General
-
Target
tempa.dll
-
Size
38KB
-
Sample
210827-x9wkjeszz2
-
MD5
b90ea37466ff51b92394c61642360f27
-
SHA1
1137d8f12c1f1c1a4cb16b5f36a6e297b53d969c
-
SHA256
d7ac1232f9860102bc977ecf949543f83f3d651d7a1e55af3c1d0bacddf68a2f
-
SHA512
ade05a09a533c08be307303abe5fcff2fe62b23b73da1b1e1b0d9c83c8d4a93a250fc4500264f2dc7357a4c51633ed7548ec23c57a689f2045086f7de3874220
Static task
static1
Behavioral task
behavioral1
Sample
tempa.dll
Resource
win7v20210408
Behavioral task
behavioral2
Sample
tempa.dll
Resource
win11
Behavioral task
behavioral3
Sample
tempa.dll
Resource
win10v20210408
Malware Config
Extracted
C:\Users\Admin\Documents\readme.txt
magniber
http://16145618bc1492a06ahvbluctpp.7cdpfkmp6tm2t7ce6m7fdldv4eor5jxotxj6v23djv73mwfstpq3ebad.onion/hvbluctpp
http://16145618bc1492a06ahvbluctpp.burybig.xyz/hvbluctpp
http://16145618bc1492a06ahvbluctpp.centone.top/hvbluctpp
http://16145618bc1492a06ahvbluctpp.joyfits.site/hvbluctpp
http://16145618bc1492a06ahvbluctpp.dumpour.space/hvbluctpp
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://1e44620834ec44d02ehvbluctpp.7cdpfkmp6tm2t7ce6m7fdldv4eor5jxotxj6v23djv73mwfstpq3ebad.onion/hvbluctpp
http://1e44620834ec44d02ehvbluctpp.burybig.xyz/hvbluctpp
http://1e44620834ec44d02ehvbluctpp.centone.top/hvbluctpp
http://1e44620834ec44d02ehvbluctpp.joyfits.site/hvbluctpp
http://1e44620834ec44d02ehvbluctpp.dumpour.space/hvbluctpp
Targets
-
-
Target
tempa.dll
-
Size
38KB
-
MD5
b90ea37466ff51b92394c61642360f27
-
SHA1
1137d8f12c1f1c1a4cb16b5f36a6e297b53d969c
-
SHA256
d7ac1232f9860102bc977ecf949543f83f3d651d7a1e55af3c1d0bacddf68a2f
-
SHA512
ade05a09a533c08be307303abe5fcff2fe62b23b73da1b1e1b0d9c83c8d4a93a250fc4500264f2dc7357a4c51633ed7548ec23c57a689f2045086f7de3874220
Score10/10-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Suspicious use of SetThreadContext
-