Analysis

- max time kernel: 29s
- max time network: 28s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 21-04-2023 04:29

Static task: static1
Behavioral task: behavioral1
Sample: fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06.msi
Resource: win10v2004-20230220-en
General

- Target: fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06.msi
- Size: 10.6MB
- MD5: 2eb29d721fbee14edbf2ad8f60336ebf
- SHA1: e1aada3863d929f9674597ebb595dc84bac7263e
- SHA256: fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06
- SHA512: 4161c8c76b085963b9557ecd38e3a379255a3c9aa16391f3bce4c2f60522b9d726ebc7fab1e0eec430422504105c04e0efc3a3f3af8d92b353aa7d2173ccdf92
- SSDEEP: 1536:3RGjMkF2VAv21tCHDca26KfpD15sy7o/D6Ds0Ds7d:QJAAvatCHDaF515V7iDL
Malware Config
Signatures

Detect magniber ransomware (2 IoCs)
resource | yara_rule
- behavioral1/memory/2480-144-0x000002BF4B680000-0x000002BF4B68C000-memory.dmp | family_magniber
- behavioral1/memory/2584-158-0x00000175DEFA0000-0x00000175DEFA4000-memory.dmp | family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

Enumerates connected drives (3 TTPs, 48 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\U: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\F: | msiexec.exe
- File opened (read-only) | \??\G: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\Z: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\K: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\Y: | msiexec.exe
- File opened (read-only) | \??\P: | msiexec.exe
- File opened (read-only) | \??\R: | msiexec.exe
- File opened (read-only) | \??\N: | msiexec.exe
- File opened (read-only) | \??\T: | msiexec.exe
- File opened (read-only) | \??\W: | msiexec.exe
- File opened (read-only) | \??\E: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\O: | msiexec.exe
- File opened (read-only) | \??\F: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\V: | msiexec.exe
- File opened (read-only) | \??\X: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\M: | msiexec.exe
- File opened (read-only) | \??\Q: | msiexec.exe
- File opened (read-only) | \??\A: | msiexec.exe
- File opened (read-only) | \??\I: | msiexec.exe
- File opened (read-only) | \??\J: | msiexec.exe
- File opened (read-only) | \??\B: | msiexec.exe
- File opened (read-only) | \??\H: | msiexec.exe
- File opened (read-only) | \??\L: | msiexec.exe
- File opened (read-only) | \??\S: | msiexec.exe

Drops file in Windows directory (2 IoCs)
description | ioc | Process
- File created | C:\Windows\Installer\e56f1c7.msi | msiexec.exe
- File opened for modification | C:\Windows\Installer\e56f1c7.msi | msiexec.exe

Checks SCSI registry key(s) (3 TTPs, 5 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters | vssvc.exe
- Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\PartitionTableCache = (value elided) | vssvc.exe
- Set value (data) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Device Parameters\Partmgr\SnapshotDataCache = 534e41505041525401000000700000008ec7416a0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000 | vssvc.exe

Suspicious use of AdjustPrivilegeToken (39 IoCs)
description | pid | Process
- Token: SeShutdownPrivilege | 5040 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 5040 | msiexec.exe
- Token: SeSecurityPrivilege | 4708 | msiexec.exe
- Token: SeCreateTokenPrivilege | 5040 | msiexec.exe
- Token: SeAssignPrimaryTokenPrivilege | 5040 | msiexec.exe
- Token: SeLockMemoryPrivilege | 5040 | msiexec.exe
- Token: SeIncreaseQuotaPrivilege | 5040 | msiexec.exe
- Token: SeMachineAccountPrivilege | 5040 | msiexec.exe
- Token: SeTcbPrivilege | 5040 | msiexec.exe
- Token: SeSecurityPrivilege | 5040 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 5040 | msiexec.exe
- Token: SeLoadDriverPrivilege | 5040 | msiexec.exe
- Token: SeSystemProfilePrivilege | 5040 | msiexec.exe
- Token: SeSystemtimePrivilege | 5040 | msiexec.exe
- Token: SeProfSingleProcessPrivilege | 5040 | msiexec.exe
- Token: SeIncBasePriorityPrivilege | 5040 | msiexec.exe
- Token: SeCreatePagefilePrivilege | 5040 | msiexec.exe
- Token: SeCreatePermanentPrivilege | 5040 | msiexec.exe
- Token: SeBackupPrivilege | 5040 | msiexec.exe
- Token: SeRestorePrivilege | 5040 | msiexec.exe
- Token: SeShutdownPrivilege | 5040 | msiexec.exe
- Token: SeDebugPrivilege | 5040 | msiexec.exe
- Token: SeAuditPrivilege | 5040 | msiexec.exe
- Token: SeSystemEnvironmentPrivilege | 5040 | msiexec.exe
- Token: SeChangeNotifyPrivilege | 5040 | msiexec.exe
- Token: SeRemoteShutdownPrivilege | 5040 | msiexec.exe
- Token: SeUndockPrivilege | 5040 | msiexec.exe
- Token: SeSyncAgentPrivilege | 5040 | msiexec.exe
- Token: SeEnableDelegationPrivilege | 5040 | msiexec.exe
- Token: SeManageVolumePrivilege | 5040 | msiexec.exe
- Token: SeImpersonatePrivilege | 5040 | msiexec.exe
- Token: SeCreateGlobalPrivilege | 5040 | msiexec.exe
- Token: SeBackupPrivilege | 4272 | vssvc.exe
- Token: SeRestorePrivilege | 4272 | vssvc.exe
- Token: SeAuditPrivilege | 4272 | vssvc.exe
- Token: SeBackupPrivilege | 4708 | msiexec.exe
- Token: SeRestorePrivilege | 4708 | msiexec.exe
- Token: SeRestorePrivilege | 4708 | msiexec.exe
- Token: SeTakeOwnershipPrivilege | 4708 | msiexec.exe

Suspicious use of FindShellTrayWindow (1 IoC)
pid | Process
- 5040 | msiexec.exe

Suspicious use of WriteProcessMemory (2 IoCs)
description | pid | Process | procid_target
- PID 4708 wrote to memory of 4580 | 4708 | msiexec.exe | 94
- PID 4708 wrote to memory of 4580 | 4708 | msiexec.exe | 94

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes

- C:\Windows\system32\msiexec.exe (PID 5040)
  Command line: msiexec.exe /I C:\Users\Admin\AppData\Local\Temp\fb3f2b0636c7f9e8913fb5ff593c38ed261473bc1a2f8fb0860dce82ecaf5e06.msi
  - Enumerates connected drives
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

- C:\Windows\system32\msiexec.exe (PID 4708)
  Command line: C:\Windows\system32\msiexec.exe /V
  - Enumerates connected drives
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  Child processes:
  - C:\Windows\system32\srtasks.exe (PID 4580)
    Command line: C:\Windows\system32\srtasks.exe ExecuteScopeRestorePoint /WaitForRestorePoint:2
  - C:\Windows\System32\MsiExec.exe (PID 2760)
    Command line: C:\Windows\System32\MsiExec.exe -Embedding 17202D19EB3A412AE3D71AD6061CA331

- C:\Windows\system32\vssvc.exe (PID 4272)
  Command line: C:\Windows\system32\vssvc.exe
  - Checks SCSI registry key(s)
  - Suspicious use of AdjustPrivilegeToken

- C:\Windows\system32\regsvr32.exe (PID 1976)
  Command line: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/zlujw06rvtx

- C:\Windows\system32\regsvr32.exe (PID 3380)
  Command line: regsvr32.exe scrobj.dll /s /u /n /i:../../../Users/Public/zlujw06rvtx
Network
MITRE ATT&CK Enterprise v6
Downloads

- Filesize: 164KB
  MD5: 58cbb401a11d8c1dffeafb2912f19dba
  SHA1: eab721fe6fbf50cdf108ed9293b2aabf8cd26603
  SHA256: 373c717d2f44a4b7dffaebad38955b0a9403b4123c03fb58510c5976cc6b918a
  SHA512: 2c7bb343576d05f2a85bf0309ce163dc35789e477ad35c0069516658eb2aa791f48b54b2fcae956a5fd59c13501feae594277c3bef6a0f016facbd27910e1aa9