Overview

overview

10

Static

static

c6b6ec00_b...is.exe

windows7_x64

10

c6b6ec00_b...is.exe

windows10_x64

3

Resubmissions

18-08-2021 23:22

210818-8e7ftqdsax 10

22-05-2021 11:01

210522-avrsva3a7s 10

Analysis

  • max time kernel
    122s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-05-2021 11:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    c6b6ec00_by_Libranalysis.exe

  • Size

    22KB

  • MD5

    c6b6ec00b64069d66c8d14d65f7cfd8f

  • SHA1

    b90e6bf12728fa3b0984aabc32b39f1db082a1da

  • SHA256

    7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed

  • SHA512

    c9d7c97c63806e87804c33530f48ba950542ba28421d354cb287c9bf027ff5a853b76200e87eadd3cde0469f4b8c93f8c4bc0e71f5e4aa1cdf33e05c0673254a

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://50b03ce896784a70d4csnwyqmwa.erpp3f6j634gmj33.onion/csnwyqmwa Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://50b03ce896784a70d4csnwyqmwa.jobsbig.cam/csnwyqmwa http://50b03ce896784a70d4csnwyqmwa.nowuser.casa/csnwyqmwa http://50b03ce896784a70d4csnwyqmwa.boxgas.icu/csnwyqmwa http://50b03ce896784a70d4csnwyqmwa.bykeep.club/csnwyqmwa Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://50b03ce896784a70d4csnwyqmwa.erpp3f6j634gmj33.onion/csnwyqmwa

http://50b03ce896784a70d4csnwyqmwa.jobsbig.cam/csnwyqmwa

http://50b03ce896784a70d4csnwyqmwa.nowuser.casa/csnwyqmwa

http://50b03ce896784a70d4csnwyqmwa.boxgas.icu/csnwyqmwa

http://50b03ce896784a70d4csnwyqmwa.bykeep.club/csnwyqmwa

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 31 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\c6b6ec00_by_Libranalysis.exe
      "C:\Users\Admin\AppData\Local\Temp\c6b6ec00_by_Libranalysis.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1920
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1680
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:556
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:284
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
            PID:764
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1676
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1172
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
          PID:1540
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
        • Modifies extensions of user files
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\system32\notepad.exe
          notepad.exe C:\Users\Public\readme.txt
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:780
        • C:\Windows\system32\cmd.exe
          cmd /c "start http://50b03ce896784a70d4csnwyqmwa.jobsbig.cam/csnwyqmwa^&1^&47038039^&81^&363^&12"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1404
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://50b03ce896784a70d4csnwyqmwa.jobsbig.cam/csnwyqmwa&1&47038039&81&363&12
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1804
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1804 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2100
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1864
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1908
      • C:\Windows\system32\cmd.exe
        cmd /c CompMgmtLauncher.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\system32\CompMgmtLauncher.exe
          CompMgmtLauncher.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
              PID:2400
        • C:\Windows\system32\cmd.exe
          cmd /c CompMgmtLauncher.exe
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1316
          • C:\Windows\system32\CompMgmtLauncher.exe
            CompMgmtLauncher.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2144
            • C:\Windows\system32\wbem\wmic.exe
              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:2408
          • C:\Windows\system32\cmd.exe
            cmd /c CompMgmtLauncher.exe
            1⤵
            • Process spawned unexpected child process
            • Suspicious use of WriteProcessMemory
            PID:1784
            • C:\Windows\system32\CompMgmtLauncher.exe
              CompMgmtLauncher.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2184
              • C:\Windows\system32\wbem\wmic.exe
                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                3⤵
                  PID:2456
            • C:\Windows\system32\cmd.exe
              cmd /c CompMgmtLauncher.exe
              1⤵
              • Process spawned unexpected child process
              • Suspicious use of WriteProcessMemory
              PID:1576
              • C:\Windows\system32\CompMgmtLauncher.exe
                CompMgmtLauncher.exe
                2⤵
                • Suspicious use of WriteProcessMemory
                PID:2124
                • C:\Windows\system32\wbem\wmic.exe
                  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                  3⤵
                    PID:2424
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /all /quiet
                1⤵
                • Process spawned unexpected child process
                • Interacts with shadow copies
                PID:2668
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /all /quiet
                1⤵
                • Process spawned unexpected child process
                • Interacts with shadow copies
                PID:2660
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /all /quiet
                1⤵
                • Process spawned unexpected child process
                • Interacts with shadow copies
                PID:2652
              • C:\Windows\system32\vssadmin.exe
                vssadmin.exe Delete Shadows /all /quiet
                1⤵
                • Process spawned unexpected child process
                • Interacts with shadow copies
                PID:2756
              • C:\Windows\system32\vssvc.exe
                C:\Windows\system32\vssvc.exe
                1⤵
                  PID:2824

                Network

                MITRE ATT&CK Enterprise v6

                Replay Monitor

                Loading Replay Monitor...

                Downloads

                • C:\Users\Admin\Desktop\ConvertToResume.png.csnwyqmwa
                  MD5

                  d8e3cd1e0d04c5f6061ff57bbaaf88f2

                  SHA1

                  cdfa82824f4028a0491fdd5ff3ebf4f9ebdc2f80

                  SHA256

                  4b0d4d66e50c47ad5f83fd3de4c0c472809bbcae9089124dafbf289394d29ba2

                  SHA512

                  59760191681de46bc2349ffd2278d1dddc015d0a90885edf4c37fa20299befa3ea737910781489379d4cdf27cba8a0ac5fbb96a8fb94c88ef9baed24b0f2106f

                  Download Submit

                • C:\Users\Admin\Desktop\DisconnectConnect.wma.csnwyqmwa
                  MD5

                  8596814211ec99edad67d63be6872a21

                  SHA1

                  058b440510784605b08894734a1f2159c969dc3b

                  SHA256

                  c5a500c0e7c6bb98902e9d98e841ca2e739af00907c03e8ef681032881ed5d1b

                  SHA512

                  81143ccbea1e7ad999762543785c0a15228bbb37759fec5ecb4263b7a30bdd12f40a91b5f0eb8dd7dc77c68ff5b3e88ad2a6a4c90290543f0b47365472d127c2

                  Download Submit

                • C:\Users\Admin\Desktop\InvokeResolve.jpeg.csnwyqmwa
                  MD5

                  0ea6db758a9833f921ab52ae4e5fb08e

                  SHA1

                  8d91284456fadcb30b38ce345eb42a56df5c8579

                  SHA256

                  86a74c80513f991bcfe70e2fe23ab736ccb16a6b1b91390cabae47a61a0088f2

                  SHA512

                  73ba9944ce447f6259f8438a2df70ab6b32cf2d750137912af3134fe639fd79877a3235c01c954e7731a05d44f0a201d0cac4f018a678cd7b198518822594f86

                  Download Submit

                • C:\Users\Admin\Desktop\RequestConvertFrom.ppsm.csnwyqmwa
                  MD5

                  320c02d5bfe02b6189b550c61e3f2696

                  SHA1

                  7864791db15cae330d4c83a94c510cee0a25830b

                  SHA256

                  72301b7de21df221c93229796d6aa0bcc19fc2b8921c924039bc50018cfb0481

                  SHA512

                  439c28dc644aa2c96dad64b97f0ae30b644a738e8be43ed8090be784d6e76d9143c82cadd336de39adee73f1ca628fd23e5d5580d7e3f9528f92ec177bda9eb8

                  Download Submit

                • C:\Users\Admin\Desktop\RequestSync.rtf.csnwyqmwa
                  MD5

                  81616cde15d747b0c5d237e556c34890

                  SHA1

                  f4ef128abf5e2cba5b3f3bdfeb4f99e77d62f6f2

                  SHA256

                  db5c826fe794263d95f3ba539e9a4ea99bf90df6933d3788cad7158b70bbe9ab

                  SHA512

                  90e84a108c77300b4a68a1cb2b4a50537df06c685082473932d7e2ae45a2860b81875515a645c2d9f3910eb1e6d9a8694c668368e1eb86addb465a71a414df6f

                  Download Submit

                • C:\Users\Admin\Desktop\RestartFormat.gif.csnwyqmwa
                  MD5

                  e01b8ca05fdd2bc4413245438a494170

                  SHA1

                  50848db7e4f718705cc750f0704559a205e78668

                  SHA256

                  1b67051265475e1142a496e6678b08f5bce4f1cd60b13e075c740b61993a66da

                  SHA512

                  594210ad1c038d2e4042d45bb1fe121993b6de661d18a686cbb23e71db21f93acc709b0a592a6fec660312cf88065498212abb372c107ee6ca0a0b3fa6482a5f

                  Download Submit

                • C:\Users\Admin\Desktop\RestoreMount.xps.csnwyqmwa
                  MD5

                  92084368acddccd7dcec48fca106f488

                  SHA1

                  87c114d0e78b0a15f8385981faed25746102f1ef

                  SHA256

                  c2e57aafe40e41639f57b4e1ebd348dad4ee3f1a8a411f2f4e2677b39cc67f3d

                  SHA512

                  cfe25d8d5a464dc47abba6361cf3330ff04af0be1f3e37bab02825635940a37bce9b71b59ac2f3df8886f1f10279ebcde640575700c3fb5d67f379c3d0286158

                  Download Submit

                • C:\Users\Admin\Desktop\UnblockInvoke.doc.csnwyqmwa
                  MD5

                  24e80ed346381c680d7b9aaed58e4219

                  SHA1

                  a2d9354b23f2bfb7654d608d5ae0b0a910cc3e70

                  SHA256

                  1843215d9961550322694aa92f12542f0f7479aa2c24a9693055ed9e8461d5f6

                  SHA512

                  6f294a60f86114a78b45de0fc30dfe7241ce26cd51797812cca9dea3b6f2e706416c669109f1802d839c9300b438747bdec518fb706fd46ddaabf94e1d54d906

                  Download Submit

                • C:\Users\Admin\Desktop\UndoInvoke.avi.csnwyqmwa
                  MD5

                  d64f5692f50e4ad8fbd97f7fa7f6a21a

                  SHA1

                  35c13b499397651073f8a6b9285dee0a6d6277b1

                  SHA256

                  e1692b9db62a6e43e1a0f5983ffb7fb4b3bf30f41dcf43f4adeb8e421552ee04

                  SHA512

                  38a6782362e82418a00e0cab521494434f870149f0153f406291fcbd41f1aab042728e8370c123d34bfbfdd7e36a811093f398f7a3d7ed32a07920b1c51ad247

                  Download Submit

                • C:\Users\Admin\Desktop\UnpublishResize.xltm.csnwyqmwa
                  MD5

                  7ce3f06cc0dcfb70646c848548b62c30

                  SHA1

                  247e584dcbf04530202c741b9cef987a56b520da

                  SHA256

                  95f355959660f19f7a9a278a091ab0b75d00e62b28a275be677ae71a83432de4

                  SHA512

                  36edef8eb2f23c8edf9287bd41432066500db915008e053db9454d6cce13c22d4411c99951ecbfa9ad6d59478e64024854accd0ec7797a5e14cacb657396aa35

                  Download Submit

                • C:\Users\Admin\Desktop\UpdateBlock.pot.csnwyqmwa
                  MD5

                  74eb6f4d38a9cf72ac298650f2e0d082

                  SHA1

                  6689ef5fe30b1c088b61efc4509d354637212c9c

                  SHA256

                  edc155a2aa535c720f874e75b247ad733632ccc69df51ba461ee655508766afc

                  SHA512

                  204c4e58a01157a6edca86f49673b0057d537f7277fd61ca3a0ddc91709f0a213bb6dd6e2692e12b3fadfcdcd596ed2f368371818fe83e90a1db6164e66558a5

                  Download Submit

                • C:\Users\Admin\Desktop\WatchImport.jpg.csnwyqmwa
                  MD5

                  05bc20e22ee727467e016cedfe2b27be

                  SHA1

                  cb036eec28bda34238d5aae85ca88f0805877e84

                  SHA256

                  2453f21948c1567684a92dd5a67e32479b1684b220835c21983821c2055dfad0

                  SHA512

                  2e7e2eb406e3a117f6a5bd84d31f5f4716a4c4367b866992500f23a4a8a418be1d6d6104a02bbbe2cc45f602416717921d0b3e327c9392dc7f4fb4934b31549b

                  Download Submit

                • C:\Users\Admin\Desktop\readme.txt
                  MD5

                  5fc1d6e72e9f3899d2e456208002e798

                  SHA1

                  6ef4b9c2f98d30053a4e3a9bbcdf0086fde82b22

                  SHA256

                  e0055f606d69030aa9f0ac9aec2672aa3f8cc6d5749aed824ed62304e8393123

                  SHA512

                  420f398fc8b1bbd635192b72ba379dd51c14b78a2f60d6ced95dfd572dd2d29918a81c99c9444726480ce46d764936be91d8419dbfc624438801477b6668b084

                  Download Submit

                • C:\Users\Public\readme.txt
                  MD5

                  5fc1d6e72e9f3899d2e456208002e798

                  SHA1

                  6ef4b9c2f98d30053a4e3a9bbcdf0086fde82b22

                  SHA256

                  e0055f606d69030aa9f0ac9aec2672aa3f8cc6d5749aed824ed62304e8393123

                  SHA512

                  420f398fc8b1bbd635192b72ba379dd51c14b78a2f60d6ced95dfd572dd2d29918a81c99c9444726480ce46d764936be91d8419dbfc624438801477b6668b084

                  Download Submit

                • memory/284-150-0x0000000000000000-mapping.dmp

                  Download

                • memory/556-149-0x0000000000000000-mapping.dmp

                  Download

                • memory/764-151-0x0000000000000000-mapping.dmp

                  Download

                • memory/780-124-0x0000000000000000-mapping.dmp

                  Download

                • memory/780-125-0x000007FEFBFB1000-0x000007FEFBFB3000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/1124-104-0x0000000001D20000-0x0000000001D24000-memory.dmp

                  Filesize

                  16KB

                  Download

                • memory/1404-140-0x0000000000000000-mapping.dmp

                  Download

                • memory/1540-144-0x0000000000000000-mapping.dmp

                  Download

                • memory/1676-147-0x0000000000000000-mapping.dmp

                  Download

                • memory/1680-148-0x0000000000000000-mapping.dmp

                  Download

                • memory/1728-145-0x0000000000000000-mapping.dmp

                  Download

                • memory/1804-146-0x0000000000000000-mapping.dmp

                  Download

                • memory/1864-141-0x0000000000000000-mapping.dmp

                  Download

                • memory/1908-143-0x0000000000000000-mapping.dmp

                  Download

                • memory/1920-87-0x0000000001F80000-0x0000000001F81000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-60-0x0000000000020000-0x0000000000025000-memory.dmp

                  Filesize

                  20KB

                  Download

                • memory/1920-88-0x0000000001F90000-0x0000000001F91000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-89-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-91-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-92-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-93-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-94-0x0000000002000000-0x0000000002001000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-63-0x0000000000300000-0x0000000000301000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-62-0x00000000002F0000-0x00000000002F1000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/1920-64-0x0000000000310000-0x0000000000311000-memory.dmp

                  Filesize

                  4KB

                  Download

                • memory/2100-152-0x0000000000000000-mapping.dmp

                  Download

                • memory/2100-153-0x0000000076691000-0x0000000076693000-memory.dmp

                  Filesize

                  8KB

                  Download

                • memory/2124-154-0x0000000000000000-mapping.dmp

                  Download

                • memory/2132-155-0x0000000000000000-mapping.dmp

                  Download

                • memory/2144-156-0x0000000000000000-mapping.dmp

                  Download

                • memory/2184-157-0x0000000000000000-mapping.dmp

                  Download

                • memory/2400-163-0x0000000000000000-mapping.dmp

                  Download

                • memory/2408-162-0x0000000000000000-mapping.dmp

                  Download

                • memory/2424-164-0x0000000000000000-mapping.dmp

                  Download

                • memory/2456-165-0x0000000000000000-mapping.dmp

                  Download