Overview

overview

10

Static

static

Magniber14.msi

windows7_x64

7

Magniber14.msi

windows10-2004_x64

10

Analysis

  • max time kernel
    149s
  • max time network
    136s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220414-en
  • submitted
    27-06-2022 14:11

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Magniber14.msi

  • Size

    11.4MB

  • MD5

    578dcc9ab0d231ad315da3c568dd974a

  • SHA1

    e690c686e225abbde34dbe4ff0e41bb2c93f3b53

  • SHA256

    64a3d5a2d4e801efc34f17d2f32aaea3126b7f2dd9c3def16ebaa7a45486596b

  • SHA512

    8a5e9476a25f4513ea047cb98a383c6b6208efa479841557eadc3fb037b024b6da40f4a18068f618a3a412bb8408b78870c26b530e95b749e3ceac84a2163bc2

Score
10/10
magniberevasionransomware

Malware Config

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Process spawned unexpected child process 20 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Modifies boot configuration data using bcdedit 1 TTPs 10 IoCs
    ransomwareevasion
  • Deletes System State backups 3 TTPs 5 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Deletes backup catalog 3 TTPs 5 IoCs

    Uses wbadmin.exe to inhibit system recovery.

    ransomware
  • Modifies extensions of user files 9 IoCs

    Ransomware generally changes the extension on encrypted files.

    ransomware
  • Loads dropped DLL 1 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Windows directory 7 IoCs
  • Program crash 1 IoCs
  • Checks SCSI registry key(s) 3 TTPs 9 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Modifies registry class 37 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 36 IoCs

Processes

  • C:\Windows\system32\sihost.exe
    sihost.exe
    1⤵
    • Modifies registry class
    PID:2388
    • C:\Windows\System32\cmd.exe
      /c fodhelper.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2672
      • C:\Windows\System32\fodhelper.exe
        fodhelper.exe
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:1956
        • C:\Windows\system32\wscript.exe
          "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
          4⤵
            PID:1068
    • C:\Windows\system32\svchost.exe
      C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
      1⤵
      • Modifies registry class
      PID:2416
      • C:\Windows\System32\cmd.exe
        /c fodhelper.exe
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4392
        • C:\Windows\System32\fodhelper.exe
          fodhelper.exe
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:1428
          • C:\Windows\system32\wscript.exe
            "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
            4⤵
              PID:3544
      • C:\Windows\system32\taskhostw.exe
        taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
        1⤵
        • Modifies registry class
        PID:2644
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
        • Modifies extensions of user files
        • Modifies registry class
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of AdjustPrivilegeToken
        PID:2284
        • C:\Windows\system32\msiexec.exe
          msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\Magniber14.msi
          2⤵
          • Enumerates connected drives
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          PID:3816
        • C:\Windows\System32\cmd.exe
          /c fodhelper.exe
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:4652
          • C:\Windows\System32\fodhelper.exe
            fodhelper.exe
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:3552
            • C:\Windows\system32\wscript.exe
              "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
              4⤵
                PID:3068
        • C:\Windows\system32\svchost.exe
          C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
          1⤵
          • Modifies registry class
          PID:2976
        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
          "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
          1⤵
            PID:3356
          • C:\Windows\System32\RuntimeBroker.exe
            C:\Windows\System32\RuntimeBroker.exe -Embedding
            1⤵
              PID:3492
            • C:\Windows\system32\DllHost.exe
              C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
              1⤵
                PID:3256
                • C:\Windows\system32\WerFault.exe
                  C:\Windows\system32\WerFault.exe -u -p 3256 -s 988
                  2⤵
                  • Program crash
                  PID:2568
              • C:\Windows\System32\RuntimeBroker.exe
                C:\Windows\System32\RuntimeBroker.exe -Embedding
                1⤵
                • Modifies registry class
                PID:4020
                • C:\Windows\System32\cmd.exe
                  /c fodhelper.exe
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:4540
                  • C:\Windows\System32\fodhelper.exe
                    fodhelper.exe
                    3⤵
                    • Suspicious use of WriteProcessMemory
                    PID:2972
                    • C:\Windows\system32\wscript.exe
                      "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
                      4⤵
                        PID:1120
                • C:\Windows\System32\RuntimeBroker.exe
                  C:\Windows\System32\RuntimeBroker.exe -Embedding
                  1⤵
                  • Modifies registry class
                  PID:3804
                  • C:\Windows\System32\cmd.exe
                    /c fodhelper.exe
                    2⤵
                    • Suspicious use of WriteProcessMemory
                    PID:1820
                    • C:\Windows\System32\fodhelper.exe
                      fodhelper.exe
                      3⤵
                      • Suspicious use of WriteProcessMemory
                      PID:2564
                      • C:\Windows\system32\wscript.exe
                        "wscript.exe" \Users\Public\bqbpvcoufgj.vbe
                        4⤵
                          PID:5004
                  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
                    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
                    1⤵
                      PID:3572
                    • C:\Windows\system32\msiexec.exe
                      C:\Windows\system32\msiexec.exe /V
                      1⤵
                      • Enumerates connected drives
                      • Drops file in Windows directory
                      • Suspicious behavior: EnumeratesProcesses
                      • Suspicious use of AdjustPrivilegeToken
                      • Suspicious use of WriteProcessMemory
                      PID:3452
                      • C:\Windows\system32\srtasks.exe
                        C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
                        2⤵
                        • Suspicious use of AdjustPrivilegeToken
                        PID:4008
                      • C:\Windows\System32\MsiExec.exe
                        C:\Windows\System32\MsiExec.exe -Embedding E0A5418A245D8379F108A9193A2A88A2
                        2⤵
                        • Loads dropped DLL
                        • Suspicious behavior: EnumeratesProcesses
                        • Suspicious use of WriteProcessMemory
                        PID:408
                    • C:\Windows\system32\vssvc.exe
                      C:\Windows\system32\vssvc.exe
                      1⤵
                      • Checks SCSI registry key(s)
                      • Suspicious use of AdjustPrivilegeToken
                      PID:5012
                    • C:\Windows\system32\WerFault.exe
                      C:\Windows\system32\WerFault.exe -pss -s 408 -p 3256 -ip 3256
                      1⤵
                        PID:1832
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} bootstatuspolicy ignoreallfailures
                        1⤵
                        • Process spawned unexpected child process
                        • Modifies boot configuration data using bcdedit
                        PID:5088
                      • C:\Windows\system32\bcdedit.exe
                        bcdedit /set {default} recoveryenabled no
                        1⤵
                        • Process spawned unexpected child process
                        • Modifies boot configuration data using bcdedit
                        PID:5056
                      • C:\Windows\system32\wbadmin.exe
                        wbadmin delete catalog -quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Deletes backup catalog
                        PID:8
                      • C:\Windows\system32\wbadmin.exe
                        wbadmin delete systemstatebackup -quiet
                        1⤵
                        • Process spawned unexpected child process
                        • Deletes System State backups
                        • Drops file in Windows directory
                        PID:3096
                      • C:\Windows\system32\wbengine.exe
                        "C:\Windows\system32\wbengine.exe"
                        1⤵
                          PID:4032
                        • C:\Windows\System32\vdsldr.exe
                          C:\Windows\System32\vdsldr.exe -Embedding
                          1⤵
                            PID:3748
                          • C:\Windows\System32\vds.exe
                            C:\Windows\System32\vds.exe
                            1⤵
                            • Checks SCSI registry key(s)
                            PID:3980
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:1488
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:2476
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:1920
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2204
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:3856
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:4728
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:3256
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2068
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:3652
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:2592
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2084
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:1048
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} bootstatuspolicy ignoreallfailures
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:1556
                          • C:\Windows\system32\bcdedit.exe
                            bcdedit /set {default} recoveryenabled no
                            1⤵
                            • Process spawned unexpected child process
                            • Modifies boot configuration data using bcdedit
                            PID:2428
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete catalog -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes backup catalog
                            PID:2516
                          • C:\Windows\system32\wbadmin.exe
                            wbadmin delete systemstatebackup -quiet
                            1⤵
                            • Process spawned unexpected child process
                            • Deletes System State backups
                            PID:1152

                          Network

                          MITRE ATT&CK Enterprise v6

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Users\Public\bqbpvcoufgj.vbe
                            Filesize

                            862B

                            MD5

                            8c6010b5f4a5f819f36fa9a4179cf583

                            SHA1

                            7e5e759f3a8593c7be0dcfa97538308c0f5f1709

                            SHA256

                            9b7671b16d1b0018f87660d32ed492d3d774867297951fd6aad01ec444f2da05

                            SHA512

                            098b19fb177741a49f4778ddcf63c656be644da137aeb97b48049664ac6a50a26cb49e911d0a822412c40ed08a35c875323568fb14f6e7358d2b6b0bb6ef61cf

                            Download Submit

                          • C:\Windows\Installer\MSI1FB8.tmp
                            Filesize

                            99KB

                            MD5

                            6e2b8071887c4662bb95923b7c14acf7

                            SHA1

                            3e186c237a37987037b96bd32761b58c56238c7d

                            SHA256

                            2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

                            SHA512

                            0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

                            Download Submit

                          • C:\Windows\Installer\MSI1FB8.tmp
                            Filesize

                            99KB

                            MD5

                            6e2b8071887c4662bb95923b7c14acf7

                            SHA1

                            3e186c237a37987037b96bd32761b58c56238c7d

                            SHA256

                            2f6e10671dd552e2adfad918f363c76a08de7baa6df381af7c441d4ec10f4ffb

                            SHA512

                            0c2e90416abd56296430b8b631bd2c2608e122203cec44158353897c56922fff82c4574377ef5ece8b9b2609fe2d7b5355acd2e6f74df159d61eaea5882fbf4d

                            Download Submit

                          • \??\GLOBALROOT\Device\HarddiskVolumeShadowCopy2\System Volume Information\SPP\metadata-2
                            Filesize

                            23.0MB

                            MD5

                            287cf286685f21e65578f9358fd417f9

                            SHA1

                            2e86c4afc0ea9cf781aa6d4a0af3922c947b802d

                            SHA256

                            2c5b1347829622ca382933dd789cf52467221b89649b3df783efcd108ccb3306

                            SHA512

                            6749a49dd8f01ea73a447a519984396efcd6a92e2c37920e53fe03b7833f5aedc83f8171b5be21f1176ace5cbd0b7783450b19703edf08c727304cab8e25bff3

                            Download Submit

                          • \??\Volume{c8b84e5a-0000-0000-0000-d01200000000}\System Volume Information\SPP\OnlineMetadataCache\{bf3ec9d7-87d4-4c37-b04b-0745f1381d7b}_OnDiskSnapshotProp
                            Filesize

                            5KB

                            MD5

                            c4ef064004053082449128b24ec1f0d8

                            SHA1

                            8fdd4d6cac9c9653f12267c4b5ddbea86897914b

                            SHA256

                            edd2c03d4a20e655a9f89ca5515906a1d683959555fe5232e2fc8e294522870c

                            SHA512

                            714b30823de2cff86cd3692cf79240c7c192ee018257fb876e887b449bf81d2389b23e34623441c830bc41e5c82540856b1946ff925a95ce38cd49a338875759

                            Download Submit

                          • memory/408-135-0x0000014C58EC0000-0x0000014C58ECA000-memory.dmp

                            Filesize

                            40KB

                            Download

                          • memory/408-134-0x0000014C56BA0000-0x0000014C56BB4000-memory.dmp

                            Filesize

                            80KB

                            Download

                          • memory/2284-165-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-171-0x0000000013160000-0x0000000013170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-158-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-172-0x0000000013160000-0x0000000013170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-159-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-170-0x0000000012D30000-0x0000000012D40000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-169-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-153-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-154-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-155-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-156-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-157-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-173-0x0000000013160000-0x0000000013170000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-168-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-164-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-161-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-162-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-163-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-160-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-167-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download

                          • memory/2284-166-0x0000000010980000-0x0000000010990000-memory.dmp

                            Filesize

                            64KB

                            Download