0b7a0fb7708381c7a1e2053fa95db0e99dba1d67e65bb93b31bc65abe757ed2a

General

Target

2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe
Size

9.6MB
MD5

88521ad3a95adf93a09205a232d89777
SHA1

39a7856b276a146add65ff978fabe012b9cc620b
SHA256

0b7a0fb7708381c7a1e2053fa95db0e99dba1d67e65bb93b31bc65abe757ed2a
SHA512

2f59450d37cc916874806c7b215915978c975b482aee8e0d8e9b39a1a40fff69b5e6ea78c35d4f024ff6f4764539d6af120f076ce788f139e1362c14d30aaf95
SSDEEP

98304:Hbq0uT61rzExfby9vArtAhyZ0r8A/s5sa/11iy79/pB0ilQiqnwWvtovwfVM1DRx:HGghyZ0r7erv7qilYnDJuR9KaC

Score

9^/10

Malware Config

Signatures

UPX dump on OEP (original entry point) 9 IoCs

resource	yara_rule
behavioral2/memory/3084-23-0x00000000036F0000-0x00000000037D7000-memory.dmp	UPX
behavioral2/memory/3084-27-0x00000000036F0000-0x00000000037D7000-memory.dmp	UPX
behavioral2/memory/3084-25-0x00000000036F0000-0x00000000037D7000-memory.dmp	UPX
behavioral2/memory/3084-28-0x0000000004830000-0x0000000004A41000-memory.dmp	UPX
behavioral2/memory/3084-31-0x0000000004B50000-0x0000000004C3B000-memory.dmp	UPX
behavioral2/memory/3084-33-0x0000000005280000-0x00000000053F5000-memory.dmp	UPX
behavioral2/memory/3084-36-0x0000000004830000-0x0000000004A41000-memory.dmp	UPX
behavioral2/memory/3084-38-0x00000000036F0000-0x00000000037D7000-memory.dmp	UPX
behavioral2/memory/3084-39-0x0000000004830000-0x0000000004A41000-memory.dmp	UPX

Adds policy Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	f3Kb25.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\f3Kb25 = "C:\\ProgramData\\cande\\{udwZWx70K8U79}\\f3Kb25.exe"	f3Kb25.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe

Executes dropped EXE 1 IoCs

pid	Process
3084	f3Kb25.exe

Loads dropped DLL 3 IoCs

pid	Process
3084	f3Kb25.exe
3084	f3Kb25.exe
3084	f3Kb25.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
3084	f3Kb25.exe
3084	f3Kb25.exe
3084	f3Kb25.exe
3084	f3Kb25.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3084	f3Kb25.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
956	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe
2960	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe
3084	f3Kb25.exe
3084	f3Kb25.exe
3084	f3Kb25.exe
3084	f3Kb25.exe
3084	f3Kb25.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 956 wrote to memory of 2960	956	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe	85
PID 956 wrote to memory of 2960	956	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe	85
PID 956 wrote to memory of 2960	956	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe	85
PID 2960 wrote to memory of 3084	2960	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe	98
PID 2960 wrote to memory of 3084	2960	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe	98
PID 2960 wrote to memory of 3084	2960	2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe	98

C:\Users\Admin\AppData\Local\Temp\2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe"
1⤵
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:956
- C:\Users\Admin\AppData\Local\Temp\2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe
  C:\Users\Admin\AppData\Local\Temp\2024-05-21_88521ad3a95adf93a09205a232d89777_magniber.exe 410238025E02520270026D026502700263026F0246026302760263025E02610263026C02660267025E027902770266027502580255027A023502320249023A02570235023B027F025E02640231024902600230023702--365
  2⤵
  - Checks computer location settings
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2960
- - C:\ProgramData\cande\{udwZWx70K8U79}\f3Kb25.exe
    "C:\ProgramData\cande\{udwZWx70K8U79}\f3Kb25.exe"
    3⤵
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    PID:3084

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\cande\{udwZWx70K8U79}\crt.dll

Filesize
5.6MB

MD5
7d24bd09e376141b1eb9bdc1f9ed1085

SHA1
6e2261ee3f0bac3de2bc75466a0ad6c43a5fc3d5

SHA256
959a77aac81758c1576e5709bd653b32c24cf5a8b39f91eb4c051281acadda11

SHA512
a4c12ed5ccf8a30cbb096e8062ebb4b666af8f68e433c422de11102790371fc373e6c35cbb8d4aff921891a716c61ba85547012d60816bfa32fd90e2cac65a71

Download Submit
C:\ProgramData\cande\{udwZWx70K8U79}\f3Kb25.exe

Filesize
765KB

MD5
6cb7404b404cb74710553d9028bbe4bd

SHA1
b36f7f2a25fa91bb71eb1780fd03b9fe99dcfa67

SHA256
6bc5f4901e0fe9ee9df17272a12b051e3bb6184183318509c951d80d2dc1b7d8

SHA512
5c0709f59f06ef927e1b2232fee192d37639ee64eb563def51300689b8e3ac6406c7a1dd2d75cae2291e3e4db89e2885b4730fa48c2d33e43edb6a689a2df1d5

Download Submit
C:\ProgramData\cande\{udwZWx70K8U79}\f3Kb25.txt

Filesize
635B

MD5
4dcf44d789ddc1e1d213133ec253f1a2

SHA1
70c3d306b99836d3e04715233b1382a4eeb5ec36

SHA256
23ac1cd7ad1a3221cdfd036a86fb72674369c67509901890249a52dee22d2ab0

SHA512
ea442ebe116962a14f6b2c24ea5573fbfbd293959bbb826447b31a31fbc8a2b71046e8aed58f70d6cb0b453396f912460bdfc7351b87bfb9941aca46771c6801

Download Submit
C:\ProgramData\cande\{udwZWx70K8U79}\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\ProgramData\cande\{udwZWx70K8U79}\msvcr100.dll

Filesize
752KB

MD5
67ec459e42d3081dd8fd34356f7cafc1

SHA1
1738050616169d5b17b5adac3ff0370b8c642734

SHA256
1221a09484964a6f38af5e34ee292b9afefccb3dc6e55435fd3aaf7c235d9067

SHA512
9ed1c106df217e0b4e4fbd1f4275486ceba1d8a225d6c7e47b854b0b5e6158135b81be926f51db0ad5c624f9bd1d09282332cf064680dc9f7d287073b9686d33

Download Submit
memory/3084-27-0x00000000036F0000-0x00000000037D7000-memory.dmp

Filesize
924KB

Download
memory/3084-31-0x0000000004B50000-0x0000000004C3B000-memory.dmp

Filesize
940KB

Download
memory/3084-26-0x0000000002FF0000-0x0000000002FF1000-memory.dmp

Filesize
4KB

Download
memory/3084-22-0x0000000001370000-0x0000000001371000-memory.dmp

Filesize
4KB

Download
memory/3084-21-0x0000000001380000-0x0000000001381000-memory.dmp

Filesize
4KB

Download
memory/3084-25-0x00000000036F0000-0x00000000037D7000-memory.dmp

Filesize
924KB

Download
memory/3084-28-0x0000000004830000-0x0000000004A41000-memory.dmp

Filesize
2.1MB

Download
memory/3084-23-0x00000000036F0000-0x00000000037D7000-memory.dmp

Filesize
924KB

Download
memory/3084-33-0x0000000005280000-0x00000000053F5000-memory.dmp

Filesize
1.5MB

Download
memory/3084-35-0x0000000002FE0000-0x0000000002FE1000-memory.dmp

Filesize
4KB

Download
memory/3084-36-0x0000000004830000-0x0000000004A41000-memory.dmp

Filesize
2.1MB

Download
memory/3084-37-0x0000000004F50000-0x0000000004FA2000-memory.dmp

Filesize
328KB

Download
memory/3084-38-0x00000000036F0000-0x00000000037D7000-memory.dmp

Filesize
924KB

Download
memory/3084-39-0x0000000004830000-0x0000000004A41000-memory.dmp

Filesize
2.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads