03df1f6e2edb2b74748f63299f0ab99090d829bdac6e4b4a7be66eff8c8c6a1e

Analysis

max time kernel
100s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240419-en
resource tags

arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
submitted
28-04-2024 05:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Size

8.6MB
MD5

d7899e7b510b52edce32328fba8761b7
SHA1

fc75b915bd3b3892a39a33fd7e1d75c33eef4386
SHA256

03df1f6e2edb2b74748f63299f0ab99090d829bdac6e4b4a7be66eff8c8c6a1e
SHA512

581ba7bfbfe5bc93b8b256dff9dbbb075be45e25de79beb3e6fb8efcdf478da2c21b09aa9aa081ab5160bf9d5a6914b9385f6eab894ed15161f0fa8f7c9cc565
SSDEEP

98304:K76wMlkYxXKNgR7YjTMbk+ust6tXHJwWkHmPh7gCNq7N2/wK0pmsCWrqufezvktp:pwi3K+lYMIstaiOgC8KVWrqufezv+

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\B:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\L:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\P:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\S:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\W:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\H:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\K:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\U:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\E:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\G:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\R:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\Z:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\A:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\M:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\V:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\J:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\N:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\X:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\O:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\Q:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\T:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
File opened (read-only)	\??\Y:	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe

Drops file in System32 directory 64 IoCs

Processes:

sender.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\dll\webio.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\iphlpapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\shlwapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\Windows.Storage.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\Windows.Storage.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcryptprimitives.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dnsapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\advapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\webio.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wmswsock.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ole32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wsspicli.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wUxTheme.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wkernel32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\wkernel32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ws2_32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\secur32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\msvcrt.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wkernelbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\BitsProxy.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wtsapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\msvcrt.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ole32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shlwapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\iphlpapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wwin32u.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wimm32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\stat_sender.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\version.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Windows.Storage.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wmswsock.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\shell32.pdb	sender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

Processes:

msiexec.exe

description	ioc	process
File opened for modification	C:\Windows\Installer\MSIB930.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB9DE.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA7C.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB1B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB834.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAAC.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b5f2.msi	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB99E.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBAFB.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b5f2.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIB8E1.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBA3D.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

Processes:

lite_installer.exeseederexe.exesender.exe

pid process

1680 lite_installer.exe
1060 seederexe.exe
1056 sender.exe
Loads dropped DLL 9 IoCs

Processes:

MsiExec.exeMsiExec.exe

pid process

4012 MsiExec.exe
4012 MsiExec.exe
4012 MsiExec.exe
4012 MsiExec.exe
4012 MsiExec.exe
4012 MsiExec.exe
4012 MsiExec.exe
4012 MsiExec.exe
3324 MsiExec.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1680	lite_installer.exe
1060	seederexe.exe
1056	sender.exe

pid	process
4012	MsiExec.exe
4012	MsiExec.exe
4012	MsiExec.exe
4012	MsiExec.exe
4012	MsiExec.exe
4012	MsiExec.exe
4012	MsiExec.exe
4012	MsiExec.exe
3324	MsiExec.exe

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

Processes:

seederexe.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe

Modifies data under HKEY_USERS 3 IoCs

Processes:

msiexec.exe

description	ioc	process
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

Processes:

2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exemsiexec.exelite_installer.exeseederexe.exesender.exe

pid	process
4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
1920	msiexec.exe
1920	msiexec.exe
1680	lite_installer.exe
1680	lite_installer.exe
1060	seederexe.exe
1060	seederexe.exe
1680	lite_installer.exe
1680	lite_installer.exe
1056	sender.exe
1056	sender.exe
1056	sender.exe
1056	sender.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

Processes:

2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exemsiexec.exe

description	pid	process
Token: SeShutdownPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeIncreaseQuotaPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeSecurityPrivilege	1920	msiexec.exe
Token: SeCreateTokenPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeLockMemoryPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeIncreaseQuotaPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeMachineAccountPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeTcbPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeSecurityPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeTakeOwnershipPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeLoadDriverPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeSystemProfilePrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeSystemtimePrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeProfSingleProcessPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeIncBasePriorityPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeCreatePagefilePrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeCreatePermanentPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeBackupPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeRestorePrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeShutdownPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeDebugPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeAuditPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeSystemEnvironmentPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeChangeNotifyPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeRemoteShutdownPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeUndockPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeSyncAgentPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeEnableDelegationPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeManageVolumePrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeImpersonatePrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeCreateGlobalPrivilege	4808	2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe
Token: SeRestorePrivilege	1920	msiexec.exe
Token: SeTakeOwnershipPrivilege	1920	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe

pid process

4808 2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
4808 2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

Processes:

msiexec.exeMsiExec.exeMsiExec.exeseederexe.exe

description	pid	process	target process
PID 1920 wrote to memory of 4012	1920	msiexec.exe	MsiExec.exe
PID 1920 wrote to memory of 4012	1920	msiexec.exe	MsiExec.exe
PID 1920 wrote to memory of 4012	1920	msiexec.exe	MsiExec.exe
PID 4012 wrote to memory of 1680	4012	MsiExec.exe	lite_installer.exe
PID 4012 wrote to memory of 1680	4012	MsiExec.exe	lite_installer.exe
PID 4012 wrote to memory of 1680	4012	MsiExec.exe	lite_installer.exe
PID 1920 wrote to memory of 3324	1920	msiexec.exe	MsiExec.exe
PID 1920 wrote to memory of 3324	1920	msiexec.exe	MsiExec.exe
PID 1920 wrote to memory of 3324	1920	msiexec.exe	MsiExec.exe
PID 3324 wrote to memory of 1060	3324	MsiExec.exe	seederexe.exe
PID 3324 wrote to memory of 1060	3324	MsiExec.exe	seederexe.exe
PID 3324 wrote to memory of 1060	3324	MsiExec.exe	seederexe.exe
PID 1060 wrote to memory of 1056	1060	seederexe.exe	sender.exe
PID 1060 wrote to memory of 1056	1060	seederexe.exe	sender.exe
PID 1060 wrote to memory of 1056	1060	seederexe.exe	sender.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-28_d7899e7b510b52edce32328fba8761b7_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4808

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1920

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 09790D29C987957BE06DE5EC99B1F868
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4012

C:\Users\Admin\AppData\Local\Temp\13244961-125D-41A3-9AAD-38425B22394D\lite_installer.exe
"C:\Users\Admin\AppData\Local\Temp\13244961-125D-41A3-9AAD-38425B22394D\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1680

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding 2C7BAEDBEDD4A86F2C3F40D99299DB03 E Global\MSI0000
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:3324

C:\Users\Admin\AppData\Local\Temp\1690BCE3-E741-4635-A1F0-013A54C1DF10\seederexe.exe
"C:\Users\Admin\AppData\Local\Temp\1690BCE3-E741-4635-A1F0-013A54C1DF10\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\7F2866BD-8C35-462C-89B1-50DC94C7EEF5\sender.exe" "--is_elevated=yes" "--ui_level=5"
3⤵
- Executes dropped EXE
- Modifies Internet Explorer settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1060

C:\Users\Admin\AppData\Local\Temp\7F2866BD-8C35-462C-89B1-50DC94C7EEF5\sender.exe
C:\Users\Admin\AppData\Local\Temp\7F2866BD-8C35-462C-89B1-50DC94C7EEF5\sender.exe --send "/status.xml?clid=2256843&uuid=047c5ca9-b7c8-43ed-b8c6-80c149a07fde&vnt=Windows 10x64&file-no=8%0A25%0A37%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A129%0A"
4⤵
- Drops file in System32 directory
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
PID:1056

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b5f3.rbs
Filesize
591B

MD5
ac58a0804ab9ce299df1665adef102a3

SHA1
296df307dc7a28d5ebbf713954921e65b3f3849e

SHA256
04060ca73ea24208f04c453cd32dd984c523ceb6e85cd44a8a9f589d8d926e6a

SHA512
21e68a0d8066c4f38dc8ab62e5446abb974bcfdab8ae0a9af68c8d714d9cb494445a874da872cc9f894e2be508a91ef3a75a76962ac7d8ece3192c20dfe4b8bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\13244961-125D-41A3-9AAD-38425B22394D\lite_installer.exe
Filesize
390KB

MD5
d76e1d741effdfbed89984c77b180fa7

SHA1
966734fcf45a54485e821a7f3af537001d0caa6a

SHA256
0e3bde3de1a5decc4ce438bc945c532ee0d3674aeae2f2a259f685d58d53fd8f

SHA512
8dc5f11f716ac2066e542cf4f6faa2236a360386861e4c3e4a216ee9dba62bc099700e2241f75ba9db61fd56081fc1c8521f31cba4ff953241cc19560ae6a4e5

Download Submit
C:\Users\Admin\AppData\Local\Temp\1690BCE3-E741-4635-A1F0-013A54C1DF10\seederexe.exe
Filesize
6.7MB

MD5
f9df2f062bdb4c2be3a3129230103030

SHA1
9cc3b360f49962f4fd4dff057315fa5531210707

SHA256
4867db55dfebe3c66f907b0214c6a746c3ed774338c85999d756d2bcca00b76e

SHA512
1398c9c1b0b1be117fc082068d67aacbf0e9899c6dc424ab883f58d5deeb4cac75b42d1ba64c4a3a7f6553dd05dbb54e67b84215f3bb9b0a0e2fdaf76787be73

Download Submit
C:\Users\Admin\AppData\Local\Temp\7F2866BD-8C35-462C-89B1-50DC94C7EEF5\sender.exe
Filesize
249KB

MD5
6e7542de2100ae4b5070ddf52d6e94d4

SHA1
564d7867f7e10efc64af9e6d755ff6bca0b08891

SHA256
ed9b52c3ef991944a62c8c47555abe6b459eb51096da4312a09ac09e8b534b31

SHA512
67fbc9507c26ea37666e975c51a41c0ab1c68df2118034680ea8f8604e41383a4f3a7a57015e87bb3544ed1d462161bc53b7aecdd2436f88fcc0f1399f33c2c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log
Filesize
35KB

MD5
a594fe1473fc205189d36c448487fca9

SHA1
efa7a31fe21ad5a93681638563fbf39e00ee4385

SHA256
8720a210cea59d3f03750acd748cd2745e1df22cc495bcc32edc236310d5a4a0

SHA512
2fc05d24badda80809678985082ef960cb019650d93b8bf9ac16f0c5050e82ab14470a7487d844dcc3b6724f8a479dfc9f777c71e24a25b630b65b211bab7c0a

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml
Filesize
555B

MD5
efc4597d2468d2525e29dffbf7d987ff

SHA1
c9563614a72089eb4e8ea771c33a5d4e4123a352

SHA256
001fe375f7a17e1b7ee7e03328ca683a5f5866d6d91fe0c901e71b30cfe27a8b

SHA512
963cc6da41982ce65bc7a9e5aca1c9e0233e907acf577e36d4e4857d61954f334a6661a2b4c2bd6c10a1fd4444c22eb40034585006bcc91557b01144aa877143

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml
Filesize
592B

MD5
e3580f7e2974c123e2bfe421357d39d4

SHA1
c4c9e3177f042819a2baa1380ecd59e7e90cb291

SHA256
8401083e9b190f9855f45e8c962e946049222c8ab01cdb0ef1efdc9742e40aaa

SHA512
bad3b788e76c1e7d037845f23b1d4c90be2a195b8cb9d8f0540618fe5eae7a9da542cb3fb0715a94c140cd5ef6e82fd4479ea75ee0ae05f83e779a5e16a307a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi
Filesize
8.2MB

MD5
1408829ee431dc9fecf4be83edf4c702

SHA1
ebe3b7e5e1e566d0ab0a6a0146c2aada8c5ae3fe

SHA256
d3583b29b04c974e7da9eb2e63e11327e962b0eef09c2577cb48d0ffa17921b7

SHA512
ef304922efff1e4263c0ca636cb2d98cfa30c67c6fb6ac9a5c0712c821a4f48634407e1bcd7afddb3bccfedacbc20c970b19934b42838ed6e0cff7cb9cd1efc7

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nahd6ha2.default\places.sqlite
Filesize
68KB

MD5
d57cd95de07d3b15eb5cf8baa80471af

SHA1
322c0e13f2022ab255a8d2a50c5835779b6ccc3e

SHA256
651efdc8961efbf6476e4cc4b3965a4da72690ebedda009fd800c6d936a67696

SHA512
2e98256a9e76ae384f88b83075a321f60cb13ee6f7e8cb93f1919103b82ba79a67b5eec8a7d3043fe26b377fae58545e82323813897c0e67adfacaa885d6f68e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-2024062838.675081675.backup
Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-2024062838.675081675.backup
Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui
Filesize
38B

MD5
5038c8444c7b08382049551f3892f94b

SHA1
987f0746aaed046698719777671691f959d14c81

SHA256
d4041e45b7a3844ee94db63d8c64c85fd241c3525745d348bf496317454c7749

SHA512
ff63299933e15abef3d45127265656ef6dfe87364fe53d482e831ab845eaeaa483fa8af3fab7904ab936e7a244a6721d23bef749fe24973365f6c4786ad78a3e

Download Submit
C:\Windows\Installer\MSIB834.tmp
Filesize
172KB

MD5
17d3de1fd7f7c6c3a6520d0fadea3e0e

SHA1
92587dfb70fcfc8db5aba782b414043ba24a5918

SHA256
fb28a17904096b3ee385d2fe1f033298519c0ebf69ced454b45fdad5247589c9

SHA512
1be8de8180e8a86735d8b3d97c808b85a6be545d9946b117b39c6e1c37124ac4ee6acf314d1982249b531fd24097d6a30a0b5228f0b30ccd66a5fdb4ed3e4f5a

Download Submit
C:\Windows\Installer\MSIB8E1.tmp
Filesize
189KB

MD5
84be3b020067fb25e77e72710291a70a

SHA1
792feeafa52d93e5ec6538794cd97df49666b7ea

SHA256
8591f02e50663689043d6dec34ade65cb24732914b73de5faa43e74ed5b6450c

SHA512
1eb0fe8f5501e623efcd033665132ee3859968aede5f496634ac107008eaa3964941d019a207c63e21c8b76f45bad718ca70c10ab81f8dccdf0fb89acfb9a0bc

Download Submit
C:\Windows\Installer\MSIBB1B.tmp
Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit