magniber | d7ac1232f9860102bc977ecf949543f83f3d651d7a1e55af3c1d0bacddf68a2f

Analysis

max time kernel
226s
max time network
203s
platform
windows11_x64
resource
win11
submitted
27-08-2021 11:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

tempa.dll
Size

38KB
MD5

b90ea37466ff51b92394c61642360f27
SHA1

1137d8f12c1f1c1a4cb16b5f36a6e297b53d969c
SHA256

d7ac1232f9860102bc977ecf949543f83f3d651d7a1e55af3c1d0bacddf68a2f
SHA512

ade05a09a533c08be307303abe5fcff2fe62b23b73da1b1e1b0d9c83c8d4a93a250fc4500264f2dc7357a4c51633ed7548ec23c57a689f2045086f7de3874220

Score

10^/10

magniber ransomware

Malware Config

Extracted

Path

C:\Users\Admin\Documents\readme.txt

Family

magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://16145618bc1492a06ahvbluctpp.7cdpfkmp6tm2t7ce6m7fdldv4eor5jxotxj6v23djv73mwfstpq3ebad.onion/hvbluctpp Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://16145618bc1492a06ahvbluctpp.burybig.xyz/hvbluctpp http://16145618bc1492a06ahvbluctpp.centone.top/hvbluctpp http://16145618bc1492a06ahvbluctpp.joyfits.site/hvbluctpp http://16145618bc1492a06ahvbluctpp.dumpour.space/hvbluctpp Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://16145618bc1492a06ahvbluctpp.7cdpfkmp6tm2t7ce6m7fdldv4eor5jxotxj6v23djv73mwfstpq3ebad.onion/hvbluctpp

http://16145618bc1492a06ahvbluctpp.burybig.xyz/hvbluctpp

http://16145618bc1492a06ahvbluctpp.centone.top/hvbluctpp

http://16145618bc1492a06ahvbluctpp.joyfits.site/hvbluctpp

http://16145618bc1492a06ahvbluctpp.dumpour.space/hvbluctpp

Signatures

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Process spawned unexpected child process 5 IoCs

This typically indicates the parent process was compromised via an exploit or macro.

description	pid	pid_target	Process	procid_target
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2540	4788	cmd.exe	12
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2432	4788	vssadmin.exe	12
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	2460	4788	cmd.exe	12
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	1164	4788	vssadmin.exe	12
Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process	620	4788	vssadmin.exe	12

Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1107

Inhibit System Recovery
T1490

Interacts with shadow copies 2 TTPs 3 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1107

Inhibit System Recovery

T1490

pid	Process
2432	vssadmin.exe
1164	vssadmin.exe
620	vssadmin.exe

Modifies data under HKEY_USERS 43 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\SmartCardRoot\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\Connections	svchost.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA\CTLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust\CRLs	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust\Certificates	sihclient.exe
Key created	\REGISTRY\USER\S-1-5-19\Software\Classes\Local Settings\MuiCache\7\52C64B7E	svchost.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\Disallowed	sihclient.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs	sihclient.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "regsvr32.exe scrobj.dll /s /u /n /i:C:\\Users\\Public\\readme.txt"	rundll32.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\DelegateExecute = "0"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-257790753-2419383948-818201544-1000_Classes\ms-settings\shell\open	rundll32.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4548	rundll32.exe
4548	rundll32.exe

Suspicious behavior: MapViewOfSection 14 IoCs

pid	Process
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe
4548	rundll32.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3108	wmic.exe
Token: SeSecurityPrivilege	3108	wmic.exe
Token: SeTakeOwnershipPrivilege	3108	wmic.exe
Token: SeLoadDriverPrivilege	3108	wmic.exe
Token: SeSystemProfilePrivilege	3108	wmic.exe
Token: SeSystemtimePrivilege	3108	wmic.exe
Token: SeProfSingleProcessPrivilege	3108	wmic.exe
Token: SeIncBasePriorityPrivilege	3108	wmic.exe
Token: SeCreatePagefilePrivilege	3108	wmic.exe
Token: SeBackupPrivilege	3108	wmic.exe
Token: SeRestorePrivilege	3108	wmic.exe
Token: SeShutdownPrivilege	3108	wmic.exe
Token: SeDebugPrivilege	3108	wmic.exe
Token: SeSystemEnvironmentPrivilege	3108	wmic.exe
Token: SeRemoteShutdownPrivilege	3108	wmic.exe
Token: SeUndockPrivilege	3108	wmic.exe
Token: SeManageVolumePrivilege	3108	wmic.exe
Token: 33	3108	wmic.exe
Token: 34	3108	wmic.exe
Token: 35	3108	wmic.exe
Token: 36	3108	wmic.exe
Token: SeIncreaseQuotaPrivilege	1656	WMIC.exe
Token: SeSecurityPrivilege	1656	WMIC.exe
Token: SeTakeOwnershipPrivilege	1656	WMIC.exe
Token: SeLoadDriverPrivilege	1656	WMIC.exe
Token: SeSystemProfilePrivilege	1656	WMIC.exe
Token: SeSystemtimePrivilege	1656	WMIC.exe
Token: SeProfSingleProcessPrivilege	1656	WMIC.exe
Token: SeIncBasePriorityPrivilege	1656	WMIC.exe
Token: SeCreatePagefilePrivilege	1656	WMIC.exe
Token: SeBackupPrivilege	1656	WMIC.exe
Token: SeRestorePrivilege	1656	WMIC.exe
Token: SeShutdownPrivilege	1656	WMIC.exe
Token: SeDebugPrivilege	1656	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1656	WMIC.exe
Token: SeRemoteShutdownPrivilege	1656	WMIC.exe
Token: SeUndockPrivilege	1656	WMIC.exe
Token: SeManageVolumePrivilege	1656	WMIC.exe
Token: 33	1656	WMIC.exe
Token: 34	1656	WMIC.exe
Token: 35	1656	WMIC.exe
Token: 36	1656	WMIC.exe
Token: SeIncreaseQuotaPrivilege	1696	WMIC.exe
Token: SeSecurityPrivilege	1696	WMIC.exe
Token: SeTakeOwnershipPrivilege	1696	WMIC.exe
Token: SeLoadDriverPrivilege	1696	WMIC.exe
Token: SeSystemProfilePrivilege	1696	WMIC.exe
Token: SeSystemtimePrivilege	1696	WMIC.exe
Token: SeProfSingleProcessPrivilege	1696	WMIC.exe
Token: SeIncBasePriorityPrivilege	1696	WMIC.exe
Token: SeCreatePagefilePrivilege	1696	WMIC.exe
Token: SeBackupPrivilege	1696	WMIC.exe
Token: SeRestorePrivilege	1696	WMIC.exe
Token: SeShutdownPrivilege	1696	WMIC.exe
Token: SeDebugPrivilege	1696	WMIC.exe
Token: SeSystemEnvironmentPrivilege	1696	WMIC.exe
Token: SeRemoteShutdownPrivilege	1696	WMIC.exe
Token: SeUndockPrivilege	1696	WMIC.exe
Token: SeManageVolumePrivilege	1696	WMIC.exe
Token: 33	1696	WMIC.exe
Token: 34	1696	WMIC.exe
Token: 35	1696	WMIC.exe
Token: 36	1696	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3108	wmic.exe

Suspicious use of WriteProcessMemory 18 IoCs

description	pid	Process	procid_target
PID 4548 wrote to memory of 3108	4548	rundll32.exe	91
PID 4548 wrote to memory of 3108	4548	rundll32.exe	91
PID 4548 wrote to memory of 1016	4548	rundll32.exe	93
PID 4548 wrote to memory of 1016	4548	rundll32.exe	93
PID 4548 wrote to memory of 468	4548	rundll32.exe	94
PID 4548 wrote to memory of 468	4548	rundll32.exe	94
PID 1016 wrote to memory of 1656	1016	cmd.exe	98
PID 1016 wrote to memory of 1656	1016	cmd.exe	98
PID 468 wrote to memory of 1696	468	cmd.exe	97
PID 468 wrote to memory of 1696	468	cmd.exe	97
PID 2460 wrote to memory of 2928	2460	cmd.exe	105
PID 2460 wrote to memory of 2928	2460	cmd.exe	105
PID 2540 wrote to memory of 1284	2540	cmd.exe	107
PID 2540 wrote to memory of 1284	2540	cmd.exe	107
PID 2928 wrote to memory of 3888	2928	ComputerDefaults.exe	109
PID 2928 wrote to memory of 3888	2928	ComputerDefaults.exe	109
PID 1284 wrote to memory of 3420	1284	ComputerDefaults.exe	110
PID 1284 wrote to memory of 3420	1284	ComputerDefaults.exe	110

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\tempa.dll,#1
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
PID:4548
- C:\Windows\system32\wbem\wmic.exe
  C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  - Suspicious use of AdjustPrivilegeToken
  PID:3108
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1016
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1656
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:468
- - C:\Windows\system32\wbem\WMIC.exe
    C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1696

C:\Windows\System32\sihclient.exe
C:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.2
1⤵
- Modifies data under HKEY_USERS
PID:3400

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2540
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1284
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3420

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:2432

C:\Windows\system32\cmd.exe
cmd /c computerdefaults.exe
1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
PID:2460
- C:\Windows\system32\ComputerDefaults.exe
  computerdefaults.exe
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2928
- - C:\Windows\system32\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
    3⤵
    PID:3888

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:1164

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
PID:620

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
1⤵
- Modifies data under HKEY_USERS
PID:1480

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
1⤵
PID:1656

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

File Deletion

T1107

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1480-173-0x00000206E4D40000-0x00000206E4D44000-memory.dmp

Filesize
16KB

Download
memory/1480-172-0x00000206E4FC0000-0x00000206E4FC1000-memory.dmp

Filesize
4KB

Download
memory/1480-171-0x00000206E6000000-0x00000206E6004000-memory.dmp

Filesize
16KB

Download
memory/1480-170-0x00000206E4D10000-0x00000206E4D14000-memory.dmp

Filesize
16KB

Download
memory/1480-169-0x00000206E2710000-0x00000206E2720000-memory.dmp

Filesize
64KB

Download
memory/1480-168-0x00000206E2690000-0x00000206E26A0000-memory.dmp

Filesize
64KB

Download
memory/1480-174-0x00000206E4D30000-0x00000206E4D31000-memory.dmp

Filesize
4KB

Download
memory/1480-175-0x00000206E4D30000-0x00000206E4D34000-memory.dmp

Filesize
16KB

Download
memory/1480-176-0x00000206E4C10000-0x00000206E4C11000-memory.dmp

Filesize
4KB

Download
memory/4548-154-0x000001C1E9020000-0x000001C1E9021000-memory.dmp

Filesize
4KB

Download
memory/4548-165-0x000001C1EE680000-0x000001C1EE681000-memory.dmp

Filesize
4KB

Download
memory/4548-156-0x000001C1ECB60000-0x000001C1ECB61000-memory.dmp

Filesize
4KB

Download
memory/4548-146-0x000001C1E86D0000-0x000001C1E8FD4000-memory.dmp

Filesize
9.0MB

Download
memory/4548-155-0x000001C1E9030000-0x000001C1E9031000-memory.dmp

Filesize
4KB

Download
memory/4548-157-0x000001C1ECB70000-0x000001C1ECB75000-memory.dmp

Filesize
20KB

Download
memory/4548-153-0x000001C1E9000000-0x000001C1E9001000-memory.dmp

Filesize
4KB

Download
memory/4548-152-0x000001C1E85B0000-0x000001C1E85B1000-memory.dmp

Filesize
4KB

Download
memory/4548-151-0x000001C1E85A0000-0x000001C1E85A1000-memory.dmp

Filesize
4KB

Download
memory/4548-150-0x000001C1E8590000-0x000001C1E8591000-memory.dmp

Filesize
4KB

Download
memory/4548-148-0x000001C1E8570000-0x000001C1E8571000-memory.dmp

Filesize
4KB

Download
memory/4548-149-0x000001C1E8580000-0x000001C1E8581000-memory.dmp

Filesize
4KB

Download
memory/4548-147-0x000001C1E8560000-0x000001C1E8561000-memory.dmp

Filesize
4KB

Download