Analysis Overview
SHA256: 04f729e2805d7b3827bc9d05cb145ee00bcf4c986f0ff384088c2523ff9292f2
Threat Level: Known bad
The file 2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Enumerates physical storage devices
Suspicious use of FindShellTrayWindow
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Modifies registry class
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
Analysis: static1
Detonation Overview
Reported: 2024-02-20 15:28
Analysis: behavioral1
Detonation Overview
Submitted: 2024-02-20 15:28
Reported: 2024-02-20 15:31
Platform: win7-20240215-en
Max time kernel: 141s
Max time network: 132s
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\TypeLib\ = "{012F24C1-35B0-11D0-BF2D-0000E8D0D146}" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\VersionIndependentProgID\ = "Office.awsdc" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ = "Microsoft Office Template and Media Control" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\IEAWSDC.DLL" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ProgID | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07} | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ProgID\ = "Office.awsdc.1" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\TypeLib | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\VersionIndependentProgID | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\Version | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\Version\ = "1.0" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 1288 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | C:\Windows\splwow64.exe |
| PID 1288 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | C:\Windows\splwow64.exe |
| PID 1288 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | C:\Windows\splwow64.exe |
| PID 1288 wrote to memory of 2716 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | C:\Windows\splwow64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | sqlmanager.net | udp |
| RU | 87.242.72.40:443 | sqlmanager.net | tcp |
| RU | 87.242.72.40:443 | sqlmanager.net | tcp |
| US | 8.8.8.8:53 | www.sqlmanager.net | udp |
| RU | 87.242.72.40:443 | www.sqlmanager.net | tcp |
| RU | 87.242.72.40:443 | www.sqlmanager.net | tcp |
| US | 8.8.8.8:53 | secure.sqlmanager.net | udp |
| RU | 87.242.72.40:443 | secure.sqlmanager.net | tcp |
| RU | 87.242.72.40:443 | secure.sqlmanager.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmp5479.mht
| Hash | Value |
|---|---|
| MD5 | 62da7803483f9c1029a20b505e45e855 |
| SHA1 | 46a880f20307c04c4a72c2fcda785694fa82d69a |
| SHA256 | a1c27544d59f9fd58357c498349813c7b4b3b24817f6e5dee0d0ac028392940e |
| SHA512 | 8a4e9082a23af209b83ac3f00df86ed92ddc51e21b6370fea50b634833a8213517bd72c8c71ac472fdac5944e34351fd78dc5715daa355852773ca107fd57059 |
Analysis: behavioral2
Detonation Overview
Submitted: 2024-02-20 15:28
Reported: 2024-02-20 15:31
Platform: win10v2004-20240220-en
Max time kernel: 146s
Max time network: 153s
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
|---|---|---|---|
| Set value (str) | \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe = "11000" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\Software\Microsoft\Internet Explorer\IESettingSync | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (int) | \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
|---|---|---|---|
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07} | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ = "PSFactoryBuffer" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32\ = "C:\\Windows\\SysWOW64\\eapphost.dll" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
|---|---|---|---|
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
|---|---|---|---|
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | N/A |
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
|---|---|---|---|
| PID 4952 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | C:\Windows\splwow64.exe |
| PID 4952 wrote to memory of 3580 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe | C:\Windows\splwow64.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe"
C:\Windows\splwow64.exe
C:\Windows\splwow64.exe 12288
Network
| Country | Destination | Domain | Proto |
|---|---|---|---|
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 41.110.16.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 9.228.82.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 177.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | sqlmanager.net | udp |
| RU | 87.242.72.40:443 | sqlmanager.net | tcp |
| US | 8.8.8.8:53 | 29.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 40.72.242.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.sqlmanager.net | udp |
| US | 8.8.8.8:53 | 226.21.18.104.in-addr.arpa | udp |
| RU | 87.242.72.40:443 | www.sqlmanager.net | tcp |
| US | 8.8.8.8:53 | secure.sqlmanager.net | udp |
| RU | 87.242.72.40:443 | secure.sqlmanager.net | tcp |
Files
C:\Users\Admin\AppData\Local\Temp\tmpD4A2.mht
| Hash | Value |
|---|---|
| MD5 | 8660cc5cf3204b6abb8452fc63aee4bd |
| SHA1 | d73bc22138281610429753272cd222c337eb0be0 |
| SHA256 | 78d1c79b4b8164ec34585b1c4964f8a18a86135704058c32e63b899d1143930d |
| SHA512 | ec46d4dba566cf6606f9b0c488aa2d37ae18e2f4de882268263c6b94c41012afdb276d16280fb199cab7f90a21ad2e1aafab637d7520f74263d9be9938cc4213 |