3d61202f9e3cc3c033bfee04ce1ad74f734aac24aeb4f72a6611b6db46f08d43

General

Target

2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe
Size

151KB
MD5

d5a43b4aafb075f95106e57de2b7ecf4
SHA1

44fd1ab2d88ccf4cc68c9ea0eb5caea5e2e72721
SHA256

3d61202f9e3cc3c033bfee04ce1ad74f734aac24aeb4f72a6611b6db46f08d43
SHA512

bba6c42de21af442b7de4482a2542bfc593394e79ff55c066332e30b2dd21f4f736a60fb0d9461e174d7f04f796bfd6130cab13965fce2751cadbc805cebcb57
SSDEEP

1536:lVwvLO1zPAihVLrdrbUkgtwYRvKWzXzpa5JF7ErTwXHE24iS333ulpiNIgmBzNMT:3r1cWI8i05JurTwXU/ulPgc9qz+9+++7

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\Control Panel\International\Geo\Nation	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe

Executes dropped EXE 2 IoCs

pid	Process
1604	winmgr.exe
3540	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3270530367-132075249-2153716227-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50502979739026720652860250\\winmgr.exe"	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50502979739026720652860250\\winmgr.exe"	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5068 set thread context of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 1604 set thread context of 3540	1604	winmgr.exe	102

Drops file in Program Files directory 8 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.ZipFile.dll	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.25\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.0\System.IO.Compression.ZipFile.dll	winmgr.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\M-50502979739026720652860250\winmgr.exe	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe
File opened for modification	C:\Windows\M-50502979739026720652860250\winmgr.exe	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe
File opened for modification	C:\Windows\M-50502979739026720652860250	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 5068 wrote to memory of 1300	5068	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	93
PID 1300 wrote to memory of 3616	1300	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	94
PID 1300 wrote to memory of 3616	1300	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	94
PID 1300 wrote to memory of 3616	1300	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	94
PID 1300 wrote to memory of 1604	1300	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	95
PID 1300 wrote to memory of 1604	1300	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	95
PID 1300 wrote to memory of 1604	1300	2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe	95
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102
PID 1604 wrote to memory of 3540	1604	winmgr.exe	102

C:\Users\Admin\AppData\Local\Temp\2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:5068
- C:\Users\Admin\AppData\Local\Temp\2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-03-26_d5a43b4aafb075f95106e57de2b7ecf4_magniber.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1300
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\jynarvzjiu.bat" "
    3⤵
    PID:3616
- - C:\Windows\M-50502979739026720652860250\winmgr.exe
    C:\Windows\M-50502979739026720652860250\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:1604
  - - C:\Windows\M-50502979739026720652860250\winmgr.exe
      C:\Windows\M-50502979739026720652860250\winmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:3540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\jynarvzjiu.bat

Filesize
278B

MD5
46c7470517fc38f76069686c9547a1df

SHA1
aa16c25dd515285f51719f5c821b0b447c7eef47

SHA256
a49fc9e20cfad3b21c269d0e78ceb3c99a1fc6394a0481f44b839262064f7c6c

SHA512
280822d9617a0c7b6f76fdfbac91fe433340e1735537af21de59f4bc44648331f3275a78d15b6ad3ad4cc1155b55a0c72737937119cc4c77b7789da669a231c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqghumeay

Filesize
153KB

MD5
24ca5d00878259c255449289f7b09ebb

SHA1
c43ae97bd9e16fd761a5d0283dea1a7bd7d70ddf

SHA256
0ed6404f1fcdf531d52fe78c14f658fa223dd2aa73bfa96723a55b90a9652933

SHA512
e888c3d25333bcb7ff25533fa77fa22bb62bcdce92e31f0bd6c50095979e3b1c810c22cd1a04dd61344d68f68e89b3572d19ab8280f9b58d6e469c325c584f3e

Download Submit
C:\Windows\M-50502979739026720652860250\winmgr.exe

Filesize
151KB

MD5
d5a43b4aafb075f95106e57de2b7ecf4

SHA1
44fd1ab2d88ccf4cc68c9ea0eb5caea5e2e72721

SHA256
3d61202f9e3cc3c033bfee04ce1ad74f734aac24aeb4f72a6611b6db46f08d43

SHA512
bba6c42de21af442b7de4482a2542bfc593394e79ff55c066332e30b2dd21f4f736a60fb0d9461e174d7f04f796bfd6130cab13965fce2751cadbc805cebcb57

Download Submit
memory/1300-3-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1300-6-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1300-7-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/1604-25-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/1604-22-0x0000000000680000-0x0000000000780000-memory.dmp

Filesize
1024KB

Download
memory/1604-17-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/3540-39-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-40-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-26-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-27-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-29-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-66-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-64-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-63-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-46-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-47-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/3540-56-0x0000000000400000-0x000000000040C000-memory.dmp

Filesize
48KB

Download
memory/5068-0-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5068-5-0x0000000000400000-0x000000000042C000-memory.dmp

Filesize
176KB

Download
memory/5068-2-0x00000000004E0000-0x00000000005E0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads