magniber | 649d1fcdc4529a221d916768edd5108a6a0172ab68fb3068b5248eae7d25143c

Analysis

max time kernel
2s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
12-10-2023 15:56

Target

649d1fcdc4529a221d916768edd5108a6a0172ab68fb3068b5248eae7d25143c.dll
Size

144KB
MD5

4e0b43fccdce8ac262a4c760f604a418
SHA1

fcfd2240283547cc436f2c6ee8c0d5c3b33b14bf
SHA256

649d1fcdc4529a221d916768edd5108a6a0172ab68fb3068b5248eae7d25143c
SHA512

25de71118b2d2b6111fc2a06e9b8774a3e8839d6b7f0576ea74377a2dd389a78ba225b4684f85efdd3dd48ce34d866fd38ade33642af6610ea41e3a8312556ea
SSDEEP

1536:NnYwKcxgp81CjMPdrvvXUH4+zNPq7csUEZUWv7EUxV1ZTTbifA47+rjB:NY0o4PRvvz+vV7M

Score

10^/10

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral2/memory/1132-1-0x000002326E300000-0x000002326E31A000-memory.dmp	family_magniber
behavioral2/memory/2732-0-0x000001CE7CF60000-0x000001CE7CF6A000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1132	rundll32.exe
1132	rundll32.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1132 wrote to memory of 2732	1132	rundll32.exe	47
PID 1132 wrote to memory of 2828	1132	rundll32.exe	46
PID 1132 wrote to memory of 2940	1132	rundll32.exe	45
PID 1132 wrote to memory of 3156	1132	rundll32.exe	42
PID 1132 wrote to memory of 3288	1132	rundll32.exe	41
PID 1132 wrote to memory of 3464	1132	rundll32.exe	40
PID 1132 wrote to memory of 3656	1132	rundll32.exe	39

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3656

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3464

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3288

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2940

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2828

memory/1132-1-0x000002326E300000-0x000002326E31A000-memory.dmp

Filesize
104KB

Download
memory/1132-3-0x000002326E350000-0x000002326E351000-memory.dmp

Filesize
4KB

Download
memory/1132-6-0x000002326FF40000-0x000002326FF41000-memory.dmp

Filesize
4KB

Download
memory/1132-7-0x000002326FF50000-0x000002326FF51000-memory.dmp

Filesize
4KB

Download
memory/1132-5-0x000002326FF30000-0x000002326FF31000-memory.dmp

Filesize
4KB

Download
memory/1132-2-0x000002326E320000-0x000002326E321000-memory.dmp

Filesize
4KB

Download
memory/2732-0-0x000001CE7CF60000-0x000001CE7CF6A000-memory.dmp

Filesize
40KB

Download
memory/2732-10-0x000001CE00000000-0x000001CE00001000-memory.dmp

Filesize
4KB

Download
memory/2732-9-0x000001CE7CF70000-0x000001CE7CF71000-memory.dmp

Filesize
4KB

Download