Analysis

  • max time kernel
    100s
  • max time network
    158s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-06-2021 14:05

General

  • Target

    1.exe

  • Size

    21KB

  • MD5

    3802b905937b9212384ce6ed7241d96c

  • SHA1

    9ef9f19a2327bce05bbb5cc23021f5c2b7cd1cec

  • SHA256

    fc1cb9ea6c1d86600f690b0f7c7ea6ab73d401a3b0e899360c4a619aeaed4cc4

  • SHA512

    bac5dc5c299979461ad7eb3f329c9b61042b3d7cb261acdcdd14111741a549c986ea19c871564d9c799d2da7a042ab9f1918efcfcddc3bfe51a4d1aaf3c39d9b

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://32309a084c14c040dchwcbxhw.5s4ixqul2enwxrqv.onion/hwcbxhw
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://32309a084c14c040dchwcbxhw.plughas.casa/hwcbxhw
http://32309a084c14c040dchwcbxhw.dayhit.xyz/hwcbxhw
http://32309a084c14c040dchwcbxhw.ownhits.space/hwcbxhw
http://32309a084c14c040dchwcbxhw.bestep.cyou/hwcbxhw
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://32309a084c14c040dchwcbxhw.5s4ixqul2enwxrqv.onion/hwcbxhw

http://32309a084c14c040dchwcbxhw.plughas.casa/hwcbxhw

http://32309a084c14c040dchwcbxhw.dayhit.xyz/hwcbxhw

http://32309a084c14c040dchwcbxhw.ownhits.space/hwcbxhw

http://32309a084c14c040dchwcbxhw.bestep.cyou/hwcbxhw
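
The five personal-page URLs share one layout: a victim identifier as the first host label (32309a084c14c040dchwcbxhw), one .onion host plus four short-lived clearnet domains, and a path (hwcbxhw) that is also the extension appended to every encrypted file in the Downloads list below. The same URL appears in the process tree as a cmd /c "start ..." command with ^& escapes and a few trailing values that the report does not explain. The script below is an added example, not part of this report or of any vendor tooling: it parses the note into IOCs (skipping the legitimate torproject.org download link), undoes the cmd.exe escaping, and checks that the URL token and the file extension agree. Note text, URLs, file names and the command line are copied from this report; the <victim-id>.<domain>/<token> split is an assumption read off these URLs, not a documented Magniber format.

```python
# Added example, not part of the sandbox report: pull the per-victim token and
# the contact infrastructure out of the ransom note and cross-check it against
# the encrypted files. Note text, URLs, file names and the `start` command line
# are copied from this report. Assumption: every note URL is laid out as
# http://<victim-id>.<domain>/<token>; that is read off these five URLs, not
# taken from any Magniber documentation.
import re
from typing import Dict, List, Tuple
from urllib.parse import urlsplit

NOTE = """To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://32309a084c14c040dchwcbxhw.5s4ixqul2enwxrqv.onion/hwcbxhw
Note! This page is available via "Tor Browser" only.
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://32309a084c14c040dchwcbxhw.plughas.casa/hwcbxhw
http://32309a084c14c040dchwcbxhw.dayhit.xyz/hwcbxhw
http://32309a084c14c040dchwcbxhw.ownhits.space/hwcbxhw
http://32309a084c14c040dchwcbxhw.bestep.cyou/hwcbxhw
"""

# Three of the renamed files listed under Downloads in this report.
ENCRYPTED_FILES = [
    r"C:\Users\Admin\Desktop\ClearLimit.vsd.hwcbxhw",
    r"C:\Users\Admin\Desktop\TestWrite.rar.hwcbxhw",
    r"C:\Users\Admin\Desktop\WaitTest.crw.hwcbxhw",
]

# The command taskhost.exe (PID 1120) ran to open the page in Internet Explorer.
OPENED_CMDLINE = r'cmd /c "start http://32309a084c14c040dchwcbxhw.plughas.casa/hwcbxhw^&1^&40439685^&61^&307^&12"'

URL_RE = re.compile(r'https?://[^\s"<>]+')


def split_victim_url(url: str) -> Tuple[str, str, str]:
    """Return (victim_id, domain, token) for one note URL.
    Assumption: host is <victim-id>.<domain>; the token is the path up to the
    first '&' (the opened URL carries extra '&'-separated values after it)."""
    parts = urlsplit(url)
    labels = (parts.hostname or "").split(".")
    token = parts.path.strip("/").split("&")[0]
    return labels[0], ".".join(labels[1:]), token


def uncaret(cmdline: str) -> str:
    """Undo cmd.exe's ^ escaping so the URL reads as iexplore.exe received it."""
    return re.sub(r"\^(.)", r"\1", cmdline)


def extract_iocs(note: str, encrypted_files: List[str]) -> Dict[str, object]:
    ids, tokens, onion, clearnet = set(), set(), set(), set()
    for url in URL_RE.findall(note):
        vid, domain, token = split_victim_url(url)
        if not token:  # https://www.torproject.org/ is a legitimate site, not an IOC
            continue
        ids.add(vid)
        tokens.add(token)
        (onion if domain.endswith(".onion") else clearnet).add(domain)
    exts = {f.rsplit(".", 1)[-1] for f in encrypted_files}
    return {
        "victim_id": next(iter(ids)) if len(ids) == 1 else None,
        "token": next(iter(tokens)) if len(tokens) == 1 else None,
        "onion_domains": sorted(onion),
        "clearnet_domains": sorted(clearnet),
        "token_is_file_extension": tokens == exts,
    }


def opened_page(cmdline: str) -> Dict[str, object]:
    """Decode the `start` command line. The values after the token travel with
    the request; the report does not say what they encode, so they are only
    collected here, not interpreted."""
    url = URL_RE.search(uncaret(cmdline)).group(0)
    vid, domain, token = split_victim_url(url)
    trailing = urlsplit(url).path.strip("/").split("&")[1:]
    return {"victim_id": vid, "domain": domain, "token": token, "trailing_values": trailing}


if __name__ == "__main__":
    print(extract_iocs(NOTE, ENCRYPTED_FILES))
    print(opened_page(OPENED_CMDLINE))
```

Run as-is it prints the IOC dictionary: the four clearnet domains are what to block or hunt for, the .onion host and the victim id identify this infection, and token_is_file_extension confirms that the per-victim token in the URL is the extension the sample appended to files.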

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia, distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1496
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://32309a084c14c040dchwcbxhw.plughas.casa/hwcbxhw^&1^&40439685^&61^&307^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:672
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://32309a084c14c040dchwcbxhw.plughas.casa/hwcbxhw&1&40439685&61&307&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:960
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:960 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:2152
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:984
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1176
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\1.exe
      "C:\Users\Admin\AppData\Local\Temp\1.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2008
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2044
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:1076
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1156
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1460
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1212
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1596
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1884
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2164
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2448
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:784
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2188
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2460
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2204
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2436
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2008
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2424
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2640
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2664
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2656
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2732
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2780
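
The tree above falls apart into unrelated roots (four `cmd /c CompMgmtLauncher.exe`, four `vssadmin.exe Delete Shadows /all /quiet`) because every hop goes through `wmic process call create`: Win32_Process.Create runs inside the WMI provider host, so the created process is a child of WmiPrvSE.exe rather than of the wmic caller, and that host is not listed in the report. Read logically, one chain is Explorer.EXE -> 1.exe -> cmd.exe -> WMIC.exe => cmd.exe -> CompMgmtLauncher.exe -> wmic.exe => vssadmin.exe, and the same wmic hop is repeated from taskhost.exe and Dwm.exe, which is consistent with the SetThreadContext/WriteProcessMemory/MapViewOfSection signatures on 1.exe (code injected into those processes). CompMgmtLauncher.exe is an auto-elevating Windows binary whose normal child is mmc.exe; the report does not show the registry key that redirects it, only "Modifies registry class" on the injected processes, so the example keys on process lineage alone. The code below is an added example, not part of the report or of the sandbox vendor's signatures: it stitches the wmic hops back together by matching the created command line against orphaned processes and emits one finding per step. PIDs, images and command lines are copied from the tree; parent PIDs are inferred from its nesting and the constructed sample keeps one chain of each kind; T1047 and T1490 are the ATT&CK technique IDs for Windows Management Instrumentation and Inhibit System Recovery.

```python
# Added example, not part of the sandbox report. PIDs, images and command lines
# are copied from the process tree; parent PIDs are inferred from its nesting
# (constructed sample, one chain of each kind). ppid=None marks entries the
# sandbox shows as roots: `wmic process call create` runs Win32_Process.Create
# inside WmiPrvSE.exe, so the new process is not a child of the wmic caller.
import re
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Proc:
    pid: int
    ppid: Optional[int]
    image: str
    cmdline: str


EVENTS: List[Proc] = [
    Proc(1256, None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    Proc(2008, 1256, r"C:\Users\Admin\AppData\Local\Temp\1.exe",
         r'"C:\Users\Admin\AppData\Local\Temp\1.exe"'),
    Proc(2044, 2008, r"C:\Windows\system32\cmd.exe",
         r'cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""'),
    Proc(1076, 2044, r"C:\Windows\system32\wbem\WMIC.exe",
         r'C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"'),
    Proc(1884, None, r"C:\Windows\system32\cmd.exe", "cmd /c CompMgmtLauncher.exe"),
    Proc(2164, 1884, r"C:\Windows\system32\CompMgmtLauncher.exe", "CompMgmtLauncher.exe"),
    Proc(2448, 2164, r"C:\Windows\system32\wbem\wmic.exe",
         r'"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"'),
    Proc(2640, None, r"C:\Windows\system32\vssadmin.exe", "vssadmin.exe Delete Shadows /all /quiet"),
    Proc(2780, None, r"C:\Windows\system32\vssvc.exe", r"C:\Windows\system32\vssvc.exe"),
]

WMIC_CREATE = re.compile(r'process\s+call\s+create\s+"([^"]+)"', re.I)
SHADOW_DELETE = re.compile(r"vssadmin(?:\.exe)?\s+delete\s+shadows", re.I)


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def wmic_create_target(p: Proc) -> Optional[str]:
    """Command line a wmic.exe process asked WMI to start, or None."""
    if basename(p.image).lower() != "wmic.exe":
        return None
    m = WMIC_CREATE.search(p.cmdline)
    return m.group(1).strip() if m else None


def stitch_wmi_hops(procs: List[Proc]) -> Dict[int, Optional[int]]:
    """pid -> logical parent. Each wmic create call adopts the first orphan
    whose command line equals the created command; with several identical
    calls the pairing is first-come, which is all the report lets us do."""
    parent = {p.pid: p.ppid for p in procs}
    for p in procs:
        target = wmic_create_target(p)
        if target is None:
            continue
        for o in procs:
            if parent[o.pid] is None and o.cmdline.strip().lower() == target.lower():
                parent[o.pid] = p.pid
                break
    return parent


def lineage(pid: int, procs: List[Proc], parent: Dict[int, Optional[int]]) -> List[str]:
    """Image names from pid up to the root, following logical parents."""
    by_pid = {p.pid: p for p in procs}
    chain, seen, cur = [], set(), pid
    while cur in by_pid and cur not in seen:
        seen.add(cur)
        chain.append(basename(by_pid[cur].image))
        cur = parent[cur]
    return chain


def findings(procs: List[Proc]) -> List[Tuple[str, int, List[str]]]:
    parent = stitch_wmi_hops(procs)
    by_pid = {p.pid: p for p in procs}
    out = []
    for p in procs:
        img = basename(p.image).lower()
        chain = lineage(p.pid, procs, parent)
        if wmic_create_target(p):
            out.append(("T1047 process created through WMI", p.pid, chain))
        par = by_pid.get(parent[p.pid])
        # CompMgmtLauncher.exe auto-elevates and normally only launches mmc.exe
        if par and basename(par.image).lower() == "compmgmtlauncher.exe" and img != "mmc.exe":
            out.append(("CompMgmtLauncher.exe spawned an unexpected child", p.pid, chain))
        if img == "vssadmin.exe" and SHADOW_DELETE.search(p.cmdline):
            out.append(("T1490 shadow copies deleted", p.pid, chain))
    return out


if __name__ == "__main__":
    for kind, pid, chain in findings(EVENTS):
        print(f"{kind}: pid {pid}: {' <- '.join(chain)}")
```

On EDR telemetry the same stitching is unnecessary when the sensor records WmiPrvSE.exe as the parent, but the matching step is still what links a vssadmin launch back to the process that asked for it, since WmiPrvSE.exe itself is a dead end for ancestry.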

Network

MITRE ATT&CK Enterprise v6

Downloads

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\3VZRLSGA.txt

                MD5

                2e50be8ad444338dda710a3deed1f2a4

                SHA1

                e533c909b00d40f6c754dd0ce3d26f426c3b7ce7

                SHA256

                067d010dcca9b74545043513f83ac41918e69d022f85d969b93ad2d89e22a25f

                SHA512

                79f9467a7cf28d482d22e7c94e21bbb349589963bcb575478289f1ae6d28e89b2079c184b6a551597d42b29a8c1de184bfc8e3abb6218e4ad9174749579c0edc

              • C:\Users\Admin\Desktop\ClearLimit.vsd.hwcbxhw

                MD5

                a1fdc73348f551ceeda8cb8990ebbb94

                SHA1

                ac45b08b4b1399c4ecab101821e267b16b92c435

                SHA256

                47fffa31aa3f22a0101aa858274b398db17e98a224989a8e4827de07073b0a38

                SHA512

                75e5132b68381021b9f77d5ae0d902f9e77571db95042156173e40e7b3c8cc0965bedff9ae20528f9e2fbd9293687ebd3bf102d672ea5334473c3e7cc5b235db

              • C:\Users\Admin\Desktop\CloseSearch.wav.hwcbxhw

                MD5

                f3f9a2910447af936659b7e6575a58c1

                SHA1

                fdcc8b0e0a6a923af56e36039868eb89c73d652e

                SHA256

                fad4fae080dd2842e58bc58ac62cc08fcba66dbce269e87735c1107f449f168c

                SHA512

                d7721be3d750b7ef62798146b2ff07ba3daf14c1fbf6c4c764291dcde94a330cc57fd12e17ab17e40f69147a45902fc1dda9505c77f29fd10c5e621bbb8f364e

              • C:\Users\Admin\Desktop\ConvertFromSwitch.vsdx.hwcbxhw

                MD5

                0fb99368174eb755992f5818bf58dcf7

                SHA1

                4c401aebbed45903f0505fcdabcf906c11657241

                SHA256

                a7b1155e46a64178b267fcb35980882bc31f1401a1e7631c86c8da975ecdc834

                SHA512

                0cc68222a4da539babdfa9281e24f3edda2b4e1c791fc8928395825e6206791179bfdd591cad85dc2e07f00134bc2c1635d62620c7bc4b58288cf507aaa79c5b

              • C:\Users\Admin\Desktop\ConvertToFormat.tif.hwcbxhw

                MD5

                8e3a0d92282d879857b1b32583c1570e

                SHA1

                df2edc8ecc8ff92d4c0665341e4d459071315bec

                SHA256

                37c288ee68ba874e5d72e9a6111465f324c56e924023066d64fc67e96d95b3eb

                SHA512

                0db8bb21230944fd6bbd0e41fe8319cba229a8a9bbca3ce5378b24ae6dfc9fef73374a2745c67e75d1839b589f7987bd33a50f710a650a7a11dc44b69a682138

              • C:\Users\Admin\Desktop\GrantResize.tiff.hwcbxhw

                MD5

                40826a3419e8e63386d74f9e31e3134c

                SHA1

                e829b1800d69db4a2aee43d50879440bb76f0577

                SHA256

                c6ff7605ee1199a2f84be89bb681ef052ef1584ca2d68ff85147c7f338df87e1

                SHA512

                cb2fc4e9529b70f35a5778b8fd2023f24ac07cb0b1b8ae7247cd2bee2ea5c8f8daad5332cbe6760cc5c59079c1c8ddbf36afc63a9a7d5a46a20a8f98fd9aaf25

              • C:\Users\Admin\Desktop\InvokeCheckpoint.potm.hwcbxhw

                MD5

                1a5916a5713e5317d8d6ee20ec37d160

                SHA1

                38d3fabc5a1bc78c847fee707522648bb1ec24b9

                SHA256

                b9a8562114e0c00c134e8b160e898c4cfd6e15664a3279a96622bc2e3128d4f9

                SHA512

                b9a172663129aee855f18b7e9784eae538968bd421517a16d99bc19b788d3948c0ec4137814e66e72a6dc3faeb40c795ba87f320cb3441b54cafbb8fbf1832c4

              • C:\Users\Admin\Desktop\RequestFormat.wmv.hwcbxhw

                MD5

                b7823adbbc91e6bf64351158b97b4924

                SHA1

                c9a4b726420638f01232a06023088f6f5eea1ecd

                SHA256

                916afe0294e274ee196069a48e03a07233270a0f71233e4523d6c7c82db71b83

                SHA512

                fb565db06b2b733e9dea27fbc21cf2ace523cc696641b76f8ed0fc26650fa98460871903e559c4c7d51a107007ca7022f50a804b1dd1b447dbe05d9ed3e32096

              • C:\Users\Admin\Desktop\TestWrite.rar.hwcbxhw

                MD5

                0841fc30c1eb1a4147c8665194105adb

                SHA1

                57d57b2827f76f4c9b7d02b930222ec22bdd566b

                SHA256

                581d2f463e150d5a0163759dee4dbab53c3607c028a24edd6309ee89872decef

                SHA512

                c25e42300f3ce573579062d22504701045692a68c952257064ca998d3969fdfb98995d8613ce77a9c798044e37751179db43c5523aa4cb030483fb721412feaf

              • C:\Users\Admin\Desktop\UnlockMeasure.xlsb.hwcbxhw

                MD5

                e3267832f5ccb31ffe1256ace93ffd87

                SHA1

                86d3dabd99222c29f9d636ae3b640cd0c909c812

                SHA256

                9060673d4da56913e87770bd1f75677d20c1f5410ed53fa7b9dd43a431a8604e

                SHA512

                4ca3a0336f9a900459ef45fb0ba64a01b404c3606297479cb3613562198a933d6fb04045b717ca3b6465ccbbda1d30f62d02a50bf4c7c3c68f1703013ce547ba

              • C:\Users\Admin\Desktop\UnregisterPublish.vstx.hwcbxhw

                MD5

                03b48594dca790ac957f1c17be67969f

                SHA1

                103fb9d431d79aa40fa609102d8c911313344e9e

                SHA256

                4ff93da8ea930f8aa3d93308abbd986622408caf56d6d561c6184e5da548142b

                SHA512

                4a0ee640d43e058e814994434f4032f7abc2ca0d3126a0a38982a848b818886174daa0a229c89d7927fdc6c6b6d07c18d0ddd20cdf3e784f81cdf347c2216870

              • C:\Users\Admin\Desktop\WaitTest.crw.hwcbxhw

                MD5

                43b9a4e9265696010cc9bd96c83ce9ac

                SHA1

                45e5949752c783ead18f75a1f0be36c6a23ff41d

                SHA256

                e96c1dfd21df112ba8af26a24793f77d025ebfaeef371b5f9702d3c8b3f9e3bc

                SHA512

                dc2ef4f889016c070b2bd11cf52c36180bea8b533fca6197ecbd9e01c161f666e20a8be5d440632b89b15d53004f0edb11d036e9ec1ffbc403b4c821fac5896f

              • C:\Users\Admin\Desktop\readme.txt

                MD5

                5f4e29a9397960421bea4c88823ccd5e

                SHA1

                9e0061ac1c91a9f69f77da45ea98060668f02c05

                SHA256

                4308a9e1a74eeec11d6230c45fd67d05ab59f2b53555db6c33ce61ff21461ba4

                SHA512

                6a10126fbd66eb7cf4daeed4f4cd2c31b60edd51c544aee6a17781a748a1f9655e4949e7ec2fff4016006dc7b3acfde558cee719cb3de59f02896f7a83c08638

              • C:\Users\Public\readme.txt

                MD5

                5f4e29a9397960421bea4c88823ccd5e

                SHA1

                9e0061ac1c91a9f69f77da45ea98060668f02c05

                SHA256

                4308a9e1a74eeec11d6230c45fd67d05ab59f2b53555db6c33ce61ff21461ba4

                SHA512

                6a10126fbd66eb7cf4daeed4f4cd2c31b60edd51c544aee6a17781a748a1f9655e4949e7ec2fff4016006dc7b3acfde558cee719cb3de59f02896f7a83c08638

              • memory/672-127-0x0000000000000000-mapping.dmp

              • memory/960-142-0x0000000000000000-mapping.dmp

              • memory/984-128-0x0000000000000000-mapping.dmp

              • memory/1076-150-0x0000000000000000-mapping.dmp

              • memory/1120-107-0x0000000001BC0000-0x0000000001BC4000-memory.dmp

                Filesize

                16KB

              • memory/1156-145-0x0000000000000000-mapping.dmp

              • memory/1160-143-0x0000000000000000-mapping.dmp

              • memory/1176-144-0x0000000000000000-mapping.dmp

              • memory/1460-147-0x0000000000000000-mapping.dmp

              • memory/1496-62-0x000007FEFC411000-0x000007FEFC413000-memory.dmp

                Filesize

                8KB

              • memory/1496-61-0x0000000000000000-mapping.dmp

              • memory/1596-149-0x0000000000000000-mapping.dmp

              • memory/2008-67-0x0000000000210000-0x0000000000211000-memory.dmp

                Filesize

                4KB

              • memory/2008-96-0x0000000001D20000-0x0000000001D21000-memory.dmp

                Filesize

                4KB

              • memory/2008-65-0x00000000001F0000-0x00000000001F1000-memory.dmp

                Filesize

                4KB

              • memory/2008-66-0x0000000000200000-0x0000000000201000-memory.dmp

                Filesize

                4KB

              • memory/2008-60-0x0000000000020000-0x0000000000025000-memory.dmp

                Filesize

                20KB

              • memory/2008-90-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

                Filesize

                4KB

              • memory/2008-91-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

                Filesize

                4KB

              • memory/2008-92-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

                Filesize

                4KB

              • memory/2008-94-0x0000000001D00000-0x0000000001D01000-memory.dmp

                Filesize

                4KB

              • memory/2008-95-0x0000000001D10000-0x0000000001D11000-memory.dmp

                Filesize

                4KB

              • memory/2008-97-0x0000000001D30000-0x0000000001D31000-memory.dmp

                Filesize

                4KB

              • memory/2008-64-0x00000000001E0000-0x00000000001E1000-memory.dmp

                Filesize

                4KB

              • memory/2044-148-0x0000000000000000-mapping.dmp

              • memory/2128-151-0x0000000000000000-mapping.dmp

              • memory/2152-153-0x0000000000000000-mapping.dmp

              • memory/2152-155-0x00000000765F1000-0x00000000765F3000-memory.dmp

                Filesize

                8KB

              • memory/2164-154-0x0000000000000000-mapping.dmp

              • memory/2188-156-0x0000000000000000-mapping.dmp

              • memory/2204-158-0x0000000000000000-mapping.dmp

              • memory/2424-161-0x0000000000000000-mapping.dmp

              • memory/2436-162-0x0000000000000000-mapping.dmp

              • memory/2448-163-0x0000000000000000-mapping.dmp

              • memory/2460-164-0x0000000000000000-mapping.dmp