General

  • Target

    dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204

  • Size

    38KB

  • Sample

    210929-gzgtzsdgb9

  • MD5

    57cc3140477c915e6202e6b1d2f8bb7e

  • SHA1

    69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0

  • SHA256

    dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204

  • SHA512

    47a0854b4640ba0d8ff69695a0f799af56362a801752a00ada96d1d876ab3f396d81be3ee511b36b2889f213656f2b126ea51077ca6e75cd630810dd20b6a91e

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://1230cad8425cf070bddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://1230cad8425cf070bddihwvy.outwest.top/ddihwvy http://1230cad8425cf070bddihwvy.coldsum.space/ddihwvy http://1230cad8425cf070bddihwvy.datesat.site/ddihwvy http://1230cad8425cf070bddihwvy.outplea.xyz/ddihwvy Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://1230cad8425cf070bddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy

http://1230cad8425cf070bddihwvy.outwest.top/ddihwvy

http://1230cad8425cf070bddihwvy.coldsum.space/ddihwvy

http://1230cad8425cf070bddihwvy.datesat.site/ddihwvy

http://1230cad8425cf070bddihwvy.outplea.xyz/ddihwvy

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://de9cac1062ec44d0f6ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://de9cac1062ec44d0f6ddihwvy.outwest.top/ddihwvy http://de9cac1062ec44d0f6ddihwvy.coldsum.space/ddihwvy http://de9cac1062ec44d0f6ddihwvy.datesat.site/ddihwvy http://de9cac1062ec44d0f6ddihwvy.outplea.xyz/ddihwvy Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://de9cac1062ec44d0f6ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.outwest.top/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.coldsum.space/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.datesat.site/ddihwvy

http://de9cac1062ec44d0f6ddihwvy.outplea.xyz/ddihwvy

Targets

    • Target

      dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204

    • Size

      38KB

    • MD5

      57cc3140477c915e6202e6b1d2f8bb7e

    • SHA1

      69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0

    • SHA256

      dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204

    • SHA512

      47a0854b4640ba0d8ff69695a0f799af56362a801752a00ada96d1d876ab3f396d81be3ee511b36b2889f213656f2b126ea51077ca6e75cd630810dd20b6a91e

    Score
    10/10
    • Magniber Ransomware

      Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    • Process spawned unexpected child process

      This typically indicates the parent process was compromised via an exploit or macro.

    • Deletes shadow copies

      Ransomware often targets backup files to inhibit system recovery.

    • Modifies extensions of user files

      Ransomware generally changes the extension on encrypted files.

    • Suspicious use of SetThreadContext

MITRE ATT&CK Enterprise v6

Tasks