Malware Analysis Report

2024-10-16 03:32

Sample ID: 240221-lnm9vadg3z
Target: 2024-02-21_dddecbc169f0232955c306eb02602eec_magniber
SHA256: 2b09e20ee5b091b72e976f808f0369a83990e0da19bf1b8e037d065e033ba0d1
Tags: banload downloader dropper evasion trojan
Score: 10/10


Analysis Overview

Score: 10/10

SHA256: 2b09e20ee5b091b72e976f808f0369a83990e0da19bf1b8e037d065e033ba0d1

Threat Level: Known bad

The file 2024-02-21_dddecbc169f0232955c306eb02602eec_magniber was found to be: Known bad.

Malicious Activity Summary

banload downloader dropper evasion trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-02-21 09:40

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-02-21 09:40
Reported: 2024-02-21 09:43
Platform: win7-20231215-en
Max time kernel: 120s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\ProgID\ = "InternetExplorer.Application.1" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\Programmable C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\ = "Internet Explorer(Ver 1.0)" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\LocalServer32 C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\LocalServer32\ = "\"%ProgramFiles(x86)%\\Internet Explorer\\ielowutil.exe\" -CLSID:{0002DF01-0000-0000-C000-000000000046}" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\TypeLib\ = "{EAB22AC0-30C1-11CF-A7EB-0000C05BAE0B}" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\VersionIndependentProgID C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\VersionIndependentProgID\ = "InternetExplorer.Application" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA} C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\ProgID C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\TypeLib C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe"

Network

N/A

Files

memory/1648-0-0x00000000032B0000-0x00000000034B0000-memory.dmp
memory/1648-2-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/1648-7-0x00000000032B0000-0x00000000034B0000-memory.dmp
memory/1648-10-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/1648-12-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/1648-13-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/1648-14-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/1648-15-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/1648-16-0x00000000032B0000-0x00000000034B0000-memory.dmp
memory/1648-17-0x00000000032B0000-0x00000000034B0000-memory.dmp
memory/1648-18-0x00000000032B0000-0x00000000034B0000-memory.dmp
memory/1648-19-0x00000000032B0000-0x00000000034B0000-memory.dmp
memory/1648-20-0x0000000000400000-0x00000000014C0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted: 2024-02-21 09:40
Reported: 2024-02-21 09:43
Platform: win10v2004-20231215-en
Max time kernel: 142s
Max time network: 154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Checks BIOS information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\InprocServer32 C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\InprocServer32\ = "%CommonProgramFiles%\\Microsoft Shared\\DAO\\dao360.dll" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\InprocServer32\Class = "dao.QueryDefClass" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\ProgID C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\ProgID\ = "DAO.QueryDef.36" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\ = "DAO.QueryDef.36" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\InprocServer32\Assembly = "dao, Version=10.0.4504.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\InprocServer32\RuntimeVersion = "v1.0.3705" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA}\InprocServer32\ThreadingModel = "Apartment" C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{387E6242-02EE-B551-7F23-8774229ACFAA} C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-02-21_dddecbc169f0232955c306eb02602eec_magniber.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 208.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
NL 52.142.223.178:80 tcp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 180.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 185.178.17.96.in-addr.arpa udp
US 8.8.8.8:53 10.179.89.13.in-addr.arpa udp

Files

memory/408-0-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/408-2-0x0000000003780000-0x0000000003980000-memory.dmp
memory/408-8-0x0000000003780000-0x0000000003980000-memory.dmp
memory/408-11-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/408-13-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/408-14-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/408-15-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/408-16-0x0000000000400000-0x00000000014C0000-memory.dmp
memory/408-17-0x0000000003780000-0x0000000003980000-memory.dmp
memory/408-18-0x0000000003780000-0x0000000003980000-memory.dmp
memory/408-19-0x0000000003780000-0x0000000003980000-memory.dmp
memory/408-20-0x0000000003780000-0x0000000003980000-memory.dmp
memory/408-21-0x0000000000400000-0x00000000014C0000-memory.dmp