Overview

overview

10

Static

static

3

2024-05-23...er.exe

windows7-x64

10

2024-05-23...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    23-05-2024 00:30

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe

  • Size

    26.3MB

  • MD5

    39a694e4de1e9f828e5ac37badb7d7c6

  • SHA1

    82a9c35c2ea8975f158ad77cca50834dda8cefa3

  • SHA256

    0314f637928f25aee967d5bc9bc9f240b83399e3d8cba41d6b11a03582620091

  • SHA512

    e6c55a8d0f789ce546339ca737063a06972656661ff2c5b5575cdc7f13005156bedc3f6231acbeb27bee0d0bc21fd20419320b1f073561a9169fdb2605d46b28

  • SSDEEP

    786432:9RtgTLKoyCeXJ+Sxr4xONXWoM5qEE2aO/Nmrvd:xgTd4EEI/NGl

Score
10/10
evasiontrojan

Malware Config

Signatures

  • UAC bypass 3 TTPs 3 IoCs
    evasiontrojan
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 2 IoCs

    Uses commandline utility to view network configuration.

  • Modifies registry class 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 25 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-23_39a694e4de1e9f828e5ac37badb7d7c6_magniber.exe"
    1⤵
    • Checks computer location settings
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:1996
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /c ipconfig /all
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2240
      • C:\Windows\system32\ipconfig.exe
        ipconfig /all
        3⤵
        • Gathers network information
        PID:4852
    • C:\Windows\System32\netsh.exe
      "C:\Windows\System32\netsh.exe" -f C:\Users\Public\Pictures\OtyPf.xml
      2⤵
        PID:1756
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Roaming\0iGW6.bat"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4676
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v ConsentPromptBehaviorAdmin /t reg_dword /d 0 /F
          3⤵
          • UAC bypass
          PID:2572
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v EnableLUA /t reg_dword /d 0 /F
          3⤵
          • UAC bypass
          PID:964
        • C:\Windows\system32\reg.exe
          reg add HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System /v PromptOnSecureDesktop /t reg_dword /d 0 /F
          3⤵
          • UAC bypass
          PID:2692
      • C:\Windows\System32\cmd.exe
        "C:\Windows\System32\cmd.exe" /c copy /b C:\Users\Public\Pictures\KP01w\HqhLA~z1\p+C:\Users\Public\Pictures\KP01w\HqhLA~z1\w C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll
        2⤵
          PID:2284
      • C:\Windows\system32\mmc.exe
        C:\Windows\system32\mmc.exe -Embedding
        1⤵
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:1028
        • C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe
          "C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe"
          2⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Enumerates connected drives
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of SetWindowsHookEx
          • Suspicious use of WriteProcessMemory
          PID:4796
          • C:\Windows\SysWOW64\cmd.exe
            C:\Windows\system32\cmd.exe /c ipconfig /all
            3⤵
            • Suspicious use of WriteProcessMemory
            PID:4340
            • C:\Windows\SysWOW64\ipconfig.exe
              ipconfig /all
              4⤵
              • Gathers network information
              PID:4332

      Network

      MITRE ATT&CK Matrix ATT&CK v13

      Initial Access

      Execution

      Command and Scripting Interpreter

      1
      T1059

      Persistence

      Privilege Escalation

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Defense Evasion

      Abuse Elevation Control Mechanism

      1
      T1548

      Bypass User Account Control

      1
      T1548.002

      Impair Defenses

      1
      T1562

      Disable or Modify Tools

      1
      T1562.001

      Modify Registry

      1
      T1112

      Credential Access

      Discovery

      Query Registry

      3
      T1012

      System Information Discovery

      5
      T1082

      Peripheral Device Discovery

      1
      T1120

      Lateral Movement

      Collection

      Exfiltration

      Command and Control

      Impact

      Resource Development

      Reconnaissance

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Users\Admin\AppData\Roaming\0iGW6.bat
        Filesize

        392B

        MD5

        30d6eb22d6aeec10347239b17b023bf4

        SHA1

        e2a6f86d66c699f6e0ff1ac4e140af4a2a4637d1

        SHA256

        659df6b190a0b92fc34e3a4457b4a8d11a26a4caf55de64dfe79eb1276181f08

        SHA512

        500872c3f2f3f801ec51717690873194675cb7f32cc4a862c09d90c18638d364d49b0e04c32323f52734e5c806e3503a63ac755c7019d762786a72840123df76

        Download Submit
      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\NH.txt
        Filesize

        173KB

        MD5

        3bb486bb9eed06ff50eb5170f667f0cc

        SHA1

        a7d968c3465cd3c5a3619fd28ad72e1ac0d0034f

        SHA256

        6fcff0d141f2688be8d6b13fac3a99c109c39ac51003855ca761e3c240e686c5

        SHA512

        dd39be0a34e918834971bd5fc876eb2c2fc8aacf9f17e9898996ff637e49d5c2e89f2fbdead973675ddf853555f093e5b2af0ea788ca892e6b192d74c2551118

        Download Submit
      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\arphaDump.dll
        Filesize

        1.4MB

        MD5

        9fd0a38f77247b7c7e2758135a2b23ea

        SHA1

        50e13ecbe55b86a17b3e5e71061b0ea1b5354d51

        SHA256

        ec8103856d5886497a313eff72a622780923fc782d66fcd0fe95e690ccb201bd

        SHA512

        c927afb93fbba015d2f286f6b97d9fe5c4887281679fc4cf7d43a610a7f9ba23c3741f04ffde37483dd54124d93d6536c2cd00baa8e220a3b23a036bbc507d8e

        Download Submit
      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\bbservice.exe
        Filesize

        1.2MB

        MD5

        c60a22a37adc0d2be83d809e4aac166a

        SHA1

        f3531db8df1fac74c13e539c620beff7fc62b699

        SHA256

        808fd639a968290a46c475724746e0915a9c3ec96a20e20b771d447819d1c268

        SHA512

        56b0427bb357535e6dad314be1d8864432b77d58cbabccf12a035056e86bfdcedbf713a337543332c83d4fbf5092901b8ad3db91f5758c7aae689b824baabbf6

        Download Submit
      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\libcrypto-1_1.dll
        Filesize

        3.0MB

        MD5

        7e7b8c426d4dc9156d1285f904cb41e6

        SHA1

        1a1ff5277a130843b8f3ae2b17c88277f1e4dd07

        SHA256

        dc7ed605c919c529b19f55f447054d5bb89b25b7ac9633c6cc8d052f2e25687d

        SHA512

        fe5567d9d33c1c3c4748a7f6bd5b9c4fe872a10de9d31f5fee8f2ed0c750ffe069c96344f00890aba936344308d5f2afa65bc61d21fec40fe0ae105360cb190b

        Download Submit
      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\libssl-1_1.dll
        Filesize

        2.0MB

        MD5

        0db9fb77a276f561c3efa1a5b9eea753

        SHA1

        1c520dae2c8beb2aa87a38d6568ffe6049d2ced7

        SHA256

        c20ca26cc006da5a336ae5732d407a1c4d3d4701fb6cea393ab1a160f6f6dc67

        SHA512

        500daeb90823cb72326b4ca82c3d2030b80c852bf5c1aa9201d39efb214112c2684ed0466bd61ba1543d9b6376ec10b2df7a2eb151a46449747e5d2db82e1c59

        Download Submit
      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\p
        Filesize

        1018KB

        MD5

        32c260975a711177aa19ee18864c3601

        SHA1

        da08581f5a7142da269e23bbc6ae26b40c825eb7

        SHA256

        51e9d8dc6699680faaa98ab50df949a26705587f3daff397fdca2c061c144e5d

        SHA512

        a7ff7e21f71a8ef72ba08c6e003e1648ea59b942071c48756a3cb944e9543b20794c4401a65a5fd6e1a2247aac219cce4a479350009a80a49c7c939316a02060

        Download Submit
      • C:\Users\Public\Pictures\KP01w\HqhLA~z1\w
        Filesize

        1018KB

        MD5

        ca460704cfdf12b15b7c9beda2f47c82

        SHA1

        c125e7dbd0e1a60cf33c2be349679042d2e4e201

        SHA256

        07c2e82aa75fa0144c3300bc40b51241d454cc0b78a9d0575f8a9700c55d286b

        SHA512

        8437495429400be64e27253ad2691f3377d05c1821deb3d9ce3e8e99ef03241ae5c16019954462828068d03b69773a8acdeeee2e77a97120a8fc774b49490f88

        Download Submit
      • memory/1996-2-0x0000000180000000-0x00000001803D4000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/1996-3-0x0000000180000000-0x00000001803D4000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/1996-0-0x0000000180000000-0x00000001803D4000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/1996-33-0x0000000180000000-0x00000001803D4000-memory.dmp
        Filesize

        3.8MB

        Download
      • memory/4796-25-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download
      • memory/4796-27-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download
      • memory/4796-26-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download
      • memory/4796-34-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download
      • memory/4796-35-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download
      • memory/4796-36-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download
      • memory/4796-37-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download
      • memory/4796-38-0x0000000002470000-0x00000000024DA000-memory.dmp
        Filesize

        424KB

        Download