Analysis Overview
SHA256
182c0b3fd1ec4a01c9a6e0f9d7ac8210737a84556a8974b192b551e90d149d7f
Threat Level: Known bad
The file 2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber was found to be: Known bad.
Malicious Activity Summary
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
Checks BIOS information in registry
Enumerates physical storage devices
Modifies registry class
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
Modifies Internet Explorer settings
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-04-11 13:50
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-04-11 13:50
Reported
2024-04-11 13:53
Platform
win7-20240220-en
Max time kernel
141s
Max time network
142s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Enumerates physical storage devices
Modifies Internet Explorer settings
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Internet Explorer\Main | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03} | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\ = "Outlook CalendarView" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe"
C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | gears.builtbp.com | udp |
| US | 54.153.69.28:80 | gears.builtbp.com | tcp |
| US | 54.153.69.28:80 | gears.builtbp.com | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2024-04-11 13:50
Reported
2024-04-11 13:53
Platform
win10v2004-20240226-en
Max time kernel
149s
Max time network
153s
Command Line
Signatures
Banload
Identifies VirtualBox via ACPI registry values (likely anti-VM)
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Checks BIOS information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03} | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32\15.0.0.0\Assembly = "Microsoft.Vbe.Interop, Version=15.0.0.0, Culture=neutral, PublicKeyToken=71E9BCE111E9429C" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32\15.0.0.0\RuntimeVersion = "v2.0.50727" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32\Class = "Microsoft.Vbe.Interop.LinkedWindowsClass" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32\15.0.0.0 | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{8D9B497A-CB89-EE18-165D-B5C0581F3D03}\InprocServer32\15.0.0.0\Class = "Microsoft.Vbe.Interop.LinkedWindowsClass" | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe"
C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-11_85cdd8a8301936a7513b5ec9f3412860_magniber.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 249.197.17.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | www.google.com | udp |
| GB | 142.250.178.4:80 | www.google.com | tcp |
| US | 8.8.8.8:53 | gears.builtbp.com | udp |
| US | 54.153.69.28:80 | gears.builtbp.com | tcp |
| US | 8.8.8.8:53 | 4.178.250.142.in-addr.arpa | udp |
| US | 54.153.69.28:80 | gears.builtbp.com | tcp |
| US | 8.8.8.8:53 | 28.69.153.54.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 17.143.109.104.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 90.136.73.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files