Overview

overview

9

Static

static

1

2024-04-28...er.exe

windows7-x64

9

2024-04-28...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    141s
  • max time network
    50s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    28-04-2024 05:50

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-28_1c8abfbd35ffd0cbfddc93be61765e4a_magniber.exe

  • Size

    48.4MB

  • MD5

    1c8abfbd35ffd0cbfddc93be61765e4a

  • SHA1

    199a6fcc19294a8f8ec512cbc930b68e1cc48246

  • SHA256

    078b64078a5dc8d14b5a4223a6425e4ab650ff38eaf298cd64d8bd9284a4868d

  • SHA512

    b6b1dce16f2bc212d4e9d3f99211c079e95133ae243d1668cf63d02da312433fd247f4f42b46f386e1b5e8154899f3ea504e649312b7f03375ba1e4fc4f1efa3

  • SSDEEP

    786432:81uku651ufXEtPCpa2KWGuU/atU6Q25xKRdQ1VcpYtMwubtJSfDEdwd/:83Fzucaw2NGJ0U6HxSMKprvUEdw/

Score
9/10
bootkitevasionpersistencetrojan

Malware Config

Signatures

  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Identifies Wine through registry keys 2 TTPs 1 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Drops file in Windows directory 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 18 IoCs
  • Modifies registry class 8 IoCs
  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-28_1c8abfbd35ffd0cbfddc93be61765e4a_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-28_1c8abfbd35ffd0cbfddc93be61765e4a_magniber.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1828
    • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\InstallerGUI.exe
      C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\InstallerGUI.exe "--distrib-name=C:\Users\Admin\AppData\Local\Temp\2024-04-28_1c8abfbd35ffd0cbfddc93be61765e4a_magniber.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Identifies Wine through registry keys
      • Checks whether UAC is enabled
      • Writes to the Master Boot Record (MBR)
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Drops file in Windows directory
      • Executes dropped EXE
      • Loads dropped DLL
      • Modifies registry class
      • Suspicious behavior: AddClipboardFormatListener
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:4948

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2
T1497

Pre-OS Boot

1
T1542

Bootkit

1
T1542.003

Credential Access

Discovery

Query Registry

3
T1012

Virtualization/Sandbox Evasion

2
T1497

System Information Discovery

2
T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\BrowserUtil.dll
    Filesize

    93KB

    MD5

    6bfe93d9c106d43e083223ee0f35c4ac

    SHA1

    62da2c5d2924ab3c970941c5278fa2f91ae1dd96

    SHA256

    75cc8d1f7fc8dac55520eab0741f7b06a6cee64a54b92eb4c3bb4cc0f055254a

    SHA512

    5ad6af127a6a80b31b4c4d91c94808ebfe5d622c4324ef0712cf0ec09199af196a1efd793d04b5ad8bb8d37b98f259fcb5a5090460c93c039ab3911999fe6843

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\CoreInt.dll
    Filesize

    719KB

    MD5

    b8955f3f81776d6978c1d432e5ea064d

    SHA1

    9a614943f3fd39429f441f357ca3b992dcbb2806

    SHA256

    90a65b62745a4942aa321b3c53f0e235f2dc003baed8cd9cc838e87b3834962f

    SHA512

    085bd2b5bc139b32dcd60f7552db2100f9bbd647b44480f1a7f2b66f8ae9898825bc2eb01c9b7f3e2376de9e0b8623e6e5706a68b394a33b31c8669892345b0c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\GeneralPlugin.DLL
    Filesize

    2.9MB

    MD5

    d7087981024638597624e42d8ac822f1

    SHA1

    941a142ad207bff179b0d73d726a91432c4587a4

    SHA256

    bf234e3616323d1fab18ade9e9cb7d938fc8f5388c0dd9a1c54a945d8a32acc8

    SHA512

    c7bb135ab30f81b9ac0b9b7fa657cdcea49a2932dd05e5229666eee8a20bceb8d36865651676faf5e337586e76e73a82657dbf060cdcf0b7560217d825e60a65

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\InstallerData.7z
    Filesize

    47.7MB

    MD5

    139a19d809468b67d98f63a19dfca6ef

    SHA1

    afe8de7a7ad2cdd5d48a80f971b189c6ae1d1f0e

    SHA256

    e7545038da6eb5db244a3555d7f8d4969a1981fde4a61d5870551e7a002ac175

    SHA512

    7b8f93e35f2e979f1635f480e2bd4faccb9571e931907bc044cf5238ba47372c2f961e5ad79a2132518d56695ea6d8b1c0fea9afd75cfeda5626d4ce9939460d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\InstallerGUI.exe
    Filesize

    1.4MB

    MD5

    46e0f9bf770182454ab6c199e46f2d07

    SHA1

    68f45ec8394224f486f950a95550fb5cdee9d83d

    SHA256

    c289be917f2c77208102ef72ba1e8064a73640fb8d229885c2d9f76e404087ac

    SHA512

    1473cd1554cef1bc2351a53f08c61ae5d3ff4587ac91c83148983668f3aabf55c74c27d0d2106caa3ad85fcb481afd97d38da04e27a7cc80e5738ce28a3ba142

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\MQtUtil.dll
    Filesize

    418KB

    MD5

    7d059c51ca8f5650ffdf98309070d1c5

    SHA1

    e2f92ab999d14522598b206c7eae362d60202263

    SHA256

    424f683cef15fc3582d9a0402e5219bcaf14abe03ccf066af8dd7d2367d0e9e4

    SHA512

    6b0ae3cbed38fd6c85fa5cb7913529a3dd69369625927a20bc560937db7ef3648b43db2d3ef17a297e39bdb4a95e4e70a0aa3cf3bc57f9330365deb962438446

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\Qt5Core.dll
    Filesize

    4.4MB

    MD5

    17d745269902475305853a3b583e20ae

    SHA1

    9439507228af63ddcf7df093d58132e88669ad7b

    SHA256

    73ec1c1fb79ef848a9a3fd095d02793a21566b5ab4b5d7b8a03d8c94ef54ae7b

    SHA512

    4eedc373c0ec2daea38ba53d9fdab115e93e5f3ed485effca05f26aa5c5266661bf6f702c649c233daf47722811284a7ae94e0e0f8fb4353e9ab1f59f6158d39

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\Qt5Gui.dll
    Filesize

    4.8MB

    MD5

    011b04791b1b59de4b04d4daf7032c37

    SHA1

    6fd5e7d7d56b1694c002411b59bd99d2e1db9dee

    SHA256

    662907e8f43bdac54e732eb2f34e3fcf4ebfbbf5f40f5f08abdc91d6adb01ea6

    SHA512

    cfbcb5c16e52e1598e7b9a0475faedd2c4087df4bc2b5eceb0be3418ea9c19013a3d1755b646cc031e26dfef8405aef40ab857040037cc0c25063e0c8d737714

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\Qt5Widgets.dll
    Filesize

    4.2MB

    MD5

    7e1a15004a2ba982d3b72070b81dc2da

    SHA1

    b714e3a077ff0014470e3e68a69d55a96432b5c4

    SHA256

    30f136ff7469e7a78fec7e42e91fda2f251d79db1e4fbab26ec73a3934069ef8

    SHA512

    bde6b4ca2b733c93279a6eab0e46a3c307c47214368795dbb5a149e1c58887dd65e4944e3c9c76c5a35b7ca7603a21f764853458734f8288f8e7fd0280c073ea

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\boost_chrono-vc140-mt-1_60.dll
    Filesize

    35KB

    MD5

    84cd4f830ee48b0be3f9bf0c4a7de03d

    SHA1

    63adcffe5a9da72ae794ca356a5cde8265e33f48

    SHA256

    68bbd434fbbd12956476b28355110d39a3883596e04d2d2315671ad60e70b1b4

    SHA512

    baff34b9955bdb5748d0ec1a4ff4fc187f2ff505f6443fd75d4551b9a4485066f31d8f0421acea9bde1fb000af866ada0a31c347aedffa9a922f0776c948ed8c

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\boost_filesystem-vc140-mt-1_60.dll
    Filesize

    125KB

    MD5

    bf94e8a932581857a1e3c885ba13c898

    SHA1

    16d230570ef83a7a9da918b06c7505ec28cafd3d

    SHA256

    d98c9f232b81b4e2176172f9fdbb886fdafdd57343b59013fda1e74c60f44e28

    SHA512

    e199d7c85e1525f26c602ffb65b7df8c47d2c095f4b78febbf64538447b48658f97c065b8ebc1bbc3a02610ddad7002b3ebd7fc85e73366e99a854786755abda

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\boost_system-vc140-mt-1_60.dll
    Filesize

    26KB

    MD5

    982b2fff5d1db04862ccd8932ce230b5

    SHA1

    6dfa62f807d99cbbb783afcd198753a8f2cf055b

    SHA256

    29c7399604fad770a738c3b6021679e3c1ac4f713e5a9542d545fb2e205d23bd

    SHA512

    5d4dff7b5cc45912526f77624cc75575eac08db0981518c3d8e7edd9427c5f2f53e3b4f573c6605a629efbe213fc33071c23f3efd0ec7ba5ddcaa66c3a98a6c4

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\glog.dll
    Filesize

    93KB

    MD5

    fdecdbc5683b78ec1be4ae9388a0b1c2

    SHA1

    5193b2866e629825a55386fd381fbc9ece8bc261

    SHA256

    28ddc84cd20f7b8f530649cc291a5c7ccc27a0fe60a874b2c423ca9897d68cfb

    SHA512

    ef9bf925d48d2927286f0ee9934e1ee9dc19068ccce17a1515d9eabd4d0705534661fc654123daebf90ec36e3d33e17c8acce727f0e915e2235742f9c54a0a8f

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\msvcp140.dll
    Filesize

    429KB

    MD5

    d25c3ff7a4cbbffc7c9fff4f659051ce

    SHA1

    02fe8d84d7f74c2721ff47d72a6916028c8f2e8a

    SHA256

    9c1dc36d319382e1501cdeaae36bad5b820ea84393ef6149e377d2fb2fc361a5

    SHA512

    945fe55b43326c95f1eee643d46a53b69a463a88bd149f90e9e193d71b84f4875455d37fd4f06c1307bb2cdbe99c1f6e18cb33c0b8679cd11fea820d7e728065

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\platforms\qwindows.dll
    Filesize

    994KB

    MD5

    87d6a4c9db1a8085c1286547b0501ddf

    SHA1

    8daaabbdbadb4c0ebd29c871327ce895e02a1e7f

    SHA256

    5c78b732f8f1e84fa255f11c807afd0e251c8be190de9c0f283df74455583126

    SHA512

    6f82d8658e510942338b32f88790312062ed828799626735171b60ea120ebd19684c6f7306c25a36d501375e92e8dc1eff7d1c0984f01e619dbea4e4ed4f69e6

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\resources\locales\en_US\InstallerGUI_en_US.qm
    Filesize

    8KB

    MD5

    d3c04c3deaf098817e48b6b80cf1b574

    SHA1

    0656bb25b671c0b4a39a24b1b40a5b9baa1ffc00

    SHA256

    39f0a7e8b3736536409635d4f9f06d6bda8d8d1ca8a48789e0eb844ce27e95c3

    SHA512

    b7744ebc88e378f09448ab99d33fd7293ae99dde838d232d6ec426cefb9f8800c024926f1e0e394315d0c2bcbff2a4c6e07fca84a91e630b5a4b64a82429d14a

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\resources\locales\en_US\Installer_en_US.qm
    Filesize

    1KB

    MD5

    b163493bece2f9731edcf1c7dc7f37f1

    SHA1

    dda6e6bc8fc188de850d2370d26f6f7c13e962a2

    SHA256

    5826ab0c1a4cac5aaee0e077d9d41c7a0dfed8f9b8c19fb0ab9f1b7239f20b00

    SHA512

    3aa8420dcdacb05000939175d2e911d8aaeaa9f19c8566bc65a8d3e0a8f0fc59bc7e50650cf22d64b115dcdcc411e63efc669d22209af3878e12f4b7dfe9f8ba

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\resources\locales\en_US\MQtUtil_en_US.qm
    Filesize

    1KB

    MD5

    e2597cc50f4420144efe6dbbf4fb19cd

    SHA1

    57eb7ff750036c177d156f844c1600b1a8657d7c

    SHA256

    a6f30b5c0bd7ed3db8d6821ac1910d9a21f00770d0369765c583ad58a318ffc9

    SHA512

    07d125d75da63956d8b9bb66362581fcfe2719db48b0d5e782328797bd9342ce97e22354bd2964306948d06e1de9a1fc127a6329c40ae40e142cbd66e9a19741

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\resources\locales\en_US\qt_en_US.qm
    Filesize

    117KB

    MD5

    d83e341d031061657a9fda31982f5fea

    SHA1

    88a01ec008606047ab2fdf197047660c6dfc1b33

    SHA256

    189e0d926eb4ea0a36b5566af311506515101d06236dd4a18e6316e1e0eca170

    SHA512

    c5c0b6b0885c0c52ecc68478b0a041604a77531923dd69c9a63944e970fc67488054b8459dc404a7b8cc52812d6a50812400d8d25bd81674a6464add504fabaf

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\settings.ini
    Filesize

    7KB

    MD5

    163619672e3bcb12ec28778c151b54ac

    SHA1

    58a00c0cf6b0a921b30ae9979f3c57ac3446ea07

    SHA256

    2179163d346fe0ff00144a2ed05859b70dece3dbb3e8f4926029bf15f226020f

    SHA512

    53f8bba4967222870287ab8e453adac469c573c0c3028b4bd631aea90ba26d8de39c0a0ab42f7f163aefcadf24124fb7c6f22743005fea4c2d0c15b01459dc1d

    Download Submit
  • C:\Users\Admin\AppData\Local\Temp\Movavi-installer-1714283458\vcruntime140.dll
    Filesize

    81KB

    MD5

    a2523ea6950e248cbdf18c9ea1a844f6

    SHA1

    549c8c2a96605f90d79a872be73efb5d40965444

    SHA256

    6823b98c3e922490a2f97f54862d32193900077e49f0360522b19e06e6da24b4

    SHA512

    2141c041b6bdbee9ec10088b9d47df02bf72143eb3619e8652296d617efd77697f4dc8727d11998695768843b4e94a47b1aed2c6fb9f097ffc8a42ca7aaaf66a

    Download Submit
  • memory/4948-114-0x0000000072F50000-0x000000007362A000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4948-124-0x0000000072F50000-0x000000007362A000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4948-136-0x0000000072F50000-0x000000007362A000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4948-137-0x0000000072F50000-0x000000007362A000-memory.dmp
    Filesize

    6.9MB

    Download