General
-
Target
dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
-
Size
38KB
-
Sample
210929-gzgtzsdgb9
-
MD5
57cc3140477c915e6202e6b1d2f8bb7e
-
SHA1
69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0
-
SHA256
dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
-
SHA512
47a0854b4640ba0d8ff69695a0f799af56362a801752a00ada96d1d876ab3f396d81be3ee511b36b2889f213656f2b126ea51077ca6e75cd630810dd20b6a91e
Static task
static1
Behavioral task
behavioral1
Sample
dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204.dll
Resource
win7-en-20210920
Behavioral task
behavioral2
Sample
dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204.dll
Resource
win10v20210408
Malware Config
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://1230cad8425cf070bddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy
http://1230cad8425cf070bddihwvy.outwest.top/ddihwvy
http://1230cad8425cf070bddihwvy.coldsum.space/ddihwvy
http://1230cad8425cf070bddihwvy.datesat.site/ddihwvy
http://1230cad8425cf070bddihwvy.outplea.xyz/ddihwvy
Extracted
C:\Users\Admin\Desktop\readme.txt
magniber
http://de9cac1062ec44d0f6ddihwvy.ypajgycpauisibmmq6en2xd6z6doiiwxitzhwbu2zmxfxwjcumvirbad.onion/ddihwvy
http://de9cac1062ec44d0f6ddihwvy.outwest.top/ddihwvy
http://de9cac1062ec44d0f6ddihwvy.coldsum.space/ddihwvy
http://de9cac1062ec44d0f6ddihwvy.datesat.site/ddihwvy
http://de9cac1062ec44d0f6ddihwvy.outplea.xyz/ddihwvy
Targets
-
-
Target
dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
-
Size
38KB
-
MD5
57cc3140477c915e6202e6b1d2f8bb7e
-
SHA1
69201178ee3bf8bc5b9f8212bb412c7f7a3aa3c0
-
SHA256
dc7be5c75c746cd6e0660711d3fb8bc8753d760ece99c00f222fe21d9ddd4204
-
SHA512
47a0854b4640ba0d8ff69695a0f799af56362a801752a00ada96d1d876ab3f396d81be3ee511b36b2889f213656f2b126ea51077ca6e75cd630810dd20b6a91e
Score10/10-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process
This typically indicates the parent process was compromised via an exploit or macro.
-
Modifies extensions of user files
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of SetThreadContext
-