magniber | 06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d

Analysis

max time kernel
1s
max time network
5s
platform
windows10-2004_x64
resource
win10v2004-20231127-en
resource tags

arch:x64arch:x86image:win10v2004-20231127-enlocale:en-usos:windows10-2004-x64system
submitted
01-12-2023 08:57

Target

06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d.dll
Size

38KB
MD5

96d505aa061f15eff5b723ae3f82bc98
SHA1

fadec5f3bd444044ec269334cfb1ee9fff41da12
SHA256

06acd697bc0a41a6fa1098eba46ddd40d029a5fef3eb152fbf9d0d39e6f8673d
SHA512

925fdeb3b7cdf337ac809cd2e35b8301020dd1c6f9da25754e2a0b762c2a4a187090777c97c26cd43fd93297f62b00c15593579eadd9cb72f187dc1793cf7ed0
SSDEEP

768:biAFh5YBIKGMZmJ1/VTrzDSXl+h6AbUMP02Q3NYVdQDVMM:bT2nZoVTrzDSjVMEvWM

Score

10^/10

Detect magniber ransomware 2 IoCs

Processes:

resource	yara_rule
behavioral2/memory/3068-0-0x0000027C161E0000-0x0000027C1641E000-memory.dmp	family_magniber
behavioral2/memory/2336-14-0x00000236D69C0000-0x00000236D69C5000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber

Suspicious use of SetThreadContext 6 IoCs

Processes:

rundll32.exe

description	pid	Process	procid_target
PID 3068 set thread context of 2336	3068	rundll32.exe	58
PID 3068 set thread context of 2364	3068	rundll32.exe	57
PID 3068 set thread context of 2452	3068	rundll32.exe	55
PID 3068 set thread context of 3248	3068	rundll32.exe	43
PID 3068 set thread context of 3516	3068	rundll32.exe	42
PID 3068 set thread context of 3752	3068	rundll32.exe	41

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

rundll32.exe

pid	Process
3068	rundll32.exe
3068	rundll32.exe

Suspicious behavior: MapViewOfSection 6 IoCs

Processes:

rundll32.exe

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3752

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3516

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2452

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2364

memory/2336-12-0x00000236D69C0000-0x00000236D69C5000-memory.dmp

Filesize
20KB

Download
memory/2336-14-0x00000236D69C0000-0x00000236D69C5000-memory.dmp

Filesize
20KB

Download
memory/3068-6-0x0000027C16430000-0x0000027C16431000-memory.dmp

Filesize
4KB

Download
memory/3068-4-0x0000027C161C0000-0x0000027C161C1000-memory.dmp

Filesize
4KB

Download
memory/3068-3-0x0000027C161B0000-0x0000027C161B1000-memory.dmp

Filesize
4KB

Download
memory/3068-5-0x0000027C16420000-0x0000027C16421000-memory.dmp

Filesize
4KB

Download
memory/3068-1-0x0000027C16190000-0x0000027C16191000-memory.dmp

Filesize
4KB

Download
memory/3068-9-0x0000027C16490000-0x0000027C16491000-memory.dmp

Filesize
4KB

Download
memory/3068-7-0x0000027C16440000-0x0000027C16441000-memory.dmp

Filesize
4KB

Download
memory/3068-10-0x0000027C164A0000-0x0000027C164A1000-memory.dmp

Filesize
4KB

Download
memory/3068-11-0x0000027C164B0000-0x0000027C164B1000-memory.dmp

Filesize
4KB

Download
memory/3068-8-0x0000027C16480000-0x0000027C16481000-memory.dmp

Filesize
4KB

Download
memory/3068-2-0x0000027C161A0000-0x0000027C161A1000-memory.dmp

Filesize
4KB

Download
memory/3068-0-0x0000027C161E0000-0x0000027C1641E000-memory.dmp

Filesize
2.2MB

Download