
3f1d538021b82f49b8a2e9c38783b6bd
SHA152e00aa11e5ef9b0cb76b476d3aab58dec817db5
SHA256e8ebad753d5bc7668ee12a59654d741fa7bfed04935eccd67fa56c4dab5b30fc
SHA512d2ef87fab3d947936543ce1e11384c0b7b78a91a11175e2bc2d5badec4a2936dbcaf99f584689c5bed73126d79d3dd9c9698899758568101ebcfd8a38cd2d19a
-
MD5
35bbdad929c9de26833162841cae557c
SHA1b8c1bc0e8f6646d4df7530cc11db0cc4a7df6311
SHA256606f49da6a04bc88825ebd489380d32a3280468bd94120cb71b0bbe771850f86
SHA51282274759677c352d0a2ce7c608ab4f9c8cc9e50bc2ba29395845fcbf431342a075533e0a45e134e93f7b08370634f5425942a37296c39dc7a69d011d807a60a5
-
-
-
Filesize
16KB
-
-
-
-
-
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
Filesize
8KB
-
-
-
-
-
-
-
-
-
