Analysis Overview
SHA256
390e4346cd986061f2e0ce97cd6fc33e8fe56d1d140116567133ff3143c529e6
Threat Level: Known bad
The file 2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Suspicious use of AdjustPrivilegeToken
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-03-28 02:43
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-03-28 02:43
Reported
2024-03-28 02:45
Platform
win7-20240221-en
Max time kernel
122s
Max time network
126s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A} | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ = "Outlook Office Finder" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\LocalServer32 | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\LocalServer32\LocalServer32 = 7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000 | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe"
Network
Files
memory/1948-2-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-0-0x0000000002DB0000-0x0000000002FA6000-memory.dmp
memory/1948-7-0x0000000002DB0000-0x0000000002FA6000-memory.dmp
memory/1948-12-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-13-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-15-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-18-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-17-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-19-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-20-0x0000000001000000-0x0000000001020000-memory.dmp
memory/1948-21-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1948-22-0x0000000002DB0000-0x0000000002FA6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-03-28 02:43
Reported
2024-03-28 02:45
Platform
win10v2004-20240226-en
Max time kernel
146s
Max time network
155s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A} | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\InitPropertyBag\Attributes = "17" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder\FolderValueFlags = "41" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\DefaultIcon\ = "%SystemRoot%\\SysWow64\\imageres.dll,-198" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\InProcServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\CLSID = "{0E5AAE11-A475-4c5b-AB00-C66DE400274E}" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\InitPropertyBag | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance\InitPropertyBag\TargetKnownFolder = "{31C0DD25-9439-4F12-BF41-7FF4EDA38722}" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder\Attributes = "4034920525" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\DescriptionID = "3" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\System.IsPinnedToNameSpaceTree = "1" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\DefaultIcon | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\InProcServer32\ = "%systemroot%\\SysWow64\\shell32.dll" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\Instance | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\ShellFolder\SortOrderIndex = "0" | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe | N/A |
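Reading the registry signatures in both detonations together: the open of HARDWARE\ACPI\DSDT\VBOX__ and the queries of SystemBiosVersion / SystemBiosDate are the standard VirtualBox fingerprint checks, and the writes under SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A} register a COM class (the Win7 run points its LocalServer32 at OUTLOOK.EXE and stores a REG_BINARY beside it; the Win10 run instead builds a shell folder entry with System.IsPinnedToNameSpaceTree = 1). The Python below is an added triage example, not code from the sandbox, from this sample, or from any project the report names. It parses report-style (Description, Indicator) rows, re-derives the same signature labels so the logic can also run over Sysmon or EDR registry telemetry, and decodes the LocalServer32 REG_BINARY as UTF-16LE. Assumptions that go beyond this page, marked in the code: the ACPI OEM IDs other than VBOX__, the VideoBiosVersion value, the user-writable-path check on COM servers, and the last sample row (a constructed CLSID pointing at a Temp directory, which this sample did not do).

```python
"""Added triage example; not code from the sandbox or from this sample.

Re-derives the report's registry signature labels from (Description, Indicator)
rows so the same logic can run over Sysmon / EDR registry telemetry, and decodes
the REG_BINARY value the Win7 run wrote under LocalServer32.

Assumptions (not shown by the report): ACPI OEM IDs other than VBOX__, the
VideoBiosVersion value, the user-writable-path check, and the last sample row.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# ACPI tables carry the hypervisor's OEM ID as a subkey. VBOX__ is what this
# sample probed; the rest are an assumption (IDs VM-detection code commonly checks).
ACPI_VM_OEM_IDS = {"VBOX__", "VMWARE", "VRTUAL", "QEMU", "BOCHS"}
ACPI_KEY_RE = re.compile(r"\\HARDWARE\\ACPI\\(?:DSDT|FADT|RSDT|SSDT)\\([A-Z_]+)$", re.I)
# SystemBiosVersion / SystemBiosDate are from the report; VideoBiosVersion is an assumption.
BIOS_VALUE_RE = re.compile(
    r"\\HARDWARE\\DESCRIPTION\\System\\(?:SystemBiosVersion|SystemBiosDate|VideoBiosVersion)$",
    re.I)
# A CLSID key under SOFTWARE\Classes, native or Wow6432Node, plus whatever follows it.
CLSID_RE = re.compile(
    r"\\SOFTWARE\\Classes\\(?:WOW6432Node\\)?CLSID\\(\{[0-9A-F-]{36}\})(\\.*)?$", re.I)
COM_SERVER_RE = re.compile(r"\\(?:LocalServer32|InProcServer32)\\", re.I)
# Assumption: locations an unprivileged user can write to. A COM server registered
# there is a hijack/persistence smell; this sample's servers are under Program Files / SysWow64.
USER_WRITABLE_RE = re.compile(r"\\(?:AppData|Temp|ProgramData|Users\\Public)\\", re.I)


@dataclass(frozen=True)
class RegEvent:
    op: str                  # report "Description": Key opened, Set value (str), ...
    path: str                # key path; for Set value ops the value name is the last element
    data: str | None = None  # value data for Set value ops, surrounding quotes stripped


def parse_indicator(op: str, indicator: str) -> RegEvent:
    """Split a report Indicator cell ('path = data' or just 'path') into a RegEvent."""
    path, sep, data = indicator.partition(" = ")
    return RegEvent(op, path, data.strip('"') if sep else None)


def classify(ev: RegEvent) -> set[str]:
    """Return the signature labels this single registry operation supports."""
    labels: set[str] = set()
    m = ACPI_KEY_RE.search(ev.path)
    if m and m.group(1).upper() in ACPI_VM_OEM_IDS:
        labels.add("anti_vm_acpi")            # "Identifies VirtualBox via ACPI registry values"
    if ev.op == "Key value queried" and BIOS_VALUE_RE.search(ev.path):
        labels.add("bios_query")              # "Checks BIOS information in registry"
    m = CLSID_RE.search(ev.path)
    if m:
        labels.add("com_clsid_modify")        # "Modifies registry class"
        tail = m.group(2) or ""
        if COM_SERVER_RE.search(tail) and ev.data and USER_WRITABLE_RE.search(ev.data):
            labels.add("com_server_user_writable")
        # System.IsPinnedToNameSpaceTree = 1 pins the CLSID into Explorer's navigation pane.
        if tail.lower().endswith("\\system.ispinnedtonamespacetree") and ev.data == "1":
            labels.add("shell_namespace_pin")
    return labels


def triage(rows: list[tuple[str, str]]) -> dict[str, list[str]]:
    """Map each (Description, Indicator) row to labels; returns label -> affected paths."""
    findings: dict[str, list[str]] = {}
    for op, indicator in rows:
        ev = parse_indicator(op, indicator)
        for label in sorted(classify(ev)):
            findings.setdefault(label, []).append(ev.path)
    return findings


def decode_utf16_reg_binary(hex_data: str) -> str:
    """Decode a REG_BINARY hex dump as UTF-16LE text, dropping the trailing NULs."""
    return bytes.fromhex(hex_data).decode("utf-16-le", errors="replace").rstrip("\x00")


# Rows copied from this report's tables, plus one constructed row (last) that this
# sample did NOT produce, to exercise the user-writable COM server check.
SAMPLE_ROWS: list[tuple[str, str]] = [
    ("Key opened", r"\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion"),
    ("Key value queried", r"\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate"),
    ("Key created", r"\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}"),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\LocalServer32\ = "C:\\PROGRA~2\\MICROS~1\\Office14\\OUTLOOK.EXE"'),
    ("Set value (int)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{887BF051-ACD5-3280-2F73-B27140EDA99A}\System.IsPinnedToNameSpaceTree = "1"'),
    ("Set value (str)", r'\REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{DEADBEEF-0000-4000-8000-000000000000}\InProcServer32\ = "C:\Users\Admin\AppData\Local\Temp\evil.dll"'),  # constructed
]

# The REG_BINARY written under LocalServer32\LocalServer32 in the Win7 run (copied from the report).
LOCALSERVER32_BLOB = "7800620027004200560035002100210021002100210021002100210021004d004b004b0053006b004f00550054004c004f004f004b00460069006c00650073003e005500330069006f006b006a0040004a0069003f0035007600320062006600790076003d0046002c0000000000"

if __name__ == "__main__":
    for label, paths in triage(SAMPLE_ROWS).items():
        print(f"{label}: {len(paths)} event(s)")
    print("LocalServer32 blob decodes to:", decode_utf16_reg_binary(LOCALSERVER32_BLOB))
```

The decoded blob is printable text that contains the string OUTLOOK, but the report does not establish what the value is for; treat it as an artifact to pivot on (search other samples for the same bytes), not as a decoded configuration. The anti-VM and BIOS labels fire on reads, which ordinary software also performs, so on live telemetry they are triage context rather than alerts on their own; the COM server path check is the one worth alerting on.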
Processes
C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-03-28_14d496616700b2f6c7f04f23bbdca13b_magniber.exe"
Network
| Country | Destination | Domain | Proto |
| NL | 52.142.223.178:80 | | tcp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 138.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 173.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 217.135.221.88.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 204.79.197.200:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.178.17.96.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.65.42.20.in-addr.arpa | udp |
Files
memory/1932-0-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-2-0x00000000030B0000-0x00000000032A6000-memory.dmp
memory/1932-9-0x00000000030B0000-0x00000000032A6000-memory.dmp
memory/1932-14-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-15-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-17-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-19-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-20-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-21-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-22-0x0000000003830000-0x0000000003850000-memory.dmp
memory/1932-23-0x0000000000400000-0x0000000000C30000-memory.dmp
memory/1932-24-0x00000000030B0000-0x00000000032A6000-memory.dmp