magniber | 6d41befa35eac07ea647bebd21efbc38eb825a274ba1758701a4bf70d0ae5f91

General

Target

SYSTEM.Critical.Upgrade.Win10.0.3328b853458d14.jse
Size

177KB
MD5

09eef16b2386f3c3026930d6e2cf4052
SHA1

52cb01541e9ffb62e8744fdd41c13bbeb5083aac
SHA256

5b6e931f07ac9d16237282dfb11bd76ae26cadd255a687c378f6b320cf231224
SHA512

10f444dc05b33612bfbfb684bb8b45fc18f963e2884947c3a94516d3111e33ca388dcf58a28434ff041fd7bc5ab78f889e766011a5cd54aae1f7fed1d3c203c6
SSDEEP

3072:9uACDasQAJWzjKoTVk/4wAn6YiUZPKlwQ/SBpkgxnl+Kvm25gfEb1J:9uzFJf/WXiUZSlHqBHlUKoEbX

Score

10^/10

magniber ransomware

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4788-134-0x000001FF63D60000-0x000001FF64D60000-memory.dmp	family_magniber
behavioral2/memory/2356-135-0x0000027F6C460000-0x0000027F6C46A000-memory.dmp	family_magniber
behavioral2/memory/4788-147-0x000001FF63D60000-0x000001FF64D60000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

Processes:

taskhostw.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\NewBlock.raw => C:\Users\Admin\Pictures\NewBlock.raw.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\GroupSet.tif => C:\Users\Admin\Pictures\GroupSet.tif.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\ResetApprove.tif => C:\Users\Admin\Pictures\ResetApprove.tif.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\StepEnter.tif => C:\Users\Admin\Pictures\StepEnter.tif.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\CompleteCheckpoint.raw => C:\Users\Admin\Pictures\CompleteCheckpoint.raw.polrzgucd	taskhostw.exe

Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

4036 3288 WerFault.exe DllHost.exe

pid	pid_target	process	target process
4036	3288	WerFault.exe	DllHost.exe

Modifies registry class 2 IoCs

Processes:

Explorer.EXE

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

WScript.exe

pid process

4788 WScript.exe
4788 WScript.exe

pid	process
4788	WScript.exe
4788	WScript.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

Processes:

Explorer.EXERuntimeBroker.exe

description	pid	process
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

Processes:

WScript.exe

description	pid	process	target process
PID 4788 wrote to memory of 2356	4788	WScript.exe	sihost.exe
PID 4788 wrote to memory of 2388	4788	WScript.exe	svchost.exe
PID 4788 wrote to memory of 2468	4788	WScript.exe	taskhostw.exe
PID 4788 wrote to memory of 2640	4788	WScript.exe	Explorer.EXE
PID 4788 wrote to memory of 3096	4788	WScript.exe	svchost.exe
PID 4788 wrote to memory of 3288	4788	WScript.exe	DllHost.exe
PID 4788 wrote to memory of 3420	4788	WScript.exe	StartMenuExperienceHost.exe
PID 4788 wrote to memory of 3508	4788	WScript.exe	RuntimeBroker.exe
PID 4788 wrote to memory of 3616	4788	WScript.exe	SearchApp.exe
PID 4788 wrote to memory of 3808	4788	WScript.exe	RuntimeBroker.exe
PID 4788 wrote to memory of 4692	4788	WScript.exe	RuntimeBroker.exe

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies extensions of user files
PID:2468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3288 -s 924
  2⤵
  - Program crash
  PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2640
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Critical.Upgrade.Win10.0.3328b853458d14.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3288 -ip 3288
1⤵
PID:1964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2356-135-0x0000027F6C460000-0x0000027F6C46A000-memory.dmp

Filesize
40KB

Download
memory/4788-132-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4788-134-0x000001FF63D60000-0x000001FF64D60000-memory.dmp

Filesize
16.0MB

Download
memory/4788-142-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4788-147-0x000001FF63D60000-0x000001FF64D60000-memory.dmp

Filesize
16.0MB

Download
memory/4788-148-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads