Analysis
-
max time kernel
91s -
max time network
103s -
platform
windows11_x64 -
resource
win11 -
submitted
23-08-2021 15:41
Static task
static1
Behavioral task
behavioral1
Sample
3154ded31015965d68a48be47f904ef6.dll
Resource
win7v20210410
Behavioral task
behavioral2
Sample
3154ded31015965d68a48be47f904ef6.dll
Resource
win11
Behavioral task
behavioral3
Sample
3154ded31015965d68a48be47f904ef6.dll
Resource
win10v20210408
General
-
Target
3154ded31015965d68a48be47f904ef6.dll
-
Size
21KB
-
MD5
3154ded31015965d68a48be47f904ef6
-
SHA1
914d15ee52a9822fe4138b51cfb713e7d37ed1b8
-
SHA256
77d3b1cf6d5a0a07090cdb078dce6e3849465c9acde7e1ba66c3893fefc73d4b
-
SHA512
2cec1fabb86263edb30da9e96c5331f3bfff9c707df588127f7daf45d8de87543b43e5f1472b845a6574d71afe26c386c6c954e29a9924d05ea6851c3f009ed1
Malware Config
Extracted
C:\Users\Admin\Documents\readme.txt
magniber
http://ce805680a61492a0aexocpbvek.xurvsjipiyubcsta.onion/xocpbvek
http://ce805680a61492a0aexocpbvek.loglook.club/xocpbvek
http://ce805680a61492a0aexocpbvek.tankmy.space/xocpbvek
http://ce805680a61492a0aexocpbvek.gorise.uno/xocpbvek
http://ce805680a61492a0aexocpbvek.laygive.site/xocpbvek
Signatures
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 4 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
Processes:
cmd.execmd.exevssadmin.exevssadmin.exedescription pid pid_target Process procid_target Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 3868 4848 cmd.exe 5 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4832 4848 cmd.exe 5 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 4712 4848 vssadmin.exe 5 Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process 5052 4848 vssadmin.exe 5 -
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Interacts with shadow copies 2 TTPs 2 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
Processes:
vssadmin.exevssadmin.exepid Process 4712 vssadmin.exe 5052 vssadmin.exe -
Modifies data under HKEY_USERS 47 IoCs
Processes:
svchost.exedescription ioc Process Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Disallowed\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Disallowed\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\CA\CTLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Root\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\trust svchost.exe Key created \REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Policies\Microsoft\SystemCertificates\Disallowed svchost.exe Key created \REGISTRY\USER\S-1-5-19\Software\Microsoft\SystemCertificates\SmartCardRoot svchost.exe -
Modifies registry class 7 IoCs
Processes:
rundll32.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\"" rundll32.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command rundll32.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings rundll32.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell rundll32.exe Key created \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open rundll32.exe Set value (str) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt" rundll32.exe Set value (int) \REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0" rundll32.exe -
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
rundll32.exepid Process 3920 rundll32.exe 3920 rundll32.exe -
Suspicious behavior: MapViewOfSection 12 IoCs
Processes:
rundll32.exepid Process 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe 3920 rundll32.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes:
WMIC.exeWMIC.exedescription pid Process Token: SeIncreaseQuotaPrivilege 4672 WMIC.exe Token: SeSecurityPrivilege 4672 WMIC.exe Token: SeTakeOwnershipPrivilege 4672 WMIC.exe Token: SeLoadDriverPrivilege 4672 WMIC.exe Token: SeSystemProfilePrivilege 4672 WMIC.exe Token: SeSystemtimePrivilege 4672 WMIC.exe Token: SeProfSingleProcessPrivilege 4672 WMIC.exe Token: SeIncBasePriorityPrivilege 4672 WMIC.exe Token: SeCreatePagefilePrivilege 4672 WMIC.exe Token: SeBackupPrivilege 4672 WMIC.exe Token: SeRestorePrivilege 4672 WMIC.exe Token: SeShutdownPrivilege 4672 WMIC.exe Token: SeDebugPrivilege 4672 WMIC.exe Token: SeSystemEnvironmentPrivilege 4672 WMIC.exe Token: SeRemoteShutdownPrivilege 4672 WMIC.exe Token: SeUndockPrivilege 4672 WMIC.exe Token: SeManageVolumePrivilege 4672 WMIC.exe Token: 33 4672 WMIC.exe Token: 34 4672 WMIC.exe Token: 35 4672 WMIC.exe Token: 36 4672 WMIC.exe Token: SeIncreaseQuotaPrivilege 3564 WMIC.exe Token: SeSecurityPrivilege 3564 WMIC.exe Token: SeTakeOwnershipPrivilege 3564 WMIC.exe Token: SeLoadDriverPrivilege 3564 WMIC.exe Token: SeSystemProfilePrivilege 3564 WMIC.exe Token: SeSystemtimePrivilege 3564 WMIC.exe Token: SeProfSingleProcessPrivilege 3564 WMIC.exe Token: SeIncBasePriorityPrivilege 3564 WMIC.exe Token: SeCreatePagefilePrivilege 3564 WMIC.exe Token: SeBackupPrivilege 3564 WMIC.exe Token: SeRestorePrivilege 3564 WMIC.exe Token: SeShutdownPrivilege 3564 WMIC.exe Token: SeDebugPrivilege 3564 WMIC.exe Token: SeSystemEnvironmentPrivilege 3564 WMIC.exe Token: SeRemoteShutdownPrivilege 3564 WMIC.exe Token: SeUndockPrivilege 3564 WMIC.exe Token: SeManageVolumePrivilege 3564 WMIC.exe Token: 33 3564 WMIC.exe Token: 34 3564 WMIC.exe Token: 35 3564 WMIC.exe Token: 36 3564 WMIC.exe Token: SeIncreaseQuotaPrivilege 4672 WMIC.exe Token: SeSecurityPrivilege 4672 WMIC.exe Token: SeTakeOwnershipPrivilege 4672 WMIC.exe Token: SeLoadDriverPrivilege 4672 WMIC.exe Token: SeSystemProfilePrivilege 4672 WMIC.exe Token: SeSystemtimePrivilege 4672 WMIC.exe Token: SeProfSingleProcessPrivilege 4672 WMIC.exe Token: SeIncBasePriorityPrivilege 4672 WMIC.exe Token: SeCreatePagefilePrivilege 4672 WMIC.exe Token: SeBackupPrivilege 4672 WMIC.exe Token: SeRestorePrivilege 4672 WMIC.exe Token: SeShutdownPrivilege 4672 WMIC.exe Token: SeDebugPrivilege 4672 WMIC.exe Token: SeSystemEnvironmentPrivilege 4672 WMIC.exe Token: SeRemoteShutdownPrivilege 4672 WMIC.exe Token: SeUndockPrivilege 4672 WMIC.exe Token: SeManageVolumePrivilege 4672 WMIC.exe Token: 33 4672 WMIC.exe Token: 34 4672 WMIC.exe Token: 35 4672 WMIC.exe Token: 36 4672 WMIC.exe Token: SeIncreaseQuotaPrivilege 3564 WMIC.exe -
Suspicious use of WriteProcessMemory 16 IoCs
Processes:
rundll32.execmd.execmd.execmd.execmd.exeComputerDefaults.exeComputerDefaults.exedescription pid Process procid_target PID 3920 wrote to memory of 4908 3920 rundll32.exe 77 PID 3920 wrote to memory of 4908 3920 rundll32.exe 77 PID 3920 wrote to memory of 3956 3920 rundll32.exe 80 PID 3920 wrote to memory of 3956 3920 rundll32.exe 80 PID 4908 wrote to memory of 4672 4908 cmd.exe 81 PID 4908 wrote to memory of 4672 4908 cmd.exe 81 PID 3956 wrote to memory of 3564 3956 cmd.exe 82 PID 3956 wrote to memory of 3564 3956 cmd.exe 82 PID 4832 wrote to memory of 3504 4832 cmd.exe 87 PID 4832 wrote to memory of 3504 4832 cmd.exe 87 PID 3868 wrote to memory of 448 3868 cmd.exe 88 PID 3868 wrote to memory of 448 3868 cmd.exe 88 PID 448 wrote to memory of 3124 448 ComputerDefaults.exe 90 PID 448 wrote to memory of 3124 448 ComputerDefaults.exe 90 PID 3504 wrote to memory of 480 3504 ComputerDefaults.exe 91 PID 3504 wrote to memory of 480 3504 ComputerDefaults.exe 91
Processes
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\3154ded31015965d68a48be47f904ef6.dll,#11⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:3920 -
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
PID:4908 -
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:4672
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
PID:3956 -
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
PID:3564
-
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:3868 -
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
- Suspicious use of WriteProcessMemory
PID:448 -
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵PID:3124
-
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:4832 -
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
- Suspicious use of WriteProcessMemory
PID:3504 -
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵PID:480
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:4712
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:5052
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵PID:4612
-
C:\Windows\System32\svchost.exeC:\Windows\System32\svchost.exe -k netsvcs -p -s BITS1⤵
- Modifies data under HKEY_USERS
PID:4908
-
C:\Windows\system32\svchost.exeC:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV1⤵PID:1180