magniber | 5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34

Analysis

max time kernel
50s
max time network
146s
platform
windows10-1703_x64
resource
win10-20220812-en
resource tags

arch:x64arch:x86image:win10-20220812-enlocale:en-usos:windows10-1703-x64system
submitted
15-09-2022 02:31

Target

SYSTEM.Security.Database.Upgrade.Win10.0_1.jse
Size

192KB
MD5

b40966619d66f80774ebf817c3316acc
SHA1

cdc90f17b5a54005993a4db61ac60e0b905f8416
SHA256

5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
SHA512

a489b19a01b66807e3cc5af17abdc679e72d34139b47f5face96ac68cf183f5d790d24adb065db9327dd82cde24532c3e193a716a5212df310f90eb7e241b88e
SSDEEP

6144:9a6398SbpjPvtKLqAMFHEbbz5ek3/Auyn5Ia:xnvkwdizUk3/Auynqa

Score

10^/10

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral1/memory/1112-124-0x000002595AB20000-0x000002595AB32000-memory.dmp	family_magniber
behavioral1/memory/1112-126-0x000002595D560000-0x000002595E560000-memory.dmp	family_magniber
behavioral1/memory/2368-127-0x00000254A6A40000-0x00000254A6A4B000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid process

1112 WScript.exe
1112 WScript.exe

pid	process
1112	WScript.exe
1112	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 1112 wrote to memory of 2368	1112	WScript.exe	sihost.exe
PID 1112 wrote to memory of 2388	1112	WScript.exe	svchost.exe
PID 1112 wrote to memory of 2508	1112	WScript.exe	taskhostw.exe
PID 1112 wrote to memory of 3056	1112	WScript.exe	Explorer.EXE
PID 1112 wrote to memory of 3284	1112	WScript.exe	ShellExperienceHost.exe
PID 1112 wrote to memory of 3300	1112	WScript.exe	SearchUI.exe
PID 1112 wrote to memory of 3492	1112	WScript.exe	RuntimeBroker.exe
PID 1112 wrote to memory of 3692	1112	WScript.exe	DllHost.exe

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3284

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3692

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3492

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3300

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2508

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2388

memory/1112-124-0x000002595AB20000-0x000002595AB32000-memory.dmp

Filesize
72KB

Download
memory/1112-126-0x000002595D560000-0x000002595E560000-memory.dmp

Filesize
16.0MB

Download
memory/2368-127-0x00000254A6A40000-0x00000254A6A4B000-memory.dmp

Filesize
44KB

Download