magniber | 4bfe0c4a9fc1c5c7b47d4dd054d1af7871c969db32acc7dd4dfe22752cd73223 | Triage

Analysis

max time kernel
148s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20220414-en
submitted
13-07-2022 17:52

Sharing

Report Analysis Logs

General

Target

0698b1361ea3daf8fb0a27b9693fb29debac45ebcee19249a47f3ccf97ad6f9d.dll
Size

184KB
MD5

8ede431939b9595143132b3adf365e15
SHA1

795ab2548467e81277ac50a1306ecc87ff63eb6a
SHA256

0698b1361ea3daf8fb0a27b9693fb29debac45ebcee19249a47f3ccf97ad6f9d
SHA512

3a82653762c7ad6df6061531ebbef7e0507ec3f6197fdaf11b5cdb6d62a70f120e2b4d6b8dbd9f6dfeb6d787f9b1db935a664d113acd70ccd033b0c55b448190

Score

10^/10

magniber ransomware

Malware Config

Signatures

Detect magniber ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2348-130-0x0000024841190000-0x000002484119B000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:

rundll32.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\SaveStep.crw => C:\Users\Admin\Pictures\SaveStep.crw.kewkmnybp	rundll32.exe
File renamed	C:\Users\Admin\Pictures\UninstallInstall.raw => C:\Users\Admin\Pictures\UninstallInstall.raw.kewkmnybp	rundll32.exe
File opened for modification	C:\Users\Admin\Pictures\RequestMove.tiff	rundll32.exe
File renamed	C:\Users\Admin\Pictures\RequestMove.tiff => C:\Users\Admin\Pictures\RequestMove.tiff.kewkmnybp	rundll32.exe
File renamed	C:\Users\Admin\Pictures\WriteProtect.png => C:\Users\Admin\Pictures\WriteProtect.png.kewkmnybp	rundll32.exe

Modifies registry class 5 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/rsmmtp.x"	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\ms-settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000_Classes\ms-settings\CurVer	rundll32.exe

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\0698b1361ea3daf8fb0a27b9693fb29debac45ebcee19249a47f3ccf97ad6f9d.dll,#1
1⤵
- Modifies extensions of user files
- Modifies registry class
PID:2348

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2348-130-0x0000024841190000-0x000002484119B000-memory.dmp

Filesize
44KB

Download