0314f637928f25aee967d5bc9bc9f240b83399e3d8cba41d6b11a03582620091

General

Target

2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
Size

26.3MB
MD5

39a694e4de1e9f828e5ac37badb7d7c6
SHA1

82a9c35c2ea8975f158ad77cca50834dda8cefa3
SHA256

0314f637928f25aee967d5bc9bc9f240b83399e3d8cba41d6b11a03582620091
SHA512

e6c55a8d0f789ce546339ca737063a06972656661ff2c5b5575cdc7f13005156bedc3f6231acbeb27bee0d0bc21fd20419320b1f073561a9169fdb2605d46b28
SSDEEP

786432:9RtgTLKoyCeXJ+Sxr4xONXWoM5qEE2aO/Nmrvd:xgTd4EEI/NGl

Score

10^/10

evasion trojan

Malware Config

Signatures

UAC bypass 3 TTPs 3 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

reg.exereg.exereg.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	reg.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	reg.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe

Executes dropped EXE 1 IoCs

Processes:

bbservice.exe

pid process

4796 bbservice.exe
Loads dropped DLL 3 IoCs

Processes:

bbservice.exe

pid process

4796 bbservice.exe
4796 bbservice.exe
4796 bbservice.exe

pid	process
4796	bbservice.exe

pid	process
4796	bbservice.exe
4796	bbservice.exe
4796	bbservice.exe

Enumerates connected drives 3 TTPs 22 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

bbservice.exe

description	ioc	process
File opened (read-only)	\??\I:	bbservice.exe
File opened (read-only)	\??\M:	bbservice.exe
File opened (read-only)	\??\G:	bbservice.exe
File opened (read-only)	\??\H:	bbservice.exe
File opened (read-only)	\??\W:	bbservice.exe
File opened (read-only)	\??\X:	bbservice.exe
File opened (read-only)	\??\Y:	bbservice.exe
File opened (read-only)	\??\B:	bbservice.exe
File opened (read-only)	\??\S:	bbservice.exe
File opened (read-only)	\??\Q:	bbservice.exe
File opened (read-only)	\??\R:	bbservice.exe
File opened (read-only)	\??\T:	bbservice.exe
File opened (read-only)	\??\V:	bbservice.exe
File opened (read-only)	\??\Z:	bbservice.exe
File opened (read-only)	\??\E:	bbservice.exe
File opened (read-only)	\??\L:	bbservice.exe
File opened (read-only)	\??\N:	bbservice.exe
File opened (read-only)	\??\O:	bbservice.exe
File opened (read-only)	\??\P:	bbservice.exe
File opened (read-only)	\??\U:	bbservice.exe
File opened (read-only)	\??\J:	bbservice.exe
File opened (read-only)	\??\K:	bbservice.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

bbservice.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	bbservice.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	bbservice.exe

Gathers network information 2 TTPs 2 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exe

pid process

4852 ipconfig.exe
4332 ipconfig.exe

pid	process
4852	ipconfig.exe
4332	ipconfig.exe

Modifies registry class 1 IoCs

Processes:

2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

bbservice.exe

pid process

4796 bbservice.exe
4796 bbservice.exe

pid	process
4796	bbservice.exe
4796	bbservice.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

Processes:

2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exemmc.exebbservice.exe

description	pid	process
Token: SeShutdownPrivilege	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
Token: 33	1028	mmc.exe
Token: SeIncBasePriorityPrivilege	1028	mmc.exe
Token: 33	1028	mmc.exe
Token: SeIncBasePriorityPrivilege	1028	mmc.exe
Token: SeDebugPrivilege	4796	bbservice.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exemmc.exebbservice.exe

pid	process
1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
1028	mmc.exe
1028	mmc.exe
4796	bbservice.exe

Suspicious use of WriteProcessMemory 25 IoCs

Processes:

2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.execmd.execmd.exemmc.exebbservice.execmd.exe

description	pid	process	target process
PID 1996 wrote to memory of 2240	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	cmd.exe
PID 1996 wrote to memory of 2240	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	cmd.exe
PID 2240 wrote to memory of 4852	2240	cmd.exe	ipconfig.exe
PID 2240 wrote to memory of 4852	2240	cmd.exe	ipconfig.exe
PID 1996 wrote to memory of 1756	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	netsh.exe
PID 1996 wrote to memory of 1756	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	netsh.exe
PID 1996 wrote to memory of 4676	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	cmd.exe
PID 1996 wrote to memory of 4676	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	cmd.exe
PID 4676 wrote to memory of 2572	4676	cmd.exe	reg.exe
PID 4676 wrote to memory of 2572	4676	cmd.exe	reg.exe
PID 4676 wrote to memory of 964	4676	cmd.exe	reg.exe
PID 4676 wrote to memory of 964	4676	cmd.exe	reg.exe
PID 4676 wrote to memory of 2692	4676	cmd.exe	reg.exe
PID 4676 wrote to memory of 2692	4676	cmd.exe	reg.exe
PID 1996 wrote to memory of 2284	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	cmd.exe
PID 1996 wrote to memory of 2284	1996	2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe	cmd.exe
PID 1028 wrote to memory of 4796	1028	mmc.exe	bbservice.exe
PID 1028 wrote to memory of 4796	1028	mmc.exe	bbservice.exe
PID 1028 wrote to memory of 4796	1028	mmc.exe	bbservice.exe
PID 4796 wrote to memory of 4340	4796	bbservice.exe	cmd.exe
PID 4796 wrote to memory of 4340	4796	bbservice.exe	cmd.exe
PID 4796 wrote to memory of 4340	4796	bbservice.exe	cmd.exe
PID 4340 wrote to memory of 4332	4340	cmd.exe	ipconfig.exe
PID 4340 wrote to memory of 4332	4340	cmd.exe	ipconfig.exe
PID 4340 wrote to memory of 4332	4340	cmd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe"
1⤵
- Checks computer location settings
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1996

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /all
2⤵
- Suspicious use of WriteProcessMemory
PID:2240

C:\Windows\system32\ipconfig.exe
ipconfig /all
3⤵
- Gathers network information
PID:4852

C:\Windows\System32\netsh.exe
"C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\OtyPf.xml
2⤵
PID:1756

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\0iGW6.bat"
2⤵
- Suspicious use of WriteProcessMemory
PID:4676

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
3⤵
- UAC bypass
PID:2572

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
3⤵
- UAC bypass
PID:964

C:\Windows\system32\reg.exe
reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
3⤵
- UAC bypass
PID:2692

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KP01w\HqhLA~z1\p+C:\Users\Public\Pictures\KP01w\HqhLA~z1\w C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll
2⤵
PID:2284

C:\Windows\system32\mmc.exe
C:\Windows\system32\mmc.exe -Embedding
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1028

C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe
"C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe"
2⤵
- Executes dropped EXE
- Loads dropped DLL
- Enumerates connected drives
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4796

C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ipconfig /all
3⤵
- Suspicious use of WriteProcessMemory
PID:4340

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
4⤵
- Gathers network information
PID:4332

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Persistence

Privilege Escalation

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Defense Evasion

Abuse Elevation Control Mechanism

1

T1548

Bypass User Account Control

1

T1548.002

Impair Defenses

1

T1562

Disable or Modify Tools

Modify Registry

Credential Access

Discovery

Peripheral Device Discovery

Query Registry

System Information Discovery

5

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\0iGW6.bat

Filesize
392B

MD5
30d6eb22d6aeec10347239b17b023bf4

SHA1
e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

SHA256
659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

SHA512
500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

Download Submit
C:\Users\Public\Pictures\KP01w\HqhLA~z1\NH.txt

Filesize
173KB

MD5
3bb486bb9eed06ff50eb5170f667f0cc

SHA1
a7d968c3465cd3c5a3619fd28ad72e1ac0d0034f

SHA256
6fcff0d141f2688be8d6b13fac3a99c109c39ac51003855ca761e3c240e686c5

SHA512
dd39be0a34e918834971bd5fc876eb2c2fc8aacf9f17e9898996ff637e49d5c2e89f2fbdead973675ddf853555f093e5b2af0ea788ca892e6b192d74c2551118

Download Submit
C:\Users\Public\Pictures\KP01w\HqhLA~z1\arphaDump.dll

Filesize
1.4MB

MD5
9fd0a38f77247b7c7e2758135a2b23ea

SHA1
50e13ecbe55b86a17b3e5e71061b0ea1b5354d51

SHA256
ec8103856d5886497a313eff72a622780923fc782d66fcd0fe95e690ccb201bd

SHA512
c927afb93fbba015d2f286f6b97d9fe5c4887281679fc4cf7d43a610a7f9ba23c3741f04ffde37483dd54124d93d6536c2cd00baa8e220a3b23a036bbc507d8e

Download Submit
C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe

Filesize
1.2MB

MD5
c60a22a37adc0d2be83d809e4aac166a

SHA1
f3531db8df1fac74c13e539c620beff7fc62b699

SHA256
808fd639a968290a46c475724746e0915a9c3ec96a20e20b771d447819d1c268

SHA512
56b0427bb357535e6dad314be1d8864432b77d58cbabccf12a035056e86bfdcedbf713a337543332c83d4fbf5092901b8ad3db91f5758c7aae689b824baabbf6

Download Submit
C:\Users\Public\Pictures\KP01w\HqhLA~z1\libcrypto-1_1.dll

Filesize
3.0MB

MD5
7e7b8c426d4dc9156d1285f904cb41e6

SHA1
1a1ff5277a130843b8f3ae2b17c88277f1e4dd07

SHA256
dc7ed605c919c529b19f55f447054d5bb89b25b7ac9633c6cc8d052f2e25687d

SHA512
fe5567d9d33c1c3c4748a7f6bd5b9c4fe872a10de9d31f5fee8f2ed0c750ffe069c96344f00890aba936344308d5f2afa65bc61d21fec40fe0ae105360cb190b

Download Submit
C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll

Filesize
2.0MB

MD5
0db9fb77a276f561c3efa1a5b9eea753

SHA1
1c520dae2c8beb2aa87a38d6568ffe6049d2ced7

SHA256
c20ca26cc006da5a336ae5732d407a1c4d3d4701fb6cea393ab1a160f6f6dc67

SHA512
500daeb90823cb72326b4ca82c3d2030b80c852bf5c1aa9201d39efb214112c2684ed0466bd61ba1543d9b6376ec10b2df7a2eb151a46449747e5d2db82e1c59

Download Submit
C:\Users\Public\Pictures\KP01w\HqhLA~z1\p

Filesize
1018KB

MD5
32c260975a711177aa19ee18864c3601

SHA1
da08581f5a7142da269e23bbc6ae26b40c825eb7

SHA256
51e9d8dc6699680faaa98ab50df949a26705587f3daff397fdca2c061c144e5d

SHA512
a7ff7e21f71a8ef72ba08c6e003e1648ea59b942071c48756a3cb944e9543b20794c4401a65a5fd6e1a2247aac219cce4a479350009a80a49c7c939316a02060

Download Submit
C:\Users\Public\Pictures\KP01w\HqhLA~z1\w

Filesize
1018KB

MD5
ca460704cfdf12b15b7c9beda2f47c82

SHA1
c125e7dbd0e1a60cf33c2be349679042d2e4e201

SHA256
07c2e82aa75fa0144c3300bc40b51241d454cc0b78a9d0575f8a9700c55d286b

SHA512
8437495429400be64e27253ad2691f3377d05c1821deb3d9ce3e8e99ef03241ae5c16019954462828068d03b69773a8acdeeee2e77a97120a8fc774b49490f88

Download Submit
memory/1996-2-0x0000000180000000-0x00000001803D4000-memory.dmp

Filesize
3.8MB

Download
memory/1996-3-0x0000000180000000-0x00000001803D4000-memory.dmp

Filesize
3.8MB

Download
memory/1996-0-0x0000000180000000-0x00000001803D4000-memory.dmp

Filesize
3.8MB

Download
memory/1996-33-0x0000000180000000-0x00000001803D4000-memory.dmp

Filesize
3.8MB

Download
memory/4796-25-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download
memory/4796-27-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download
memory/4796-26-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download
memory/4796-34-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download
memory/4796-35-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download
memory/4796-36-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download
memory/4796-37-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download
memory/4796-38-0x0000000002470000-0x00000000024DA000-memory.dmp

Filesize
424KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads