Overview

overview

10

Static

static

3

2024-04-16...er.exe

windows7-x64

10

2024-04-16...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    118s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
  • submitted
    16/04/2024, 16:00

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-16_22cbc52d2fed8798d1d19e466c3ad974_magniber.exe

  • Size

    4.1MB

  • MD5

    22cbc52d2fed8798d1d19e466c3ad974

  • SHA1

    ed4242e8d266a90c0d022c8764936a71accd1667

  • SHA256

    6e9d968723cdcb4d329e560820d30880fbfb2422ca254d128a30989efaa64543

  • SHA512

    c6535341198e6f66959c7fb43895e5f9f16e2a8cad9c1ab74f35db42cfbd8edaf771c30ba32030c514393e111d4f7d739eaab3665a68a62de3944e6adeb9d902

  • SSDEEP

    49152:KwkZwsIkuZyNQSJAhZLurjZI36en+stGmUI8PWzmnTiXjgQ6h+0yyP+kVhezlniZ:KwkZ3IPZbvirjZIl7ImqT0cQ6vj19J

Score
10/10
salitybackdoordiscoveryevasiontrojanupx

Malware Config

Extracted

Family

sality

C2

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

http://www.klkjwre9fqwieluoi.info/

http://kukutrustnet777888.info/

Signatures

  • Modifies firewall policy service 2 TTPs 3 IoCs
    evasion
  • Sality

    Sality is backdoor written in C++, first discovered in 2003.

    backdoorsality
  • UAC bypass 3 TTPs 1 IoCs
    evasiontrojan
  • Windows security bypass 2 TTPs 6 IoCs
    evasiontrojan
  • Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 11 IoCs
  • UPX dump on OEP (original entry point) 13 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • UPX packed file 12 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Windows security modification 2 TTPs 7 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks whether UAC is enabled 1 TTPs 1 IoCs
    evasiontrojan
  • Drops file in Program Files directory 6 IoCs
  • Drops file in Windows directory 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 22 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • System policy modification 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Windows\system32\taskhost.exe
    "taskhost.exe"
    1⤵
      PID:1116
    • C:\Windows\system32\Dwm.exe
      "C:\Windows\system32\Dwm.exe"
      1⤵
        PID:1164
      • C:\Windows\Explorer.EXE
        C:\Windows\Explorer.EXE
        1⤵
          PID:1232
          • C:\Users\Admin\AppData\Local\Temp\2024-04-16_22cbc52d2fed8798d1d19e466c3ad974_magniber.exe
            "C:\Users\Admin\AppData\Local\Temp\2024-04-16_22cbc52d2fed8798d1d19e466c3ad974_magniber.exe"
            2⤵
            • Modifies firewall policy service
            • UAC bypass
            • Windows security bypass
            • Loads dropped DLL
            • Windows security modification
            • Checks whether UAC is enabled
            • Drops file in Windows directory
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            • Suspicious use of WriteProcessMemory
            • System policy modification
            PID:1760
            • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\setup.exe
              "C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\setup.exe"
              3⤵
              • Executes dropped EXE
              • Loads dropped DLL
              • Drops file in Program Files directory
              • Suspicious use of AdjustPrivilegeToken
              PID:2608
        • C:\Windows\system32\DllHost.exe
          C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
          1⤵
            PID:1196

          Network

          MITRE ATT&CK Enterprise v15

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\NVDisplayContainer.nvi
            Filesize

            5KB

            MD5

            865952253b930005fec2009fd1caffc9

            SHA1

            5f6c04adff239100a05359e80fb0fb7d03b71575

            SHA256

            bd33f034c1f261632d424c0b55e260b37a0dc4501058c28c611311b9848c3e0f

            SHA512

            d5a37a41aa78583eba3a0b1869948e1bb50036af91b6eea8ebbcf712d3aa5c90e14a4142e1e4945c336df20cc5b3e7f5505b439306a65c9d79b15e520c767cbd

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\NVDisplayContainerLS.nvi
            Filesize

            6KB

            MD5

            d534a679f51d3457cc3ff0744afdc388

            SHA1

            be91e81f253fcae51e0dc521fc8c628b12a52fa3

            SHA256

            a0b39edcf03a50072d44bb95f2e81d13cf4ab022550de2fa17d5e8e63ca1181b

            SHA512

            fd0afe184fc4518a4b29810372530a20a96bcaa971ee1ee49d54e857aeaece2aede7063d678666e4b57d282f09eab0bcbb032b1dbb9b41fce885c72d9b3061f6

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\NVDisplayPluginWatchdog.nvi
            Filesize

            2KB

            MD5

            551bef7c03460cbf0b30936ee00727b5

            SHA1

            205b2bde380e6b8c2863a159695eb3c71d2bd14c

            SHA256

            dbba019249862b67e797289c03e44fc7189dd2097c849cde98acdcfd548f819a

            SHA512

            c2fd938ecc070df0b7bb896cf69ce7c41f5f08829e47c588b3fe65962da3fbf461f7ac3cb4e66e3737b090d053b4a586fed519410568243fb5ae0c353bbb36f1

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\NVDisplaySessionContainer.nvi
            Filesize

            4KB

            MD5

            8673a2ae23959b54f40b8788a279d474

            SHA1

            fbbf574478d439e008c893c7c175d032ef9fdcb3

            SHA256

            838a922a93343f932b9844d57490d681723d5a25cd7b69ec6a541958f9808616

            SHA512

            7c985f4e854fbf6b55717651b119cecfe14d29e251f7022809a8cea0a0d159a74a102cbbaff5ea4857eb1fe220e1fec26276387c96be7370830f8274590296f7

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\NVI2.DLL
            Filesize

            4.8MB

            MD5

            8d50f49f7577e79fa70e03a3ed9da7d3

            SHA1

            d1b73cf9231b21b10c3a406d6efbde2156605445

            SHA256

            ea12e7ac28ef97c5ad60a33a4c1fa96779f534e45259ef77e1625dc6e1dcbacc

            SHA512

            612d9e0fd51babdc5acfe3b97a8cff88ea0cf0c681c678706763dd41e2230b67c658946558dd38ad06795e9b8c6f2f2233077ee8d44cc2ee7c504bf6e0b41fd7

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\NVPrxy32.dll
            Filesize

            871KB

            MD5

            699bd69b622d018b093e0b4b2db64d34

            SHA1

            d5d4c10c7a16c5ab2de5286b112957e3aec6f5e8

            SHA256

            5da5f8bc973caafa8e0e0abd403024d821708e4cf8dbf24710276b7090e697c5

            SHA512

            372958047f6f26cb4c18e8a88d10da1588698e6772cfb2bd5f51e548363e487376fe4e9d7961341808b267366d01699a3821fd18ddeaeaaefc6a9db07692b70b

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\NVPrxy64.dll
            Filesize

            1.5MB

            MD5

            b96e376bce20108b18dee7e7ba36ad2f

            SHA1

            0b9134a048a871e1427e8ae72daa99507cde0bf0

            SHA256

            2bfa778374eacd8d812fdcab120cbe1ec09600b15ab7bedcd4e55b42d9255cea

            SHA512

            a9316afda6271d0a7736c785758a19a4bd5ed4fbe6b9aff3d0fb94bc99bbaed9334b9936d794baa86e77f12db59948a1fa1158e03a2fd27cd1c30c3ac15a6e08

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\setup.CFG
            Filesize

            9KB

            MD5

            73aec12e6ff2f188f8b7a662bdd4aff0

            SHA1

            70f93b95c802c33050c0e3c87a8521416c625ec8

            SHA256

            6faa9ad365849c91084c82181432fb3d11a75b35a5bdcf19ee69fcff72742f69

            SHA512

            a9b9828a7ba2bfc01db9a76827d07ee9b0adcc3b1ad174c4aef3f83e0a3e221047409906c8e791e72542cf635b1c9f5df7eec59eee4f3dabc7671a6e0ef76e25

            Download Submit

          • C:\temp\NVIDIA\NvDisplayContainerInstallerTemp\setup.exe
            Filesize

            407KB

            MD5

            cf444eab2be9f5d3a21f37827e95e81d

            SHA1

            03b32b233e89f7458afb5ad77584f046ee4f0017

            SHA256

            89423aa74ac3a30f097a500152b3e7ad61ef94c4d1cee282e6fdc94382cf72b3

            SHA512

            752d036bbf7a55fb3efb1047ebc01c9a3de69389c9a57eb04b5ffe524e8bba97d35d83c727ed472d4f1c6ffb4568b7f2db3e9070cc308b11c4914ed066672b19

            Download Submit

          • memory/1116-171-0x0000000001CA0000-0x0000000001CA2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1760-229-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-176-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-260-0x00000000002E0000-0x00000000002E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1760-250-0x0000000000300000-0x0000000000301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1760-239-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-249-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-269-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-244-0x00000000002E0000-0x00000000002E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1760-0-0x0000000000400000-0x00000000004F4000-memory.dmp

            Filesize

            976KB

            Download

          • memory/1760-265-0x0000000000300000-0x0000000000301000-memory.dmp

            Filesize

            4KB

            Download

          • memory/1760-172-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-20-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-1-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-4-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-271-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-301-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-302-0x0000000001FD0000-0x000000000305E000-memory.dmp

            Filesize

            16.6MB

            Download

          • memory/1760-491-0x00000000002E0000-0x00000000002E2000-memory.dmp

            Filesize

            8KB

            Download

          • memory/1760-502-0x0000000000400000-0x00000000004F4000-memory.dmp

            Filesize

            976KB

            Download