16b3acd55d63206ece9b643c56d35eed5e8b581c39d51998416a9a9f98bfee14

Analysis

max time kernel
150s
max time network
122s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
16/04/2024, 18:24

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe
Size

1.6MB
MD5

e019fb4a4652620fcd58c0ea67f51ebf
SHA1

f0978d6df708cee02c7b759967a520f960714b1a
SHA256

16b3acd55d63206ece9b643c56d35eed5e8b581c39d51998416a9a9f98bfee14
SHA512

4ebc2fb9b932f7c24c450a5013f0b04f1c8760c52be34877cea165c4bcbacf3b18c73ee46ef7286f4d88e7eff9e1a7ba4fbb47c7d8d256bfc173376576f9fbb8
SSDEEP

49152:67ljFKSyZC2nhDUh3jZSGZOwqyC4a1if:OjFzyZCohDUh3AGFf

Score

7^/10

Malware Config

Signatures

Deletes itself 1 IoCs

pid	Process
2512	cmd.exe

Executes dropped EXE 2 IoCs

pid	Process
1948	Logo1_.exe
2436	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe

Loads dropped DLL 1 IoCs

pid	Process
2512	cmd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Y:	Logo1_.exe
File opened (read-only)	\??\V:	Logo1_.exe
File opened (read-only)	\??\N:	Logo1_.exe
File opened (read-only)	\??\L:	Logo1_.exe
File opened (read-only)	\??\J:	Logo1_.exe
File opened (read-only)	\??\U:	Logo1_.exe
File opened (read-only)	\??\R:	Logo1_.exe
File opened (read-only)	\??\O:	Logo1_.exe
File opened (read-only)	\??\K:	Logo1_.exe
File opened (read-only)	\??\I:	Logo1_.exe
File opened (read-only)	\??\E:	Logo1_.exe
File opened (read-only)	\??\X:	Logo1_.exe
File opened (read-only)	\??\W:	Logo1_.exe
File opened (read-only)	\??\S:	Logo1_.exe
File opened (read-only)	\??\P:	Logo1_.exe
File opened (read-only)	\??\M:	Logo1_.exe
File opened (read-only)	\??\H:	Logo1_.exe
File opened (read-only)	\??\G:	Logo1_.exe
File opened (read-only)	\??\Z:	Logo1_.exe
File opened (read-only)	\??\T:	Logo1_.exe
File opened (read-only)	\??\Q:	Logo1_.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files\DVD Maker\Shared\DvdStyles\VideoWall\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1046\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Mozilla Firefox\browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\MSOXMLED.EXE	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Google\Update\Install\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.ui.themes_1.0.1.v20140819-1717\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1042\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\images\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\my\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\or\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\et\LC_MESSAGES\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\th\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\skins\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Windows Mail\de-DE\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\Help\1040\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\GrayCheck\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\PROOF\_desktop.ini	Logo1_.exe
File created	C:\Program Files\DVD Maker\ja-JP\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\ModuleAutoDeps\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Java\jre7\bin\server\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\text_renderer\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Java\jre7\bin\rmid.exe	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\ga\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\VideoLAN\VLC\locale\tet\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Internet Explorer\it-IT\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\BabyBlue\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\ja-JP\js\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\br\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\css\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Esl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\MSBuild\Microsoft\Windows Workflow Foundation\v3.5\_desktop.ini	Logo1_.exe
File created	C:\Program Files\Windows Sidebar\Gadgets\MediaCenter.Gadget\fr-FR\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Help\1049\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\Portal\1033\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\DVD Maker\Shared\DvdStyles\BabyGirl\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\Adobe\Help\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\TextConv\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\browser\features\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\MSEnv\PublicAssemblies\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\BLENDS\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\it-IT\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\plugins\access_output\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Mozilla Firefox\minidump-analyzer.exe	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Slate\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Media Player\en-US\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\css\_desktop.ini	Logo1_.exe
File created	C:\Program Files\VideoLAN\VLC\locale\mai\LC_MESSAGES\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\en-US\js\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\Oasis\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\ProjectTool\Project Report Type\Fancy\_desktop.ini	Logo1_.exe
File created	C:\Program Files (x86)\MSBuild\Microsoft\Windows Workflow Foundation\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Browser\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Windows Media Player\setup_wm.exe	Logo1_.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\security\_desktop.ini	Logo1_.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\_desktop.ini	Logo1_.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\rundl132.exe	Logo1_.exe
File created	C:\Windows\vDll.dll	Logo1_.exe
File created	C:\Windows\rundl132.exe	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe
File created	C:\Windows\Logo1_.exe	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe
1948	Logo1_.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2080 wrote to memory of 2512	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	28
PID 2080 wrote to memory of 2512	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	28
PID 2080 wrote to memory of 2512	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	28
PID 2080 wrote to memory of 2512	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	28
PID 2080 wrote to memory of 1948	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	29
PID 2080 wrote to memory of 1948	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	29
PID 2080 wrote to memory of 1948	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	29
PID 2080 wrote to memory of 1948	2080	2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe	29
PID 1948 wrote to memory of 2700	1948	Logo1_.exe	30
PID 1948 wrote to memory of 2700	1948	Logo1_.exe	30
PID 1948 wrote to memory of 2700	1948	Logo1_.exe	30
PID 1948 wrote to memory of 2700	1948	Logo1_.exe	30
PID 2700 wrote to memory of 2520	2700	net.exe	33
PID 2700 wrote to memory of 2520	2700	net.exe	33
PID 2700 wrote to memory of 2520	2700	net.exe	33
PID 2700 wrote to memory of 2520	2700	net.exe	33
PID 2512 wrote to memory of 2436	2512	cmd.exe	34
PID 2512 wrote to memory of 2436	2512	cmd.exe	34
PID 2512 wrote to memory of 2436	2512	cmd.exe	34
PID 2512 wrote to memory of 2436	2512	cmd.exe	34
PID 1948 wrote to memory of 1132	1948	Logo1_.exe	20
PID 1948 wrote to memory of 1132	1948	Logo1_.exe	20

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:1132
- C:\Users\Admin\AppData\Local\Temp\2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe"
  2⤵
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:2080
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c C:\Users\Admin\AppData\Local\Temp\$$a1A16.bat
    3⤵
    - Deletes itself
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID:2512
  - - C:\Users\Admin\AppData\Local\Temp\2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe"
      4⤵
      Executes dropped EXE
      PID:2436
- - C:\Windows\Logo1_.exe
    C:\Windows\Logo1_.exe
    3⤵
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\SysWOW64\net.exe
      net stop "Kingsoft AntiVirus Service"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2700
    - - C:\Windows\SysWOW64\net1.exe
        
        C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
        5⤵
        
        PID:2520

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleUpdateCore.exe

Filesize
251KB

MD5
7685a90a7b297c1ba99cb83883d8c034

SHA1
4db998633fe04c2067f096cb7f7a69ca1f263332

SHA256
a0355f70fd9a107a726347bea14e8c5a19db371f3a3a46427ef489e2d31e3055

SHA512
6637538c96dfe83011166046902cd366c3526ce824ff12b960502c902d2b405a4b1f5b5198008148d74bb368322f0d4bc08877c6c80668d84fad70bb26e02552

Download Submit
C:\ProgramData\Package Cache\{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}\vcredist_x64.exe

Filesize
471KB

MD5
4cfdb20b04aa239d6f9e83084d5d0a77

SHA1
f22863e04cc1fd4435f785993ede165bd8245ac6

SHA256
30ed17ca6ae530e8bf002bcef6048f94dba4b3b10252308147031f5c86ace1b9

SHA512
35b4c2f68a7caa45f2bb14b168947e06831f358e191478a6659b49f30ca6f538dc910fe6067448d5d8af4cb8558825d70f94d4bd67709aee414b2be37d49be86

Download Submit
C:\Users\Admin\AppData\Local\Temp\$$a1A16.bat

Filesize
650B

MD5
74f793847b9154775aa6058657dceb27

SHA1
4b50a30fdcb6b51c8f15dc9c88dbf9b1836d7936

SHA256
c7bb3490cf5bb83866ff7ce731086df2ec6fd41067382a0c880596cf370fbeb0

SHA512
159dadc0ba95c5ac49e26ab8a0c6187a4f80c3d35600da2fc12d95b91792ed7f232bbe46d5dd05ff106376863a6cb4ca90111f8f9e0b65ddd1bb5497fb8432f1

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-04-16_e019fb4a4652620fcd58c0ea67f51ebf_magniber.exe.exe

Filesize
1.6MB

MD5
03fb673ece2afbb93db39e4770e28849

SHA1
37ccf563191e3c25b513399c334a62d8a1044218

SHA256
c6827ba7b11d9a14838cc83d4f45b4cd29de31d211e1937459bbbc59780429dd

SHA512
a6111065c6e8428bf85eeb00b9bd435755d2a1e5ddd521c3e9f2bdcee8281ce6175dfc48b43b60696ec939a4dbeca090293ae0896f050b24c88ad3ad3fc91daf

Download Submit
C:\Windows\rundl132.exe

Filesize
26KB

MD5
ef2b92823a24ece470e6dc06f11db80f

SHA1
9c4d1b87886c2c787f9de6942263acaf1a1392c5

SHA256
0c5b4a7957130ba9ef94e673d47535ee8a0c3ecba79d9ee74d6aa38008a91c91

SHA512
c04c8a93630b3059b0c57f0820fc122b4a22ecca29be0d1e0e2004926200fe05a15959097ec6b125884c3e6f4e32dd5bac4e6376b064f8b29836d191511dfbf1

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-2248906074-2862704502-246302768-1000\_desktop.ini

Filesize
9B

MD5
02ced53ce3f5b175c3bbec378047e7a7

SHA1
dafdf07efa697ec99b3d7b9f7512439a52ea618d

SHA256
485bb2341321a2837fd015a36963ea549c7c6f40985e165fd56c8a1e89b3f331

SHA512
669dde3ea8628704d40681a7f8974cf52985385c92a61a540c97c18c13eb4d451207ae171b2a56cd061cadbc90e672a84eb55111b1f5016846918d73fb075c99

Download Submit
memory/1132-30-0x0000000002590000-0x0000000002591000-memory.dmp

Filesize
4KB

Download
memory/1948-841-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-97-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-32-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-3310-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-39-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-45-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-91-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-22-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-2458-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/1948-1850-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-16-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-0-0x0000000000400000-0x0000000000434000-memory.dmp

Filesize
208KB

Download
memory/2080-17-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download
memory/2080-12-0x0000000000220000-0x0000000000254000-memory.dmp

Filesize
208KB

Download