872eef06f010972090cb6ec242571c4abf6ab515f682fdc0b207b54f4688b986

General

Target

2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe
Size

317KB
MD5

2393f21a726d7e759d2afe6316246a1b
SHA1

dae73f33c93974ee64c863a305b3fe2a4efa242a
SHA256

872eef06f010972090cb6ec242571c4abf6ab515f682fdc0b207b54f4688b986
SHA512

2c4275aece691349ec6fbfb749a4684dc1c355b6ddee53a4a1d63d94d6886a08516a5c2276aa7882dcfc8b0a264c8bf8e11a3a67e06ffaf36cc7dea5522545c7
SSDEEP

3072:JNxkchM4eJY+kPsSNxq8RPCUek4pZhzVrZ+Nm+5XNtOCfUY8dQgZCocgtgVsN6ff:b/hM4em+kPsgzr4PZSRfUmSNN67l2

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\Control Panel\International\Geo\Nation	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe

Executes dropped EXE 2 IoCs

pid	Process
2988	winmgr.exe
1404	winmgr.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-5050572947025827857375865240\\winmgr.exe"	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1045988481-1457812719-2617974652-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-5050572947025827857375865240\\winmgr.exe"	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe

Drops file in System32 directory 10 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE	winmgr.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE	winmgr.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE	winmgr.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMEWDBLD.EXE	winmgr.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe	winmgr.exe
File created	C:\Windows\SysWOW64\IME\SHARED\IMCCPHR.exe	winmgr.exe
File created	C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe	winmgr.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\imecfmui.exe	winmgr.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMEPADSV.EXE	winmgr.exe
File opened for modification	C:\Windows\SysWOW64\IME\SHARED\IMESEARCH.EXE	winmgr.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 2484 set thread context of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2988 set thread context of 1404	2988	winmgr.exe	101

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\M-5050572947025827857375865240\winmgr.exe	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe
File opened for modification	C:\Windows\M-5050572947025827857375865240\winmgr.exe	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe
File opened for modification	C:\Windows\M-5050572947025827857375865240	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 2484 wrote to memory of 4204	2484	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	94
PID 4204 wrote to memory of 2996	4204	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	96
PID 4204 wrote to memory of 2996	4204	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	96
PID 4204 wrote to memory of 2996	4204	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	96
PID 4204 wrote to memory of 2988	4204	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	98
PID 4204 wrote to memory of 2988	4204	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	98
PID 4204 wrote to memory of 2988	4204	2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe	98
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101
PID 2988 wrote to memory of 1404	2988	winmgr.exe	101

C:\Users\Admin\AppData\Local\Temp\2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe
"C:\Users\Admin\AppData\Local\Temp\2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:2484
- C:\Users\Admin\AppData\Local\Temp\2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe
  "C:\Users\Admin\AppData\Local\Temp\2023-08-26_2393f21a726d7e759d2afe6316246a1b_magniber_JC.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:4204
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\wypafeorcf.bat" "
    3⤵
    PID:2996
- - C:\Windows\M-5050572947025827857375865240\winmgr.exe
    C:\Windows\M-5050572947025827857375865240\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:2988
  - - C:\Windows\M-5050572947025827857375865240\winmgr.exe
      C:\Windows\M-5050572947025827857375865240\winmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      PID:1404

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Unsecured Credentials

1

T1552

Credentials In Files

1

T1552.001

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\phqghumeay

Filesize
318KB

MD5
b07fed4bdc1e2d79999a1a4f31f5ed83

SHA1
281d19b6521984112fae58b1a63ef0e0c2869a16

SHA256
894ddece4dc02ea9f68db06e666dee6b63b87ebada8eb0c086bea5c0802425a0

SHA512
c7aac372c7e226300a92e776dc00d5331eb62104a242eb0e23b797cedf47c87eab7c0a7ec4dc12e96a54eff7819a8c116330b5c84468cabdbe2acfafd94eb005

Download Submit
C:\Users\Admin\AppData\Local\Temp\wypafeorcf.bat

Filesize
284B

MD5
71de58f01670ce2a3fc6cbc47729aff6

SHA1
78ea1f5300dcd2e5ac0c6873d6fb61a75fd6936e

SHA256
3c2db8fb630730abecda41f9cb71fdb3474be3101a5f94c07d42ea2181419744

SHA512
7a579b325990aeb59000829ad3c081ed5edf2e88bb176e3b31da971c361b66107c43e12f8683be2e7f0929d19122fbd4ff4cac1252b0fc4adf0fa2149d3371cc

Download Submit
C:\Windows\M-5050572947025827857375865240\winmgr.exe

Filesize
317KB

MD5
2393f21a726d7e759d2afe6316246a1b

SHA1
dae73f33c93974ee64c863a305b3fe2a4efa242a

SHA256
872eef06f010972090cb6ec242571c4abf6ab515f682fdc0b207b54f4688b986

SHA512
2c4275aece691349ec6fbfb749a4684dc1c355b6ddee53a4a1d63d94d6886a08516a5c2276aa7882dcfc8b0a264c8bf8e11a3a67e06ffaf36cc7dea5522545c7

Download Submit
C:\Windows\M-5050572947025827857375865240\winmgr.exe

Filesize
317KB

MD5
2393f21a726d7e759d2afe6316246a1b

SHA1
dae73f33c93974ee64c863a305b3fe2a4efa242a

SHA256
872eef06f010972090cb6ec242571c4abf6ab515f682fdc0b207b54f4688b986

SHA512
2c4275aece691349ec6fbfb749a4684dc1c355b6ddee53a4a1d63d94d6886a08516a5c2276aa7882dcfc8b0a264c8bf8e11a3a67e06ffaf36cc7dea5522545c7

Download Submit
C:\Windows\M-5050572947025827857375865240\winmgr.exe

Filesize
317KB

MD5
2393f21a726d7e759d2afe6316246a1b

SHA1
dae73f33c93974ee64c863a305b3fe2a4efa242a

SHA256
872eef06f010972090cb6ec242571c4abf6ab515f682fdc0b207b54f4688b986

SHA512
2c4275aece691349ec6fbfb749a4684dc1c355b6ddee53a4a1d63d94d6886a08516a5c2276aa7882dcfc8b0a264c8bf8e11a3a67e06ffaf36cc7dea5522545c7

Download Submit
memory/1404-23-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1404-24-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1404-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/2484-5-0x0000000003000000-0x000000000305C000-memory.dmp

Filesize
368KB

Download
memory/2484-0-0x0000000003000000-0x000000000305C000-memory.dmp

Filesize
368KB

Download
memory/2484-2-0x0000000000420000-0x0000000000520000-memory.dmp

Filesize
1024KB

Download
memory/2988-22-0x0000000003000000-0x000000000305C000-memory.dmp

Filesize
368KB

Download
memory/2988-19-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/4204-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4204-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/4204-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads