Malware Analysis Report

2024-10-16 03:32

Sample ID 240328-c7khmaba89
Target 2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber
SHA256 390e4346cd986061f2e0ce97cd6fc33e8fe56d1d140116567133ff3143c529e6
Tags
banload downloader dropper evasion trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

390e4346cd986061f2e0ce97cd6fc33e8fe56d1d140116567133ff3143c529e6

Threat Level: Known bad

The file 2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber was found to be: Known bad.

Malicious Activity Summary

banload downloader dropper evasion trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-03-28 02:43

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-03-28 02:43

Reported

2024-03-28 02:45

Platform

win7-20240221-en

Max time kernel

122s

Max time network

126s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
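The two signatures above describe the same fingerprinting step from two angles: the sample opens the ACPI DSDT subkey whose name is VirtualBox's OEM ID, and reads the BIOS version and date strings that a stock VirtualBox guest leaves at their defaults. The following is an added example, not code from the report or from the sample, that reproduces those checks as a function over constructed registry snapshots; the marker list and the stock BIOS date are assumptions from public anti-VM write-ups, since the report does not show what the sample compares against.

```python
"""
Added example, not from the report: reproduces the two registry-based VM
checks the report flags (ACPI DSDT\VBOX__ key, SystemBios* values) as a
function over registry snapshots, so you can see what each check keys on
and what a hardened analysis VM has to change. Snapshots are constructed
dictionaries, not live winreg reads, so this runs anywhere.
"""

# Locations taken from the "Key opened" / "Key value queried" rows above (HKLM-relative).
ACPI_VBOX_KEY = r"HARDWARE\ACPI\DSDT\VBOX__"
BIOS_VALUES = (
    r"HARDWARE\DESCRIPTION\System\SystemBiosVersion",
    r"HARDWARE\DESCRIPTION\System\SystemBiosDate",
)

# Hypervisor fingerprints. Assumption: this list is illustrative; the report
# does not show which strings the sample itself compares against.
VM_BIOS_MARKERS = ("VBOX", "VIRTUALBOX", "VMWARE", "QEMU", "BOCHS", "XEN", "PARALLELS", "HYPER-V")
# Assumption (from public anti-VM write-ups): VirtualBox's stock BIOS date.
VM_BIOS_DATES = ("06/23/99",)


def _as_text(data):
    # SystemBiosVersion is REG_MULTI_SZ (a list); SystemBiosDate is REG_SZ.
    return " ".join(data) if isinstance(data, (list, tuple)) else str(data)


def vm_indicators(snapshot):
    """Return the names of the checks that would fire on an HKLM snapshot.

    `snapshot` maps key paths to {value name: data}; a key that is present
    but carries no values of interest is an empty dict. The DSDT subkey name
    is the OEM ID from the ACPI table header, 'VBOX__' on a stock VirtualBox guest.
    """
    hits = []
    if ACPI_VBOX_KEY in snapshot:
        hits.append("acpi_dsdt_vbox")
    for path in BIOS_VALUES:
        key, _, name = path.rpartition("\\")
        data = snapshot.get(key, {}).get(name)
        if data is None:
            continue
        text = _as_text(data).upper()
        if any(m in text for m in VM_BIOS_MARKERS) or text.strip() in VM_BIOS_DATES:
            hits.append(f"bios_{name.lower()}")
    return hits


# Constructed snapshots (not captured from the sandbox).
VBOX_GUEST = {
    r"HARDWARE\ACPI\DSDT\VBOX__": {},
    r"HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["VBOX   - 1"], "SystemBiosDate": "06/23/99"},
}
HARDENED_GUEST = {  # OEM id and BIOS strings changed to look like vendor firmware
    r"HARDWARE\ACPI\DSDT\DELL__": {},
    r"HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["DELL   - 1072009", "1.14.0"], "SystemBiosDate": "03/10/20"},
}
BARE_METAL = {
    r"HARDWARE\ACPI\DSDT\LENOVO": {},
    r"HARDWARE\DESCRIPTION\System": {"SystemBiosVersion": ["LENOVO - 1170", "N1CET62W (1.30 )"], "SystemBiosDate": "04/12/19"},
}

if __name__ == "__main__":
    for label, snap in (("virtualbox", VBOX_GUEST), ("hardened", HARDENED_GUEST), ("bare metal", BARE_METAL)):
        print(f"{label:11s} -> {vm_indicators(snap) or 'no VM indicators'}")
```

On a stock VirtualBox guest all three checks fire; the hardened snapshot shows that the BIOS strings alone are not enough, because the DSDT subkey name comes from the ACPI table's OEM ID and has to be changed at the ACPI level, separately from the DMI strings (VirtualBox exposes the latter through the VBoxInternal/Devices/pcbios/0/Config/DmiBIOS* extradata keys).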

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A} | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ = "Outlook Office Finder" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000 | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe"

Network

N/A

Files

memory/1948-2-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-0-0x0000000002DB0000-0x0000000002FA6000-memory.dmp

memory/1948-7-0x0000000002DB0000-0x0000000002FA6000-memory.dmp

memory/1948-12-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-13-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-15-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-18-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-17-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-19-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-20-0x0000000001000000-0x0000000001020000-memory.dmp

memory/1948-21-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1948-22-0x0000000002DB0000-0x0000000002FA6000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-03-28 02:43

Reported

2024-03-28 02:45

Platform

win10v2004-20240226-en

Max time kernel

146s

Max time network

155s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A} | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\InitPropertyBag\Attributes = "17" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder\FolderValueFlags = "41" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\imageres.dll,-198" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\InitPropertyBag | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\InitPropertyBag\TargetKnownFolder = "{31C0DD25-9439-4F12-BF41-7FF4EDA38722}" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder\Attributes = "4034920525" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\DescriptionID = "3" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\System.IsPinnedToNameSpaceTree = "1" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder\SortOrderIndex = "0" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
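The "Modifies registry class" tables in both runs (behavioral1 and behavioral2) are the raw material for indicators, but the rows arrive flattened, the same CLSID is given a LocalServer32 on Windows 7 and an InProcServer32 on Windows 10, and the one REG_BINARY value in the behavioral1 table is shown only as hex. The following is an added example, not code from the report or from the sample, that parses rows of that shape into records, lists which COM servers the rows register under which CLSID, and decodes the hex value as UTF-16LE text. The sample rows are copied from the two tables; `PROC`, `CLSID`, `RegEvent` and the function names are this example's own.

```python
"""
Added example, not from the report: parses flattened sandbox registry
signature rows ("Description Indicator Process Target"), extracts COM server
registrations, and decodes a REG_BINARY value shown as bare hex.
"""
import re
from dataclasses import dataclass
from typing import Optional

ROW = re.compile(
    r"^(?P<desc>Key opened|Key created|Key value queried|Set value \((?P<vtype>str|int|data)\))\s+"
    r"(?P<path>\\REGISTRY\\\S+)"                       # paths in the report contain no spaces
    r'(?:\s+=\s+(?:"(?P<quoted>.*?)"|(?P<raw>\S+)))?'  # str/int data is quoted, binary data is bare hex
    r"\s+(?P<proc>\S+)\s+(?P<target>\S+)$"
)
# Default value of a CLSID's server key: the path of the COM server being registered.
COM_SERVER = re.compile(r"\\CLSID\\(\{[0-9A-Fa-f-]{36}\})\\(LocalServer32|InProcServer32)\\$")


@dataclass
class RegEvent:
    op: str                # "Key opened", "Key created", "Key value queried" or "Set value"
    vtype: Optional[str]   # "str", "int" or "data" for Set value rows, else None
    path: str
    data: Optional[str]
    process: str


def parse_rows(lines):
    """Turn signature rows into RegEvent records; the header and blank lines are skipped."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("Description "):
            continue
        m = ROW.match(line)
        if m is None:
            raise ValueError(f"unrecognised row: {line[:60]}")
        g = m.groupdict()
        data = g["quoted"] if g["quoted"] is not None else g["raw"]
        events.append(RegEvent(g["desc"].split(" (")[0], g["vtype"], g["path"], data, g["proc"]))
    return events


def decode_utf16_value(hexblob):
    """REG_BINARY hex that is really a NUL-terminated UTF-16LE string -> str, otherwise None."""
    raw = bytes.fromhex(hexblob)
    if len(raw) % 2:
        return None
    text = raw.decode("utf-16-le", errors="replace").rstrip("\x00")
    return text if text and text.isprintable() else None


def registry_indicators(lines):
    """Distinct paths touched, COM servers registered per CLSID, decoded binary values."""
    events = parse_rows(lines)
    paths = sorted({e.path for e in events})
    com_servers = {}
    for e in events:
        m = COM_SERVER.search(e.path)
        if m and e.op == "Set value" and e.data:
            com_servers.setdefault(m.group(1), []).append((m.group(2), e.data))
    decoded = {e.path: decode_utf16_value(e.data) for e in events if e.vtype == "data" and e.data}
    return paths, com_servers, decoded


# Rows copied from the report; the process and target columns are the same on every row.
PROC = r"C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe"
CLSID = r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}"
CLSID2 = CLSID.replace("Wow6432Node", "WOW6432Node")  # behavioral2 spells the hive this way
HEXBLOB = ("7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c"
           "004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f00350076003200620066"
           "00790076003d0046002c0000000000")


def row(text):
    return f"{text} {PROC} N/A"


SAMPLE_ROWS = [
    "Description Indicator Process Target",
    row(r"Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    row(r"Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    row(rf"Key created {CLSID}"),
    row(rf'Set value (str) {CLSID}\ = "Outlook Office Finder"'),
    row(rf'Set value (str) {CLSID}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE"'),
    row(rf"Set value (data) {CLSID}\LocalServer32\LocalServer32 = " + HEXBLOB),
    row(rf'Set value (int) {CLSID2}\Instance\InitPropertyBag\Attributes = "17"'),
    row(rf'Set value (str) {CLSID2}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll"'),
]

if __name__ == "__main__":
    paths, servers, decoded = registry_indicators(SAMPLE_ROWS)
    print(f"{len(paths)} distinct registry paths")
    for clsid, regs in servers.items():
        for kind, target in regs:
            print(f"{clsid} {kind} -> {target}")
    for path, text in decoded.items():
        print(f"{path.rsplit(chr(92), 1)[-1]} decodes to: {text!r}")
```

The decoded value is printable text that starts `xb'BV5!` and contains `OUTLOOKFiles`: a named `LocalServer32` value holding a compressed descriptor next to the default path is the layout Windows Installer uses for advertised COM servers (a Darwin descriptor), which is worth knowing before treating the write as the sample's own persistence. The parser is strict on purpose: a row it cannot match raises instead of being silently dropped, so a changed report format shows up immediately rather than as missing indicators.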

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe"

Network

Country | Destination | Domain | Proto
NL | 52.142.223.178:80 | - | tcp
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 204.79.197.200:443 | tse1.mm.bing.net | tcp
US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp
US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp

Files

memory/1932-0-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-2-0x00000000030B0000-0x00000000032A6000-memory.dmp

memory/1932-9-0x00000000030B0000-0x00000000032A6000-memory.dmp

memory/1932-14-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-15-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-17-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-19-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-20-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-21-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-22-0x0000000003830000-0x0000000003850000-memory.dmp

memory/1932-23-0x0000000000400000-0x0000000000C30000-memory.dmp

memory/1932-24-0x00000000030B0000-0x00000000032A6000-memory.dmp