Analysis

max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20220812-en
resource tags: arch:x64, arch:x86, image:win10v2004-20220812-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-09-2022 13:50

Static task: static1

Behavioral task: behavioral1
  Sample: Antivirus_Upgrade_Cloud.1bfb82d816ad4.jse
  Resource: win7-20220812-en

Behavioral task: behavioral2
  Sample: Antivirus_Upgrade_Cloud.1bfb82d816ad4.jse
  Resource: win10v2004-20220812-en
General

Target: Antivirus_Upgrade_Cloud.1bfb82d816ad4.jse
Size: 168KB
MD5: 7c8cc6d9152df2679664eb7298d31b4f
SHA1: 97ce336d29886674b9047ffeedb97fa5952d1bb0
SHA256: bb864576586c22594ef8dd2ed7420015e31b4c83472522223970e4592301f0f7
SHA512: 0c5598de660b6f085c4780b8ecfa7358050bc9c063d8dd4e74b71a909551378747daa6f5a6ea9e98f1f814798d8ad176eb19207c15537e12a4985093eb8b8508
SSDEEP: 3072:iQTPBA9ovz4cWf3OosFwKWXG1QCU/ueNYh6J7UGGQlqk2VV0poGGJGVRl8x3SG85:iQTBLN1FIXGqeZSG8EkK9nxa93
Malware Config
Signatures
Detect magniber ransomware (3 IoCs)

resource | yara_rule
behavioral2/memory/2368-137-0x00000221B0A10000-0x00000221B1A10000-memory.dmp | family_magniber
behavioral2/memory/2516-138-0x000001CB4ECB0000-0x000001CB4ECBA000-memory.dmp | family_magniber
behavioral2/memory/2368-150-0x00000221B0A10000-0x00000221B1A10000-memory.dmp | family_magniber
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
Modifies extensions of user files (6 IoCs)
Ransomware generally changes the extension on encrypted files.

description | ioc | Process
File renamed | C:\Users\Admin\Pictures\MountMeasure.raw => C:\Users\Admin\Pictures\MountMeasure.raw.xrjsaho | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\RestartEnable.raw => C:\Users\Admin\Pictures\RestartEnable.raw.xrjsaho | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\CheckpointShow.png => C:\Users\Admin\Pictures\CheckpointShow.png.xrjsaho | Explorer.EXE
File opened for modification | C:\Users\Admin\Pictures\CopyStart.tiff | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\CopyStart.tiff => C:\Users\Admin\Pictures\CopyStart.tiff.xrjsaho | Explorer.EXE
File renamed | C:\Users\Admin\Pictures\RedoSync.png => C:\Users\Admin\Pictures\RedoSync.png.xrjsaho | Explorer.EXE
Program crash (1 IoCs)

pid | pid_target | Process | procid_target
4492 | 3256 | WerFault.exe | 56
Modifies registry class (42 IoCs)

description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/hvitnftfr.mgmt" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/ylzleuisopm.mgmt" | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\ | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/zkpaof.mgmt" | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/tkfwhcnw.mgmt" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/dszxqeu.mgmt" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | taskhostw.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | RuntimeBroker.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/gitbjtcoylv.mgmt" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | taskhostw.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/vuitiumsgamw.mgmt" | svchost.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\ | Explorer.EXE
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | svchost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | Explorer.EXE
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer | RuntimeBroker.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/amyjsfsco.mgmt" | sihost.exe
Key created | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | sihost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute | svchost.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6" | svchost.exe
Suspicious behavior: EnumeratesProcesses (2 IoCs)

pid | Process
2368 | WScript.exe
2368 | WScript.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)

pid | Process
2596 | Explorer.EXE

Suspicious use of AdjustPrivilegeToken (15 IoCs)

description | pid | Process
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE
Token: SeShutdownPrivilege | 3472 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 3472 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 3472 | RuntimeBroker.exe
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE
Token: SeShutdownPrivilege | 2596 | Explorer.EXE
Token: SeCreatePagefilePrivilege | 2596 | Explorer.EXE

Suspicious use of WriteProcessMemory (21 IoCs)

description | pid | Process | procid_target
PID 2368 wrote to memory of 2516 | 2368 | WScript.exe | 45
PID 2368 wrote to memory of 2528 | 2368 | WScript.exe | 46
PID 2368 wrote to memory of 2636 | 2368 | WScript.exe | 49
PID 2368 wrote to memory of 2596 | 2368 | WScript.exe | 54
PID 2368 wrote to memory of 944 | 2368 | WScript.exe | 55
PID 2368 wrote to memory of 3256 | 2368 | WScript.exe | 56
PID 2368 wrote to memory of 3368 | 2368 | WScript.exe | 57
PID 2368 wrote to memory of 3472 | 2368 | WScript.exe | 59
PID 2368 wrote to memory of 3568 | 2368 | WScript.exe | 60
PID 2368 wrote to memory of 3768 | 2368 | WScript.exe | 79
PID 2368 wrote to memory of 4724 | 2368 | WScript.exe | 77
PID 1852 wrote to memory of 1088 | 1852 | cmd.exe | 94
PID 1852 wrote to memory of 1088 | 1852 | cmd.exe | 94
PID 1088 wrote to memory of 3832 | 1088 | fodhelper.exe | 96
PID 1088 wrote to memory of 3832 | 1088 | fodhelper.exe | 96
PID 2252 wrote to memory of 3084 | 2252 | cmd.exe | 99
PID 2252 wrote to memory of 3084 | 2252 | cmd.exe | 99
PID 3084 wrote to memory of 3508 | 3084 | fodhelper.exe | 101
PID 3084 wrote to memory of 3508 | 3084 | fodhelper.exe | 101
PID 4880 wrote to memory of 4368 | 4880 | cmd.exe | 104
PID 4880 wrote to memory of 4368 | 4880 | cmd.exe | 104
Processes

Process tree (children are indented under their parent; each entry lists the image path, the command line, the PID and the signatures triggered).

- C:\Windows\system32\sihost.exe
  Command line: sihost.exe
  PID: 2516
  - Modifies registry class

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
  PID: 2528
  - Modifies registry class

  - C:\Windows\System32\cmd.exe
    Command line: /c fodhelper.exe
    PID: 4880
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 4368

- C:\Windows\system32\taskhostw.exe
  Command line: taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
  PID: 2636
  - Modifies registry class

- C:\Windows\Explorer.EXE
  Command line: C:\Windows\Explorer.EXE
  PID: 2596
  - Modifies extensions of user files
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken

  - C:\Windows\System32\WScript.exe
    Command line: C:\Windows\System32\WScript.exe "C:\Users\Admin\AppData\Local\Temp\Antivirus_Upgrade_Cloud.1bfb82d816ad4.jse"
    PID: 2368
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

  - C:\Windows\System32\cmd.exe
    Command line: /c fodhelper.exe
    PID: 1852
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 1088
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wscript.exe
        Command line: "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/amyjsfsco.mgmt
        PID: 3832

- C:\Windows\system32\svchost.exe
  Command line: C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
  PID: 944
  - Modifies registry class

- C:\Windows\system32\DllHost.exe
  Command line: C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
  PID: 3256

  - C:\Windows\system32\WerFault.exe
    Command line: C:\Windows\system32\WerFault.exe -u -p 3256 -s 472
    PID: 4492
    - Program crash

- C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
  PID: 3368

- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3472
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
  Command line: "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
  PID: 3568

- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 4724
  - Modifies registry class

  - C:\Windows\System32\cmd.exe
    Command line: /c fodhelper.exe
    PID: 2252
    - Suspicious use of WriteProcessMemory

    - C:\Windows\System32\fodhelper.exe
      Command line: fodhelper.exe
      PID: 3084
      - Suspicious use of WriteProcessMemory

      - C:\Windows\system32\wscript.exe
        Command line: "wscript.exe" /B /E:VBScript.Encode ../../Users/Public/gitbjtcoylv.mgmt
        PID: 3508

- C:\Windows\System32\RuntimeBroker.exe
  Command line: C:\Windows\System32\RuntimeBroker.exe -Embedding
  PID: 3768
  - Modifies registry class

- C:\Windows\system32\WerFault.exe
  Command line: C:\Windows\system32\WerFault.exe -pss -s 460 -p 3256 -ip 3256
  PID: 2720