Analysis

  • max time kernel
    91s
  • max time network
    103s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    23-08-2021 15:41

General

  • Target

    3154ded31015965d68a48be47f904ef6.dll

  • Size

    21KB

  • MD5

    3154ded31015965d68a48be47f904ef6

  • SHA1

    914d15ee52a9822fe4138b51cfb713e7d37ed1b8

  • SHA256

    77d3b1cf6d5a0a07090cdb078dce6e3849465c9acde7e1ba66c3893fefc73d4b

  • SHA512

    2cec1fabb86263edb30da9e96c5331f3bfff9c707df588127f7daf45d8de87543b43e5f1472b845a6574d71afe26c386c6c954e29a9924d05ea6851c3f009ed1

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Documents\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://ce805680a61492a0aexocpbvek.xurvsjipiyubcsta.onion/xocpbvek Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://ce805680a61492a0aexocpbvek.loglook.club/xocpbvek http://ce805680a61492a0aexocpbvek.tankmy.space/xocpbvek http://ce805680a61492a0aexocpbvek.gorise.uno/xocpbvek http://ce805680a61492a0aexocpbvek.laygive.site/xocpbvek Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://ce805680a61492a0aexocpbvek.xurvsjipiyubcsta.onion/xocpbvek

http://ce805680a61492a0aexocpbvek.loglook.club/xocpbvek

http://ce805680a61492a0aexocpbvek.tankmy.space/xocpbvek

http://ce805680a61492a0aexocpbvek.gorise.uno/xocpbvek

http://ce805680a61492a0aexocpbvek.laygive.site/xocpbvek

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 4 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies data under HKEY_USERS 47 IoCs
  • Modifies registry class 7 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3154ded31015965d68a48be47f904ef6.dll,#1
    1⤵
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3920
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:4908
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4672
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3956
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3564
  • C:\Windows\system32\cmd.exe
    cmd /c computerdefaults.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:3868
    • C:\Windows\system32\ComputerDefaults.exe
      computerdefaults.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:448
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
          PID:3124
    • C:\Windows\system32\cmd.exe
      cmd /c computerdefaults.exe
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:4832
      • C:\Windows\system32\ComputerDefaults.exe
        computerdefaults.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3504
        • C:\Windows\system32\wbem\wmic.exe
          "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
          3⤵
            PID:480
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
        1⤵
        • Process spawned unexpected child process
        • Interacts with shadow copies
        PID:4712
      • C:\Windows\system32\vssadmin.exe
        vssadmin.exe Delete Shadows /all /quiet
        1⤵
        • Process spawned unexpected child process
        • Interacts with shadow copies
        PID:5052
      • C:\Windows\system32\vssvc.exe
        C:\Windows\system32\vssvc.exe
        1⤵
          PID:4612
        • C:\Windows\System32\svchost.exe
          C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
          1⤵
          • Modifies data under HKEY_USERS
          PID:4908
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
          1⤵
            PID:1180

          Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/448-163-0x0000000000000000-mapping.dmp

          • memory/480-165-0x0000000000000000-mapping.dmp

          • memory/3124-164-0x0000000000000000-mapping.dmp

          • memory/3504-162-0x0000000000000000-mapping.dmp

          • memory/3564-160-0x0000000000000000-mapping.dmp

          • memory/3920-161-0x000002156A1D0000-0x000002156A1D1000-memory.dmp

            Filesize

            4KB

          • memory/3920-155-0x00000215686B0000-0x00000215686B1000-memory.dmp

            Filesize

            4KB

          • memory/3920-153-0x0000021567DE0000-0x0000021567DE1000-memory.dmp

            Filesize

            4KB

          • memory/3920-152-0x0000021567DC0000-0x0000021567DC1000-memory.dmp

            Filesize

            4KB

          • memory/3920-150-0x0000021567D80000-0x0000021567D81000-memory.dmp

            Filesize

            4KB

          • memory/3920-149-0x0000021567D70000-0x0000021567D71000-memory.dmp

            Filesize

            4KB

          • memory/3920-147-0x00000215679B0000-0x00000215679B1000-memory.dmp

            Filesize

            4KB

          • memory/3920-148-0x0000021567D60000-0x0000021567D61000-memory.dmp

            Filesize

            4KB

          • memory/3920-156-0x00000215686C0000-0x00000215686C4000-memory.dmp

            Filesize

            16KB

          • memory/3920-151-0x0000021567D90000-0x0000021567D91000-memory.dmp

            Filesize

            4KB

          • memory/3920-146-0x00000215679A0000-0x00000215679A1000-memory.dmp

            Filesize

            4KB

          • memory/3920-154-0x0000021567DF0000-0x0000021567DF1000-memory.dmp

            Filesize

            4KB

          • memory/3956-158-0x0000000000000000-mapping.dmp

          • memory/4672-159-0x0000000000000000-mapping.dmp

          • memory/4908-157-0x0000000000000000-mapping.dmp

          • memory/4908-166-0x0000015E31860000-0x0000015E31870000-memory.dmp

            Filesize

            64KB

          • memory/4908-167-0x0000015E318E0000-0x0000015E318F0000-memory.dmp

            Filesize

            64KB

          • memory/4908-168-0x0000015E31BF0000-0x0000015E31BF4000-memory.dmp

            Filesize

            16KB