12b67d235de5bfd0c1f958229210743af02e19e09a6df9f52fb5e178602856c7

Analysis

max time kernel
159s
max time network
168s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
09/05/2024, 04:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Size

8.6MB
MD5

7bde7e7db7a164071a0eb435f463fe1a
SHA1

85f0d4b62868a3ea30d3e426f6f3bf805a455fcc
SHA256

12b67d235de5bfd0c1f958229210743af02e19e09a6df9f52fb5e178602856c7
SHA512

e192b6d842eabfacd91279a5781632003fa6e7807c9b054a596499e178366388de9e24d7694b94c17a3e264673ad5991173c209c2a1be7ba11abef1567c571dd
SSDEEP

98304:37cMZuyxXKNgR7YjTMbk+ust6tXHJwWkHmPh7gCNq7N2/wK0pmsCWrqufezvk/sz:ogK+lYMIstaiOgC8KVWrqufezvP

Score

6^/10

Malware Config

Signatures

Blocklisted process makes network request 2 IoCs

flow	pid	Process
63	3248	msiexec.exe
64	3248	msiexec.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\R:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\W:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\G:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\H:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\L:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\I:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\B:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\J:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\K:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\M:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\P:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\V:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\N:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\O:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\S:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\T:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\Y:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\Q:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\U:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\Z:	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File created	C:\Windows\Installer\e5a510f.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\e5a510f.msi	msiexec.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe

Suspicious use of AdjustPrivilegeToken 34 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeIncreaseQuotaPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeSecurityPrivilege	3248	msiexec.exe
Token: SeCreateTokenPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeLockMemoryPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeIncreaseQuotaPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeMachineAccountPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeTcbPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeSecurityPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeTakeOwnershipPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeLoadDriverPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeSystemProfilePrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeSystemtimePrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeProfSingleProcessPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeIncBasePriorityPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeCreatePagefilePrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeCreatePermanentPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeBackupPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeRestorePrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeShutdownPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeDebugPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeAuditPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeSystemEnvironmentPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeChangeNotifyPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeRemoteShutdownPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeUndockPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeSyncAgentPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeEnableDelegationPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeManageVolumePrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeImpersonatePrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeCreateGlobalPrivilege	4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
Token: SeRestorePrivilege	3248	msiexec.exe
Token: SeTakeOwnershipPrivilege	3248	msiexec.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4984	2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-09_7bde7e7db7a164071a0eb435f463fe1a_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4984

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1408 --field-trial-handle=2744,i,16362475727591565961,3676688664819797550,262144 --variations-seed-version /prefetch:8
1⤵
PID:2196

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Blocklisted process makes network request
- Enumerates connected drives
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:3248

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501

Filesize
1KB

MD5
e3518d7ef0f909aecbc1948462216b69

SHA1
4e1b64f253aa7596022fc0bbb1543da9d77a681f

SHA256
e1f1c2397b7082ba26243a42b6ed54847f2257ce9470a8d319690d8edfbf6838

SHA512
e3fb8bd4229887972d308665f5d038dd78027406290beaf58eb53d22b7c23f3f1a398dbf643290569cbcfab045acef591c2dcb07cf5f7119d5dfdef80008d5a3

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2

Filesize
1KB

MD5
9b37de7feb7cced2dbd7943247af84ff

SHA1
9f322014df78a0fd23a63d068d517b18a363dac7

SHA256
d51b93dc53d749e9ccf8262ae76c04a0b2edba8d5a9d07a6e17dc265ac457f7a

SHA512
de61bbf832837cb3af15980ff812e862b91cc3c012b4b92b84c4072277f5074b3f79732ad86b0f4643708c7503054e8c892a2c8699a1fd797681c652c3359977

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4

Filesize
1KB

MD5
ccd2edb9813db029375b704238f737ed

SHA1
cbb089193ccacf5a56a03486ae4ff91eb4cf80e5

SHA256
c3e47535225664555cfbaa115f50a5b85503bf7a852181087811dc4e8cf48993

SHA512
55ad01c141d8684d78b1ceb11ad69f4abaf413653ddf19cca2f7ab25c973359bde7a1612dfcecd8feb790b1a9672373f6515883e17d4cfc3178e2f522800b996

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B0B1E3C3B1330A269DBEE4BA6313E7B4

Filesize
1KB

MD5
2ffbdb98df2a2b022a48adeb94a3af50

SHA1
6c86923b5c5832bb102f041cb7d38db397074f12

SHA256
dd12c5733bc4b682e1da6353c8c27650f53d11a8ada8fd8a2d06f23cecae5ebd

SHA512
a5f29661ac78ea205dd945fcc53e015152277426af4bcce688231ca1a564dc49144b2953409651737733fec72e9042468c780917543c007d7de74ed44058dbfb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\0DA515F703BB9B49479E8697ADB0B955_A026C9CD7BA14377D055F4A2325D4501

Filesize
508B

MD5
6f28c29738e2c41976c0a6f1bfc13cba

SHA1
97a28d6f68a39cc15a49eb4832624a9bedacf8be

SHA256
c46d819fbc69bdf579fd3f10263c340e7b2421ef2b3ee0f81dbcd149163cc221

SHA512
d70c39b400cc41f2dccfff219c84eec222f5e1220002943430427ce3f0f0edf00a74816d1a69d9b51f0c2de88b280c76317c96b61ecf415e7792dc89474993e8

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\769F85394FB15C375FF89A7488274D5B_22252D7CC6CD0EA80FCE3FF30A53AFB2

Filesize
522B

MD5
7739a1c34352c49fbd4b3370b8e5ecbd

SHA1
1b28727e7e7c58179651a565096fd3670a7f3192

SHA256
ff003e31ce293e9ab3615fbe071ca22cfd8e396d81340e71b21928f6badfd4e2

SHA512
1b308750763327b08d660782279bcc8e01e696c677b10beb4d25c93b5fd05a816eb4e675c3580d5b7af299e7e41f41bd2a543abd5069153b54a85f3728c66c1c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B039FEA45CB4CC4BBACFC013C7C55604_4BB72A60CF9C652B353353202101C0E4

Filesize
502B

MD5
2e825b3b3f48860dde1c6471bd0d9fae

SHA1
8400a45153c4a2dcdd0e018e408aa8484da99d99

SHA256
07352c69b0ce90fa81fdc14225b39c1cc9987854fa166d1a12c4243e96894df8

SHA512
08b097b620ef810aa0d1ec9badfeca30dfb9f727508586df763acf9f7b3b63bcf7cd6136460112f862a00d5290833b09bca8a46328b37636c5ce61c24a4a6ca0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B0B1E3C3B1330A269DBEE4BA6313E7B4

Filesize
208B

MD5
ecab2813bcb9ecaea7e6b1f790b3fa3a

SHA1
d3151bf39d41d807b0d47229a71414de746166d0

SHA256
d1ae6029bd408ad1d193f4cf5cc2236cdc8987b440acae0e7105bdfc3d253a46

SHA512
f6e53d4172a58e3c11ddadec5ed440c8d4e65159942300f94d6f11fb9bd9ff05c3d9fe964805eb5df8a22a51a4dc2b6f8dba564e9de4e32d4757c241e39cdb1f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\DDA81A73291E20E6ACF6CACA76D5C942_4EA93225B46C4B45501FF0DDE9E306D0

Filesize
440B

MD5
62a5f8940f1cb5b8dc1f9d43d8b53550

SHA1
3b444a4df1b60ff5e81b5512069c752c7d8a3536

SHA256
a18ceba645ebdda6035e965138af3b699647c1303d7af7a703fa8a5469110d37

SHA512
dd80343151a01968d7acc2d186ac3ed0e9c77d5ff17ded09f281e4260c0874f0e3490693041c4576836ff01e9e31b32b47b5dc6fbcaf72ef577a873827fedefc

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
35KB

MD5
c098def3299348122a6ba8d6d72483e4

SHA1
718f5ca777ffab68aaa4985d4e3a64d8397a9bd6

SHA256
59114835d79e2771455d989ab4f38bbf9a3116f88a3c92f5308abdc876989ac5

SHA512
e14a7270b51772a33f8183a9218ba73d851d0ff17ad1d9c1f67ab4a054c37a05a69f68b44acba045ac8cc76ac41fffaf2a23426d54ce63bf9a4a42c0cd3ec9d9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
8.3MB

MD5
61487350b4226df24c23621a49daeb7b

SHA1
38600663e835772dec524a4ee977a5e1170b1be2

SHA256
a5151614ed9a058615b1fc155694c608193dd7d55b106ec639b6f4d4a9658038

SHA512
e5a3872e19a021be66355f591ddef6985633940b32c5718896f60cfb128d7603cf2cb7e2d864323008cb8ce71e212307108d3be9304b20cace60940231966387

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
1.9MB

MD5
3e608d101fae0272ee65fe4cc17a6c7c

SHA1
35bb0c1568185d575059bddb31c776e8aeb46829

SHA256
cba8c8830134e12a95020d3e22402073da9fc0e7873510dfbcdabd896259ca97

SHA512
c05388306678068d571f388ce91954be4b59c93fb30bfd1c89c1ab2994765d9aec2f6450cea163254203420ff104a7f1c8dc919a765e3d10ee3276aefba9cd79

Download Submit