Analysis
-
max time kernel
142s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
03-05-2024 11:41
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
-
Size
5.5MB
-
MD5
d30ccf0a28e6fc788601e01f38fdc7db
-
SHA1
fef23c0535ab2b7ceb7c2bec4ecb6837a4f0189f
-
SHA256
15cbaa5e7c3db729ec2a4062aaed7f2d481efca5f5d875e4b3ef1d6483dbb0ab
-
SHA512
a2f7e989d2d6d715ab1ee1d52f50143413811a04fb33fef7e9a3c52cca0ae303d0e194a76246b379805bbf4f8c9257b17e5edf35de952fc8fa5ab609a22b2a0f
-
SSDEEP
98304:LUGUCECOmlvm/1ZVhPtQAkxyFUbt2aKGlx1zrda4RhHc61q1sBDQ4djloa183FNz:LUGUC1lviBeyFI2aKEJ4UZq1WJj+TFd
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
description ioc Process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Modifies registry class 18 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.itm 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.itm\ = "ImportTemplate" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE} 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\InProcServer32\ThreadingModel = "Both" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\ShellFolder\FolderValueFlags = "524288" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\InProcServer32\ = "%SystemRoot%\\SysWow64\\Windows.Storage.dll" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\ShellFolder 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe\",0" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\Open\Command 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\Open 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe\" \"%1\"" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\ = "Shell File System Folder" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\InProcServer32 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\ = "EMS Data Import Template File" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\DefaultIcon 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\ = "open" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
description pid Process Token: 33 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Token: SeIncBasePriorityPrivilege 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
pid Process 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:3468