Analysis
-
max time kernel
121s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240221-en -
resource tags
arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system -
submitted
04-03-2024 05:01
Static task
static1
Behavioral task
behavioral1
Sample
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe
Resource
win10v2004-20240226-en
General
-
Target
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe
-
Size
4.9MB
-
MD5
84077d0d389983e7dc332740ccbade19
-
SHA1
51e54abab6878b1c14a71557a2c48152b829df8c
-
SHA256
7c620843361c577c94297f4a16eba109328dd8880b776b6764baeb2d898865a4
-
SHA512
3620a43ac1b287aaf65ce0c8f06f594f70adf1f9791c4ffc7df4631611accff9f58dc6e9777ee7729874db5a895bc26632bf21fdb264cc24346fc23f04333543
-
SSDEEP
98304:GS5I0l9dF0PWG/tPfX8i3hmwIAbhSO9qBS6g1lu:GS5j9mPB/VX8MmzA9RsSx
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe -
Modifies registry class 13 IoCs
Processes:
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll" 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\InprocServer32\ThreadingModel = "Apartment" 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\Version 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\VersionIndependentProgID 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A} 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\ProgID 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\ProgID\ = "Microsoft.PhotoAcqDropTarget.1" 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}" 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\InprocServer32 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\TypeLib 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\Version\ = "1.0" 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\ = "PhotoAcqDropTarget" 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{B158CAC9-568C-6DE8-CA16-0D06B339EA0A}\VersionIndependentProgID\ = "Microsoft.PhotoAcqDropTarget" 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exepid process 2220 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe -
Suspicious use of WriteProcessMemory 6 IoCs
Processes:
2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exedescription pid process target process PID 2236 wrote to memory of 2220 2236 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe PID 2236 wrote to memory of 2220 2236 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe PID 2236 wrote to memory of 2220 2236 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe PID 2236 wrote to memory of 2220 2236 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe PID 2236 wrote to memory of 2220 2236 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe PID 2236 wrote to memory of 2220 2236 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe 2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe"1⤵
- Suspicious use of WriteProcessMemory
PID:2236 -
C:\Users\Admin\AppData\Local\Temp\2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-03-04_84077d0d389983e7dc332740ccbade19_mafia_magniber.exe"2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
PID:2220