Analysis

  • max time kernel: 118s
  • max time network: 118s
  • platform: windows7_x64
  • resource: win7-20240419-en
  • resource tags: arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted: 07/05/2024, 10:39

General

  • Target: 2024-05-07_32d871eaf10e0bc7326371188a74bda8_darpapox_magniber_nymaim.exe
  • Size: 2.6MB
  • MD5: 32d871eaf10e0bc7326371188a74bda8
  • SHA1: 36cd16c692b34f4609f069095568737db5051e30
  • SHA256: 2d7389d3f60f3bdc24e53f109a99a3613700c0cced44919b86ddc27f1f555c3b
  • SHA512: d128d27dfeb8b49ea83cfc4924f3c56d3201881a4d11ddb4e7a9b10e9c8ef62a2bb2c9fc1ef66a3ad5a6e94b637cf3f61921e91ac7bfa97639f1c863aa4fefb8
  • SSDEEP: 49152:S5D2WHPT4KKcBTK8JB4byqeBbTChxKCnFnQXBbrtgb/iQvu0UHOaYmLj:mBfSgB4yB6hxvWbrtUTrUHO2X

Score
7/10

Signatures

  • Executes dropped EXE (6 IoCs)
  • Loads dropped DLL (11 IoCs)
  • Adds Run key to start application (2 TTPs, 1 IoCs)
  • Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
    Bootkits write to the MBR to gain persistence at a level below the operating system.
  • Drops file in System32 directory (2 IoCs)
  • Enumerates physical storage devices (1 TTPs)
    Attempts to interact with connected storage/optical drive(s).
  • Suspicious behavior: EnumeratesProcesses (12 IoCs)
  • Suspicious use of WriteProcessMemory (58 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-07_32d871eaf10e0bc7326371188a74bda8_darpapox_magniber_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-07_32d871eaf10e0bc7326371188a74bda8_darpapox_magniber_nymaim.exe"
    1⤵
    • Suspicious use of WriteProcessMemory
    PID:1800
    • C:\Windows\SysWOW64\explorer.exe
      explorer.exe
      2⤵
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2104
      • C:\Users\Admin\AppData\Local\Temp\@AE167D.tmp.exe
        "C:\Users\Admin\AppData\Local\Temp\@AE167D.tmp.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:548
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin0.bat" "
          4⤵
          • Loads dropped DLL
          • Suspicious use of WriteProcessMemory
          PID:352
          • C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe
            "C:\Users\Admin\AppData\Roaming\Microsoft\Messenger\Extension\WdExt.exe"
            5⤵
            • Executes dropped EXE
            • Loads dropped DLL
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of WriteProcessMemory
            PID:2148
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
              6⤵
              • Loads dropped DLL
              • Suspicious use of WriteProcessMemory
              PID:1596
              • C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe
                "C:\Users\Admin\AppData\Roaming\Microsoft\Defender\launch.exe" /i 2148
                7⤵
                • Executes dropped EXE
                • Adds Run key to start application
                • Suspicious behavior: EnumeratesProcesses
                • Suspicious use of WriteProcessMemory
                PID:2028
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin2.bat" "
                  8⤵
                  • Loads dropped DLL
                  • Suspicious use of WriteProcessMemory
                  PID:1604
                  • C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                    "C:\Users\Admin\AppData\Local\Temp\wtmps.exe"
                    9⤵
                    • Executes dropped EXE
                    • Drops file in System32 directory
                    • Suspicious use of WriteProcessMemory
                    PID:900
                    • C:\Windows\SysWOW64\mscaps.exe
                      "C:\Windows\system32\mscaps.exe" /C:\Users\Admin\AppData\Local\Temp\wtmps.exe
                      10⤵
                      • Executes dropped EXE
                      PID:2260
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Roaming\Temp\Admin1.bat" "
          4⤵
          PID:1028
        • C:\Users\Admin\AppData\Local\Temp\2024-05-07_32d871eaf10e0bc7326371188a74bda8_darpapox_magniber_nymaim.exe
          "C:\Users\Admin\AppData\Local\Temp\2024-05-07_32d871eaf10e0bc7326371188a74bda8_darpapox_magniber_nymaim.exe"
          3⤵
          • Executes dropped EXE
          • Writes to the Master Boot Record (MBR)
          PID:2896


          Downloads
