d43e0665bc9fba59aad128c2cc214be3b3b8de36ffb277dab7acfdf4011cf5fd

Analysis

max time kernel
120s
max time network
123s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
25-05-2024 13:29

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
Size

20.2MB
MD5

da6fadff594e49220686d33ace1aa6b1
SHA1

142fba30ea63da8f0812eca7748b7825b22b9d40
SHA256

d43e0665bc9fba59aad128c2cc214be3b3b8de36ffb277dab7acfdf4011cf5fd
SHA512

df64a5b58140bdf93d3a650d43c83c9df2084b25db7f8dbdf8db66b1c6e9af70b3796c1556cb732688ad00fb392de3145cd83f932fbe40db4e6446856e67f419
SSDEEP

393216:7g0Azj26jAr3IwoUW8bqTU5NL9aVM8FaL46K95f0FVYV5lgAC/Bz:s0yAP1bAU5NLEtErK95fOmX+Bz

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 1 IoCs

Processes:

2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

pid process

1804 2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

description ioc process

File opened for modification \??\PhysicalDrive0 2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
Drops file in Program Files directory 1 IoCs

Processes:

2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

description ioc process

File created C:\Program Files (x86)\360\360DrvMgr\259396652.tmp 2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

description	ioc	process
File created	C:\Program Files (x86)\360\360DrvMgr\259396652.tmp	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

Modifies registry class 3 IoCs

Processes:

2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A893393-71A8-4a50-95A1-2B89DE87B24C}	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A893393-71A8-4a50-95A1-2B89DE87B24C}\ = "0"	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{1A893393-71A8-4a50-95A1-2B89DE87B24C}	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

Suspicious behavior: EnumeratesProcesses 7 IoCs

Processes:

2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

pid	process
1804	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
1804	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
1804	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
1804	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
1804	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
1804	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
1804	2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-25_da6fadff594e49220686d33ace1aa6b1_magniber.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
PID:1804

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\{B6A23954-63CA-4d2f-BE1B-12E26A629587}.tmp
Filesize
949KB

MD5
e421a1ec939ad95483bba5e326264184

SHA1
5d50f278be5f80ed2f84ace4750fc2a5a3ac169b

SHA256
6b9288cfef00524762e23f5acb3f419ab8f5c36d62271053e447dd075e4510bc

SHA512
330ce107d0d3d54342feb8dc19d10c940a7a09df34404eabb986117b983dd32ce6032ebe6a0256e254b1ddc64d9153db1cff6466072958baadf9a1bc322d2a61

Download Submit
memory/1804-0-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download
memory/1804-9-0x0000000000210000-0x0000000000211000-memory.dmp

Filesize
4KB

Download