Resubmissions

18-08-2021 21:12

210818-4y2nlxfp46 10

19-05-2021 11:54

210519-macc77ed1x 10

Analysis

  • max time kernel
    101s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-08-2021 21:12

General

  • Target

    3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe

  • Size

    22KB

  • MD5

    8cd81ae69ade058076263addc8dd3ebb

  • SHA1

    362eb81ecac33897d4dd2a3f175efaaf0fe2c2f5

  • SHA256

    3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3

  • SHA512

    6170bc3191b8d88043b5c7799c17338f4717af087fa4524141955d2e6cfb0cb468262bcc5c466fe39adfbc534796a79e06d84894ae9f7911b2353460580dac21

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://2834c0381ed008e06qwfekni.n5fnrf4l7bdjhelx.onion/qwfekni Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://2834c0381ed008e06qwfekni.perages.cyou/qwfekni http://2834c0381ed008e06qwfekni.aimdrop.fit/qwfekni http://2834c0381ed008e06qwfekni.soblack.xyz/qwfekni http://2834c0381ed008e06qwfekni.sixsees.club/qwfekni Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://2834c0381ed008e06qwfekni.n5fnrf4l7bdjhelx.onion/qwfekni

http://2834c0381ed008e06qwfekni.perages.cyou/qwfekni

http://2834c0381ed008e06qwfekni.aimdrop.fit/qwfekni

http://2834c0381ed008e06qwfekni.soblack.xyz/qwfekni

http://2834c0381ed008e06qwfekni.sixsees.club/qwfekni

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 4 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1260
    • C:\Users\Admin\AppData\Local\Temp\3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe
      "C:\Users\Admin\AppData\Local\Temp\3ad0af44a4269c0121eeb19cee197a90b4a7e862b5ce04eab6aafc021dd6e7a3.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:2024
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1628
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
            PID:1680
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
          PID:520
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:772
      • C:\Windows\system32\Dwm.exe
        "C:\Windows\system32\Dwm.exe"
        1⤵
        • Modifies extensions of user files
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\system32\notepad.exe
          notepad.exe C:\Users\Public\readme.txt
          2⤵
          • Opens file in notepad (likely ransom note)
          PID:1968
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1784
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
            • Suspicious use of AdjustPrivilegeToken
            PID:1580
        • C:\Windows\system32\cmd.exe
          cmd /c "start http://2834c0381ed008e06qwfekni.perages.cyou/qwfekni^&1^&39803775^&70^&347^&12"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1836
          • C:\Program Files\Internet Explorer\iexplore.exe
            "C:\Program Files\Internet Explorer\iexplore.exe" http://2834c0381ed008e06qwfekni.perages.cyou/qwfekni&1&39803775&70&347&12
            3⤵
            • Modifies Internet Explorer settings
            • Suspicious use of FindShellTrayWindow
            • Suspicious use of SetWindowsHookEx
            • Suspicious use of WriteProcessMemory
            PID:1616
            • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
              "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1616 CREDAT:275457 /prefetch:2
              4⤵
              • Modifies Internet Explorer settings
              • Suspicious use of SetWindowsHookEx
              PID:1772
      • C:\Windows\system32\taskhost.exe
        "taskhost.exe"
        1⤵
        • Modifies registry class
        • Suspicious use of WriteProcessMemory
        PID:1124
        • C:\Windows\system32\cmd.exe
          cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1624
          • C:\Windows\system32\wbem\WMIC.exe
            C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
            3⤵
              PID:636
        • C:\Windows\system32\cmd.exe
          cmd /c CompMgmtLauncher.exe
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:1300
          • C:\Windows\system32\CompMgmtLauncher.exe
            CompMgmtLauncher.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2008
            • C:\Windows\system32\wbem\wmic.exe
              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:820
          • C:\Windows\system32\cmd.exe
            cmd /c CompMgmtLauncher.exe
            1⤵
            • Process spawned unexpected child process
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:2024
            • C:\Windows\system32\CompMgmtLauncher.exe
              CompMgmtLauncher.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1548
              • C:\Windows\system32\wbem\wmic.exe
                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                3⤵
                  PID:684
            • C:\Windows\system32\cmd.exe
              cmd /c CompMgmtLauncher.exe
              1⤵
              • Process spawned unexpected child process
              • Suspicious use of WriteProcessMemory
              PID:784
              • C:\Windows\system32\CompMgmtLauncher.exe
                CompMgmtLauncher.exe
                2⤵
                  PID:1652
                  • C:\Windows\system32\wbem\wmic.exe
                    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                    3⤵
                      PID:1676
                • C:\Windows\system32\cmd.exe
                  cmd /c CompMgmtLauncher.exe
                  1⤵
                  • Process spawned unexpected child process
                  • Suspicious use of WriteProcessMemory
                  PID:304
                  • C:\Windows\system32\CompMgmtLauncher.exe
                    CompMgmtLauncher.exe
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1668
                    • C:\Windows\system32\wbem\wmic.exe
                      "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:520
                • C:\Windows\system32\conhost.exe
                  \??\C:\Windows\system32\conhost.exe "-800035401159936499210739613732136189843-11730882861985560618-457655950876638901"
                  1⤵
                  • Suspicious use of AdjustPrivilegeToken
                  PID:636
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  • Suspicious use of WriteProcessMemory
                  PID:2024
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  PID:1816
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  PID:1100
                • C:\Windows\system32\vssadmin.exe
                  vssadmin.exe Delete Shadows /all /quiet
                  1⤵
                  • Process spawned unexpected child process
                  • Interacts with shadow copies
                  PID:1888
                • C:\Windows\system32\sppsvc.exe
                  C:\Windows\system32\sppsvc.exe
                  1⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1652
                • C:\Windows\system32\vssvc.exe
                  C:\Windows\system32\vssvc.exe
                  1⤵
                    PID:1484

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/1224-74-0x00000000002A0000-0x00000000002A4000-memory.dmp

                    Filesize

                    16KB

                  • memory/1260-60-0x0000000002650000-0x0000000002660000-memory.dmp

                    Filesize

                    64KB

                  • memory/1968-75-0x000007FEFB571000-0x000007FEFB573000-memory.dmp

                    Filesize

                    8KB

                  • memory/2024-70-0x0000000001FD0000-0x0000000001FD1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-66-0x0000000001F80000-0x0000000001F81000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-96-0x0000000002290000-0x0000000002291000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-65-0x0000000000120000-0x0000000000121000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-67-0x0000000001F90000-0x0000000001F91000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-73-0x0000000002000000-0x0000000002001000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-72-0x0000000001FF0000-0x0000000001FF1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-62-0x00000000000F0000-0x00000000000F1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-71-0x0000000001FE0000-0x0000000001FE1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-64-0x0000000000110000-0x0000000000111000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-63-0x0000000000100000-0x0000000000101000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-68-0x0000000001FA0000-0x0000000001FA1000-memory.dmp

                    Filesize

                    4KB

                  • memory/2024-61-0x0000000000020000-0x0000000000025000-memory.dmp

                    Filesize

                    20KB