54b26a9b95ed1fcf9f314705326208619c439e9b0d02a51892ed791ef1dabdff

Analysis

max time kernel
120s
max time network
121s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
19-02-2024 01:27

Target

2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe
Size

3.8MB
MD5

357f5ed6f1f2124eb1bafe166a26de6d
SHA1

30546cb222ab1e0bdf8774fca0010002c22f4f4b
SHA256

54b26a9b95ed1fcf9f314705326208619c439e9b0d02a51892ed791ef1dabdff
SHA512

33df233d4bd6253195af524510299810c6a9b4b96a12dd05f9bdfa1576e17d4025da5daaac65d87a0fb8e04b977db4fedcfd05534676a6a3854ff71dae0f9798
SSDEEP

98304:4TgNv5QiVxgbtIM/0cKZP5Cj0qhvcGx6OEKG0cC6g6v66666ES66666E6kD6666l:v/kykj0qh0Gx6gG0cC6g6v66666ES66R

Score

8^/10

Drops file in Drivers directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\sphwktog.sys	31D.tmp
File created	C:\Windows\system32\drivers\sphwktog.sys	31D.tmp

Executes dropped EXE 2 IoCs

pid	Process
1740	31D.tmp
2924	31C.tmp.exe

Loads dropped DLL 3 IoCs

pid	Process
2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe
2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe
2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe

Drops file in System32 directory 3 IoCs

description	ioc	Process
File created	C:\Windows\system32\zadpkcb\coshaew.sys	31D.tmp
File created	C:\Windows\system32\zadpkcb\coshaew.exe	31D.tmp
File created	C:\Windows\system32\zadpkcb\coshaewdrv.sys	31D.tmp

Launches sc.exe 1 IoCs

Sc.exe is a Windows utlilty to control services on the system.

pid	Process
2668	sc.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1740	31D.tmp

Suspicious behavior: LoadsDriver 1 IoCs

pid	Process
476	Process not Found

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 2508 wrote to memory of 2924	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	28
PID 2508 wrote to memory of 2924	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	28
PID 2508 wrote to memory of 2924	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	28
PID 2508 wrote to memory of 2924	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	28
PID 2508 wrote to memory of 1740	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	29
PID 2508 wrote to memory of 1740	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	29
PID 2508 wrote to memory of 1740	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	29
PID 2508 wrote to memory of 1740	2508	2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe	29
PID 1740 wrote to memory of 2668	1740	31D.tmp	30
PID 1740 wrote to memory of 2668	1740	31D.tmp	30
PID 1740 wrote to memory of 2668	1740	31D.tmp	30
PID 1740 wrote to memory of 2668	1740	31D.tmp	30

C:\Users\Admin\AppData\Local\Temp\2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-19_357f5ed6f1f2124eb1bafe166a26de6d_magniber.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2508
- C:\Users\Admin\AppData\Local\Temp\31C.tmp.exe
  C:\Users\Admin\AppData\Local\Temp\31C.tmp.exe
  2⤵
  - Executes dropped EXE
  PID:2924
- C:\Users\Admin\AppData\Local\Temp\31D.tmp
  C:\Users\Admin\AppData\Local\Temp\31D.tmp -insta
  2⤵
  - Drops file in Drivers directory
  - Executes dropped EXE
  - Drops file in System32 directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1740
- - C:\Windows\system32\sc.exe
    C:\Windows\system32\sc.exe start wcsvgnrt
    3⤵
    - Launches sc.exe
    PID:2668

C:\Users\Admin\AppData\Local\Temp\31C.tmp.exe

Filesize
51KB

MD5
b9faa132cf40132007a0ea1591ddf187

SHA1
4918ee962a60eb230b151e4e6d8f1edeb9754bcb

SHA256
8e219991a3e5132e365f1c079a4985bc2fb187abaca634eec49f62005e254596

SHA512
baec7e4064444e4f137b1ad7c4ddb0409bc1e0ea1dfd69fd323d05a213e2a0b24dc21fcf3aad6d3508e1d6803402b10276d82ec11a3fec304a51d6b82631fb46

Download Submit
C:\Users\Admin\AppData\Local\Temp\31D.tmp

Filesize
2.7MB

MD5
d7e202580243743ae6838ae3e1363074

SHA1
e4dae68e0152f23417c826158e990ef8edf1c2ea

SHA256
397ea3319c50a3a623aa0cd9415c39001565836b794cc607e9353648cb250d0b

SHA512
b8174639e4e768f722a3b4ce24a4cd36c470ca5aa991e05429f958a975ecd59624da79f6ec2d4b325073bb31081af099efb9d33f7ebbb6c4c61e05468db9ddac

Download Submit
memory/2508-8-0x0000000000190000-0x00000000001AF000-memory.dmp

Filesize
124KB

Download
memory/2508-42-0x0000000000190000-0x00000000001AF000-memory.dmp

Filesize
124KB

Download
memory/2924-17-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download
memory/2924-41-0x0000000000400000-0x000000000041F000-memory.dmp

Filesize
124KB

Download