Overview

overview

10

Static

static

Antivirus_...pl.dll

windows7-x64

1

Antivirus_...pl.dll

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    144s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20220812-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15-09-2022 12:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    Antivirus_Upgrade_Cloud.adf57c1153dae7f.cpl.dll

  • Size

    69KB

  • MD5

    28f71f85417e8897ea1f27d8d9c16248

  • SHA1

    c3f0881b1e543ac8a9172e0528ac1400820622dd

  • SHA256

    00270d016c00f9a58a8fad47aa52b95f2383e5b00a76e7281112156e828472bd

  • SHA512

    7bebacbcfd25325cc9af2be0727e926f57564c437e0a03c63e188bee900c1d3370206e62cdb86d7634f79d8b2678235d36796c000c4e879a70f173b68f4ce988

  • SSDEEP

    1536:OtBd0whwlxq3REfnynG2JrkDUgjsqyzMIN8jcahCc4ySyI:O2wJevwuyzF3ZyXI

Score
10/10
magniberransomware

Malware Config

Signatures

  • Detect magniber ransomware 2 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

    ransomwaremagniber
  • Suspicious use of SetThreadContext 12 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 17 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2416
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.adf57c1153dae7f.cpl.dll,#1
      2⤵
      • Suspicious use of SetThreadContext
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of WriteProcessMemory
      PID:2472
  • C:\Windows\System32\RuntimeBroker.exe
    C:\Windows\System32\RuntimeBroker.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    PID:3448
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:3380
    • C:\Windows\System32\RuntimeBroker.exe
      C:\Windows\System32\RuntimeBroker.exe -Embedding
      1⤵
        PID:4624
      • C:\Windows\System32\RuntimeBroker.exe
        C:\Windows\System32\RuntimeBroker.exe -Embedding
        1⤵
          PID:3700
        • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
          "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
          1⤵
            PID:3536
          • C:\Windows\system32\DllHost.exe
            C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
            1⤵
              PID:3288
            • C:\Windows\system32\svchost.exe
              C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
              1⤵
                PID:3100
              • C:\Windows\system32\taskhostw.exe
                taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
                1⤵
                  PID:2880
                • C:\Windows\system32\svchost.exe
                  C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
                  1⤵
                    PID:2784
                  • C:\Windows\system32\sihost.exe
                    sihost.exe
                    1⤵
                      PID:2740

                    Network

                    MITRE ATT&CK Matrix

                    Replay Monitor

                    Loading Replay Monitor...

                    Downloads

                    • memory/2472-132-0x00007FFAB24E0000-0x00007FFAB24F1000-memory.dmp

                      Filesize

                      68KB

                      Download

                    • memory/2472-133-0x000001A358F80000-0x000001A358F8D000-memory.dmp

                      Filesize

                      52KB

                      Download

                    • memory/2740-134-0x000001FCFCDF0000-0x000001FCFCDFB000-memory.dmp

                      Filesize

                      44KB

                      Download