Overview

overview

10

Static

static

3154ded310...f6.dll

windows7_x64

3154ded310...f6.dll

windows11_x64

10

3154ded310...f6.dll

windows10_x64

10

Analysis

  • max time kernel
    121s
  • max time network
    117s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    23-08-2021 15:41

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    3154ded31015965d68a48be47f904ef6.dll

  • Size

    21KB

  • MD5

    3154ded31015965d68a48be47f904ef6

  • SHA1

    914d15ee52a9822fe4138b51cfb713e7d37ed1b8

  • SHA256

    77d3b1cf6d5a0a07090cdb078dce6e3849465c9acde7e1ba66c3893fefc73d4b

  • SHA512

    2cec1fabb86263edb30da9e96c5331f3bfff9c707df588127f7daf45d8de87543b43e5f1472b845a6574d71afe26c386c6c954e29a9924d05ea6851c3f009ed1

Score
10/10
magniberransomware

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://80b40a8014b06a30fxocpbvek.xurvsjipiyubcsta.onion/xocpbvek Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://80b40a8014b06a30fxocpbvek.loglook.club/xocpbvek http://80b40a8014b06a30fxocpbvek.tankmy.space/xocpbvek http://80b40a8014b06a30fxocpbvek.gorise.uno/xocpbvek http://80b40a8014b06a30fxocpbvek.laygive.site/xocpbvek Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://80b40a8014b06a30fxocpbvek.xurvsjipiyubcsta.onion/xocpbvek

http://80b40a8014b06a30fxocpbvek.loglook.club/xocpbvek

http://80b40a8014b06a30fxocpbvek.tankmy.space/xocpbvek

http://80b40a8014b06a30fxocpbvek.gorise.uno/xocpbvek

http://80b40a8014b06a30fxocpbvek.laygive.site/xocpbvek

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 2 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies extensions of user files 8 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 9 IoCs
  • Drops file in Windows directory 1 IoCs
  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
    ransomware
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: MapViewOfSection 9 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 8 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 20 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3154ded31015965d68a48be47f904ef6.dll,#1
    1⤵
    • Modifies extensions of user files
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:3132
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:1744
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://80b40a8014b06a30fxocpbvek.loglook.club/xocpbvek^&1^&46497082^&84^&293^&2215063"
      2⤵
      • Checks computer location settings
      PID:3064
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2296
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1928
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3036
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:3668
  • C:\Windows\system32\cmd.exe
    cmd /c computerdefaults.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1328
    • C:\Windows\system32\ComputerDefaults.exe
      computerdefaults.exe
      2⤵
        PID:3772
    • C:\Windows\system32\cmd.exe
      cmd /c computerdefaults.exe
      1⤵
      • Process spawned unexpected child process
      • Suspicious use of WriteProcessMemory
      PID:1264
      • C:\Windows\system32\ComputerDefaults.exe
        computerdefaults.exe
        2⤵
          PID:2388
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
        1⤵
        • Drops file in Windows directory
        • Modifies Internet Explorer settings
        • Modifies registry class
        • Suspicious use of SetWindowsHookEx
        PID:364
      • C:\Windows\system32\browser_broker.exe
        C:\Windows\system32\browser_broker.exe -Embedding
        1⤵
        • Modifies Internet Explorer settings
        PID:2096
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        • Suspicious behavior: MapViewOfSection
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4232
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies Internet Explorer settings
        • Modifies registry class
        PID:4300
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:4624
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:4800
      • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
        "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
        1⤵
        • Modifies registry class
        PID:4888

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Local\Packages\microsoft.microsoftedge_8wekyb3d8bbwe\AC\MicrosoftEdge\Cache\17MZNV88\favicon[1].ico
        MD5

        8a80554c91d9fca8acb82f023de02f11

        SHA1

        5f36b2ea290645ee34d943220a14b54ee5ea5be5

        SHA256

        ca3d163bab055381827226140568f3bef7eaac187cebd76878e0b63e9e442356

        SHA512

        ca4b6defb8adcc010050bc8b1bb8f8092c4928b8a0fba32146abcfb256e4d91672f88ca2cdf6210e754e5b8ac5e23fb023806ccd749ac8b701f79a691f03c87a

        Download Submit

      • C:\Users\Public\readme.txt
        MD5

        fc6f238c319b9eec209f0435f9e99811

        SHA1

        0bd0a1a602e79164f8ecbcd3032aa9e469ee9531

        SHA256

        9f1260aac7aa6a4ff76d011e5b7862f5a7bd59e3c490a69d182a6f9fc40c48f7

        SHA512

        6ceb2a0a74734a1e21678d329b455e69b60eda54b79f76ecc516d6e408532dd5fc7ee94e810b1aa6dc1dffcc0b7d7065c1cb2e8367ba4ad065728768f0f7bd77

        Download Submit

      • memory/1744-127-0x0000000000000000-mapping.dmp

        Download

      • memory/1928-133-0x0000000000000000-mapping.dmp

        Download

      • memory/2296-130-0x0000000000000000-mapping.dmp

        Download

      • memory/2388-135-0x0000000000000000-mapping.dmp

        Download

      • memory/3036-131-0x0000000000000000-mapping.dmp

        Download

      • memory/3064-129-0x0000000000000000-mapping.dmp

        Download

      • memory/3132-117-0x0000020C6C9E0000-0x0000020C6C9E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-116-0x0000020C6C9D0000-0x0000020C6C9D1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-124-0x0000020C6CA70000-0x0000020C6CA71000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-125-0x0000020C6D170000-0x0000020C6D171000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-126-0x0000020C6D180000-0x0000020C6D184000-memory.dmp

        Filesize

        16KB

        Download

      • memory/3132-119-0x0000020C6CA00000-0x0000020C6CA01000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-118-0x0000020C6C9F0000-0x0000020C6C9F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-122-0x0000020C6CA50000-0x0000020C6CA51000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-120-0x0000020C6CA10000-0x0000020C6CA11000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-121-0x0000020C6CA40000-0x0000020C6CA41000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-115-0x0000020C6C5F0000-0x0000020C6C5F1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-123-0x0000020C6CA60000-0x0000020C6CA61000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-134-0x0000020C6ECA0000-0x0000020C6ECA1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3132-114-0x0000020C6C5E0000-0x0000020C6C5E1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3668-132-0x0000000000000000-mapping.dmp

        Download

      • memory/3764-137-0x00000206B9D40000-0x00000206B9D48000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3764-140-0x00000206B9BF0000-0x00000206B9BF8000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3764-141-0x00000206B9AE0000-0x00000206B9AE1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3764-142-0x00000206B9F40000-0x00000206B9F48000-memory.dmp

        Filesize

        32KB

        Download

      • memory/3764-143-0x00000206B9BB0000-0x00000206B9BB1000-memory.dmp

        Filesize

        4KB

        Download

      • memory/3772-136-0x0000000000000000-mapping.dmp

        Download