Analysis

max time kernel: 133s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240426-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
submitted: 24-05-2024 05:06

Static task: static1

Behavioral task: behavioral1
  Sample: 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
  Resource: win7-20231129-en

Behavioral task: behavioral2
  Sample: 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
  Resource: win10v2004-20240426-en

General

Target: 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
Size: 4.7MB
MD5: e8d2018514da477fc1c3e218a24125d6
SHA1: 6d7cfc49bb0929c2eb0f4028fe97983b876516cc
SHA256: 60f853180a79a596f490b01c554832dac7f2e469a94d8a213b1e5452c1e49d5b
SHA512: 98446881984402431b960ae7bd4faa1c420b5e2c0ebca2bb1bba01e070fc314884ce97b690f7211da76b3baabb17c1a4e773c63168bc97fbe38339babc68f303
SSDEEP: 98304:ABTTPtxvAOlouIZdRytp5UJ8rA9s9o36B:rHm2J8rACn
Malware Config
Signatures

Detect Blackmoon payload (1 IoC)
  resource: C:\ProgramData\cande\{bBxONrn43eEY6B6i8vd}\winfsp-x86.dll
  yara_rule: family_blackmoon
  Note: the matched file carries the name of the WinFsp user-mode file-system library DLL. The YARA match, not the filename, is the indicator; compare the hash listed under Downloads against a genuine WinFsp release before treating the DLL itself as the payload.

UPX dump on OEP (original entry point) (17 IoCs)
  yara_rule UPX matched the following memory dumps of PID 3740 (behavioral2):
    behavioral2/memory/3740-21-0x00000000027D0000-0x00000000028B7000-memory.dmp
    behavioral2/memory/3740-20-0x00000000027D0000-0x00000000028B7000-memory.dmp
    behavioral2/memory/3740-23-0x00000000027D0000-0x00000000028B7000-memory.dmp
    behavioral2/memory/3740-24-0x0000000003DE0000-0x0000000003FF1000-memory.dmp
    behavioral2/memory/3740-29-0x0000000004190000-0x000000000427B000-memory.dmp
    behavioral2/memory/3740-28-0x0000000002640000-0x0000000002696000-memory.dmp
    behavioral2/memory/3740-30-0x0000000004190000-0x000000000427B000-memory.dmp
    behavioral2/memory/3740-33-0x0000000004820000-0x0000000004995000-memory.dmp
    behavioral2/memory/3740-32-0x0000000004280000-0x0000000004319000-memory.dmp
    behavioral2/memory/3740-34-0x0000000004820000-0x0000000004995000-memory.dmp
    behavioral2/memory/3740-38-0x0000000003DE0000-0x0000000003FF1000-memory.dmp
    behavioral2/memory/3740-40-0x00000000027D0000-0x00000000028B7000-memory.dmp
    behavioral2/memory/3740-41-0x0000000003DE0000-0x0000000003FF1000-memory.dmp
    behavioral2/memory/3740-42-0x0000000002640000-0x0000000002696000-memory.dmp
    behavioral2/memory/3740-43-0x0000000004190000-0x000000000427B000-memory.dmp
    behavioral2/memory/3740-44-0x0000000004280000-0x0000000004319000-memory.dmp
    behavioral2/memory/3740-45-0x0000000004820000-0x0000000004995000-memory.dmp

Adds policy Run key to start application (2 TTPs, 2 IoCs)
  process: F5GrCPd.exe
  Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\F5GrCPd = "C:\\ProgramData\\cande\\{bBxONrn43eEY6B6i8vd}\\F5GrCPd.exe"
  Note: Policies\Explorer\Run is the Group Policy "Run these programs at user logon" list. Explorer starts its entries at logon just like the ordinary Run key, but tooling that only reads Run and RunOnce will miss it.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry (Geo\Nation), which is commonly used as a geofence.
  process: 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  pid 3740  F5GrCPd.exe

Loads dropped DLL (1 IoC)
  pid 3740  F5GrCPd.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid 3740  F5GrCPd.exe  (4 entries)

Suspicious use of AdjustPrivilegeToken (1 IoC)
  Token: SeDebugPrivilege  pid 3740  F5GrCPd.exe

Suspicious use of SetWindowsHookEx (4 IoCs)
  pid 3740  F5GrCPd.exe  (4 entries)

Suspicious use of WriteProcessMemory (6 IoCs)
  description                       pid   process                                                    target process
  PID 3932 wrote to memory of 2220  3932  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
  PID 3932 wrote to memory of 2220  3932  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
  PID 3932 wrote to memory of 2220  3932  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe
  PID 2220 wrote to memory of 3740  2220  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  F5GrCPd.exe
  PID 2220 wrote to memory of 3740  2220  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  F5GrCPd.exe
  PID 2220 wrote to memory of 3740  2220  2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  F5GrCPd.exe
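The signature entries above are easier to act on once the registry and WriteProcessMemory lines are tied together: the Run value under Policies\Explorer\Run names a path, and the WriteProcessMemory entries show which PID actually ran a binary with that name and who spawned it. The following is an added example, not Triage's own code: it parses the report's lines (copied verbatim into REPORT_LINES), rebuilds the lineage 3932 -> 2220 -> 3740, and emits a persistence finding that links the Run value to the executed dropped EXE plus a geofence finding for the Geo\Nation read. Reading "PID A wrote to memory of B" as parent->child is an assumption of this example; the report's own process tree shows the same nesting. The function names and the ATT&CK IDs are this example's own choices.

```python
"""Post-process the Signatures section: rebuild process lineage from the
WriteProcessMemory entries and tie the Policies\\Explorer\\Run value back to the
dropped executable that was actually run.

Added example, not Triage code. REPORT_LINES are copied verbatim from this
report; the parent/child reading of "wrote to memory of" is an assumption that
the report's process tree corroborates."""
import ntpath
import re

REPORT_LINES = [
    r"Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run F5GrCPd.exe",
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\F5GrCPd = "C:\\ProgramData\\cande\\{bBxONrn43eEY6B6i8vd}\\F5GrCPd.exe" F5GrCPd.exe',
    r"Key value queried \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe",
    r"PID 3932 wrote to memory of 2220 3932 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe",
    r"PID 2220 wrote to memory of 3740 2220 2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe F5GrCPd.exe",
]

RE_WPM = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ (\S+) (\S+)$")
RE_SET = re.compile(r'^Set value \((\w+)\) (\S+) = "(.*)" (\S+)$')
RE_QUERY = re.compile(r"^Key value queried (.+) (\S+)$")  # key path may contain spaces

# Logon autostart locations read by Explorer. Policies\Explorer\Run is the Group
# Policy "Run these programs at user logon" list and is missed by checks that
# only look at Run and RunOnce.
AUTORUN_SUBKEYS = (
    "\\currentversion\\run\\",
    "\\currentversion\\runonce\\",
    "\\currentversion\\policies\\explorer\\run\\",
)


def is_autorun_value(key: str) -> bool:
    k = key.lower()
    return any(s in k for s in AUTORUN_SUBKEYS)


def parse(lines):
    wpm, sets, queries = [], [], []
    for line in lines:
        if m := RE_WPM.match(line):
            parent, child, pimg, cimg = m.groups()
            wpm.append((int(parent), int(child), pimg, cimg))
        elif m := RE_SET.match(line):
            sets.append(m.groups())      # (value type, key, value, process)
        elif m := RE_QUERY.match(line):
            queries.append(m.groups())   # (key, process)
    return wpm, sets, queries


def build_tree(wpm):
    """Assumption: the writing PID is the parent of the PID written to."""
    parents, images = {}, {}
    for parent, child, pimg, cimg in wpm:
        parents[child] = parent
        images.setdefault(parent, pimg)
        images[child] = cimg
    return parents, images


def lineage(pid, parents, images):
    chain, seen = [], set()
    while pid in images and pid not in seen:  # seen-set guards against cycles
        seen.add(pid)
        chain.append((pid, images[pid]))
        pid = parents.get(pid)
    return chain[::-1]                         # root first


def analyze(lines):
    wpm, sets, queries = parse(lines)
    parents, images = build_tree(wpm)
    findings = []
    for _vtype, key, raw_value, setter in sets:
        if not is_autorun_value(key):
            continue
        target = raw_value.replace("\\\\", "\\")  # report prints the value with escaped backslashes
        base = ntpath.basename(target).lower()
        executed = [pid for pid, img in images.items() if img.lower() == base]
        findings.append({
            "type": "persistence", "attack": "T1547.001", "key": key,
            "target": target, "set_by": setter, "executed_as": executed,
            "lineage": lineage(executed[0], parents, images) if executed else [],
        })
    for key, proc in queries:
        if key.lower().endswith("\\geo\\nation"):
            findings.append({"type": "geofence_check", "attack": "T1614", "key": key, "process": proc})
    return {"findings": findings, "lineage": {pid: lineage(pid, parents, images) for pid in images}}


if __name__ == "__main__":
    import json
    print(json.dumps(analyze(REPORT_LINES), indent=2))
```

The persistence finding carries the full chain (sample -> second sample instance -> dropped F5GrCPd.exe), which is what a hunt query needs: the Run value alone only says a file in ProgramData is registered, not that the registering process is the same dropped binary spawned by the sample.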
Processes

C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  (PID 3932)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe"
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe  (PID 2220, child of 3932)
    Command line: C:\Users\Admin\AppData\Local\Temp\2024-05-24_e8d2018514da477fc1c3e218a24125d6_magniber.exe 46053F055905550577056A05620577056405680541056405710564055905660564056B056105600559057E05670547057D054A054B0577056B0531053605600540055C053305470533056C053D0573056105780559054305300542057705460555056105--365
    - Checks computer location settings
    - Suspicious use of WriteProcessMemory

    C:\ProgramData\cande\{bBxONrn43eEY6B6i8vd}\F5GrCPd.exe  (PID 3740, child of 2220)
      Command line: "C:\ProgramData\cande\{bBxONrn43eEY6B6i8vd}\F5GrCPd.exe"
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
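The argument the first sample instance (PID 3932) hands to its second instance (PID 2220) is not opaque. Every 4-hex-digit unit ends in "05", which is what an ASCII string stored as UTF-16LE looks like after each byte is XORed with 0x05: the 0x00 high byte of every code unit becomes 0x05 and leaks the key. Decoded that way the blob reads C:\ProgramData\cande\{bBxONrn43eEY6B6i8vd}\F5GrCPd, the directory and base name of the dropped F5GrCPd.exe and F5GrCPd.txt listed under Downloads, so the second instance is being told where to stage the dropped files. The trailing "--365" is not hex and its meaning is not shown by the report. The decoder below is an added example, not code from the report or the sample; ENCODED_ARG is copied from PID 2220's command line, the single-byte-XOR-over-UTF-16LE model is an inference from the data (verified by the exact match with the dropped path), and encode_argument is a hypothetical inverse for round-trip testing, not how the sample itself builds the argument.

```python
"""Decode the hex argument passed to the second sample instance (PID 2220).

Added example, not code from the report or the sample. ENCODED_ARG is the
argument from PID 2220's command line. Decoding model (inferred from the data):
UTF-16LE text XORed byte-wise with a single key; for ASCII text the 0x00 high
byte of each code unit turns into the key, so the key is read off the blob and
the assumption is checked rather than trusted."""
import re

ENCODED_ARG = (
    "46053F055905550577056A056205770564056805"
    "41056405710564055905660564056B0561056005"
    "59057E05670547057D054A054B0577056B053105"
    "3605600540055C053305470533056C053D057305"
    "6105780559054305300542057705460555056105"
    "--365"
)

# Longest run of hex byte pairs at the start; whatever follows is a plain suffix.
# (A suffix that itself starts with hex digits would be swallowed into the blob;
# "--365" begins with '-', so it splits cleanly here.)
_HEX_BLOB = re.compile(r"^((?:[0-9A-Fa-f]{2})+)(.*)$")


def split_argument(arg: str):
    """Return (blob_bytes, plain_suffix) for an argument of the form <hex><suffix>."""
    m = _HEX_BLOB.match(arg)
    if not m:
        raise ValueError("argument does not start with a hex blob")
    return bytes.fromhex(m.group(1)), m.group(2)


def recover_xor_key(blob: bytes) -> int:
    """Single-byte XOR key under the ASCII-as-UTF-16LE assumption.

    Before encoding every high byte is 0x00, so after XOR every odd-indexed byte
    equals the key. If the odd bytes are not all identical the model does not
    fit and we refuse to guess."""
    if len(blob) % 2:
        raise ValueError("UTF-16LE blob must have even length")
    highs = set(blob[1::2])
    if len(highs) != 1:
        raise ValueError(f"{len(highs)} distinct high bytes: not single-byte XOR over ASCII UTF-16LE")
    return highs.pop()


def xor_decode_utf16le(blob: bytes, key: int) -> str:
    return bytes(b ^ key for b in blob).decode("utf-16-le")


def decode_argument(arg: str) -> dict:
    blob, suffix = split_argument(arg)
    key = recover_xor_key(blob)
    return {"key": key, "decoded": xor_decode_utf16le(blob, key), "suffix": suffix}


def encode_argument(text: str, key: int, suffix: str = "") -> str:
    """Hypothetical inverse used for round-trip checks; the sample's own
    encoder is not shown in the report."""
    return bytes(b ^ key for b in text.encode("utf-16-le")).hex().upper() + suffix


if __name__ == "__main__":
    r = decode_argument(ENCODED_ARG)
    print(f"key=0x{r['key']:02X} decoded={r['decoded']!r} suffix={r['suffix']!r}")
```

Because the key is recovered from the blob rather than hard-coded, the same function decodes arguments from other runs of this family even if the key byte changes; it deliberately raises on blobs whose high bytes vary, which is the signal that the plaintext is not plain ASCII or the scheme is different.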
Network
MITRE ATT&CK Enterprise v15
Downloads

C:\ProgramData\cande\{bBxONrn43eEY6B6i8vd}\F5GrCPd.exe
  Filesize: 41KB
  MD5: 90f1cbf523b201c20adf2e6cb5a91e2d
  SHA1: e485907216de02d71a127623d6d8b155fa25aafa
  SHA256: 84ef8cba9b668bf3c2f47cfe2efc6fb4821fada314959a36419443efe41967d2
  SHA512: 6d121b48dba3a48d7dceb0baad629b7ad195b7f47d267f8f3295cead8940836ced45abac716fd54504b603ad9d3eb57ffd2a36f2c3e183d65df051ceba694521

C:\ProgramData\cande\{bBxONrn43eEY6B6i8vd}\F5GrCPd.txt
  Filesize: 369B
  MD5: 4bd2afe90974a48e19b9916c7b10ef08
  SHA1: 8ffbec325a46696244f42fb13565a894bcfe3f00
  SHA256: af0b941914e0a9d7a65f049e9e7468dfd63e8afb465dc8849e9c56e985172ee7
  SHA512: 59517e502f146c705cff4810ba1a2e07c37dffdf7f20352a8c8dae671333e45697387f24563553fb6d872d7396bbcf5c791c07a956caa23783721deeddaffe73

C:\ProgramData\cande\{bBxONrn43eEY6B6i8vd}\winfsp-x86.dll
  Filesize: 3.3MB
  MD5: e705514b37a15fe778a12406ea309f0c
  SHA1: b517800efdfb174aa9ad14632e330a8043bd94e4
  SHA256: b00df8776e786fdb006f315bfe68c404d76758582eae0f92c6398e109cfee036
  SHA512: 05ed9c0be82729c4219b83facb42dba6029aaff5545a1883cbcddb673ff0297b9abc69da6161b985545b7a24b9a022fe69ca506f96dc2524046dcb71ff611667

Memory dumps (PID 3740)
  memory/3740-30-0x0000000004190000-0x000000000427B000-memory.dmp  940KB
  memory/3740-32-0x0000000004280000-0x0000000004319000-memory.dmp  612KB
  memory/3740-21-0x00000000027D0000-0x00000000028B7000-memory.dmp  924KB
  memory/3740-20-0x00000000027D0000-0x00000000028B7000-memory.dmp  924KB
  memory/3740-23-0x00000000027D0000-0x00000000028B7000-memory.dmp  924KB
  memory/3740-17-0x0000000002330000-0x0000000002331000-memory.dmp  4KB
  memory/3740-24-0x0000000003DE0000-0x0000000003FF1000-memory.dmp  2.1MB
  memory/3740-29-0x0000000004190000-0x000000000427B000-memory.dmp  940KB
  memory/3740-28-0x0000000002640000-0x0000000002696000-memory.dmp  344KB
  memory/3740-18-0x0000000002320000-0x0000000002321000-memory.dmp  4KB
  memory/3740-33-0x0000000004820000-0x0000000004995000-memory.dmp  1.5MB
  memory/3740-19-0x0000000002340000-0x0000000002341000-memory.dmp  4KB
  memory/3740-34-0x0000000004820000-0x0000000004995000-memory.dmp  1.5MB
  memory/3740-36-0x0000000004120000-0x0000000004172000-memory.dmp  328KB
  memory/3740-37-0x0000000002410000-0x0000000002411000-memory.dmp  4KB
  memory/3740-38-0x0000000003DE0000-0x0000000003FF1000-memory.dmp  2.1MB
  memory/3740-39-0x0000000004120000-0x0000000004172000-memory.dmp  328KB
  memory/3740-40-0x00000000027D0000-0x00000000028B7000-memory.dmp  924KB
  memory/3740-41-0x0000000003DE0000-0x0000000003FF1000-memory.dmp  2.1MB
  memory/3740-42-0x0000000002640000-0x0000000002696000-memory.dmp  344KB
  memory/3740-43-0x0000000004190000-0x000000000427B000-memory.dmp  940KB
  memory/3740-44-0x0000000004280000-0x0000000004319000-memory.dmp  612KB
  memory/3740-46-0x0000000004120000-0x0000000004172000-memory.dmp  328KB
  memory/3740-45-0x0000000004820000-0x0000000004995000-memory.dmp  1.5MB