magniber | 5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34 | Triage

Analysis

max time kernel
52s
max time network
64s
platform
windows10-1703_x64
resource
win10-20220901-en
resource tags

arch:x64arch:x86image:win10-20220901-enlocale:en-usos:windows10-1703-x64system
submitted
15-09-2022 06:32

Sharing

Report Analysis Logs

General

Target

test.jse
Size

192KB
MD5

b40966619d66f80774ebf817c3316acc
SHA1

cdc90f17b5a54005993a4db61ac60e0b905f8416
SHA256

5472bce876d0758fb1379260504b791a3b8c95b87fc365f5ce8c3a6424facd34
SHA512

a489b19a01b66807e3cc5af17abdc679e72d34139b47f5face96ac68cf183f5d790d24adb065db9327dd82cde24532c3e193a716a5212df310f90eb7e241b88e
SSDEEP

6144:9a6398SbpjPvtKLqAMFHEbbz5ek3/Auyn5Ia:xnvkwdizUk3/Auynqa

Score

10^/10

magniber ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

resource	yara_rule
behavioral1/memory/4468-124-0x0000024CF9A00000-0x0000024CF9A12000-memory.dmp	family_magniber
behavioral1/memory/4468-126-0x0000024C80000000-0x0000024C81000000-memory.dmp	family_magniber
behavioral1/memory/2456-127-0x000001E644830000-0x000001E64483B000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4468	WScript.exe
4468	WScript.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 4468 wrote to memory of 2456	4468	WScript.exe	43
PID 4468 wrote to memory of 2472	4468	WScript.exe	42
PID 4468 wrote to memory of 2772	4468	WScript.exe	37
PID 4468 wrote to memory of 2116	4468	WScript.exe	36
PID 4468 wrote to memory of 3240	4468	WScript.exe	24
PID 4468 wrote to memory of 3256	4468	WScript.exe	35
PID 4468 wrote to memory of 3448	4468	WScript.exe	34
PID 4468 wrote to memory of 3668	4468	WScript.exe	33

C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe
"C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe" -ServerName:App.AppXtk181tbxbce2qsex02s8tw7hfxa9xb3t.mca
1⤵
PID:3240

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3668

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3448

C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe
"C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe" -ServerName:CortanaUI.AppXa50dqqa5gqv4a428c9y1jjw7m3btvepj.mca
1⤵
PID:3256

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:2116
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\test.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4468

c:\windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2772

c:\windows\system32\svchost.exe
c:\windows\system32\svchost.exe -k unistacksvcgroup -s CDPUserSvc
1⤵
PID:2472

c:\windows\system32\sihost.exe
sihost.exe
1⤵
PID:2456

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2456-127-0x000001E644830000-0x000001E64483B000-memory.dmp

Filesize
44KB

Download
memory/4468-124-0x0000024CF9A00000-0x0000024CF9A12000-memory.dmp

Filesize
72KB

Download
memory/4468-126-0x0000024C80000000-0x0000024C81000000-memory.dmp

Filesize
16.0MB

Download