Analysis

- max time kernel: 143s
- max time network: 142s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 10-03-2024 02:48
Static task: static1

Behavioral task: behavioral1
- Sample: 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
- Resource: win10v2004-20240226-en

The signatures and process tree on this page come from behavioral1 (win7-20240221-en, x64); the memory-dump resource names below carry the behavioral1 prefix. The behavioral2 run on win10v2004-20240226-en is not reported here.
General

- Target: 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
- Size: 5.4MB
- MD5: d40f484e42344e80f33b086974c960e5
- SHA1: 435209f34bd2368b0f99981d731ae7c02b31f4f1
- SHA256: 6441f71fabb6bfc51ae69ed5029abd3093291c7fc31ca16d7f820f193d8875c0
- SHA512: eeee5906961a771fcf8caf6a9899f76255add0d79b58c89ecbd3335b73a8333b0f3ee272bba839baecf838371a18ec59322a506af0823bb5d14ff96e8f1350af
- SSDEEP: 98304:xwFC+e1UOteFp0IpTX/RCwF9tpyB96TrBhxCheHd00X08pT:xwFC9fteU56rpkUBhxC8HCm
Malware Config
Signatures
- Banload
  Banload variants download malicious files, then install and execute the files.
  No download, dropped file or third process appears in the process tree below, so treat this family label as a signature match on the sample rather than as behavior observed in this run.
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  VBOX__ is the OEM ID VirtualBox places in the ACPI tables it exposes to the guest; opening the DSDT key under HKLM\HARDWARE\ACPI by that name is a direct VirtualBox check with no ordinary application purpose.
- UPX dump on OEP (original entry point) (3 IoCs)
  resource | yara_rule
  behavioral1/memory/2136-21-0x0000000000400000-0x00000000011A4000-memory.dmp | UPX
  behavioral1/memory/2136-23-0x0000000000400000-0x00000000011A4000-memory.dmp | UPX
  behavioral1/memory/2136-25-0x0000000000400000-0x00000000011A4000-memory.dmp | UPX
  All three dumps are of PID 2136, the child instance in the process tree, and cover the image range 0x400000-0x11A4000 (about 13.6 MB mapped for a 5.4 MB file on disk), which is consistent with a UPX-packed image unpacked in place. These dumps, not the file on disk, are the ones to carve for strings and imports.
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  description | ioc | Process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
- Modifies registry class (9 IoCs)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39} | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32\Class = "Microsoft.Vbe.Interop.PropertiesClass" | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32\14.0.0.0\Assembly = "Microsoft.Vbe.Interop, Version=14.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32\14.0.0.0\RuntimeVersion = "v2.0.50727" | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32\RuntimeVersion = "v2.0.50727" | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32\14.0.0.0 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{9EF5725D-1198-1361-A97F-3D0AAB164C39}\InprocServer32\14.0.0.0\Class = "Microsoft.Vbe.Interop.PropertiesClass" | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  These nine keys have the exact layout the .NET RegAsm tool writes when it registers a COM-visible managed class (Assembly, Class and RuntimeVersion under InprocServer32, repeated under a per-version subkey), and the class registered is Microsoft.Vbe.Interop.PropertiesClass from the Office 2010 (14.0.0.0) VBA Extensibility primary interop assembly. On its own this signature is weak evidence; it says the sample registers a .NET/COM component, not that the component is malicious.
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  pid | Process
  2136 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  description | pid | Process
  Token: 33 | 2136 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Token: SeIncBasePriorityPrivilege | 2136 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Token: 33 | 2136 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  Token: SeIncBasePriorityPrivilege | 2136 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
  The sandbox prints the raw privilege value where it did not resolve the name: privilege 33 is SeIncreaseWorkingSetPrivilege. Both privileges are held by every standard user token, so these calls raise nothing beyond the process's existing rights.
- Suspicious use of SetWindowsHookEx (1 IoC)
  pid | Process
  2136 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target | count
  PID 2208 wrote to memory of 2136 | 2208 | 2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe | 28 | 64 (identical rows)
  All 64 writes go from the first instance (PID 2208) into the second instance (PID 2136) of the same executable, which is also the process whose UPX-unpacked image was dumped at the OEP. The parent's only recorded behavior is launching and writing into that copy of itself; every other signature fires in the child.
Processes

1. C:\Users\Admin\AppData\Local\Temp\2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe
   command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe"
   PID: 2208
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe (child of PID 2208)
      command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe"
      PID: 2136
      - Identifies VirtualBox via ACPI registry values (likely anti-VM)
      - Checks BIOS information in registry
      - Modifies registry class
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
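The two findings in this report that a detection engineer would want to re-derive from the raw IoC rows are the anti-VM registry probes and the 64 identical parent-to-child WriteProcessMemory rows. The Python below is an added example, not part of the sandbox report or of its tooling. It parses rows in the report's own column layout, flags registry paths that fingerprint VirtualBox or the BIOS, and collapses repeated WriteProcessMemory rows into one entry per source/target pair, marking pairs where a process writes into a different pid running the same image. The sample rows are constructed from this page's paths, PIDs and file name; the extra VirtualBox patterns (FADT/RSDT, VideoBiosVersion, Guest Additions key), the pid 1444 and its explorer.exe image are assumptions added for illustration.

```python
"""Re-derive two findings from sandbox IoC rows: anti-VM registry probes and
parent-to-child WriteProcessMemory into a same-image child.
Added example; the sample rows below are constructed from this report."""
import re
from collections import Counter

# Registry paths malware reads to fingerprint a VM or sandbox. The first two
# patterns cover the paths this report recorded; the other two are assumed
# additions (other well-known VirtualBox probes) for illustration.
ANTI_VM_PATTERNS = [
    (re.compile(r"\\HARDWARE\\ACPI\\(DSDT|FADT|RSDT)\\VBOX__$", re.I),
     "VirtualBox OEM id in ACPI table"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\SystemBios(Version|Date)$", re.I),
     "BIOS vendor/date string"),
    (re.compile(r"\\HARDWARE\\DESCRIPTION\\System\\VideoBiosVersion$", re.I),
     "video BIOS string (assumed probe)"),
    (re.compile(r"\\SOFTWARE\\(Wow6432Node\\)?Oracle\\VirtualBox Guest Additions$", re.I),
     "VirtualBox Guest Additions key (assumed probe)"),
]

# "description ioc Process" rows as the report prints them, e.g.
#   Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ sample.exe
REG_ROW = re.compile(
    r"^(?P<op>Key opened|Key value queried|Key created)\s+(?P<path>\\\S+)\s+(?P<proc>\S+)$")

# "PID <src> wrote to memory of <dst> <src> <image> <procid_target>" rows.
WPM_ROW = re.compile(
    r"PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) \d+ (?P<image>\S+) (?P<target>\d+)")


def flag_anti_vm(rows):
    """Return (label, op, path, process) for every row whose path is a VM probe."""
    hits = []
    for row in rows:
        m = REG_ROW.match(row.strip())
        if not m:
            continue  # "Set value" rows and anything else are not read probes
        for pattern, label in ANTI_VM_PATTERNS:
            if pattern.search(m["path"]):
                hits.append((label, m["op"], m["path"], m["proc"]))
                break
    return hits


def summarize_wpm(text, images):
    """Collapse WriteProcessMemory rows into one entry per (src, dst) pair.

    images maps pid -> image name, taken from the process tree. same_image_child
    is set when a process writes into a different pid running the same image,
    the shape a packer stub shows when it runs its payload in a copy of itself.
    It is a lead for the analyst, not proof of injection on its own.
    """
    pairs = Counter()
    for m in WPM_ROW.finditer(text):
        pairs[(int(m["src"]), int(m["dst"]))] += 1
    summary = []
    for (src, dst), n in sorted(pairs.items()):
        same = src != dst and images.get(src) is not None and images.get(src) == images.get(dst)
        summary.append({"src": src, "dst": dst, "writes": n, "same_image_child": same})
    return summary


# Constructed sample input: the three probe rows and one COM-registration row
# from this report, and the report's 64 identical write rows plus one assumed
# write from the child into an unrelated explorer.exe pid for contrast.
SAMPLE_EXE = "2024-03-10_d40f484e42344e80f33b086974c960e5_magniber.exe"
REG_ROWS = [
    rf"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ {SAMPLE_EXE}",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion {SAMPLE_EXE}",
    rf"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate {SAMPLE_EXE}",
    rf"Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{{9EF5725D-1198-1361-A97F-3D0AAB164C39}} {SAMPLE_EXE}",
]
WPM_TEXT = "\n".join(
    [f"PID 2208 wrote to memory of 2136 2208 {SAMPLE_EXE} 28"] * 64
    + [f"PID 2136 wrote to memory of 1444 2136 {SAMPLE_EXE} 29"])
IMAGES = {2208: SAMPLE_EXE, 2136: SAMPLE_EXE, 1444: "explorer.exe"}  # pid 1444 is assumed

if __name__ == "__main__":
    for hit in flag_anti_vm(REG_ROWS):
        print("anti-VM probe:", *hit)
    for entry in summarize_wpm(WPM_TEXT, IMAGES):
        print(entry)
```

Run as-is it reports the three probe rows (the COM-registration row is ignored because only key-open and value-query rows are treated as reads) and two write pairs: 2208 into 2136 with 64 writes and the same image on both sides, and the contrasting 2136 into 1444 with one write and no image match. Feeding it the rows from a different report only needs the pid-to-image map from that report's process tree.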