Analysis

  • max time kernel
    113s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-06-2021 14:07

General

  • Target

    8.exe

  • Size

    21KB

  • MD5

    4a30853a3699ae354d8a238558ed59dd

  • SHA1

    9494865a139853498338b0dc505bd36cc59b6bae

  • SHA256

    3f06e0fa1a8d27d1d1f9d82462acc41b757e1a82b34d5d8e0354f024262a6fc9

  • SHA512

    09bc363d9d62700cf5a7066121e4359f000a6affc8aa04fb642dff8963d0b42f2cc2b02787b1529b2fdcea2d1332a353337199ff364a19cac1504e7ed18d706d

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://f294eea0fa784a70eaqsydkxb.ndkeblzjnpqgpo5o.onion/qsydkxb
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://f294eea0fa784a70eaqsydkxb.bejoin.space/qsydkxb
http://f294eea0fa784a70eaqsydkxb.lognear.xyz/qsydkxb
http://f294eea0fa784a70eaqsydkxb.lieedge.casa/qsydkxb
http://f294eea0fa784a70eaqsydkxb.wonride.site/qsydkxb
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f294eea0fa784a70eaqsydkxb.ndkeblzjnpqgpo5o.onion/qsydkxb

http://f294eea0fa784a70eaqsydkxb.bejoin.space/qsydkxb

http://f294eea0fa784a70eaqsydkxb.lognear.xyz/qsydkxb

http://f294eea0fa784a70eaqsydkxb.lieedge.casa/qsydkxb

http://f294eea0fa784a70eaqsydkxb.wonride.site/qsydkxb

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process (8 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files (10 IoCs)

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext (4 IoCs)
  • Interacts with shadow copies (2 TTPs, 4 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings (1 TTPs, 34 IoCs)
  • Modifies registry class (11 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: MapViewOfSection (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (6 IoCs)
  • Suspicious use of SendNotifyMessage (7 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of WriteProcessMemory (61 IoCs)

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Users\Admin\AppData\Local\Temp\8.exe
      "C:\Users\Admin\AppData\Local\Temp\8.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:344
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:572
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1764
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1148
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1052
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:2172
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1060
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1896
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://f294eea0fa784a70eaqsydkxb.bejoin.space/qsydkxb^&1^&37830466^&66^&309^&12"
      2⤵
      PID:852
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://f294eea0fa784a70eaqsydkxb.bejoin.space/qsydkxb&1&37830466&66&309&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1424
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1424 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:568
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1768
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          4⤵
          PID:2328
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:840
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1056
  • C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1988
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:524
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2336
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:944
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1572
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2320
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:852
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2244
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2272
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2312
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2528
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2536
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2584
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2576
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2708

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\R9YOXL9N.txt
  • C:\Users\Admin\Desktop\ConfirmCopy.jpeg.qsydkxb
  • C:\Users\Admin\Desktop\ConfirmRemove.xps.qsydkxb
  • C:\Users\Admin\Desktop\GetUnblock.eps.qsydkxb
  • C:\Users\Admin\Desktop\GetUpdate.potm.qsydkxb
  • C:\Users\Admin\Desktop\ResizeClose.mpeg.qsydkxb
  • C:\Users\Admin\Desktop\ResumeMount.bmp.qsydkxb
  • C:\Users\Admin\Desktop\SwitchSet.asp.qsydkxb
  • C:\Users\Admin\Desktop\readme.txt
  • C:\Users\Public\readme.txt