Analysis
- max time kernel: 122s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 23-05-2024 00:30
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
- Resource: win7-20240508-en
General
- Target: 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
- Size: 26.3MB
- MD5: 39a694e4de1e9f828e5ac37badb7d7c6
- SHA1: 82a9c35c2ea8975f158ad77cca50834dda8cefa3
- SHA256: 0314f637928f25aee967d5bc9bc9f240b83399e3d8cba41d6b11a03582620091
- SHA512: e6c55a8d0f789ce546339ca737063a06972656661ff2c5b5575cdc7f13005156bedc3f6231acbeb27bee0d0bc21fd20419320b1f073561a9169fdb2605d46b28
- SSDEEP: 786432:9RtgTLKoyCeXJ+Sxr4xONXWoM5qEE2aO/Nmrvd:xgTd4EEI/NGl
Malware Config
Signatures
-
UAC bypass 3 IoCs
The dropped batch file uses reg.exe to zero the three HKLM UAC policy values. ConsentPromptBehaviorAdmin = 0 with PromptOnSecureDesktop = 0 makes elevation silent for administrators; EnableLUA = 0 turns UAC off entirely once the machine reboots.
Processes:
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | reg.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | reg.exe
-
Executes dropped EXE 1 IoCs
Processes:
pid | process
2500 | bbservice.exe
-
Loads dropped DLL 3 IoCs
Processes:
pid | process
2500 | bbservice.exe
2500 | bbservice.exe
2500 | bbservice.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
Processes:
pid | process
2340 | ipconfig.exe
-
Suspicious use of AdjustPrivilegeToken 5 IoCs
Processes:
description | pid | process
Token: SeShutdownPrivilege | 1576 | 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
Token: 33 | 2704 | mmc.exe
Token: SeIncBasePriorityPrivilege | 2704 | mmc.exe
Token: 33 | 2704 | mmc.exe
Token: SeIncBasePriorityPrivilege | 2704 | mmc.exe
(Privilege value 33 is SeIncreaseWorkingSetPrivilege. The sample itself only enables SeShutdownPrivilege; the mmc.exe entries are the host process that later launches bbservice.exe.)
-
Suspicious use of SetWindowsHookEx 4 IoCs
Processes:
pid | process
1576 | 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
1576 | 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
2704 | mmc.exe
2704 | mmc.exe
-
Suspicious use of WriteProcessMemory 28 IoCs
Processes:
description | pid | process | target process
PID 1576 wrote to memory of 2148 | 1576 | 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe | cmd.exe (3 events)
PID 2148 wrote to memory of 2340 | 2148 | cmd.exe | ipconfig.exe (3 events)
PID 1576 wrote to memory of 2260 | 1576 | 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe | netsh.exe (3 events)
PID 1576 wrote to memory of 2948 | 1576 | 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe | cmd.exe (3 events)
PID 2948 wrote to memory of 2940 | 2948 | cmd.exe | reg.exe (3 events)
PID 2948 wrote to memory of 2512 | 2948 | cmd.exe | reg.exe (3 events)
PID 2948 wrote to memory of 2708 | 2948 | cmd.exe | reg.exe (3 events)
PID 1576 wrote to memory of 2268 | 1576 | 2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe | cmd.exe (3 events)
PID 2704 wrote to memory of 2500 | 2704 | mmc.exe | bbservice.exe (4 events)
Processes
-
[1] C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe"
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 1576
    [2] C:\Windows\system32\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /c ipconfig /all
        - Suspicious use of WriteProcessMemory
        PID: 2148
        [3] C:\Windows\system32\ipconfig.exe
            Command line: ipconfig /all
            - Gathers network information
            PID: 2340
    [2] C:\Windows\System32\netsh.exe
        Command line: "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\OtyPf.xml
        PID: 2260
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\0iGW6.bat"
        - Suspicious use of WriteProcessMemory
        PID: 2948
        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
            - UAC bypass
            PID: 2940
        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
            - UAC bypass
            PID: 2512
        [3] C:\Windows\system32\reg.exe
            Command line: reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
            - UAC bypass
            PID: 2708
    [2] C:\Windows\System32\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KP01w\HqhLA~z1\p+C:\Users\Public\Pictures\KP01w\HqhLA~z1\w C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll
        PID: 2268
        (copy /b concatenates the two dropped fragments p and w into libssl-1_1.dll, so neither fragment on its own is a complete, scannable DLL.)
[1] C:\Windows\system32\mmc.exe
    Command line: C:\Windows\system32\mmc.exe -Embedding
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 2704
    [2] C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe
        Command line: "C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        PID: 2500
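The registry writes, the netsh script import, the copy /b reassembly and the executable launched from C:\Users\Public\Pictures are the parts of this tree a detection engineer would alert on. The Python below is an added example, not part of the sandbox report or its signature set: it runs four hypothetical rules over process-creation events constructed from the command lines shown above. The rule names, the Event class, the regexes and the list of user data directories are all assumptions made for the example.

```python
"""Detection rules for the behaviour in the process tree above, run over
process-creation events constructed from the report's command lines.
Added example; not part of the sandbox report or its own signatures."""
import re
from dataclasses import dataclass

# HKLM policy key and the values which, when set to 0, weaken or disable UAC.
UAC_POLICY_KEY = r"software\microsoft\windows\currentversion\policies\system"
UAC_WEAKENING_VALUES = {"enablelua", "consentpromptbehavioradmin", "promptonsecuredesktop"}

REG_ADD_RE = re.compile(
    r"reg(?:\.exe)?\s+add\s+(?P<key>\S+)\s+/v\s+(?P<name>\S+)\s+/t\s+reg_dword\s+/d\s+(?P<data>\d+)",
    re.IGNORECASE)
COPY_B_RE = re.compile(r"copy\s+/b\s+(?P<parts>\S+)\s+(?P<dest>\S+)", re.IGNORECASE)
NETSH_F_RE = re.compile(r'netsh(?:\.exe)?"?\s+-f\s+(?P<script>\S+)', re.IGNORECASE)
# Directories where documents, not executables, are expected (assumption).
USER_DATA_DIRS = (r"c:\users\public\pictures", r"c:\users\admin\appdata\roaming")
EXECUTABLE_EXTS = (".dll", ".exe")


@dataclass
class Event:
    """One process-creation event as a sandbox or EDR would record it (hypothetical shape)."""
    pid: int
    image: str
    cmdline: str


def _normalise_key(key):
    """Lower-case a registry key and drop the HKLM hive prefix so HKLM\\ and HKEY_LOCAL_MACHINE\\ compare equal."""
    key = key.strip('"').lower()
    for prefix in ("hkey_local_machine\\", "hklm\\"):
        if key.startswith(prefix):
            return key[len(prefix):]
    return key


def analyse_event(ev):
    """Return (rule, pid, detail) findings for a single event."""
    findings = []
    m = REG_ADD_RE.search(ev.cmdline)
    if m and _normalise_key(m["key"]) == UAC_POLICY_KEY:
        name = m["name"].lower()
        # Only a write of 0 weakens UAC; writing 1 to EnableLUA would re-enable it.
        if name in UAC_WEAKENING_VALUES and int(m["data"]) == 0:
            findings.append(("uac_weakening", ev.pid, name))
    m = COPY_B_RE.search(ev.cmdline)
    if m and m["dest"].lower().endswith(EXECUTABLE_EXTS):
        # copy /b a+b dest: fragments reassembled into a PE on the target.
        parts = m["parts"].split("+")
        findings.append(("file_reassembly", ev.pid, f"{len(parts)} parts -> {m['dest']}"))
    m = NETSH_F_RE.search(ev.cmdline)
    if m:
        findings.append(("netsh_script_import", ev.pid, m["script"]))
    if ev.image.lower().startswith(USER_DATA_DIRS):
        findings.append(("exec_from_user_data_dir", ev.pid, ev.image))
    return findings


def analyse_events(events):
    """Run every rule over every event and return all findings in event order."""
    return [f for ev in events for f in analyse_event(ev)]


def uac_values_zeroed(findings):
    """Set of UAC policy values observed being zeroed. ConsentPromptBehaviorAdmin=0
    silences admin elevation prompts immediately; EnableLUA=0 disables UAC after a reboot."""
    return {detail for rule, _, detail in findings if rule == "uac_weakening"}


# Constructed from the command lines in the process tree above (PIDs as reported).
SAMPLE_EVENTS = [
    Event(2340, r"C:\Windows\system32\ipconfig.exe", "ipconfig /all"),
    Event(2260, r"C:\Windows\System32\netsh.exe",
          r'"C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\OtyPf.xml'),
    Event(2940, r"C:\Windows\system32\reg.exe",
          r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F"),
    Event(2512, r"C:\Windows\system32\reg.exe",
          r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F"),
    Event(2708, r"C:\Windows\system32\reg.exe",
          r"reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F"),
    Event(2268, r"C:\Windows\System32\cmd.exe",
          r'"C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KP01w\HqhLA~z1\p+C:\Users\Public\Pictures\KP01w\HqhLA~z1\w C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll'),
    Event(2500, r"C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe",
          r'"C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe"'),
]

if __name__ == "__main__":
    results = analyse_events(SAMPLE_EVENTS)
    for rule, pid, detail in results:
        print(f"{rule:24s} pid={pid:<5d} {detail}")
    print("UAC values zeroed:", sorted(uac_values_zeroed(results)))
```

The ipconfig event produces no finding on its own; it only becomes interesting in the context of the rest of the tree. Run against real telemetry, the user-data-directory list should be built per environment, and the reg.exe rule should also cover writes made through PowerShell or direct API calls, which this command-line-only example does not see.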
Network
MITRE ATT&CK Enterprise v15
Downloads
-
Filesize: 392B
MD5: 30d6eb22d6aeec10347239b17b023bf4
SHA1: e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1
SHA256: 659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08
SHA512: 500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76
-
Filesize: 173KB
MD5: 3bb486bb9eed06ff50eb5170f667f0cc
SHA1: a7d968c3465cd3c5a3619fd28ad72e1ac0d0034f
SHA256: 6fcff0d141f2688be8d6b13fac3a99c109c39ac51003855ca761e3c240e686c5
SHA512: dd39be0a34e918834971bd5fc876eb2c2fc8aacf9f17e9898996ff637e49d5c2e89f2fbdead973675ddf853555f093e5b2af0ea788ca892e6b192d74c2551118
-
Filesize: 1.2MB
MD5: c60a22a37adc0d2be83d809e4aac166a
SHA1: f3531db8df1fac74c13e539c620beff7fc62b699
SHA256: 808fd639a968290a46c475724746e0915a9c3ec96a20e20b771d447819d1c268
SHA512: 56b0427bb357535e6dad314be1d8864432b77d58cbabccf12a035056e86bfdcedbf713a337543332c83d4fbf5092901b8ad3db91f5758c7aae689b824baabbf6
-
Filesize: 3.0MB
MD5: 7e7b8c426d4dc9156d1285f904cb41e6
SHA1: 1a1ff5277a130843b8f3ae2b17c88277f1e4dd07
SHA256: dc7ed605c919c529b19f55f447054d5bb89b25b7ac9633c6cc8d052f2e25687d
SHA512: fe5567d9d33c1c3c4748a7f6bd5b9c4fe872a10de9d31f5fee8f2ed0c750ffe069c96344f00890aba936344308d5f2afa65bc61d21fec40fe0ae105360cb190b
-
Filesize: 2.0MB
MD5: 0db9fb77a276f561c3efa1a5b9eea753
SHA1: 1c520dae2c8beb2aa87a38d6568ffe6049d2ced7
SHA256: c20ca26cc006da5a336ae5732d407a1c4d3d4701fb6cea393ab1a160f6f6dc67
SHA512: 500daeb90823cb72326b4ca82c3d2030b80c852bf5c1aa9201d39efb214112c2684ed0466bd61ba1543d9b6376ec10b2df7a2eb151a46449747e5d2db82e1c59
-
Filesize: 1018KB
MD5: 32c260975a711177aa19ee18864c3601
SHA1: da08581f5a7142da269e23bbc6ae26b40c825eb7
SHA256: 51e9d8dc6699680faaa98ab50df949a26705587f3daff397fdca2c061c144e5d
SHA512: a7ff7e21f71a8ef72ba08c6e003e1648ea59b942071c48756a3cb944e9543b20794c4401a65a5fd6e1a2247aac219cce4a479350009a80a49c7c939316a02060
-
Filesize: 1018KB
MD5: ca460704cfdf12b15b7c9beda2f47c82
SHA1: c125e7dbd0e1a60cf33c2be349679042d2e4e201
SHA256: 07c2e82aa75fa0144c3300bc40b51241d454cc0b78a9d0575f8a9700c55d286b
SHA512: 8437495429400be64e27253ad2691f3377d05c1821deb3d9ce3e8e99ef03241ae5c16019954462828068d03b69773a8acdeeee2e77a97120a8fc774b49490f88
-
Filesize: 1.4MB
MD5: 9fd0a38f77247b7c7e2758135a2b23ea
SHA1: 50e13ecbe55b86a17b3e5e71061b0ea1b5354d51
SHA256: ec8103856d5886497a313eff72a622780923fc782d66fcd0fe95e690ccb201bd
SHA512: c927afb93fbba015d2f286f6b97d9fe5c4887281679fc4cf7d43a610a7f9ba23c3741f04ffde37483dd54124d93d6536c2cd00baa8e220a3b23a036bbc507d8e