Analysis
-
max time kernel
450s -
max time network
361s -
platform
windows7_x64 -
resource
win7-20240215-en -
resource tags
-
submitted
28-04-2024 05:10
General
-
Target
Magicmida.exe
-
Size
4.8MB
-
MD5
cbd33d0e1cace68f044d3f1b44bbba7b
-
SHA1
8a9c635d76cd59147c294bc8ad890d317f95ebcd
-
SHA256
b724e1d087d12cf6b9ada01bfa555a3047250546f3add75b1e9086c111633b9c
-
SHA512
cf614895009d93a8c8769bfb0691c78a7b1a23ce2729d6346fa19487b4bf598bdb6f3ed7da43a571137d8d09080ffdf1cfa171080941e28b34cb2450b296f35b
-
SSDEEP
98304:YXzhW148Pd+Tf1mpcOldJQ3/Vk0dRWRbbVcNbCyfioB:sFK4s0TfLOdo/pdR6w
Malware Config
Signatures
-
Modifies visiblity of hidden/system files in Explorer 2 TTPs 2 IoCs
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 6 IoCs
-
Checks BIOS information in registry 2 TTPs 12 IoCs
BIOS information is often read in order to detect sandboxing environments.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 6 IoCs
-
Themida packer 22 IoCs
Detects Themida, an advanced Windows software protection system.
-
Adds Run key to start application 2 TTPs 4 IoCs
-
Checks whether UAC is enabled 1 TTPs 6 IoCs
-
Drops file in System32 directory 2 IoCs
-
Suspicious use of NtSetInformationThreadHideFromDebugger 6 IoCs
-
Drops file in Windows directory 6 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Creates scheduled task(s) 1 TTPs 8 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 64 IoCs
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
-
Suspicious use of SetWindowsHookEx 24 IoCs
-
Suspicious use of WriteProcessMemory 60 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\Magicmida.exe"C:\Users\Admin\AppData\Local\Temp\Magicmida.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\users\admin\appdata\local\temp\magicmida.exec:\users\admin\appdata\local\temp\magicmida.exe2⤵
- Executes dropped EXE
- Drops file in Windows directory
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
-
C:\Windows\Resources\Themes\icsys.icn.exeC:\Windows\Resources\Themes\icsys.icn.exe2⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\themes\explorer.exec:\windows\resources\themes\explorer.exe3⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe SE4⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Drops file in Windows directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\svchost.exec:\windows\resources\svchost.exe5⤵
- Modifies visiblity of hidden/system files in Explorer
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Checks whether UAC is enabled
- Drops file in System32 directory
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
\??\c:\windows\resources\spoolsv.exec:\windows\resources\spoolsv.exe PR6⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Executes dropped EXE
- Checks whether UAC is enabled
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:12 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:13 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:14 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:15 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:16 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:17 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:18 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\SysWOW64\schtasks.exeschtasks /create /tn "svchost" /tr "c:\windows\resources\svchost.exe" /sc daily /st 05:19 /f6⤵
- Creates scheduled task(s)
-
C:\Windows\Explorer.exeC:\Windows\Explorer.exe4⤵
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Scheduled Task/Job
1Defense Evasion
Hide Artifacts
1Hidden Files and Directories
1Modify Registry
2Virtualization/Sandbox Evasion
1Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Windows\Resources\spoolsv.exeFilesize
2.6MB
MD5e6cd9dced5c6557632b78aee54bb134e
SHA1e17d1816400dc167fde9d49eddca26058a543f55
SHA256e5f97e1ce0fb47fe37010326441c0be17bbe28524119b2572c75ffe323c7a79d
SHA5121e5b06ac4a8f08af071197ebcfe690df6a1134bc5b361593c822b852e4c88dcc3b5475d9a5ead8fd64018826353f04c47fc2c61463f1d7d20f4b64d04c3ca5fc
-
\Users\Admin\AppData\Local\Temp\magicmida.exeFilesize
2.3MB
MD50da6bfd0202e990a086c05d1255b839b
SHA1d1fa6558b42cbb233439e7cd3a9f216f8e0ae6fb
SHA25653b60e285e98c837ec40abe19cb02fb647a5286623105cd5deccb5b32a604188
SHA5120c73d83ab531a47d94c44cc6d148704964fdad0587295327854148c3766246a4a1c56cda0ee33fa36b807db4cefea4534b09cd8a3aed55ce37fc10387bf521aa
-
\Windows\Resources\Themes\explorer.exeFilesize
2.6MB
MD52fbfe5883a3ed640121f5dede72e8120
SHA1b3ab4519623135b908ea1ca9b6de6aa9527b2a71
SHA2564cf8b43bb9e7e974db1ed0ead07bc04b6090aefaeed8d61a0871a1176614de54
SHA512b426231b99742b9892d721a0b6a8182528bd28a6af308eb63843eb192243f9feb9d244f9145124091d887dcf434b9f70d8a5ea5bf84621516b07634b36600b5a
-
\Windows\Resources\Themes\icsys.icn.exeFilesize
2.6MB
MD5bb720aa66d96ee76e6200aa0518b2367
SHA1fa6a7d1fe19aafe319a32ceb57db44f743e2af78
SHA2562a2cfbe23d2b7f32c43a5eee79f60915f44d1a0f833e2b2b62bd51301a52f0dc
SHA512dad6334d9f35ca4c08e268867822ed7d3b79f55b3677841aa94b6a3cbde7afa4b9af3ff30ba5ba3b796816e32fc7bf05e2eb807161b993ce47d8cc7fe221f053
-
\Windows\Resources\svchost.exeFilesize
2.6MB
MD5d8e6a4b3e21705825399eb80bd92d29e
SHA12a93a87b24e4982c6587621e47840a29b823d998
SHA256a1d0059e1a2fdf81233217ceb8ed6282c126b2ffbc38fa8f48fc8d4fe60432c6
SHA512d263ab28d4c9c6d51bcb769ee2ce4950371badb49ca81b1e8e21a8b4031421a965b83b1a6c6c63b1791dc376a3b13ea54ef7c447356f9f73b68dd4816bc72db1
-
memory/884-74-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/884-102-0x00000000012B0000-0x00000000014FD000-memory.dmpFilesize
2.3MB
-
memory/884-11-0x0000000000080000-0x0000000000081000-memory.dmpFilesize
4KB
-
memory/884-98-0x00000000012B0000-0x00000000014FD000-memory.dmpFilesize
2.3MB
-
memory/884-89-0x00000000012B0000-0x00000000014FD000-memory.dmpFilesize
2.3MB
-
memory/884-88-0x0000000004140000-0x0000000004142000-memory.dmpFilesize
8KB
-
memory/884-75-0x00000000012B0000-0x00000000014FD000-memory.dmpFilesize
2.3MB
-
memory/2240-16-0x0000000003380000-0x0000000003996000-memory.dmpFilesize
6.1MB
-
memory/2240-73-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2240-53-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2240-1-0x0000000077150000-0x0000000077152000-memory.dmpFilesize
8KB
-
memory/2240-0-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2548-17-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2548-27-0x00000000037D0000-0x0000000003DE6000-memory.dmpFilesize
6.1MB
-
memory/2548-71-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2568-62-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2568-68-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-78-0x0000000003750000-0x0000000003D66000-memory.dmpFilesize
6.1MB
-
memory/2680-93-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-76-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-106-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-29-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2680-40-0x0000000003750000-0x0000000003D66000-memory.dmpFilesize
6.1MB
-
memory/2736-52-0x0000000003830000-0x0000000003E46000-memory.dmpFilesize
6.1MB
-
memory/2736-69-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2736-41-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2800-77-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2800-54-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2800-84-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB
-
memory/2800-61-0x0000000003280000-0x0000000003896000-memory.dmpFilesize
6.1MB
-
memory/2800-126-0x0000000000400000-0x0000000000A16000-memory.dmpFilesize
6.1MB