magniber | 6d41befa35eac07ea647bebd21efbc38eb825a274ba1758701a4bf70d0ae5f91

General

Target

SYSTEM.Critical.Upgrade.Win10.0.3328b853458d14.jse
Size

177KB
MD5

09eef16b2386f3c3026930d6e2cf4052
SHA1

52cb01541e9ffb62e8744fdd41c13bbeb5083aac
SHA256

5b6e931f07ac9d16237282dfb11bd76ae26cadd255a687c378f6b320cf231224
SHA512

10f444dc05b33612bfbfb684bb8b45fc18f963e2884947c3a94516d3111e33ca388dcf58a28434ff041fd7bc5ab78f889e766011a5cd54aae1f7fed1d3c203c6
SSDEEP

3072:9uACDasQAJWzjKoTVk/4wAn6YiUZPKlwQ/SBpkgxnl+Kvm25gfEb1J:9uzFJf/WXiUZSlHqBHlUKoEbX

Score

10^/10

Malware Config

Signatures

Detect magniber ransomware 3 IoCs

resource	yara_rule
behavioral2/memory/4788-134-0x000001FF63D60000-0x000001FF64D60000-memory.dmp	family_magniber
behavioral2/memory/2356-135-0x0000027F6C460000-0x0000027F6C46A000-memory.dmp	family_magniber
behavioral2/memory/4788-147-0x000001FF63D60000-0x000001FF64D60000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Modifies extensions of user files 5 IoCs

Ransomware generally changes the extension on encrypted files.

ransomware

description	ioc	Process
File renamed	C:\Users\Admin\Pictures\NewBlock.raw => C:\Users\Admin\Pictures\NewBlock.raw.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\GroupSet.tif => C:\Users\Admin\Pictures\GroupSet.tif.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\ResetApprove.tif => C:\Users\Admin\Pictures\ResetApprove.tif.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\StepEnter.tif => C:\Users\Admin\Pictures\StepEnter.tif.polrzgucd	taskhostw.exe
File renamed	C:\Users\Admin\Pictures\CompleteCheckpoint.raw => C:\Users\Admin\Pictures\CompleteCheckpoint.raw.polrzgucd	taskhostw.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4036	3288	WerFault.exe	33

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-2891029575-1462575-1165213807-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	Explorer.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4788	WScript.exe
4788	WScript.exe

Suspicious use of AdjustPrivilegeToken 10 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	3508	RuntimeBroker.exe
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE
Token: SeShutdownPrivilege	2640	Explorer.EXE
Token: SeCreatePagefilePrivilege	2640	Explorer.EXE

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 4788 wrote to memory of 2356	4788	WScript.exe	57
PID 4788 wrote to memory of 2388	4788	WScript.exe	56
PID 4788 wrote to memory of 2468	4788	WScript.exe	24
PID 4788 wrote to memory of 2640	4788	WScript.exe	35
PID 4788 wrote to memory of 3096	4788	WScript.exe	34
PID 4788 wrote to memory of 3288	4788	WScript.exe	33
PID 4788 wrote to memory of 3420	4788	WScript.exe	31
PID 4788 wrote to memory of 3508	4788	WScript.exe	26
PID 4788 wrote to memory of 3616	4788	WScript.exe	30
PID 4788 wrote to memory of 3808	4788	WScript.exe	27
PID 4788 wrote to memory of 4692	4788	WScript.exe	29

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
- Modifies extensions of user files
PID:2468

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:3508

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3808

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4692

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3616

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3420

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3288
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 3288 -s 924
  2⤵
  - Program crash
  PID:4036

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3096

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
PID:2640
- C:\Windows\System32\WScript.exe
  C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\SYSTEM.Critical.Upgrade.Win10.0.3328b853458d14.jse"
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:4788

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2388

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2356

C:\Windows\system32\WerFault.exe
C:\Windows\system32\WerFault.exe -pss -s 460 -p 3288 -ip 3288
1⤵
PID:1964

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2356-135-0x0000027F6C460000-0x0000027F6C46A000-memory.dmp

Filesize
40KB

Download
memory/4788-132-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4788-134-0x000001FF63D60000-0x000001FF64D60000-memory.dmp

Filesize
16.0MB

Download
memory/4788-142-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download
memory/4788-147-0x000001FF63D60000-0x000001FF64D60000-memory.dmp

Filesize
16.0MB

Download
memory/4788-148-0x00007FFAE3A50000-0x00007FFAE4511000-memory.dmp

Filesize
10.8MB

Download

Analysis

Sharing