Analysis

  • max time kernel
    122s
  • max time network
    123s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64  arch:x86  image:win7-20240508-en  locale:en-us  os:windows7-x64  system
  • submitted
    23-05-2024 00:30

General

  • Target

    2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe

  • Size

    26.3MB

  • MD5

    39a694e4de1e9f828e5ac37badb7d7c6

  • SHA1

    82a9c35c2ea8975f158ad77cca50834dda8cefa3

  • SHA256

    0314f637928f25aee967d5bc9bc9f240b83399e3d8cba41d6b11a03582620091

  • SHA512

    e6c55a8d0f789ce546339ca737063a06972656661ff2c5b5575cdc7f13005156bedc3f6231acbeb27bee0d0bc21fd20419320b1f073561a9169fdb2605d46b28

  • SSDEEP

    786432:9RtgTLKoyCeXJ+Sxr4xONXWoM5qEE2aO/Nmrvd:xgTd4EEI/NGl

Score
10/10

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Gathers network information 2 TTPs 1 IoCs

    Uses commandline utility to view network configuration.

  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe"
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1576
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2148
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:2340
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\OtyPf.xml
      2⤵
      PID:2260
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\0iGW6.bat"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2948
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2940
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2512
      • C:\Windows\system32\reg.exe
        reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
        3⤵
        • UAC bypass
        PID:2708
    • C:\Windows\System32\cmd.exe
      "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KP01w\HqhLA~z1\p+C:\Users\Public\Pictures\KP01w\HqhLA~z1\w C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll
      2⤵
      PID:2268
  • C:\Windows\system32\mmc.exe
    C:\Windows\system32\mmc.exe -Embedding
    1⤵
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2704
    • C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe
      "C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      PID:2500
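The process tree above is a compact chain worth turning into hunt logic: a batch file in AppData drives three reg.exe writes that zero EnableLUA, ConsentPromptBehaviorAdmin and PromptOnSecureDesktop under Policies\System; netsh.exe imports a script (-f) from C:\Users\Public; cmd.exe rebuilds libssl-1_1.dll with copy /b from two extension-less pieces; and a separate mmc.exe root started with -Embedding (the switch COM passes to an out-of-process server on activation) launches bbservice.exe from C:\Users\Public. The following Python is an added example, not the sandbox's own detection logic. The ProcEvent field names are an assumption loosely modelled on Sysmon Event ID 1 (ProcessCreate), the rule names are mine, and the sample events are constructed from the command lines in the tree rather than captured telemetry.

```python
"""Hunt rules for the behaviour chain in the process tree above (added example,
not the sandbox's own logic; event fields are an assumption loosely modelled on
Sysmon Event ID 1 ProcessCreate)."""
import re
from dataclasses import dataclass

# Registry key and values the sample's batch file sets to 0 (from the report).
UAC_KEY = r"software\microsoft\windows\currentversion\policies\system"
UAC_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}
# Directories a standard user can write to; every dropped payload in the report lives here.
USER_WRITABLE = ("c:\\users\\public\\", "\\appdata\\")

@dataclass
class ProcEvent:
    pid: int
    image: str
    cmdline: str
    parent_image: str
    parent_cmdline: str = ""

def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()

def _in_user_writable(path: str) -> bool:
    return any(marker in path.lower() for marker in USER_WRITABLE)

def detect_uac_policy_tamper(ev: ProcEvent):
    """reg.exe writing 0 to EnableLUA / ConsentPromptBehaviorAdmin / PromptOnSecureDesktop."""
    if _basename(ev.image) != "reg.exe":
        return None
    m = re.search(r'reg\s+add\s+"?(hk\S*?)"?\s+/v\s+(\S+)\s+.*?/d\s+(\d+)', ev.cmdline, re.I)
    if not m:
        return None
    key, value, data = m.group(1).lower(), m.group(2).lower(), m.group(3)
    if key.endswith(UAC_KEY) and value in UAC_VALUES and data == "0":
        return f"uac_policy_tamper:{value}"
    return None

def detect_copy_b_assembly(ev: ProcEvent):
    """cmd.exe 'copy /b a+b target.dll': a PE delivered as extension-less pieces."""
    if _basename(ev.image) != "cmd.exe":
        return None
    m = re.search(r"copy\s+/b\s+(\S+)\s+(\S+)", ev.cmdline, re.I)
    if not m:
        return None
    parts, dest = m.group(1).split("+"), m.group(2)
    if len(parts) >= 2 and dest.lower().endswith((".dll", ".exe")):
        return f"copy_b_assembly:{_basename(dest)}<-{len(parts)} parts"
    return None

def detect_netsh_script_import(ev: ProcEvent):
    """netsh.exe -f <script> with the script in a user-writable directory."""
    if _basename(ev.image) != "netsh.exe":
        return None
    m = re.search(r"\s-f\s+(\S+)", ev.cmdline, re.I)
    if m and _in_user_writable(m.group(1)):
        return f"netsh_script_import:{m.group(1)}"
    return None

def detect_mmc_embedding_child(ev: ProcEvent):
    """mmc.exe started by COM activation (-Embedding) spawning a binary from a user-writable path."""
    if _basename(ev.parent_image) != "mmc.exe" or "-embedding" not in ev.parent_cmdline.lower():
        return None
    if _in_user_writable(ev.image):
        return f"mmc_embedding_child:{_basename(ev.image)}"
    return None

RULES = (detect_uac_policy_tamper, detect_copy_b_assembly,
         detect_netsh_script_import, detect_mmc_embedding_child)

def hunt(events):
    """Return (pid, finding) pairs for every event that trips a rule."""
    return [(ev.pid, hit) for ev in events for rule in RULES if (hit := rule(ev))]

# Constructed from the command lines in the process tree above; not captured telemetry.
DROPPER = r"C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe"
PAYLOAD_DIR = r"C:\Users\Public\Pictures\KP01w\HqhLA~z1"
REG_CMD = (r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"
           r" /v {} /t reg_dword /d 0 /F")
SAMPLE_EVENTS = [
    ProcEvent(2340, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all", r"C:\Windows\system32\cmd.exe"),
    ProcEvent(2260, r"C:\Windows\System32\netsh.exe",
              r'"C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\OtyPf.xml', DROPPER),
    *[ProcEvent(pid, r"C:\Windows\system32\reg.exe", REG_CMD.format(val), r"C:\Windows\System32\cmd.exe")
      for pid, val in ((2940, "ConsentPromptBehaviorAdmin"), (2512, "EnableLUA"), (2708, "PromptOnSecureDesktop"))],
    ProcEvent(2268, r"C:\Windows\System32\cmd.exe",
              rf'"C:\Windows\System32\cmd.exe" /c copy /b {PAYLOAD_DIR}\p+{PAYLOAD_DIR}\w {PAYLOAD_DIR}\libssl-1_1.dll',
              DROPPER),
    ProcEvent(2500, rf"{PAYLOAD_DIR}\bbservice.exe", rf'"{PAYLOAD_DIR}\bbservice.exe"',
              r"C:\Windows\system32\mmc.exe", r"C:\Windows\system32\mmc.exe -Embedding"),
]

if __name__ == "__main__":
    for pid, finding in hunt(SAMPLE_EVENTS):
        print(pid, finding)
```

The ipconfig event is included as a deliberate negative: on its own it is routine administration and should not alert, which is why the rules key on the registry values, the rebuilt DLL and the parent/child relationship rather than on process names alone. The UAC rule only fires on data 0; a write of 1 to the same values is a hardening change and is left alone.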

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Roaming\0iGW6.bat

        Filesize

        392B

        MD5

        30d6eb22d6aeec10347239b17b023bf4

        SHA1

        e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

        SHA256

        659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

        SHA512

        500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\NH.txt

        Filesize

        173KB

        MD5

        3bb486bb9eed06ff50eb5170f667f0cc

        SHA1

        a7d968c3465cd3c5a3619fd28ad72e1ac0d0034f

        SHA256

        6fcff0d141f2688be8d6b13fac3a99c109c39ac51003855ca761e3c240e686c5

        SHA512

        dd39be0a34e918834971bd5fc876eb2c2fc8aacf9f17e9898996ff637e49d5c2e89f2fbdead973675ddf853555f093e5b2af0ea788ca892e6b192d74c2551118

      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe

        Filesize

        1.2MB

        MD5

        c60a22a37adc0d2be83d809e4aac166a

        SHA1

        f3531db8df1fac74c13e539c620beff7fc62b699

        SHA256

        808fd639a968290a46c475724746e0915a9c3ec96a20e20b771d447819d1c268

        SHA512

        56b0427bb357535e6dad314be1d8864432b77d58cbabccf12a035056e86bfdcedbf713a337543332c83d4fbf5092901b8ad3db91f5758c7aae689b824baabbf6

      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\libcrypto-1_1.dll

        Filesize

        3.0MB

        MD5

        7e7b8c426d4dc9156d1285f904cb41e6

        SHA1

        1a1ff5277a130843b8f3ae2b17c88277f1e4dd07

        SHA256

        dc7ed605c919c529b19f55f447054d5bb89b25b7ac9633c6cc8d052f2e25687d

        SHA512

        fe5567d9d33c1c3c4748a7f6bd5b9c4fe872a10de9d31f5fee8f2ed0c750ffe069c96344f00890aba936344308d5f2afa65bc61d21fec40fe0ae105360cb190b

      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll

        Filesize

        2.0MB

        MD5

        0db9fb77a276f561c3efa1a5b9eea753

        SHA1

        1c520dae2c8beb2aa87a38d6568ffe6049d2ced7

        SHA256

        c20ca26cc006da5a336ae5732d407a1c4d3d4701fb6cea393ab1a160f6f6dc67

        SHA512

        500daeb90823cb72326b4ca82c3d2030b80c852bf5c1aa9201d39efb214112c2684ed0466bd61ba1543d9b6376ec10b2df7a2eb151a46449747e5d2db82e1c59

      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\p

        Filesize

        1018KB

        MD5

        32c260975a711177aa19ee18864c3601

        SHA1

        da08581f5a7142da269e23bbc6ae26b40c825eb7

        SHA256

        51e9d8dc6699680faaa98ab50df949a26705587f3daff397fdca2c061c144e5d

        SHA512

        a7ff7e21f71a8ef72ba08c6e003e1648ea59b942071c48756a3cb944e9543b20794c4401a65a5fd6e1a2247aac219cce4a479350009a80a49c7c939316a02060

      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\w

        Filesize

        1018KB

        MD5

        ca460704cfdf12b15b7c9beda2f47c82

        SHA1

        c125e7dbd0e1a60cf33c2be349679042d2e4e201

        SHA256

        07c2e82aa75fa0144c3300bc40b51241d454cc0b78a9d0575f8a9700c55d286b

        SHA512

        8437495429400be64e27253ad2691f3377d05c1821deb3d9ce3e8e99ef03241ae5c16019954462828068d03b69773a8acdeeee2e77a97120a8fc774b49490f88

      • \Users\Public\Pictures\KP01w\HqhLA~z1\arphadump.dll

        Filesize

        1.4MB

        MD5

        9fd0a38f77247b7c7e2758135a2b23ea

        SHA1

        50e13ecbe55b86a17b3e5e71061b0ea1b5354d51

        SHA256

        ec8103856d5886497a313eff72a622780923fc782d66fcd0fe95e690ccb201bd

        SHA512

        c927afb93fbba015d2f286f6b97d9fe5c4887281679fc4cf7d43a610a7f9ba23c3741f04ffde37483dd54124d93d6536c2cd00baa8e220a3b23a036bbc507d8e

      • memory/1576-2-0x0000000180000000-0x00000001803D4000-memory.dmp

        Filesize

        3.8MB

      • memory/1576-0-0x0000000180000000-0x00000001803D4000-memory.dmp

        Filesize

        3.8MB

      • memory/1576-1-0x0000000180000000-0x00000001803D4000-memory.dmp

        Filesize

        3.8MB

      • memory/1576-25-0x0000000180000000-0x00000001803D4000-memory.dmp

        Filesize

        3.8MB

      • memory/2500-24-0x0000000002020000-0x000000000208A000-memory.dmp

        Filesize

        424KB