Analysis

  • max time kernel
    139s
  • max time network
    133s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64
    arch:x86
    image:win7-20231215-en
    locale:en-us
    os:windows7-x64
    system
  • submitted
    25-12-2023 17:22

General

  • Target

    3088d9d808dd030a756633437f351b13.dll

  • Size

    33KB

  • MD5

    3088d9d808dd030a756633437f351b13

  • SHA1

    a4e78428c7aa5f14681a313fd3f92c9267e9469a

  • SHA256

    9209b297a4d3af1a82e4a60fa45fa558f08a502ebcf5dc2fa487505fd72be331

  • SHA512

    2db4cc645b040f5e5e73d61db8342b40b5fd592ad96b5187d8513e5fd6864da6306ebc887b58df7ebf94f00aac703a3acfe30e326bd9bf7eec49a27276d75b70

  • SSDEEP

    768:JxnHytUcpkucln36De22PJNFai4OLS5wz3YKUt4fSsDZ:J0DkVV6Dh2dHrdzrbNZ

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt婍

Ransom Note

ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://70b064b89cc49020e6emkyhecy.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/emkyhecy
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://70b064b89cc49020e6emkyhecy.mixedon.xyz/emkyhecy
http://70b064b89cc49020e6emkyhecy.actmake.site/emkyhecy
http://70b064b89cc49020e6emkyhecy.spiteor.space/emkyhecy
http://70b064b89cc49020e6emkyhecy.bearsat.space/emkyhecy
Note! These are temporary addresses! They will be available for a limited amount of time!

URLs

http://70b064b89cc49020e6emkyhecy.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/emkyhecy

http://70b064b89cc49020e6emkyhecy.mixedon.xyz/emkyhecy

http://70b064b89cc49020e6emkyhecy.actmake.site/emkyhecy

http://70b064b89cc49020e6emkyhecy.spiteor.space/emkyhecy

http://70b064b89cc49020e6emkyhecy.bearsat.space/emkyhecy

Signatures

  • Detect magniber ransomware 1 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 3 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (66) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3088d9d808dd030a756633437f351b13.dll,#1
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:2100
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt?
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2248
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://70b064b89cc49020e6emkyhecy.mixedon.xyz/emkyhecy^&2^&32289442^&66^&323^&12"?
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1692
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://70b064b89cc49020e6emkyhecy.mixedon.xyz/emkyhecy&2&32289442&66&323&12?
        3⤵
        • Modifies Internet Explorer settings
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2484
        • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
          "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2484 CREDAT:275457 /prefetch:2
          4⤵
          • Modifies Internet Explorer settings
          • Suspicious use of SetWindowsHookEx
          PID:1884
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1640
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:860
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:2072
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2392
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Process spawned unexpected child process
    • Suspicious use of WriteProcessMemory
    PID:2432
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1628
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        3⤵
        PID:924
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:1900
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2428

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    1fee37e03c98e84bbbad1735ecb787fa

    SHA1

    538b34da5b5542315708357008d2730efc1d2547

    SHA256

    bb46fb4ff19cf02ac6d0fe72d8f0dead7819f6d2e8a49fcc412ddc1884c31e11

    SHA512

    c3317a3c0e6f575f05742a1446ed304b32f4952adb186087cfe64d634c0df379a10cd0e6c2e156985d1eb97bc4cbf7941a377f94907b58a422b78fb20d334a3d

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    9139dbb133aaeac9a49ed49c5e37ec83

    SHA1

    25181ab50ef26bc872c77465853e34869409cad9

    SHA256

    dc7a0eb1e2d92ea0f8a86dd0e12488f3d52bb7b396d311de867c95e2aea26a78

    SHA512

    48fc5cbf548aad92f98249559c975e9f03959ba29ecf79880004ab9e6736746ee2e910a4ac6710df9d5efdbe14cfbf477d3ae02c090ece5601fcc66eeda4c20c

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    c3f49d0db8659b88368c00d2d1d7ba5d

    SHA1

    b8a3509f8771f65928127a6fb66e39fb9d7d3fea

    SHA256

    4ad46c9591298b8df76d2902b0f649b698d2d127ebc3b2fd3a2675dc366f8f2e

    SHA512

    0579ea8a8b9255ce7d12753ab924cc805f2e0e31efa401a90fff6312cf76f1b78c4fba2a4ccd111788b9fd2ce5226c41e09d23b53ae910a2d0637f4d74d65be7

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    9ae1d9eef15db7621f94adc8012e2a24

    SHA1

    872554b01a851dddaeebee03bc5bb07f145aff9b

    SHA256

    f97a4c0856ad8a04052755b10ee450b716330e3b8f84fa37bea2393f842afc81

    SHA512

    c4a7be63e6df811e665d17e951a9bbc0e197174cb1e96bf2ddc244df78e39b80d0a52e671c00702ded49ccac0fa75e25e3df53f2269b3c9aca68894f294137e0

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    344B

    MD5

    5f277b3c7b67216f708eb4d7370a9f95

    SHA1

    edaef8b77a6b162d854275fb90ca91918eb4f8b8

    SHA256

    ca0b9f5e6d852f77a57ece3b76a0ea86f2696c21d033c190b3132eec8ab602a1

    SHA512

    8f00b7ada3ab73ec7a517ae68428edbda3ec7ed2a27537f87a0c4ce374070bc08d775735320f484f227b590e204a741d6ef7cb3e60ae14605d03024f0dfb64e7

  • C:\Users\Admin\AppData\Local\Temp\Cab2281.tmp

    Filesize

    65KB

    MD5

    ac05d27423a85adc1622c714f2cb6184

    SHA1

    b0fe2b1abddb97837ea0195be70ab2ff14d43198

    SHA256

    c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

    SHA512

    6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

  • C:\Users\Admin\AppData\Local\Temp\Tar236E.tmp

    Filesize

    171KB

    MD5

    9c0c641c06238516f27941aa1166d427

    SHA1

    64cd549fb8cf014fcd9312aa7a5b023847b6c977

    SHA256

    4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

    SHA512

    936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

  • C:\Users\Admin\Pictures\readme.txt婍

    Filesize

    1KB

    MD5

    ab68d1f23e1c254d3e6ff57930079cc4

    SHA1

    4583210496084284c46d82f06de0b7dd5b247710

    SHA256

    8b61b19f68af696197f7360197965272313613717af0ecff0849058da538de0b

    SHA512

    58a582f3b45d6c9f4391d96021ce4415d0408ebda4d0ef546bc9321ecae66900ba05fb33a03cf44bc62c455e24bf81b7b90b657cfc3fec0c5c6375d1e872b1da

  • memory/2100-24-0x0000000002030000-0x0000000002975000-memory.dmp

    Filesize

    9.3MB