Analysis

  • max time kernel
    118s
  • max time network
    131s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    27-12-2023 10:15

General

  • Target

    adcd96c04e6729479b71004ec131f43e.dll

  • Size

    38KB

  • MD5

    adcd96c04e6729479b71004ec131f43e

  • SHA1

    08699a15fec12a40a1aab8cf8073c0fc4629ecfb

  • SHA256

    598e6aa444a25c2442e321af24044fbfbf22a68843586cf058c29d5ac2b48461

  • SHA512

    2400e0246eb653d254724e539b53bedc1e0817c61d23a58d9ca72c22ce4e71c480d92462dae06af8a8626d9e49a73f458a74c3aac10a735263ea11ba3c754985

  • SSDEEP

    768:40PNWfnUqS31SdW3ZM0twjSamZjDrUim1hC3WpkqJNAhMO5zFtcAK72Rcv:4wemSdW3ZM0tc6jDw145mNAh95RtcAKa

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt

Family

magniber

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here:
http://364070b0500094e0cedgkqvhhrv.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/dgkqvhhrv
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://364070b0500094e0cedgkqvhhrv.metthe.top/dgkqvhhrv
http://364070b0500094e0cedgkqvhhrv.sameleg.site/dgkqvhhrv
http://364070b0500094e0cedgkqvhhrv.keystwo.uno/dgkqvhhrv
http://364070b0500094e0cedgkqvhhrv.iflook.club/dgkqvhhrv
Note! These are temporary addresses! They will be available for a limited amount of time!
URLs

http://364070b0500094e0cedgkqvhhrv.hy5tprdl77synlgxroueyzpat4iszkkx52r4i3ufbg6l7b32zqkyc5ad.onion/dgkqvhhrv

http://364070b0500094e0cedgkqvhhrv.metthe.top/dgkqvhhrv

http://364070b0500094e0cedgkqvhhrv.sameleg.site/dgkqvhhrv

http://364070b0500094e0cedgkqvhhrv.keystwo.uno/dgkqvhhrv

http://364070b0500094e0cedgkqvhhrv.iflook.club/dgkqvhhrv

Signatures

  • Detect magniber ransomware (2 IoCs)
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process (10 IoCs)

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies (2 TTPs)

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (63) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Suspicious use of SetThreadContext (4 IoCs)
  • Interacts with shadow copies (2 TTPs, 5 IoCs)

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings (1 TTPs, 13 IoCs)
  • Modifies registry class (13 IoCs)
  • Opens file in notepad (likely ransom note) (1 IoCs)
  • Suspicious behavior: EnumeratesProcesses (2 IoCs)
  • Suspicious behavior: MapViewOfSection (4 IoCs)
  • Suspicious use of AdjustPrivilegeToken (64 IoCs)
  • Suspicious use of UnmapMainImage (2 IoCs)
  • Suspicious use of WriteProcessMemory (64 IoCs)
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\DllHost.exe
    C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
    PID:1052
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      PID:2336
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        PID:956
  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    PID:1232
    Signatures: Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of UnmapMainImage; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\rundll32.exe
      rundll32.exe C:\Users\Admin\AppData\Local\Temp\adcd96c04e6729479b71004ec131f43e.dll,#1
      PID:2664
      Signatures: Suspicious use of SetThreadContext; Modifies registry class; Suspicious behavior: EnumeratesProcesses; Suspicious behavior: MapViewOfSection; Suspicious use of WriteProcessMemory
      • C:\Windows\system32\cmd.exe
        cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
        PID:1568
        Signatures: Suspicious use of WriteProcessMemory
        • C:\Windows\system32\wbem\WMIC.exe
          C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
          PID:1872
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      PID:1428
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        PID:2260
        Signatures: Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\Dwm.exe
    "C:\Windows\system32\Dwm.exe"
    PID:1176
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      PID:1156
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        PID:2508
        Signatures: Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    PID:1124
    Signatures: Modifies registry class; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt
      PID:1144
      Signatures: Opens file in notepad (likely ransom note)
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://364070b0500094e0cedgkqvhhrv.metthe.top/dgkqvhhrv^&2^&24369993^&63^&345^&12"
      PID:2376
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Program Files\Internet Explorer\iexplore.exe
        "C:\Program Files\Internet Explorer\iexplore.exe" http://364070b0500094e0cedgkqvhhrv.metthe.top/dgkqvhhrv&2&24369993&63&345&12
        PID:1412
        Signatures: Modifies Internet Explorer settings
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      PID:3016
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        PID:2268
        Signatures: Suspicious use of AdjustPrivilegeToken
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    PID:1612
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      PID:3008
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        PID:2580
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    PID:1600
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      PID:2588
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        PID:2592
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    PID:2388
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      PID:2744
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        PID:2628
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    PID:2088
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      PID:2756
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        PID:2128
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    PID:2156
    Signatures: Process spawned unexpected child process; Suspicious use of WriteProcessMemory
    • C:\Windows\system32\CompMgmtLauncher.exe
      CompMgmtLauncher.exe
      PID:3000
      Signatures: Suspicious use of WriteProcessMemory
      • C:\Windows\system32\wbem\wmic.exe
        "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
        PID:2640
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    PID:2652
    Signatures: Process spawned unexpected child process; Interacts with shadow copies
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    PID:616
    Signatures: Process spawned unexpected child process; Interacts with shadow copies
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    PID:1072
    Signatures: Process spawned unexpected child process; Interacts with shadow copies
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    PID:1032
    Signatures: Process spawned unexpected child process; Interacts with shadow copies
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    PID:2892
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    PID:2900
    Signatures: Process spawned unexpected child process; Interacts with shadow copies

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\Desktop\BlockRestart.pptx.dgkqvhhrv
    Filesize
    229KB
    MD5
    8680cc92eb69c26593f5b09ff3be5567
    SHA1
    5057386e662e41733ad4c71f38d4da878403a254
    SHA256
    f2fc21e1eabca0c3fc60be27c4c6a6a9c2f95ff3a1bf4d88607ef6a75f2d0df1
    SHA512
    9c4e5eed37e6bb3bfbf60c633d9f53db237334ef9577e9b6eb479fb180644746dffe7af1091a7e201716eef5de95a211e446a648ed25f08720d5ddf3ddcc39f6
  • C:\Users\Admin\Desktop\BlockSend.wmv.dgkqvhhrv
    Filesize
    209KB
    MD5
    054c889fee1b502bb1c3bc3b62ead0ce
    SHA1
    3cee275335fd0811c676006a1eb89f0c4701397a
    SHA256
    1cb633d8e612413f354a7d4e11b8cf80cf5e099dc7ff4ea21343d9b7e3f4ab07
    SHA512
    0f2b65876473626c0481c3ae78f584567deef07573d4acb2b098c065a19b7ed946e186c9ad4504432e2e1c18440c940f5c47cd931273d05b7717b62a3b50b625
  • C:\Users\Admin\Desktop\DismountMerge.svg.dgkqvhhrv
    Filesize
    170KB
    MD5
    056d28dac6967bf69ae75728ab4acc51
    SHA1
    fa69225c3ea876233b76bb51fbd97932b61e38bb
    SHA256
    f97504caedec8b5d8df7feb73b7ed69204f95d1220fc24b11d308945f0d9d3da
    SHA512
    3906baf5b31dfe8de223ff0c33b54da537b43faabf7b2da2171c107ff1992ad544a1758700375620283b78a96f6bc33bb390b11b6d57c4ae78caf2de9f46b712
  • C:\Users\Admin\Desktop\FindMount.jpg.dgkqvhhrv
    Filesize
    257KB
    MD5
    0d346442f437d0514f62372f21ed7be1
    SHA1
    c224853c39a0a0d5f063536e57caf44a103f4d47
    SHA256
    74b7b72b1e8d4a678860390a0f69003727698db925ff9734b1188fd97ccd1cfe
    SHA512
    34dc78426a886d4d2336a9ff4f3b1b7d530ab1d38c66b34639e714af45fe7b0aaee0186e59f4a55299e8a5242a68f651edefb93c5f7582f57cf44bf3b0004d0b
  • C:\Users\Admin\Desktop\MeasureRedo.bmp.dgkqvhhrv
    Filesize
    287KB
    MD5
    0a85ec0055e4d4b9753a157d751de154
    SHA1
    8a40c1e5caa4f5d8550a31208613c00516a980c6
    SHA256
    9ac3f71dafeba8a57aab5c202fe755a015441d91d1f3c511182c5293916345a0
    SHA512
    be1808106e09a6021226c3ad8cd4c6fa20346319476afb3a67e8be0fa326e8d56a5658243263b41f420b906ebc0f00bf0330dc316e2c8b713a819de9467b02d0
  • C:\Users\Admin\Desktop\RequestFind.bmp.dgkqvhhrv
    Filesize
    365KB
    MD5
    2d76a93a0708d5a695c65419de73f9fa
    SHA1
    10a4fccfad92ac8afe2bde17cb8ccbf712be215b
    SHA256
    744f48678fe585ed3411950665c243bed47077d961266d7fe197987e576e30f2
    SHA512
    439a9788f00e80e427cace9bab0922d1a33c86f21344d1512bca6cef7eab4fe63e651c334de4e81dd7af72e7224a6f05f4448aa0072628c446b60a38982f18e8
  • C:\Users\Admin\Desktop\RevokeAssert.doc.dgkqvhhrv
    Filesize
    555KB
    MD5
    fd66abc9519ca9df7fdbc0e9dfb3f9f0
    SHA1
    011e32ebaef21b60ae36659e1ce926bfc01eb30f
    SHA256
    15404e6cf324ad23f526f36ec507fb857bc8a9d9433282e8f7f3135ae7f7622c
    SHA512
    6023796bbe4dfd2f5b6b30757ab4c31b981d0257135fbcc6bc1b80c2798f71cc22bd0f7d6d5b49e36295f0c540f369e87345ec5f431d3b3225b3c87a1e3e1ddf
  • C:\Users\Admin\Desktop\ShowMerge.csv.dgkqvhhrv
    Filesize
    316KB
    MD5
    1924d35cfcb2bcd11308197e43d34e12
    SHA1
    209cb8d6200535744368fb8f6610c3480eb7ae9b
    SHA256
    79e62f9032f2e207469e62ca4c34a8f907bbef44a408fecb3abec282af2044c2
    SHA512
    bdd44e9b7fdfbb1802f94b7fe96b1cb48195f70672adb7cfccd92d8c58090cee3e44e2705f1ac7ab35c32b99d2918002efc4d45c69b5acbea60ee883edd3231c
  • C:\Users\Admin\Pictures\readme.txt
    Filesize
    1KB
    MD5
    19068973d6e6d83d3f53f5cf234796a2
    SHA1
    d7fafeb93593718df1f7ebe807731878c383da2c
    SHA256
    220f2705300399c850309f42fe257627738ad659c8d5db453bbfd327753f862b
    SHA512
    0521bef6210f83acbb0ced98aa18308436464fcebf9612cb80fe9837b9141b9ea0ea88b6393ffcbe84255faab0b3253b1f1c6c2adb9bbfab2f32440d464fbfad
  • memory/1052-247-0x0000000000370000-0x0000000000380000-memory.dmp
    Filesize
    64KB
  • memory/1124-0-0x0000000000410000-0x0000000000414000-memory.dmp
    Filesize
    16KB
  • memory/1124-103-0x0000000000410000-0x0000000000414000-memory.dmp
    Filesize
    16KB
  • memory/2664-47-0x00000000023B0000-0x00000000023B1000-memory.dmp
    Filesize
    4KB
  • memory/2664-101-0x0000000002410000-0x0000000002411000-memory.dmp
    Filesize
    4KB
  • memory/2664-83-0x00000000023F0000-0x00000000023F1000-memory.dmp
    Filesize
    4KB
  • memory/2664-102-0x0000000002420000-0x0000000002421000-memory.dmp
    Filesize
    4KB
  • memory/2664-104-0x0000000002760000-0x0000000002761000-memory.dmp
    Filesize
    4KB
  • memory/2664-93-0x0000000002400000-0x0000000002401000-memory.dmp
    Filesize
    4KB
  • memory/2664-36-0x0000000001C20000-0x0000000001C21000-memory.dmp
    Filesize
    4KB
  • memory/2664-60-0x00000000023C0000-0x00000000023C1000-memory.dmp
    Filesize
    4KB
  • memory/2664-39-0x0000000001C40000-0x0000000001C41000-memory.dmp
    Filesize
    4KB
  • memory/2664-38-0x0000000001C30000-0x0000000001C31000-memory.dmp
    Filesize
    4KB
  • memory/2664-26-0x0000000000130000-0x0000000000131000-memory.dmp
    Filesize
    4KB
  • memory/2664-24-0x0000000000120000-0x0000000000121000-memory.dmp
    Filesize
    4KB
  • memory/2664-1-0x0000000001CD0000-0x00000000023AA000-memory.dmp
    Filesize
    6.9MB