Analysis
-
max time kernel
142s -
max time network
109s -
platform
windows10-2004_x64 -
resource
win10v2004-20240419-en -
resource tags
arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system -
submitted
03-05-2024 11:41
Static task
static1
Behavioral task
behavioral1
Sample
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
Resource
win10v2004-20240419-en
General
-
Target
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
-
Size
5.5MB
-
MD5
d30ccf0a28e6fc788601e01f38fdc7db
-
SHA1
fef23c0535ab2b7ceb7c2bec4ecb6837a4f0189f
-
SHA256
15cbaa5e7c3db729ec2a4062aaed7f2d481efca5f5d875e4b3ef1d6483dbb0ab
-
SHA512
a2f7e989d2d6d715ab1ee1d52f50143413811a04fb33fef7e9a3c52cca0ae303d0e194a76246b379805bbf4f8c9257b17e5edf35de952fc8fa5ab609a22b2a0f
-
SSDEEP
98304:LUGUCECOmlvm/1ZVhPtQAkxyFUbt2aKGlx1zrda4RhHc61q1sBDQ4djloa183FNz:LUGUC1lviBeyFI2aKEJ4UZq1WJj+TFd
Malware Config
Signatures
-
Banload
Banload variants download malicious files, then install and execute the files.
-
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
Processes:
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exedescription ioc process Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Checks BIOS information in registry 2 TTPs 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes:
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exedescription ioc process Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Modifies registry class 18 IoCs
Processes:
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exedescription ioc process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\.itm 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\.itm\ = "ImportTemplate" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE} 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\InProcServer32\ThreadingModel = "Both" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (int) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\ShellFolder\FolderValueFlags = "524288" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\InProcServer32\ = "%SystemRoot%\\SysWow64\\Windows.Storage.dll" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\ShellFolder 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\DefaultIcon\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe\",0" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\Open\Command 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\Open 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\Open\Command\ = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe\" \"%1\"" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\ = "Shell File System Folder" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4F2A2244-1058-F8D0-3924-57B94745DFEE}\InProcServer32 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\ = "EMS Data Import Template File" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\DefaultIcon 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\ImportTemplate\shell\ = "open" 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Suspicious use of AdjustPrivilegeToken 2 IoCs
Processes:
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exedescription pid process Token: 33 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe Token: SeIncBasePriorityPrivilege 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe -
Suspicious use of SetWindowsHookEx 6 IoCs
Processes:
2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exepid process 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe 3468 2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-05-03_d30ccf0a28e6fc788601e01f38fdc7db_magniber.exe"1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Replay Monitor
Loading Replay Monitor...
Downloads
-
memory/3468-7-0x0000000003550000-0x000000000375C000-memory.dmpFilesize
2.0MB
-
memory/3468-1-0x0000000003550000-0x000000000375C000-memory.dmpFilesize
2.0MB
-
memory/3468-8-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-11-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-12-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-14-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-16-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-17-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-19-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-20-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-18-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-23-0x0000000003F10000-0x0000000003F4C000-memory.dmpFilesize
240KB
-
memory/3468-22-0x0000000003F10000-0x0000000003F4C000-memory.dmpFilesize
240KB
-
memory/3468-21-0x0000000003550000-0x000000000375C000-memory.dmpFilesize
2.0MB
-
memory/3468-28-0x0000000003FA0000-0x000000000401F000-memory.dmpFilesize
508KB
-
memory/3468-29-0x0000000003FA0000-0x000000000401F000-memory.dmpFilesize
508KB
-
memory/3468-35-0x0000000004180000-0x00000000041A5000-memory.dmpFilesize
148KB
-
memory/3468-34-0x0000000004180000-0x00000000041A5000-memory.dmpFilesize
148KB
-
memory/3468-40-0x0000000003550000-0x000000000375C000-memory.dmpFilesize
2.0MB
-
memory/3468-43-0x00000000043A0000-0x00000000043AF000-memory.dmpFilesize
60KB
-
memory/3468-45-0x0000000000400000-0x00000000011C2000-memory.dmpFilesize
13.8MB
-
memory/3468-47-0x0000000003550000-0x000000000375C000-memory.dmpFilesize
2.0MB