Overview

overview

10

Static

static

Magniber14.msi

windows7_x64

7

Magniber14.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27/06/2022, 14:11 UTC

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Magniber14.msi

  • Size

    11.4MB

  • MD5

    578dcc9ab0d231ad315da3c568dd974a

  • SHA1

    e690c686e225abbde34dbe4ff0e41bb2c93f3b53

  • SHA256

    64a3d5a2d4e801efc34f17d2f32aaea3126b7f2dd9c3def16ebaa7a45486596b

  • SHA512

    8a5e9476a25f4513ea047cb98a383c6b6208efa479841557eadc3fb037b024b6da40f4a18068f618a3a412bb8408b78870c26b530e95b749e3ceac84a2163bc2

Score
10/10
magniberevasionransomware

Malware Config

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 20 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 5 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 5 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    PID:2388
    • C:\Windows\System32\cmd.exe
      /c fodhelper.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\System32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\system32\wscript.exe
          "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
          4⤵
            PID:1068
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
      • Modifies registry class
      PID:2416
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Windows\System32\fodhelper.exe
          fodhelper.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\system32\wscript.exe
            "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
            4⤵
              PID:3544
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
        • Modifies registry class
        PID:2644
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Modifies extensions of user files
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
        • C:\Windows\system32\msiexec.exe
          msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber14.msi
          2⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:3816
        • C:\Windows\System32\cmd.exe
          /c fodhelper.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Windows\System32\fodhelper.exe
            fodhelper.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3552
            • C:\Windows\system32\wscript.exe
              "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
              4⤵
                PID:3068
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
          1⤵
          • Modifies registry class
          PID:2976
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:3356
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3492
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:3256
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 3256 -s 988
                  2⤵
                  • Program crash
                  PID:2568
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:4020
                • C:\Windows\System32\cmd.exe
                  /c fodhelper.exe
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4540
                  • C:\Windows\System32\fodhelper.exe
                    fodhelper.exe
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2972
                    • C:\Windows\system32\wscript.exe
                      "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
                      4⤵
                        PID:1120
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                  • Modifies registry class
                  PID:3804
                  • C:\Windows\System32\cmd.exe
                    /c fodhelper.exe
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1820
                    • C:\Windows\System32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2564
                      • C:\Windows\system32\wscript.exe
                        "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
                        4⤵
                          PID:5004
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:3572
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Enumerates connected drives
                      • Drops file in Windows directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3452
                      • C:\Windows\system32\srtasks.exe
                        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                        2⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4008
                      • C:\Windows\System32\MsiExec.exe
                        C:\Windows\System32\MsiExec.exe -Embedding E0A5418A245D8379F108A9193A2A88A2
                        2⤵
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:408
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Checks SCSI registry key(s)
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5012
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -pss -s 408 -p 3256 -ip 3256
                      1⤵
                        PID:1832
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} bootstatuspolicy ignoreallfailures
                        1⤵
                        • Process spawned unexpected child process
                        • Modifies boot configuration data using bcdedit
                        PID:5088
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} recoveryenabled no
                        1⤵
                        • Process spawned unexpected child process
                        • Modifies boot configuration data using bcdedit
                        PID:5056
                      • C:\Windows\system32\wbadmin.exe
                        wbadmin delete catalog -quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Deletes backup catalog
                        PID:8
                      • C:\Windows\system32\wbadmin.exe
                        wbadmin delete systemstatebackup -quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Deletes System State backups
                        • Drops file in Windows directory
                        PID:3096
                      • C:\Windows\system32\wbengine.exe
                        "C:\Windows\system32\wbengine.exe"
                        1⤵
                          PID:4032
                        • C:\Windows\System32\vdsldr.exe
                          C:\Windows\System32\vdsldr.exe -Embedding
                          1⤵
                            PID:3748
                          • C:\Windows\System32\vds.exe
                            C:\Windows\System32\vds.exe
                            1⤵
                            • Checks SCSI registry key(s)
                            PID:3980
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:1488
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:2476
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:1920
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2204
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:3856
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:4728
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:3256
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2068
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:3652
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:2592
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2084
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:1048
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:1556
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:2428
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2516
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:1152

                          Network

                          • flag-us
                            DNS
                            14.110.152.52.in-addr.arpa
                            Remote address:
                            8.8.8.8:53
                            Request
                            14.110.152.52.in-addr.arpa
                            IN PTR
                            Response
                          • 8.253.208.113:80
                            322 B
                             7
                          • 20.50.73.9:443
                            322 B
                             7
                          • 8.253.208.113:80
                            322 B
                             7
                          • 8.253.208.113:80
                            322 B
                             7
                          • 8.253.208.113:80
                            322 B
                             7
                          • 8.8.8.8:53
                            14.110.152.52.in-addr.arpa
                            dns
                            72 B
                             146 B
                             1
                            1

                            DNS Request

                            14.110.152.52.in-addr.arpa

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Windows\Installer\MSI1FB8.tmp
                            Filesize

                            99KB

                            MD5

                            6e2b8071887c4662bb95923b7c14acf7

                            SHA1

                            3e186c237a37987037b96bd32761b58c56238c7d

                            SHA256

                            2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

                            SHA512

                            0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

                            Download Submit

                          • C:\Windows\Installer\MSI1FB8.tmp
                            Filesize

                            99KB

                            MD5

                            6e2b8071887c4662bb95923b7c14acf7

                            SHA1

                            3e186c237a37987037b96bd32761b58c56238c7d

                            SHA256

                            2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

                            SHA512

                            0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

                            Download Submit

                          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                            Filesize

                            23.0MB

                            MD5

                            287cf286685f21e65578f9358fd417f9

                            SHA1

                            2e86c4afc0ea9cf781aa6d4a0af3922c947b802d

                            SHA256

                            2c5b1347829622ca382933dd789cf52467221b89649b3df783efcd108ccb3306

                            SHA512

                            6749a49dd8f01ea73a447a519984396efcd6a92e2c37920e53fe03b7833f5aedc83f8171b5be21f1176ace5cbd0b7783450b19703edf08c727304cab8e25bff3

                            Download Submit

                          • \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bf3ec9d7-87d4-4c37-b04b-0745f1381d7b}_OnDiskSnapshotProp
                            Filesize

                            5KB

                            MD5

                            c4ef064004053082449128b24ec1f0d8

                            SHA1

                            8fdd4d6cac9c9653f12267c4b5ddbea86897914b

                            SHA256

                            edd2c03d4a20e655a9f89ca5515906a1d683959555fe5232e2fc8e294522870c

                            SHA512

                            714b30823de2cff86cd3692cf79240c7c192ee018257fb876e887b449bf81d2389b23e34623441c830bc41e5c82540856b1946ff925a95ce38cd49a338875759

                            Download Submit

                          • memory/408-135-0x0000014C58EC0000-0x0000014C58ECA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/408-134-0x0000014C56BA0000-0x0000014C56BB4000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/2284-165-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-169-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-173-0x0000000013160000-0x0000000013170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-172-0x0000000013160000-0x0000000013170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-160-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-171-0x0000000013160000-0x0000000013170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-170-0x0000000012D30000-0x0000000012D40000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-153-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-154-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-155-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-156-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-157-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-159-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-158-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-168-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-161-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-162-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-163-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-164-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-167-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-166-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          We care about your privacy.

                          This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.