Malware Analysis Report

2024-10-16 03:32

Sample ID 240220-swlvbaae81
Target 2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber
SHA256 04f729e2805d7b3827bc9d05cb145ee00bcf4c986f0ff384088c2523ff9292f2
Tags
banload downloader dropper evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

04f729e2805d7b3827bc9d05cb145ee00bcf4c986f0ff384088c2523ff9292f2

Threat Level: Known bad

The file 2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber was found to be: Known bad.

Malicious Activity Summary

banload downloader dropper evasion trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Enumerates physical storage devices

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious use of WriteProcessMemory

Modifies Internet Explorer settings

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-02-20 15:28

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-02-20 15:28

Reported

2024-02-20 15:31

Platform

win7-20240215-en

Max time kernel

141s

Max time network

132s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\TypeLib\ = "{012F24C1-35B0-11D0-BF2D-0000E8D0D146}" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\VersionIndependentProgID\ = "Office.awsdc" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ = "Microsoft Office Template and Media Control" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InprocServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\IEAWSDC.DLL" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ProgID C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07} C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ProgID\ = "Office.awsdc.1" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\Version C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\Version\ = "1.0" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 sqlmanager.net udp
RU 87.242.72.40:443 sqlmanager.net tcp
RU 87.242.72.40:443 sqlmanager.net tcp
US 8.8.8.8:53 www.sqlmanager.net udp
RU 87.242.72.40:443 www.sqlmanager.net tcp
RU 87.242.72.40:443 www.sqlmanager.net tcp
US 8.8.8.8:53 secure.sqlmanager.net udp
RU 87.242.72.40:443 secure.sqlmanager.net tcp
RU 87.242.72.40:443 secure.sqlmanager.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmp5479.mht

MD5 62da7803483f9c1029a20b505e45e855
SHA1 46a880f20307c04c4a72c2fcda785694fa82d69a
SHA256 a1c27544d59f9fd58357c498349813c7b4b3b24817f6e5dee0d0ac028392940e
SHA512 8a4e9082a23af209b83ac3f00df86ed92ddc51e21b6370fea50b634833a8213517bd72c8c71ac472fdac5944e34351fd78dc5715daa355852773ca107fd57059

Analysis: behavioral2

Detonation Overview

Submitted

2024-02-20 15:28

Reported

2024-02-20 15:31

Platform

win10v2004-20240220-en

Max time kernel

146s

Max time network

153s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FeatureControl\FEATURE_BROWSER_EMULATION\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe = "11000" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\Software\Microsoft\Internet Explorer\IESettingSync C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4123566616-543693798-272350410-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07} C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\ = "PSFactoryBuffer" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32 C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32\ = "C:\\Windows\\SysWOW64\\eapphost.dll" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E28BF99A-ADA8-2131-08FA-08B35F6DAF07}\InProcServer32\ThreadingModel = "Both" C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-20_533dde317a8bfd625e1ecff97179bc4a_magniber.exe"

C:\Windows\splwow64.exe

C:\Windows\splwow64.exe 12288

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 41.110.16.96.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 9.228.82.20.in-addr.arpa udp
US 8.8.8.8:53 177.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 sqlmanager.net udp
RU 87.242.72.40:443 sqlmanager.net tcp
US 8.8.8.8:53 29.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 40.72.242.87.in-addr.arpa udp
US 8.8.8.8:53 www.sqlmanager.net udp
US 8.8.8.8:53 226.21.18.104.in-addr.arpa udp
RU 87.242.72.40:443 www.sqlmanager.net tcp
US 8.8.8.8:53 secure.sqlmanager.net udp
RU 87.242.72.40:443 secure.sqlmanager.net tcp

Files

C:\Users\Admin\AppData\Local\Temp\tmpD4A2.mht

MD5 8660cc5cf3204b6abb8452fc63aee4bd
SHA1 d73bc22138281610429753272cd222c337eb0be0
SHA256 78d1c79b4b8164ec34585b1c4964f8a18a86135704058c32e63b899d1143930d
SHA512 ec46d4dba566cf6606f9b0c488aa2d37ae18e2f4de882268263c6b94c41012afdb276d16280fb199cab7f90a21ad2e1aafab637d7520f74263d9be9938cc4213
