magniber | 649d1fcdc4529a221d916768edd5108a6a0172ab68fb3068b5248eae7d25143c

Analysis

max time kernel
2s
max time network
8s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 15:19

Target

649d1fcdc4529a221d916768edd5108a6a0172ab68fb3068b5248eae7d25143c_JC.dll
Size

144KB
MD5

4e0b43fccdce8ac262a4c760f604a418
SHA1

fcfd2240283547cc436f2c6ee8c0d5c3b33b14bf
SHA256

649d1fcdc4529a221d916768edd5108a6a0172ab68fb3068b5248eae7d25143c
SHA512

25de71118b2d2b6111fc2a06e9b8774a3e8839d6b7f0576ea74377a2dd389a78ba225b4684f85efdd3dd48ce34d866fd38ade33642af6610ea41e3a8312556ea
SSDEEP

1536:NnYwKcxgp81CjMPdrvvXUH4+zNPq7csUEZUWv7EUxV1ZTTbifA47+rjB:NY0o4PRvvz+vV7M

Score

10^/10

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3184-0-0x0000022D1E780000-0x0000022D1E79A000-memory.dmp	family_magniber
behavioral2/memory/2424-1-0x00000240B5E00000-0x00000240B5E0A000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
3184	rundll32.exe
3184	rundll32.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 3184 wrote to memory of 2424	3184	rundll32.exe	76
PID 3184 wrote to memory of 2432	3184	rundll32.exe	75
PID 3184 wrote to memory of 2564	3184	rundll32.exe	72
PID 3184 wrote to memory of 3116	3184	rundll32.exe	40
PID 3184 wrote to memory of 3244	3184	rundll32.exe	39
PID 3184 wrote to memory of 3480	3184	rundll32.exe	67

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3244

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3480

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2564

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2432

memory/2424-1-0x00000240B5E00000-0x00000240B5E0A000-memory.dmp

Filesize
40KB

Download
memory/2424-6-0x0000024080000000-0x0000024080001000-memory.dmp

Filesize
4KB

Download
memory/2424-7-0x0000024080010000-0x0000024080011000-memory.dmp

Filesize
4KB

Download
memory/3184-0-0x0000022D1E780000-0x0000022D1E79A000-memory.dmp

Filesize
104KB

Download
memory/3184-2-0x0000022D1E7E0000-0x0000022D1E7E1000-memory.dmp

Filesize
4KB

Download
memory/3184-4-0x0000022D20360000-0x0000022D20361000-memory.dmp

Filesize
4KB

Download
memory/3184-3-0x0000022D20350000-0x0000022D20351000-memory.dmp

Filesize
4KB

Download
memory/3184-5-0x0000022D20370000-0x0000022D20371000-memory.dmp

Filesize
4KB

Download
memory/3184-8-0x0000022D1E7B0000-0x0000022D1E7B1000-memory.dmp

Filesize
4KB

Download