Analysis Overview
SHA256
42c3a733e37a6079a83f8ba4209d3558db203b3314dbc5d49fa30237a46a0b35
Threat Level: Known bad
The file 2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-02-23 02:45
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-02-23 02:45
Reported
2024-02-23 02:47
Platform
win7-20240215-en
Max time kernel
141s
Max time network
120s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76} | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\ = "Custom Composition Segment from Data Services to XDS" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\InprocServer32\ = "C:\\Windows\\SysWOW64\\msvidctl.dll" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\InprocServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe"
C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe"
Network
Files
memory/1540-0-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-2-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-1-0x0000000002D20000-0x0000000002EFF000-memory.dmp
memory/1540-4-0x0000000002C40000-0x0000000003775000-memory.dmp
memory/2288-7-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-10-0x0000000002D20000-0x0000000002EFF000-memory.dmp
memory/2288-13-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-14-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-15-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-17-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-18-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-19-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-20-0x00000000032E0000-0x0000000003300000-memory.dmp
memory/2288-21-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-22-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-23-0x0000000002D20000-0x0000000002EFF000-memory.dmp
memory/2288-24-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
memory/2288-25-0x0000000002D20000-0x0000000002EFF000-memory.dmp
memory/2288-26-0x0000000002D20000-0x0000000002EFF000-memory.dmp
memory/1540-27-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-28-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2288-29-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/1540-30-0x0000000002C40000-0x0000000003775000-memory.dmp
memory/2288-31-0x0000000002D20000-0x0000000002EFF000-memory.dmp
memory/2288-33-0x0000000000FD0000-0x0000000000FD1000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-02-23 02:45
Reported
2024-02-23 02:47
Platform
win10v2004-20240221-en
Max time kernel
148s
Max time network
150s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76} | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\ = "User Account Control Settings" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\AppID = "{06C792F8-6212-4F39-BF70-E8C0AC965C23}" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\LocalizedString = "@%SystemRoot%\\system32\\UserAccountControlSettings.dll,-70" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\InProcServer32\ = "%SystemRoot%\\SysWow64\\UserAccountControlSettings.dll" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8B897E62-A993-89B4-2ABF-23B848BF7E76}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe"
C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-02-23_67a511e02da5a44d5a71e3b73e889c47_magniber.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.200:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 180.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.134.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.204.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
Files
memory/2184-1-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-3-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-4-0x00000000030F0000-0x00000000032CF000-memory.dmp
memory/2952-10-0x00000000030F0000-0x00000000032CF000-memory.dmp
memory/2952-13-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-14-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-15-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-17-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-18-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-20-0x0000000003A80000-0x0000000003AA0000-memory.dmp
memory/2952-19-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-21-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-22-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-23-0x00000000030F0000-0x00000000032CF000-memory.dmp
memory/2952-24-0x00000000030F0000-0x00000000032CF000-memory.dmp
memory/2952-25-0x00000000030F0000-0x00000000032CF000-memory.dmp
memory/2184-26-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-27-0x0000000000400000-0x0000000000F35000-memory.dmp
memory/2952-28-0x00000000030F0000-0x00000000032CF000-memory.dmp