magniber | 79494b2b76515207a2cf1a29484096cbf884ea4b0e2b834af07beac7879ce714

General

Target

Antivirus_Upgrade_Cloud.680409c94d12.cpl.dll
Size

1.2MB
MD5

b2de8946fb439575f2777559e1a74095
SHA1

1ad2a01982c85718bf883899c3de7d329c8e4057
SHA256

79494b2b76515207a2cf1a29484096cbf884ea4b0e2b834af07beac7879ce714
SHA512

bb6f4f952a8067aab434e45f38565ad3f1d7fb7c78626608ac6fffb08b145ead5d9643e7a88f6cacb68ae45ade644ad6d4be32d4ee291767074006e874147943
SSDEEP

1536:gOY47IHwHDLvujZZmn/tUuNpOLR1aJmvH8GsBjW5BKbOTWgYwJkRG5z:gOt7rHDLvUZmn/t7Npu/GIkRG5z

Score

10^/10

magniber ransomware

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/2564-133-0x000002302E4E0000-0x000002302E5F4000-memory.dmp	family_magniber
behavioral2/memory/2700-134-0x000001D5C4C70000-0x000001D5C4C7B000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Suspicious use of SetThreadContext 11 IoCs

Processes:

rundll32.exe

description	pid	process
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe
PID 2564 set thread context of 0	2564	rundll32.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

1880 2564 WerFault.exe rundll32.exe
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid process

2564 rundll32.exe
2564 rundll32.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

Explorer.EXE

pid process

2376 Explorer.EXE

pid	pid_target	process	target process
1880	2564	WerFault.exe	rundll32.exe

pid	process
2564	rundll32.exe
2564	rundll32.exe

pid	process
2376	Explorer.EXE

Suspicious use of AdjustPrivilegeToken 19 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	2376	Explorer.EXE
Token: SeCreatePagefilePrivilege	2376	Explorer.EXE
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe
Token: SeShutdownPrivilege	3444	RuntimeBroker.exe

Suspicious use of WriteProcessMemory 10 IoCs

Processes:

rundll32.exe

description	pid	process	target process
PID 2564 wrote to memory of 2700	2564	rundll32.exe	sihost.exe
PID 2564 wrote to memory of 2816	2564	rundll32.exe	svchost.exe
PID 2564 wrote to memory of 2868	2564	rundll32.exe	taskhostw.exe
PID 2564 wrote to memory of 2376	2564	rundll32.exe	Explorer.EXE
PID 2564 wrote to memory of 2936	2564	rundll32.exe	svchost.exe
PID 2564 wrote to memory of 3276	2564	rundll32.exe	DllHost.exe
PID 2564 wrote to memory of 3376	2564	rundll32.exe	StartMenuExperienceHost.exe
PID 2564 wrote to memory of 3444	2564	rundll32.exe	RuntimeBroker.exe
PID 2564 wrote to memory of 3532	2564	rundll32.exe	SearchApp.exe
PID 2564 wrote to memory of 3700	2564	rundll32.exe	RuntimeBroker.exe

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
PID:2376
- C:\Windows\system32\rundll32.exe
  rundll32.exe C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.680409c94d12.cpl.dll,#1
  2⤵
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2564
- - C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -u -p 2564 -s 280
    3⤵
    - Program crash
    PID:1880

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3444

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3700

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3532

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3376

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3276

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:2936

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2868

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2816

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2700

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 420 -p 2564 -ip 2564
1⤵
PID:3352

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2564-132-0x00007FFD78EF0000-0x00007FFD79022000-memory.dmp

Filesize
1.2MB

Download
memory/2564-133-0x000002302E4E0000-0x000002302E5F4000-memory.dmp

Filesize
1.1MB

Download
memory/2700-134-0x000001D5C4C70000-0x000001D5C4C7B000-memory.dmp

Filesize
44KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads