Analysis
max time kernel: 150s
max time network: 154s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 12-03-2024 10:35
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe
Size: 5.0MB
MD5: 78fd1a74f6554015f37871b849249439
SHA1: 5ece33105aae923c124706ec153fb7aad7d777ff
SHA256: 959d2659155808671dc3cacd98d5a6e54ce3c1034375e2181c58e440460e5b9f
SHA512: 388e0355682b975552838ce00396d243ccd779c0abc7beb4bed7b908ee3726e2dbdafaa7d1b8c8cebf51d3f1ba8300854fc5d865c9d1524aa07a5b91a0c0d893
SSDEEP: 98304:8BDTQ10ut8c9FUYuUKNLb99cOvXwbfD6bCPtrki1Pii0JXcH:8BDc1/QDN39OOIbWSeiBii0J
Malware Config
Signatures
Banload
  Banload variants download malicious files, then install and execute the files.
Identifies VirtualBox via ACPI registry values (likely anti-VM) [2 TTPs, 1 IoC]
  Process: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe
    Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
Checks BIOS information in registry [2 TTPs, 2 IoCs]
  BIOS information is often read in order to detect sandboxing environments.
  Process: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
    Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate
Modifies registry class [13 IoCs]
  Process: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\InprocServer32\ThreadingModel = "Both"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\InprocServer32\ = "%SystemRoot%\\SysWow64\\Speech\\Common\\sapi.dll"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\ProgID\ = "SAPI.SpTextSelectionInformation.1"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\TypeLib
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\Version
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\Version\ = "5.4"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\VersionIndependentProgID
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\VersionIndependentProgID\ = "SAPI.SpTextSelectionInformation"
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\ = "SpTextSelectionInformation Class"
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\InprocServer32
    Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\ProgID
    Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{78C71FEC-9C1E-4F23-DFDA-9D0FA541BD42}\TypeLib\ = "{C866CA3A-32F7-11D2-9602-00C04F8EE628}"
Suspicious use of AdjustPrivilegeToken [2 IoCs]
  Process: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe (pid 5116)
    Token: 33
    Token: SeIncBasePriorityPrivilege
Suspicious use of FindShellTrayWindow [5 IoCs]
  Process: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe (pid 5116), 5 occurrences
Suspicious use of SendNotifyMessage [5 IoCs]
  Process: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe (pid 5116), 5 occurrences
Suspicious use of SetWindowsHookEx [64 IoCs]
  Process: 2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe (pid 5116), 64 occurrences
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-03-12_78fd1a74f6554015f37871b849249439_magniber.exe"
  PID: 5116
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 2KB
  MD5: a83fd68bd230e6dbe063042fd97e94ad
  SHA1: b2c990d7bf795d94c1f60ffe95c0b016e81ba295
  SHA256: 4f3985742882f0d1fda624cc731364192f21f5330ef19624a3578b6897afc1b2
  SHA512: 145dcbff2d69c93089f3237c59a6b0876734f95866ff181ca0e1e50624609899c907d68b7784cbf1bd3868377fead3b361c496f033a4332ea7e0cec2b4dd1e06
Filesize: 18KB
  MD5: 6cb44002258871fd72a9fdc8450035d1
  SHA1: 70eb449dd73b19ca9a54d1a5ed11fc18cf60380d
  SHA256: 0ce52042d83421360ce6a5f3e4adba9de9f9235f2f6293fe41d6d82c6f340c11
  SHA512: 583d7d18087b85273ab794731067303d92198af3390ab94da5a0e8ec8c66652c9dc85d0fb699a48033f8b8fbe52ab24309706139fbbe49e5cef6b0f65b7b55be