Overview

overview

10

Static

static

10

2024-05-11...xz.exe

windows7-x64

9

2024-05-11...xz.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    144s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    11-05-2024 12:01

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-11_571c4af4cedef9b6d90dd0c125dc15ae_magniber_zxxz.exe

  • Size

    5.1MB

  • MD5

    571c4af4cedef9b6d90dd0c125dc15ae

  • SHA1

    9b93f2f375c70d7f65453a6c2a19ff02642b01e9

  • SHA256

    7109dad9bf6b84cd5f7726c0da2b14d874c406ba7b61615269e8c0c8d0993814

  • SHA512

    b96bd93d05d45e20665513ac8fe90f3a8eff2a1e9c350dd869b0c8fca99f0ba38e935db97f198f2bdf31dc9d8a7aab8147f48175bf785f3659f621e8e4a53a7c

  • SSDEEP

    98304:RQvO/XAnnXrv9qCUI48Kbnk48LRYJ5wk4r3z:R76nXrv9qCUI48W3O

Score
9/10
evasionexecutionupx

Malware Config

Signatures

  • Detects JavaScript files used for persistence and executable or script execution 1 IoCs
  • UPX dump on OEP (original entry point) 2 IoCs
  • Blocklisted process makes network request 2 IoCs
  • Identifies Wine through registry keys 2 TTPs 2 IoCs

    Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

    evasion
  • UPX packed file 2 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Looks up external IP address via web service 1 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Command and Scripting Interpreter: JavaScript 1 TTPs
    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 2 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Script User-Agent 1 IoCs

    Uses user-agent string associated with script host/environment.

  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of WriteProcessMemory 16 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-11_571c4af4cedef9b6d90dd0c125dc15ae_magniber_zxxz.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-11_571c4af4cedef9b6d90dd0c125dc15ae_magniber_zxxz.exe"
    1⤵
    • Identifies Wine through registry keys
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:620
    • C:\Windows\SysWOW64\mshta.exe
      "C:\Windows\System32\mshta.exe" "C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\index.hta?utorrent" "C:\Users\Admin\AppData\Local\Temp\2024-05-11_571c4af4cedef9b6d90dd0c125dc15ae_magniber_zxxz.exe" /LOG "C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\index.hta.log" /PID "620" /CID "fAb-hJ-GBzejuIJs" /VERSION "109946050" /BUCKET "0" /SSB "2" /COUNTRY "US" /OS "6.1" /BROWSERS "\"C:\Program Files\Mozilla Firefox\firefox.exe\",\"C:\Program Files\Google\Chrome\Application\chrome.exe\",C:\Program Files\Internet Explorer\iexplore.exe" /ARCHITECTURE "64" /LANG "en" /USERNAME "Admin" /SID "S-1-5-21-3691908287-3775019229-3534252667-1000" /CLIENT "utorrent"
      2⤵
      • Blocklisted process makes network request
      • Modifies Internet Explorer settings
      • Suspicious use of WriteProcessMemory
      PID:2660
      • C:\Windows\SysWOW64\cscript.exe
        "C:\Windows\System32\cscript.exe" "shell_scripts/check_if_cscript_is_working.js"
        3⤵
          PID:2764
        • C:\Windows\SysWOW64\PING.EXE
          "C:\Windows\System32\PING.EXE" 8.8.8.8 -n 2 -w 500
          3⤵
          • Runs ping.exe
          PID:352
        • C:\Windows\SysWOW64\cscript.exe
          "C:\Windows\System32\cscript.exe" shell_scripts/shell_ping_after_close.js "http://i-50.b-000.XYZ.bench.utorrent.com/e?i=50&e=eyJldmVudE5hbWUiOiJoeWRyYTEiLCJhY3Rpb24iOiJodGFiZWdpbiIsInBpZCI6IjYyMCIsImgiOiJmQWItaEotR0J6ZWp1SUpzIiwidiI6IjEwOTk0NjA1MCIsImIiOjQyMTc4LCJjbCI6InVUb3JyZW50Iiwib3NhIjoiNjQiLCJzbG5nIjoiZW4iLCJkYiI6IkludGVybmV0IEV4cGxvcmVyIiwiZGJ2IjoiMTEuMCIsImliciI6W3sibmFtZSI6IkZpcmVmb3giLCJ2ZXJzaW9uIjoiMTA1LjAiLCJleGVOYW1lIjoiZmlyZWZveCJ9LHsibmFtZSI6Ikdvb2dsZSBDaHJvbWUiLCJ2ZXJzaW9uIjoiMTA2LjAiLCJleGVOYW1lIjoiY2hyb21lIn0seyJuYW1lIjoiSW50ZXJuZXQgRXhwbG9yZXIiLCJ2ZXJzaW9uIjoiMTEuMCIsImV4ZU5hbWUiOiJpZXhwbG9yZSJ9XSwiaXAiOiIxOTEuMTAxLjIwOS4zOSIsImNuIjoiVW5pdGVkIEtpbmdkb20iLCJwYWNraWQiOiJsYXZhc29mdF9iaW5nIn0="
          3⤵
          • Blocklisted process makes network request
          PID:2004

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\i18n\en.json
      Filesize

      5KB

      MD5

      4417dbfa9fce94752a5a2dfdc823cb92

      SHA1

      12d2fd479d85b3f26c28351bbd0e44f06bc60597

      SHA256

      2381252b689d7ef2a8e1dcea6b7366c0436e70ff29e9b63f3ae34bcc5c60aaf5

      SHA512

      922c3e44db618cb2a77ad8ae6cceeaaecda3acf47034dcfe620cc5c352bededa6e4c983c74a05a797bcbed4f595d205f21829e3393b8994feb73f8179494a93c

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\images\loading.gif
      Filesize

      5KB

      MD5

      c910e2a5db424644aead18e1758c5efd

      SHA1

      fa58fc1a0c17db6c0eb573a0d548e544604114da

      SHA256

      00c62ed42795f996b5f963c69ce918c2623d72896ebb628dfd9bc800514900ce

      SHA512

      66d87ba337fc672f3f2fac50e2b32774b3a470b32fe5ba1a0e887bf74465e3db1375eca3cab91367bf88b2c6fbf0301e11d6f64c90dddc0c972fabeaefd37b7e

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\images\main_icon.png
      Filesize

      3KB

      MD5

      e29ae2c3347790175085244651c40d6a

      SHA1

      0b9a15b6791439b319496950b85ab82dc2e3e5ae

      SHA256

      639bccb6ed0fce165cc979a2949d211ec8f1570133d644bf042a5400c3454c21

      SHA512

      53287d741b18275ee35eb4c4392c452e25846748ccaf3954a57f017a6e844b25ec4a39438c6ed7b24128138b8d7239cfacf69112f9803ab9d2ee981ea97a9808

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\images\main_utorrent.ico
      Filesize

      104KB

      MD5

      44d122c9473107fc36412de81418c84a

      SHA1

      a0072c789a9cd50ba561683c69af8602927cf4a8

      SHA256

      7c7279daebd88f6a34246603db9c0ecf9bbfa35ef820edd3278e5bc53f9e7680

      SHA512

      b4294b80edc0566744dd98a5ab3e2ac64a4ce4851192d5610ee13f12dc24947f51b7d5b5629f7bff6004d74e5a2b728913cda1b3386cf878ab7fb365490d8067

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\index.hta
      Filesize

      522B

      MD5

      76903930c0ade2285f1ab1bf54be660d

      SHA1

      0fdd5990ca58cf6c49985ffd2075baa09cd728ce

      SHA256

      61acd6e7405fad348433f8de4b12ed97b42caccbcf28fe0e4ba4b4a5d2ea707e

      SHA512

      c66c7f9f488a0ac58fc1b7c6560edb4bc6df71a3504c2567ac54f4f89aee40a7073865e67e508baf4e055555bbc2f461d5b558a427ab6ac602b9fe0b1f9f8c71

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\install.1715428875.zip
      Filesize

      761KB

      MD5

      a65ca84bf2c878f87206ff596142b062

      SHA1

      8998ef455e40d8d1d0d903369ac832a7afd7fc1e

      SHA256

      68e37eed2e04830fce9f735d8a2ecebb19a651394f5d590581370ac5d7754d90

      SHA512

      bb87190b55a2192b0c3dfaecc26b5e144ffc021fe45e70baf48788ea687511cf53b5851d79b95b85841257293271e2eaab3cdc0ff0bea401127d9172e5d75ae2

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\scripts\common.js
      Filesize

      354KB

      MD5

      294704ab62d0810ce15a39d08c8b1bf4

      SHA1

      9eb74fbb3eb81e6312c94ec4e3e84792e1a0aa68

      SHA256

      f6332951011366de16da034680ca2eaf06d28171aa094ed42af649823b045bdd

      SHA512

      a622b8109a5b09961dd18761abeb701b3a2956967a8373e1ea3e4648a5a0d7427f37b7d0f0e3635aad452f43d0754d30ddeeac5def88a554ad655f174d60faff

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\scripts\initialize.js
      Filesize

      1005B

      MD5

      2a65c76b51a2c15eebeefa662d511af9

      SHA1

      3c5f93d39fdd573e43c7a451836d425bc1b07a5d

      SHA256

      31fc706ae4bd5093aecb6a0b7f9d3b686feb284076b1122aaff978779612dc06

      SHA512

      85b012dca5bbdbdd929de859ae41ed817c7f1e02eae70aaaf687f9ba381f696fa7751e3f2262d48c14f49c9090f106a6bb9652962d38bb7fab93214a2466e8ed

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\scripts\install.js
      Filesize

      6KB

      MD5

      ade3e833add95bf0f5f1619bf816d893

      SHA1

      48df3ae9a43c6d8783dab68ec423a9ff8ab25c04

      SHA256

      bbbf5859eb80eda10d42aee0557256d161768f1db7648f65a12444fc40fb8f1d

      SHA512

      8ed6005f9801ad5e7108ca698f65f7e31ecd842ca3fc9c1086f9cd247896b2ed59c8d5aaf62ad33e96e67837757814510ce058b5ce1cbdec461453799f9abf26

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\shell_scripts\check_if_cscript_is_working.js
      Filesize

      18B

      MD5

      401b092610275ba2a62376598bfd9c6b

      SHA1

      da1173bc19dd51759f06ac21237a1e8af19d96e7

      SHA256

      d1b9d32702d7d7a184ab4654c204e6d385a9499fde63e0b06bda60f8077a7862

      SHA512

      4a6b34a572864c8648ae1d3e2fe7b3ae2caada78cac726fafe4fe840afdeac1b53ea161ef27abe82ed6843e61bf853901a2d1bdf2ec255de0c395423d1b2e865

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\shell_scripts\shell_ping_after_close.js
      Filesize

      312B

      MD5

      3ba92505f8af34e948f97360767d4f8a

      SHA1

      997a36be9f9f5262195b24c8c99c0688086c80ee

      SHA256

      5e872715109b381c99aa19e2435628640505794e09a1998de7b92c2a5aea38e1

      SHA512

      b33d3519684e3b54e582e401c7144d4d3783ac44ee73e8d9ce2d92b2e0a091758d330d966ab7db19f7d22fe18335d3e8effc0961ff9d9c4ac147d0ec2c91e626

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\HTA\styles\common.css
      Filesize

      99KB

      MD5

      8a94d780401556cceabf35058bbd4b5a

      SHA1

      19ee91b1629f4ccf0fca1f664405a1eee9dacc5a

      SHA256

      086a7e44de35a235bc258bf1107e22a7dc27932cb4d7e3ebcd1f368acc000caa

      SHA512

      b02fdc9b46f6fa8424660f462bb290c60c0635ad5cb9fa1b386a55d85d4368d06ae5611d355f8dc0db76477c2e332b0501e70cbbba77c45aa027e1cac59ca182

      Download Submit
    • C:\Users\Admin\AppData\Local\Temp\HYD26D2.tmp.1715428875\index.hta.log
      Filesize

      57B

      MD5

      eddbaca5065a317eb1e4683776778f9f

      SHA1

      6337b5c70285cb8de5617177587107038c2d25ae

      SHA256

      00d134ca61e692ccdc91675e351eb8651355be22336c46736a52deeca8867221

      SHA512

      9e42c72d11dd30a9e1f82944ef880e119d5bd9d51717f57da18e13b91a91c592777a9d873f399f555e586c2e6fa24b94358fdf30c4dca9bf354e6ed858303af0

      Download Submit
    • memory/620-0-0x0000000000400000-0x0000000000921000-memory.dmp
      Filesize

      5.1MB

      Download
    • memory/620-106-0x0000000000400000-0x0000000000921000-memory.dmp
      Filesize

      5.1MB

      Download
    • memory/2660-75-0x00000000070C0000-0x00000000075E1000-memory.dmp
      Filesize

      5.1MB

      Download
    • memory/2660-107-0x00000000070C0000-0x00000000075E1000-memory.dmp
      Filesize

      5.1MB

      Download
    • memory/2660-108-0x00000000070C0000-0x00000000075E1000-memory.dmp
      Filesize

      5.1MB

      Download