Analysis

  • max time kernel
    103s
  • max time network
    170s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-06-2021 14:07

General

  • Target

    9.exe

  • Size

    21KB

  • MD5

    6e4d7e63e05ef919d2b8724fbc3f3eeb

  • SHA1

    97730b10da62c23ee6554625f5c24bf262aae261

  • SHA256

    a5a2b6bfba012554d3c7e01c9df1173f995639caf31fdde8693e30ef501d26d7

  • SHA512

    641c16245535d0e7eff19063830f8b8448d51fdefd6384a615495709b203c1522603292140b951cd220d1cd22e0f414f5c0e156633b2eb69f8ecf7fde8cdef86

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://5624184026784a70dassdxwead.ndkeblzjnpqgpo5o.onion/ssdxwead
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://5624184026784a70dassdxwead.lieedge.casa/ssdxwead
http://5624184026784a70dassdxwead.wonride.site/ssdxwead
http://5624184026784a70dassdxwead.lognear.xyz/ssdxwead
http://5624184026784a70dassdxwead.bejoin.space/ssdxwead
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://5624184026784a70dassdxwead.ndkeblzjnpqgpo5o.onion/ssdxwead

http://5624184026784a70dassdxwead.lieedge.casa/ssdxwead

http://5624184026784a70dassdxwead.wonride.site/ssdxwead

http://5624184026784a70dassdxwead.lognear.xyz/ssdxwead

http://5624184026784a70dassdxwead.bejoin.space/ssdxwead

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 11 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1252
    • C:\Users\Admin\AppData\Local\Temp\9.exe
      "C:\Users\Admin\AppData\Local\Temp\9.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:684
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:524
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1632
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1492
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:1748
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1188
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:624
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2036
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://5624184026784a70dassdxwead.lieedge.casa/ssdxwead^&1^&57969811^&88^&373^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://5624184026784a70dassdxwead.lieedge.casa/ssdxwead&1&57969811&88&373&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:760
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:760 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1768
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1956
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1200
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2056
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2212
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2440
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1072
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2172
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2396
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1732
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2192
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2380
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:820
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2424
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2568
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2560
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2612
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2692
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2920

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\IY5CI4T4.txt

  • C:\Users\Admin\Desktop\AssertWatch.pptx.ssdxwead

  • C:\Users\Admin\Desktop\BlockUnprotect.potm.ssdxwead

  • C:\Users\Admin\Desktop\CloseUpdate.zip.ssdxwead

  • C:\Users\Admin\Desktop\ExitExport.png.ssdxwead

  • C:\Users\Admin\Desktop\MountUnregister.gif.ssdxwead

  • C:\Users\Admin\Desktop\OutUndo.wav.ssdxwead

  • C:\Users\Admin\Desktop\PushPing.ppsm.ssdxwead

  • C:\Users\Admin\Desktop\ReadMount.rtf.ssdxwead

  • C:\Users\Admin\Desktop\StartCompress.jpeg.ssdxwead

  • C:\Users\Admin\Desktop\UnpublishMeasure.odt.ssdxwead

  • C:\Users\Admin\Desktop\UseTest.mpg.ssdxwead

  • C:\Users\Admin\Desktop\readme.txt

  • C:\Users\Public\readme.txt