254a4c221d382ae5e47f2134b403d225f0f2010494fbab24689c0c19dd16b3f5

Analysis

max time kernel
100s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Size

8.8MB
MD5

30663e3b8f0273b857dc2abcc9b0759b
SHA1

cd0230b966e9328129a7036e890cf48cfbf43471
SHA256

254a4c221d382ae5e47f2134b403d225f0f2010494fbab24689c0c19dd16b3f5
SHA512

e28e414670eaced37e9b4927467c7bda5f19c54789793c160e38e082ebb18f393b386cd44e4c63f47d26966948d6a81e0cdcc3c9443562cb0abb72fd932e572c
SSDEEP

98304:bmCMLyAw3LNIsVqygGP0w1sBJ1QttoFCqkKq7NO55f0pmsOWrqufezvWq/vUv2Ty:VJBILX6svTCZWfFWrqufezvWqHU1

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe

description	ioc	process
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\G:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\T:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\V:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\W:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\M:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\N:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\B:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\I:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\R:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\J:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\Y:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\Z:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\K:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\Q:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\X:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\S:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\U:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\L:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\O:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\P:	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe

Drops file in System32 directory 64 IoCs

Processes:

sender.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dll\wkernelbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wrpcrt4.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wUxTheme.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wrpcrt4.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\CLBCatQ.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ole32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wUxTheme.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcryptprimitives.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wtsapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wtsapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\CLBCatQ.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wmswsock.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wsspicli.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wimm32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\advapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wUxTheme.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\exe\stat_sender.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\advapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\version.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\exe\stat_sender.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\sechost.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\advapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\secur32.pdb	sender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0A7.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB135.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB175.tmp	msiexec.exe
File created	C:\Windows\Installer\e57acda.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB008.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAFC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB067.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57acda.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIAF5A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB203.tmp	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB1C4.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB0E6.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

lite_installer.exeseederexe.exesender.exe

pid process

4216 lite_installer.exe
212 seederexe.exe
6828 sender.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

656 MsiExec.exe
656 MsiExec.exe
656 MsiExec.exe
656 MsiExec.exe
656 MsiExec.exe
656 MsiExec.exe
656 MsiExec.exe
656 MsiExec.exe
4252 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4216	lite_installer.exe
212	seederexe.exe
6828	sender.exe

pid	process
656	MsiExec.exe
656	MsiExec.exe
656	MsiExec.exe
656	MsiExec.exe
656	MsiExec.exe
656	MsiExec.exe
656	MsiExec.exe
656	MsiExec.exe
4252	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

seederexe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe

Modifies data under HKEY_USERS 5 IoCs

Processes:

seederexe.exemsiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached	seederexe.exe
Set value (data)	\REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Cached\{E88DCCE0-B7B3-11D1-A9F0-00AA0060FA31} {000214E6-0000-0000-C000-000000000046} 0xFFFF = 010000000000000044d9c98e2499da01	seederexe.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exemsiexec.exelite_installer.exeseederexe.exesender.exe

pid	process
3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
2352	msiexec.exe
2352	msiexec.exe
4216	lite_installer.exe
4216	lite_installer.exe
212	seederexe.exe
212	seederexe.exe
4216	lite_installer.exe
4216	lite_installer.exe
6828	sender.exe
6828	sender.exe
6828	sender.exe
6828	sender.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeIncreaseQuotaPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeSecurityPrivilege	2352	msiexec.exe
Token: SeCreateTokenPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeLockMemoryPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeIncreaseQuotaPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeMachineAccountPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeTcbPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeSecurityPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeTakeOwnershipPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeLoadDriverPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeSystemProfilePrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeSystemtimePrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeProfSingleProcessPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeIncBasePriorityPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeCreatePagefilePrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeCreatePermanentPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeBackupPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeRestorePrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeShutdownPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeDebugPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeAuditPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeSystemEnvironmentPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeChangeNotifyPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeRemoteShutdownPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeUndockPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeSyncAgentPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeEnableDelegationPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeManageVolumePrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeImpersonatePrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeCreateGlobalPrivilege	3652	2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe

pid process

3652 2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
3652 2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeseederexe.exe

description	pid	process	target process
PID 2352 wrote to memory of 656	2352	msiexec.exe	MsiExec.exe
PID 2352 wrote to memory of 656	2352	msiexec.exe	MsiExec.exe
PID 2352 wrote to memory of 656	2352	msiexec.exe	MsiExec.exe
PID 656 wrote to memory of 4216	656	MsiExec.exe	lite_installer.exe
PID 656 wrote to memory of 4216	656	MsiExec.exe	lite_installer.exe
PID 656 wrote to memory of 4216	656	MsiExec.exe	lite_installer.exe
PID 2352 wrote to memory of 4252	2352	msiexec.exe	MsiExec.exe
PID 2352 wrote to memory of 4252	2352	msiexec.exe	MsiExec.exe
PID 2352 wrote to memory of 4252	2352	msiexec.exe	MsiExec.exe
PID 4252 wrote to memory of 212	4252	MsiExec.exe	seederexe.exe
PID 4252 wrote to memory of 212	4252	MsiExec.exe	seederexe.exe
PID 4252 wrote to memory of 212	4252	MsiExec.exe	seederexe.exe
PID 212 wrote to memory of 6828	212	seederexe.exe	sender.exe
PID 212 wrote to memory of 6828	212	seederexe.exe	sender.exe
PID 212 wrote to memory of 6828	212	seederexe.exe	sender.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_30663e3b8f0273b857dc2abcc9b0759b_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3652

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2352

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 72C5EE0D97AA77003F76181BCA20743A
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:656

C:\Users\Admin\AppData\Local\Temp\3F5A776F-3856-4E0D-81E7-0C3A4C142459\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\3F5A776F-3856-4E0D-81E7-0C3A4C142459\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4216

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding CC4E2B0194649D597F81BE731EECCADE E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4252

C:\Users\Admin\AppData\Local\Temp\CA52DC78-9149-4D65-ACB0-6A4415502821\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\CA52DC78-9149-4D65-ACB0-6A4415502821\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\96213934-BA7E-4E4D-892C-A633950AC7BF\sender.exe" "--is_elevated=yes" "--ui_level=5"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:212

C:\Users\Admin\AppData\Local\Temp\96213934-BA7E-4E4D-892C-A633950AC7BF\sender.exe
C:\Users\Admin\AppData\Local\Temp\96213934-BA7E-4E4D-892C-A633950AC7BF\sender.exe --send "/status.xml?clid=2256219&uuid=5d31a133-a5fe-4c29-a9b0-b42f3471905c&vnt=Windows 10x64&file-no=8%0A15%0A25%0A37%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A129%0A"
4⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:6828

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57acdb.rbs
Filesize
591B

MD5
c281c9fc36e9fab98ede41b9e1cd685c

SHA1
1da3758618441a7682a6700321ca68f6d8a208ae

SHA256
db65d53573960c6eba6d4e55af8ed61de0eb19889795ca19af99f0f4eb2778f6

SHA512
608fc70da746029ff647c0bba32f9d26c47e69fcba775cb4f70c452742dc9d9759f037d7bc2be7bf6978ae7348b4d6c5692b20ca8789e79f9783817c43814e8b

Download Submit
C:\Users\Admin\AppData\Local\Temp\2da51033-19a9-4abe-be15-b93bf3e85b66\[email protected]
Filesize
1KB

MD5
5a40649cf7f6923e1e00e67a8e5fc6c8

SHA1
fc849b64b31f2b3d955f0cb205db6921eacc1b53

SHA256
6d432ba7096090837f9533a33a686c846ad67aed8ecc43af7ce8af42649cd51a

SHA512
0fc42a2cc61528b14478f4b9ae098ea90e6b05ddbe10f3a6cdd6326d0d8e6185b49d2b8143b76a9f329bdc277cf02b54d98f374edd65df68a1ffc41e1c817786

Download Submit
C:\Users\Admin\AppData\Local\Temp\2da51033-19a9-4abe-be15-b93bf3e85b66\[email protected]
Filesize
688KB

MD5
ab6d42f949df8d7e6a48c07e9b0d86e0

SHA1
1830399574b1973e2272e5dcc368c4c10dbbe06b

SHA256
205ebf52c47b42fa0ad1a734a1d882d96b567e15a32b19bdb907562db8ea09e2

SHA512
6c4f9bb726384c87b6523e08339f7821ad4ec8717b26db902ca51df74eb89b46e4ded1504a131683b07b2bba3e6e911a549a8a83b2aad3971047c0fe315a1ad5

Download Submit
C:\Users\Admin\AppData\Local\Temp\2da51033-19a9-4abe-be15-b93bf3e85b66\[email protected]
Filesize
5KB

MD5
856242624386f56874a3f3e71d7993f4

SHA1
96d3199c5eebb0d48c944050fbc753535ee09801

SHA256
d86ed80d2a9e4e1af843a991a6553a2fefd5433b2144be0cfb63a2f18deb86be

SHA512
76d440fe2ed535677a1d249b289463bfedfc5d2afc0e269e4593bb113393f165856c07117735cf3e5a230b5d04a61c7126df24a466594d8c27b47b2047834a09

Download Submit
C:\Users\Admin\AppData\Local\Temp\2da51033-19a9-4abe-be15-b93bf3e85b66\[email protected]
Filesize
1.7MB

MD5
e68cea8c6d4b16641f30dd930a952ebb

SHA1
7e8c4b51e6e56f35a2983ab6cb121341aeda565c

SHA256
a7f3f788323a12158d66f341c4711d71fc2244a2b07a68fb8df4baec0ff76f35

SHA512
96351e36a4c5020ed464b96b72bb3063db819981440bde7c6c3a50f7fe470e1d70f0350ec7c4bcd4808fcabe2ddfbdebfc7039ae2248c1455e2245f53ce44ec0

Download Submit
C:\Users\Admin\AppData\Local\Temp\3F5A776F-3856-4E0D-81E7-0C3A4C142459\lite_installer.exe
Filesize
390KB

MD5
28b10eff9b78787aa18e424fd9319064

SHA1
0bd2bc3665e8988567607460ea6bfc51d45d4d5c

SHA256
dbbbf54115fb97f777180f67ee341cf16803ed6e85bf9af60ea13d9b99be362d

SHA512
a908a231c9db21767066ab13ec4a8ac451bc978f5d8bccf5032e5ecbcaa996c7e2afff0121036cc184a3c19a4caf542bb15dbe6ad6dae16c422f6ac6bc5a791a

Download Submit
C:\Users\Admin\AppData\Local\Temp\96213934-BA7E-4E4D-892C-A633950AC7BF\sender.exe
Filesize
249KB

MD5
4ce9460ed83b599b1176c4161e0e5816

SHA1
ca1bd4f28ec3e6f4b0253764e6339e480d3549bd

SHA256
118d277f46df036ffb1ca69d9da7890c65c3807a6e88248f3ba703b0f51cd308

SHA512
1064da56e85d3b0c34c47e9fa0821b2ceb79e338e602e705b7f801c0a1bfb83246c340fa1351fc222216a12968bcc52540e105f186a3ef6f3e7c32348936daf3

Download Submit
C:\Users\Admin\AppData\Local\Temp\CA52DC78-9149-4D65-ACB0-6A4415502821\seederexe.exe
Filesize
6.8MB

MD5
6df2e368846222aef04e596d9ea43aac

SHA1
57b59e1002d9d971fc504df0493d5ac54380027b

SHA256
f4adf79355ff21c11faf8283d06e28013478834a64d9473d27194f4dbcfed359

SHA512
a40636178285fa12b1b6f99802fdfd3b569c674b1864f5c6893ccb6a48c90232539704da8ea478457ead39c1f94c319467b41142c8aa26473a280c4fb329f662

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
Filesize
35KB

MD5
6cf4c6cb727185152a160b9b2fccb515

SHA1
d2c4f757081e10dc7a462dd879459583de5dbba0

SHA256
613b2680451491af13d9f30684fb52d27ed4b4e255f859b59d3b27dfd02b5f77

SHA512
ceb12e54c4b9ccb2e4955ceccbf4494df3cf8f87962043b4022b5b0c129a62465babfa3c7f76c446ea0d76c5317597cc83a1c74ef998697b597f058f21f51858

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
Filesize
560B

MD5
d0c684aea4b8e443b29c3e4b7bc11477

SHA1
4305871a4dc747e15ddf0f3edf78d15202f83479

SHA256
12762de5a4a8e3af546d7e0872771807707f84a2a66f33fb79763174be20cd01

SHA512
bb27ca7f5790112ccfd910bba3d2c619b105d8b5e4bee3c872aa6a6d1b5e81212414489d1584192547e96cef8a381037cc482335c98da56e6fcd148f36286505

Download Submit
C:\Users\Admin\AppData\Local\Temp\omnija-20242828.zip
Filesize
42.1MB

MD5
bf952b53408934f1d48596008f252b8d

SHA1
758d76532fdb48c4aaf09a24922333c4e1de0d01

SHA256
2183a97932f51d5b247646985b4e667d8be45f18731c418479bbd7743c825686

SHA512
a510a96e17090ada1a107e0f6d4819787652ab3d38cd17237f255c736817c7cfcb3fd5cf25f56d5693f4923375b2ab9548e9215070e252aae25c3528b2186d99

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
Filesize
597B

MD5
e9e5899eea3bdc5712b23cb05b4b171a

SHA1
da497d404b5812a1314f81b347e282b13c8e445a

SHA256
5a14ae5159e4844fdfbc0d586b6fe92c7c1095fae04fd9ac28f1410ec8e82872

SHA512
48efdce194e8c2f670622afbaf981d3050f059d336011fb41320122e8f2b9d2dbe8ff32c5a63524432055f5ed022e3f639f4ae7bc0956edec8a02199a25e1274

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Filesize
8.5MB

MD5
e0b388e242a70b6208f9767ad1337007

SHA1
3993afc626b49b9b595e348830faa1e16c26a5e6

SHA256
492a71c6af8c0fa0aaac56c3c6b6a9ba2c8921ba8acb012a4378afce0275ca30

SHA512
4a2eb6aee6d82f6eb96674033671c348e47587e328beb512ba7cbfc4a97d343c49b625bceeaaa7780cfbd560ce978b6ca48e234c88329f70a0aab5a81aaa0f17

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\7poa3l2w.Admin\places.sqlite-2024282849.165995165.backup
Filesize
68KB

MD5
d57cd95de07d3b15eb5cf8baa80471af

SHA1
322c0e13f2022ab255a8d2a50c5835779b6ccc3e

SHA256
651efdc8961efbf6476e4cc4b3965a4da72690ebedda009fd800c6d936a67696

SHA512
2e98256a9e76ae384f88b83075a321f60cb13ee6f7e8cb93f1919103b82ba79a67b5eec8a7d3043fe26b377fae58545e82323813897c0e67adfacaa885d6f68e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-2024282849.244120244.backup
Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-2024282849.244120244.backup
Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui
Filesize
38B

MD5
2799525d08a68eae43f5744fa929d6eb

SHA1
33e35ee139528c5a8584bb5cd496dcf2091ca86d

SHA256
115220bbd8f2473463e6e9b5ee8aeba068f1b19d862d2044f4632296b44fbaa8

SHA512
131b5a8d75dbfc5f6fc822b1cebd31cc729a072117fe36f75246e422cf6aacc46815253fccc437c866778692711198d05159c37fafe0e1ceaba38d43d4dad274

Download Submit
C:\Windows\Installer\MSIAF5A.tmp
Filesize
172KB

MD5
694a088ff8fa0e3155881bb6500868bc

SHA1
096626661b9bcb3b3197b92e7e3c4e77ad4b2df4

SHA256
6f3a5bbd29f669712d6c2c7e5174dea6807cb86fda293acbe360bde81d29a633

SHA512
bd3a9cdf9ea591d462be8e00e9bc44c391897c40d598ada19f0377f3a6aea97aba03627d97d6362edbb81763fe3c7570d07bdfd5a004dd9e7af4531bc490bdeb

Download Submit
C:\Windows\Installer\MSIAFC9.tmp
Filesize
189KB

MD5
c3a831564e7b54fb7b502b728e232542

SHA1
82a4f969b1f19dc6489e13d357ccad9fef4837ab

SHA256
43097d66f86e3a1103d4cc7c410e46daba8d1a7a991ab6c222d41bd2620c19ca

SHA512
4855ca4429974a0b111d42b86cb8f89188310aaaf9174b4cf462a968163c8b92e38d4a519c78133301b341be5cd02e34b55b55575e84f0d01c2cd11ae74cce05

Download Submit
C:\Windows\Installer\MSIB203.tmp
Filesize
202KB

MD5
ba84dd4e0c1408828ccc1de09f585eda

SHA1
e8e10065d479f8f591b9885ea8487bc673301298

SHA256
3cff4ac91288a0ff0c13278e73b282a64e83d089c5a61a45d483194ab336b852

SHA512
7a38418f6ee8dbc66fab2cd5ad8e033e761912efc465daa484858d451da4b8576079fe90fd3b6640410edc8b3cac31c57719898134f246f4000d60a252d88290

Download Submit