magniber | 513d8f9c6ee757d3d473c63c5df7b672631d3ffa735f94f59e9fe98e39d60088

Analysis

max time kernel
149s
max time network
166s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
20-10-2022 07:24

Target

ConsoleApplication1.exe
Size

51KB
MD5

a9165accb037d84b5ebc6602c6b984ea
SHA1

0352a0cb2d582bfdb18774c49459f70fa1249ac4
SHA256

513d8f9c6ee757d3d473c63c5df7b672631d3ffa735f94f59e9fe98e39d60088
SHA512

623c24d7c4642514e6d71be032cb6d6988e6063c95c47d4f7138c463442b4b024ed93fa79ea8691dd5ed503f6122bdfcecb21908428499109774a8b3e136114e
SSDEEP

768:kLuvk93lA9o5dpgqXtcGPhFDhgYBod9OxYXA:lkU9q3gcLPhhhgYW9

Score

10^/10

Detect magniber ransomware 1 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4544-132-0x00000000001B0000-0x00000000001BB000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Modifies extensions of user files 11 IoCs

Ransomware generally changes the extension on encrypted files.

Processes:

ConsoleApplication1.exe

description	ioc	process
File renamed	C:\Users\Admin\Pictures\MoveReset.png => C:\Users\Admin\Pictures\MoveReset.png.rfguxgmap	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\StepMeasure.tiff => C:\Users\Admin\Pictures\StepMeasure.tiff.rfguxgmap	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\UnlockWrite.png => C:\Users\Admin\Pictures\UnlockWrite.png.rfguxgmap	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\ConfirmRename.png => C:\Users\Admin\Pictures\ConfirmRename.png.rfguxgmap	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\ResolveCompare.raw => C:\Users\Admin\Pictures\ResolveCompare.raw.rfguxgmap	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\SubmitConvert.raw => C:\Users\Admin\Pictures\SubmitConvert.raw.rfguxgmap	ConsoleApplication1.exe
File opened for modification	C:\Users\Admin\Pictures\ConvertFromApprove.tiff	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\ConvertFromApprove.tiff => C:\Users\Admin\Pictures\ConvertFromApprove.tiff.rfguxgmap	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\FormatRemove.tif => C:\Users\Admin\Pictures\FormatRemove.tif.rfguxgmap	ConsoleApplication1.exe
File opened for modification	C:\Users\Admin\Pictures\StepMeasure.tiff	ConsoleApplication1.exe
File renamed	C:\Users\Admin\Pictures\FindBlock.crw => C:\Users\Admin\Pictures\FindBlock.crw.rfguxgmap	ConsoleApplication1.exe

Modifies registry class 5 IoCs

Processes:

ConsoleApplication1.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings	ConsoleApplication1.exe
Key created	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer	ConsoleApplication1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\ms-settings\CurVer\ = "AppX0enk2acdsmv8ydhntbtea6yjp27223q6"	ConsoleApplication1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\ = "wscript.exe /B /E:VBScript.Encode ../../Users/Public/nwwgoxis.rdb"	ConsoleApplication1.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2295526160-1155304984-640977766-1000_Classes\AppX0enk2acdsmv8ydhntbtea6yjp27223q6\Shell\open\command\DelegateExecute	ConsoleApplication1.exe

memory/4544-132-0x00000000001B0000-0x00000000001BB000-memory.dmp

Filesize
44KB

Download