Overview

overview

10

Static

static

8dee319522...e4.exe

windows7_x64

10

8dee319522...e4.exe

windows10_x64

3

Sharing

Copy URL
Twitter E-mail

General

  • Target

    8dee31952250b0335eb20a948d71167d586e696a777e2f313dd3b1b953aba1e4.exe

  • Size

    22KB

  • Sample

    210522-hl665jwd3a

  • MD5

    dae0a57f09cfc41ade922b0bbb436d1b

  • SHA1

    46c8e510d998718b98c61b04375dcd92f81574ab

  • SHA256

    8dee31952250b0335eb20a948d71167d586e696a777e2f313dd3b1b953aba1e4

  • SHA512

    f4d39b5555e0da1a383c609f3aac8347c0a9fd98939563d3761c6bdde66bf8ced83cc166a3894875985e2c30a9707ff98a8aa82b402044d74daccd1e7efc8b82

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://c4741e281814c04092ahdcadrra.erpp3f6j634gmj33.onion/ahdcadrra Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://c4741e281814c04092ahdcadrra.nowuser.casa/ahdcadrra http://c4741e281814c04092ahdcadrra.bykeep.club/ahdcadrra http://c4741e281814c04092ahdcadrra.boxgas.icu/ahdcadrra http://c4741e281814c04092ahdcadrra.jobsbig.cam/ahdcadrra Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://c4741e281814c04092ahdcadrra.erpp3f6j634gmj33.onion/ahdcadrra

http://c4741e281814c04092ahdcadrra.nowuser.casa/ahdcadrra

http://c4741e281814c04092ahdcadrra.bykeep.club/ahdcadrra

http://c4741e281814c04092ahdcadrra.boxgas.icu/ahdcadrra

http://c4741e281814c04092ahdcadrra.jobsbig.cam/ahdcadrra

Targets

    • Target

      8dee31952250b0335eb20a948d71167d586e696a777e2f313dd3b1b953aba1e4.exe

    • Size

      22KB

    • MD5

      dae0a57f09cfc41ade922b0bbb436d1b

    • SHA1

      46c8e510d998718b98c61b04375dcd92f81574ab

    • SHA256

      8dee31952250b0335eb20a948d71167d586e696a777e2f313dd3b1b953aba1e4

    • SHA512

      f4d39b5555e0da1a383c609f3aac8347c0a9fd98939563d3761c6bdde66bf8ced83cc166a3894875985e2c30a9707ff98a8aa82b402044d74daccd1e7efc8b82

    Score
    10/10
    magniberransomware

    • Magniber Ransomware

      Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

      ransomwaremagniber

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

      ransomware

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

      ransomware

    • Suspicious use of SetThreadContext

    behavioral1behavioral2

MITRE ATT&CK Enterprise v6

Tasks