322798dd214a40efc0862c85e8f1988bc02a076c00dd8d49328a28c0e98e179b

Analysis

max time kernel
145s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 04:43

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Size

8.6MB
MD5

04b91f14b2a6b45be59309bc3e76695a
SHA1

a52b9c3e210ba393a65ee10216d4c91709ca72dc
SHA256

322798dd214a40efc0862c85e8f1988bc02a076c00dd8d49328a28c0e98e179b
SHA512

3df5ab1d08e2f1103070ebcb9a3997e71cbe8d4a49180a7fd0b49bef2d64a280e4a05eec9ab9a871ee5d4a65159dd8ebe75ab421936ebdcdc3cde647a8433dc4
SSDEEP

98304:o76wMlkYxXKNgR7YjTMbk+ust6tXHJwWkHmPh7gCNq7N2/wK0pmsCWrqufezvktp:Dwi3K+lYMIstaiOgC8KVWrqufezvS

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exe2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe

description	ioc	process
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Y:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\L:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\G:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\J:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\K:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\M:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\Q:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\S:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\V:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\P:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\T:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\X:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\Z:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\O:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\W:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\N:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\H:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\R:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\U:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\I:	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe

Drops file in System32 directory 64 IoCs

Processes:

sender.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\BitsProxy.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wUxTheme.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wsspicli.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\version.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wwin32u.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\version.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wtsapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\webio.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wUxTheme.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\CLBCatQ.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wkernel32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wkernelbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\sechost.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\bcryptprimitives.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dnsapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\apphelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcryptprimitives.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcrt.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dnsapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wrpcrt4.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\BitsProxy.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wmswsock.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wmswsock.pdb	sender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File created	C:\Windows\Installer\e57733c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7522.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI75C2.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7631.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7691.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57733c.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74F2.tmp	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7593.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI74A3.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7562.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7582.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSI7670.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

lite_installer.exeseederexe.exesender.exe

pid process

4752 lite_installer.exe
4772 seederexe.exe
2896 sender.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

1224 MsiExec.exe
1224 MsiExec.exe
1224 MsiExec.exe
1224 MsiExec.exe
1224 MsiExec.exe
1224 MsiExec.exe
1224 MsiExec.exe
1224 MsiExec.exe
2828 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
4752	lite_installer.exe
4772	seederexe.exe
2896	sender.exe

pid	process
1224	MsiExec.exe
1224	MsiExec.exe
1224	MsiExec.exe
1224	MsiExec.exe
1224	MsiExec.exe
1224	MsiExec.exe
1224	MsiExec.exe
1224	MsiExec.exe
2828	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

seederexe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exemsiexec.exelite_installer.exeseederexe.exesender.exe

pid	process
3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
2476	msiexec.exe
2476	msiexec.exe
4752	lite_installer.exe
4752	lite_installer.exe
4772	seederexe.exe
4772	seederexe.exe
2896	sender.exe
2896	sender.exe
2896	sender.exe
2896	sender.exe
4752	lite_installer.exe
4752	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeIncreaseQuotaPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeSecurityPrivilege	2476	msiexec.exe
Token: SeCreateTokenPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeLockMemoryPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeIncreaseQuotaPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeMachineAccountPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeTcbPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeSecurityPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeTakeOwnershipPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeLoadDriverPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeSystemProfilePrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeSystemtimePrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeProfSingleProcessPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeIncBasePriorityPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeCreatePagefilePrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeCreatePermanentPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeBackupPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeRestorePrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeShutdownPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeDebugPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeAuditPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeSystemEnvironmentPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeChangeNotifyPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeRemoteShutdownPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeUndockPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeSyncAgentPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeEnableDelegationPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeManageVolumePrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeImpersonatePrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeCreateGlobalPrivilege	3152	2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe
Token: SeRestorePrivilege	2476	msiexec.exe
Token: SeTakeOwnershipPrivilege	2476	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe

pid process

3152 2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
3152 2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeseederexe.exe

description	pid	process	target process
PID 2476 wrote to memory of 1224	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1224	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 1224	2476	msiexec.exe	MsiExec.exe
PID 1224 wrote to memory of 4752	1224	MsiExec.exe	lite_installer.exe
PID 1224 wrote to memory of 4752	1224	MsiExec.exe	lite_installer.exe
PID 1224 wrote to memory of 4752	1224	MsiExec.exe	lite_installer.exe
PID 2476 wrote to memory of 2828	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2828	2476	msiexec.exe	MsiExec.exe
PID 2476 wrote to memory of 2828	2476	msiexec.exe	MsiExec.exe
PID 2828 wrote to memory of 4772	2828	MsiExec.exe	seederexe.exe
PID 2828 wrote to memory of 4772	2828	MsiExec.exe	seederexe.exe
PID 2828 wrote to memory of 4772	2828	MsiExec.exe	seederexe.exe
PID 4772 wrote to memory of 2896	4772	seederexe.exe	sender.exe
PID 4772 wrote to memory of 2896	4772	seederexe.exe	sender.exe
PID 4772 wrote to memory of 2896	4772	seederexe.exe	sender.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_04b91f14b2a6b45be59309bc3e76695a_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:3152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2476

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2859DC7B4883A6077E14D86E37D4E4B1
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1224

C:\Users\Admin\AppData\Local\Temp\29EE5EAE-DDA9-4F4E-8E33-2237CCACC15D\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\29EE5EAE-DDA9-4F4E-8E33-2237CCACC15D\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:4752

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 93D4D64194F34D046BB4CF0233B1303B E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2828

C:\Users\Admin\AppData\Local\Temp\5218FDFB-59FB-4E5D-84A0-EF3AF3C8F702\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\5218FDFB-59FB-4E5D-84A0-EF3AF3C8F702\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\5ECBB2DD-C5D8-466E-BD99-20A682D361E6\sender.exe" "--is_elevated=yes" "--ui_level=5"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4772

C:\Users\Admin\AppData\Local\Temp\5ECBB2DD-C5D8-466E-BD99-20A682D361E6\sender.exe
C:\Users\Admin\AppData\Local\Temp\5ECBB2DD-C5D8-466E-BD99-20A682D361E6\sender.exe --send "/status.xml?clid=2255361&uuid=cea94c22-d456-436c-b7d7-e833bf34bcd0&vnt=Windows 10x64&file-no=8%0A25%0A37%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A129%0A"
4⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:2896

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57733d.rbs
Filesize
591B

MD5
c0e732684453119e1dfa29c662654152

SHA1
89292a4a6abc6301b908f7db5e2e89317f443e62

SHA256
59f67a1481474bc7085c5e4178283b517935242bebf4cbf1e126268a0c668771

SHA512
04b7b5c7588151c82985049a15f44707f3bc491250b51d275ffe28032714e3c7a60898a095a18a8075760ac8cdcac7a6ac5237988798e9de049a89e00687f2cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\29EE5EAE-DDA9-4F4E-8E33-2237CCACC15D\lite_installer.exe
Filesize
390KB

MD5
d76e1d741effdfbed89984c77b180fa7

SHA1
966734fcf45a54485e821a7f3af537001d0caa6a

SHA256
0e3bde3de1a5decc4ce438bc945c532ee0d3674aeae2f2a259f685d58d53fd8f

SHA512
8dc5f11f716ac2066e542cf4f6faa2236a360386861e4c3e4a216ee9dba62bc099700e2241f75ba9db61fd56081fc1c8521f31cba4ff953241cc19560ae6a4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\5218FDFB-59FB-4E5D-84A0-EF3AF3C8F702\seederexe.exe
Filesize
6.7MB

MD5
f9df2f062bdb4c2be3a3129230103030

SHA1
9cc3b360f49962f4fd4dff057315fa5531210707

SHA256
4867db55dfebe3c66f907b0214c6a746c3ed774338c85999d756d2bcca00b76e

SHA512
1398c9c1b0b1be117fc082068d67aacbf0e9899c6dc424ab883f58d5deeb4cac75b42d1ba64c4a3a7f6553dd05dbb54e67b84215f3bb9b0a0e2fdaf76787be73

Download Submit
C:\Users\Admin\AppData\Local\Temp\5ECBB2DD-C5D8-466E-BD99-20A682D361E6\sender.exe
Filesize
249KB

MD5
6e7542de2100ae4b5070ddf52d6e94d4

SHA1
564d7867f7e10efc64af9e6d755ff6bca0b08891

SHA256
ed9b52c3ef991944a62c8c47555abe6b459eb51096da4312a09ac09e8b534b31

SHA512
67fbc9507c26ea37666e975c51a41c0ab1c68df2118034680ea8f8604e41383a4f3a7a57015e87bb3544ed1d462161bc53b7aecdd2436f88fcc0f1399f33c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
Filesize
35KB

MD5
8f7773ff33d30de9532426f763457da6

SHA1
24137cd88fcd61e06a0e7e72b13b6d039f1bad0d

SHA256
4b3a03d526e05af826d0bb10b17f4346230e051d7c11825cbbf0021d79561370

SHA512
692c7bc5d4ef27b97df2f3aa9e6191f6fee61c1285c7c1760e9079843850d970b573c93ec8ed75c29c304fda0b472a9aa5bda7993dd3bd739cc4df617cce925b

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
Filesize
554B

MD5
f0263311f701ef7d142847733843d7e5

SHA1
c0e1890e5286748b4356a886a4c65e715b1dcf7f

SHA256
c969b7acd68707081b1ffa361fdf152ebf31ead27bf9466bdc815cd9857adaff

SHA512
8e7e6737fbbf8fbcf5b05cf16e81c18384258768a9db21e7eef14aa3ef6783391bbf0768eed883802ef85d42a660bec4d6c2c61722d54298046ce157c0878993

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
Filesize
591B

MD5
63f86bb6766291c2d1b05bdddc619e8d

SHA1
9c48aaf7f013df7576594bc261d8b30bec348d44

SHA256
5a708b9361136a4f8926958504fdc186fe11701c277564fcdc5f36f2d103ae5a

SHA512
f206997415c24d4e5141abe699e7676c54ac70d4838052d7026995ac3f44c4bcd5097b5dbc0986e3fec77fea9a69ce01b828e3497df5f3008d7545c6ecd706f3

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Filesize
8.2MB

MD5
562c5c292f474c4d579859aadbc7cadb

SHA1
995a72f2a1e7635427cc86d1fb0d8a47ada547d6

SHA256
0b092f8c37813ea08188ff6aebe115ea278e1b302e1351d59184d2edbc77f046

SHA512
34ba7d7fab2e88f9c9387214a132693200c3d2653a64b0f1b69e7881df143c90b197ba643f68d65e5decc750ab856e04a09dfb11eb7828833c00987c4ac78cd2

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nahd6ha2.default\places.sqlite
Filesize
68KB

MD5
d57cd95de07d3b15eb5cf8baa80471af

SHA1
322c0e13f2022ab255a8d2a50c5835779b6ccc3e

SHA256
651efdc8961efbf6476e4cc4b3965a4da72690ebedda009fd800c6d936a67696

SHA512
2e98256a9e76ae384f88b83075a321f60cb13ee6f7e8cb93f1919103b82ba79a67b5eec8a7d3043fe26b377fae58545e82323813897c0e67adfacaa885d6f68e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-2024432838.258928258.backup
Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-2024432838.258928258.backup
Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui
Filesize
38B

MD5
6005aa16ecd88c963dbe237b60155a2e

SHA1
9fa124c8d7b963fe1bec3731366f11fab2208505

SHA256
49c182ef1ecbf6609890a7b5b4582603f102ee0fbc52ec0a09a50c62b1824a17

SHA512
8eb4c93d256b668b5ef75b6ff61b5b58e7d2474e4b981574debc986857b259ddd802b70876396c1cac6d8bded0c912b3fd872f70731c49ee7056c1baaf2ca5cb

Download Submit
C:\Windows\Installer\MSI74A3.tmp
Filesize
172KB

MD5
17d3de1fd7f7c6c3a6520d0fadea3e0e

SHA1
92587dfb70fcfc8db5aba782b414043ba24a5918

SHA256
fb28a17904096b3ee385d2fe1f033298519c0ebf69ced454b45fdad5247589c9

SHA512
1be8de8180e8a86735d8b3d97c808b85a6be545d9946b117b39c6e1c37124ac4ee6acf314d1982249b531fd24097d6a30a0b5228f0b30ccd66a5fdb4ed3e4f5a

Download Submit
C:\Windows\Installer\MSI74F2.tmp
Filesize
189KB

MD5
84be3b020067fb25e77e72710291a70a

SHA1
792feeafa52d93e5ec6538794cd97df49666b7ea

SHA256
8591f02e50663689043d6dec34ade65cb24732914b73de5faa43e74ed5b6450c

SHA512
1eb0fe8f5501e623efcd033665132ee3859968aede5f496634ac107008eaa3964941d019a207c63e21c8b76f45bad718ca70c10ab81f8dccdf0fb89acfb9a0bc

Download Submit
C:\Windows\Installer\MSI7691.tmp
Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit