Resubmissions

23-08-2021 16:26

210823-tx5an7s74s 10

18-08-2021 20:35

210818-2gkvb49v8e 10

22-07-2021 19:24

210722-68c2armfnx 10

Analysis

  • max time kernel
    104s
  • max time network
    111s
  • platform
    windows11_x64
  • resource
    win11
  • submitted
    23-08-2021 16:26

General

  • Target

    magnibar_f2ab74ce11c4462db427db65ff5755db4d5267d373172384a241017150e14675.exe

  • Size

    21KB

  • MD5

    4160c35d3c600712b528e8072de1bc58

  • SHA1

    12c822103678fed7b928f0202eb7e51714ab3b56

  • SHA256

    f2ab74ce11c4462db427db65ff5755db4d5267d373172384a241017150e14675

  • SHA512

    f722f7a5560641b0cbeb73dfb9d495cf2920858acfdcd5806f619256f2810569486be00eee4547b07298ca20c18d478f3f567809a7b2ff9cf81519e057a3a962

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Drops file in System32 directory 6 IoCs
  • Drops file in Windows directory 6 IoCs
  • Program crash 1 IoCs
  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\magnibar_f2ab74ce11c4462db427db65ff5755db4d5267d373172384a241017150e14675.exe
    "C:\Users\Admin\AppData\Local\Temp\magnibar_f2ab74ce11c4462db427db65ff5755db4d5267d373172384a241017150e14675.exe"
    1⤵
    PID:4992
    • C:\Windows\system32\WerFault.exe
      C:\Windows\system32\WerFault.exe -u -p 4992 -s 152
      2⤵
      • Program crash
      • Checks processor information in registry
      • Enumerates system info in registry
      • Suspicious behavior: EnumeratesProcesses
      PID:4608
  • C:\Windows\system32\WerFault.exe
    C:\Windows\system32\WerFault.exe -pss -s 452 -p 4992 -ip 4992
    1⤵
    • Suspicious use of NtCreateProcessExOtherParentProcess
    • Suspicious use of WriteProcessMemory
    PID:4148
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k netsvcs -p -s BITS
    1⤵
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:3420
  • C:\Windows\system32\svchost.exe
    C:\Windows\system32\svchost.exe -k LocalServiceAndNoImpersonation -p -s SSDPSRV
    1⤵
    PID:4564
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 681ea2316bbc2a72a0a1da8b81252cab R3q930x020WnyfI9gsy3Ow.0.1.0.3.0
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:4568
  • C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe
    C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.22000.100_none_04da31ff4c67c24a\TiWorker.exe -Embedding
    1⤵
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1052
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 681ea2316bbc2a72a0a1da8b81252cab R3q930x020WnyfI9gsy3Ow.0.1.0.3.0
    1⤵
    • Drops file in System32 directory
    • Modifies data under HKEY_USERS
    PID:1360
  • C:\Windows\System32\WaaSMedicAgent.exe
    C:\Windows\System32\WaaSMedicAgent.exe 681ea2316bbc2a72a0a1da8b81252cab R3q930x020WnyfI9gsy3Ow.0.1.0.3.0
    1⤵
    • Modifies data under HKEY_USERS
    PID:1984
  • C:\Windows\System32\sihclient.exe
    C:\Windows\System32\sihclient.exe /cv R3q930x020WnyfI9gsy3Ow.0.2
    1⤵
    • Drops file in System32 directory
    • Drops file in Windows directory
    • Modifies data under HKEY_USERS
    PID:4928

Network

MITRE ATT&CK Enterprise v6

Downloads

  • memory/3420-146-0x0000021E38970000-0x0000021E38980000-memory.dmp
    Filesize
    64KB

  • memory/3420-147-0x0000021E389F0000-0x0000021E38A00000-memory.dmp
    Filesize
    64KB

  • memory/3420-148-0x0000021E38DF0000-0x0000021E38DF4000-memory.dmp
    Filesize
    16KB