Malware Analysis Report

2025-01-03 09:37

Sample ID 240604-kpztlabg83
Target 2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber
SHA256 c819a63a113a678baa6d46a7b087777fcc20dc71c03263a54a5e1f66b689a33b
Tags: upx bootkit persistence
Score: 10/10

Analysis Overview

Score: 10/10

SHA256

c819a63a113a678baa6d46a7b087777fcc20dc71c03263a54a5e1f66b689a33b

Threat Level: Known bad

The file 2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber was found to be: Known bad.

Malicious Activity Summary

upx bootkit persistence

UPX dump on OEP (original entry point)

Loads dropped DLL

UPX packed file

Enumerates connected drives

Writes to the Master Boot Record (MBR)

Unsigned PE

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 08:47

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 08:47

Reported

2024-06-04 08:49

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (7 identical entries)

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A (22 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (8 identical entries)

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\Z: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\E: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\L: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\N: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\Q: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\R: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\U: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\W: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\H: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\J: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\K: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\M: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\O: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\V: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\Y: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\F: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\P: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\S: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\X: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\G: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\I: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A
File opened (read-only) \??\T: C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PHYSICALDRIVE0 C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe server

Network

N/A

Files

C:\Users\Admin\AppData\Local\Temp\ENGLISH.ini

MD5 b2d5f3f5f1a64cb8ae6fb81912cc6f76
SHA1 1ea85f1566d9186ca1da997a35e663a2da372b22
SHA256 eca9cced6338f47c794cc3507af5488d4ca6276215e2f1cf8f0069c7af3f1ef9
SHA512 cea44dc73791d59cf7be482e725f3c453a0d6e0b671e2432757cfd3797429eab371b74c2068ea0dfff3f2ec4b30f8e6e46e03ee84d45e035baae5958c393ed5a

\Windows\Temp\MZDNDIS.SYS

MD5 4d31c95a04b005835f2e84afff174428
SHA1 90e63378510cdbc48f02a5cad55203406fabb299
SHA256 c6e497dca50dec8b11ed66e00eb7e37ec5e508fd3f4e8a404bded9992b057359
SHA512 e3ec7f0be0e324ff0b8cf8d040f04d06f0cfd82a4765ac0894f4eef432d66a46f3706c45ecf1c62842be17703c3e18096e191de681378e02352300b9164bc4e6

\Windows\Temp\MZDSCSI.SYS

MD5 a4cfb02aca31cf1a9b10e208b902d7d0
SHA1 80d4a2a1c049dadcdc271f960db1c96d845c25c6
SHA256 28060b1068b504e2a767b46c72f7ab0676460852bf49ac3328f17e23bbce19ad
SHA512 d7cd75780c1803848f75d9f3650f1d6884773c8ed880139ec8b5ff25e5cd5fe148823281b0ad456bd27aee622e8f032f9c69d28cc3c246cab5ce9e524fb508a2

\Windows\Temp\MZDPNP.SYS

MD5 3e239567f5f9bb18f7f1697ba3b1b807
SHA1 ed04770124a2110b7d77756fd09afc7b464df4a2
SHA256 243fd5e4aa98f24c832db127e106ea6cb8c2b6c87add2ac1c6c60888163f3245
SHA512 22c2e1c9b1ca4d03e641ad176f42f2b3b4fe1f542c2184180101edb390d6e1220d12703b0ba6c012ab955c38b2185e795772bbc568228f8710d093e398459c7f

\Windows\Temp\MOUSEHOOK.DLL

MD5 9ae8b088c75acdf27e24e6d1e1b551a1
SHA1 7936a5182a003eaea0c2b3d97dda30e0f6bf3a07
SHA256 8fd9bfaf157ba9e75d46abad246e67d14fde4cbafa8622b5e74956fadaa83ba2
SHA512 193f4e2cba929aafb7d05f1dd08f0d30091fc3d1b9f3f05eab64a0862fe43ab9397732cbac01d628ee922f9930b0924963a69bf4f888654c0437091c1c7ebc7d

\Windows\Temp\MZDCLIENT.EXE

MD5 ca7af2ff555e5e92f056a47f7d15104a
SHA1 7f23a2cb64884dbb542f7bb6a12fb8ed7aaa5b88
SHA256 88d6931ebd16b1322df5a9a4089a2317f452093334d9f6e4267eb82a131f1ce4
SHA512 00297e9e51aced8739d85be6c07e0b53d2bb634358e19b52b2bc9cc587ad07a736c0b9f15321885f6ffcf704be6498852eaa2fb09a752e7ad1c6c6ab02118965

C:\MZDSETUP\NETCARD.INI

MD5 15ffd75687d7949544142474489f4002
SHA1 7d7f0e3b28a1b1b0aa346e4ff5266286380f0915
SHA256 57a22b1ee5e4e7ff2f57aa658493c05c9c5200c85210f0670e6acdddb42cb397
SHA512 534e2a7957e4211c4bc480031e12fcb1a04e179b4d2debe5bf7ac6e41b16f87977fcb8528861126469b7882aef53d08e35cc932f3b0f2d14fd57bbdd6d821ae0

\Windows\Temp\MZDRUNCLIENT.EXE

MD5 08564e44dd5d8548d8ebe6c207d97d35
SHA1 43903be3909ccda3904b5c8310abb53c2a0f1f89
SHA256 0e01036287045f630e1b630285f592e3c6d9be9f6a06e6d8757cabaa45e8d92b
SHA512 4c2fe534b034c608533f39dcd9b6293055f431f186e06aacca3d92b7ccf72df803a36a87419c32e9076cd38f365b7417b885e9fd7dd1bed582f08494598fee8a

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 08:47

Reported

2024-06-04 08:49

Platform

win10v2004-20240226-en

Max time kernel

141s

Max time network

151s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe"

Signatures

UPX dump on OEP (original entry point)

Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A (3 identical entries)

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe"

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-04_4b9905036bf7f8ea05108c44d196bd68_magniber.exe

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=3100 --field-trial-handle=2280,i,1836084024518340990,18250262151825427757,262144 --variations-seed-version /prefetch:8

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 74.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 97.17.167.52.in-addr.arpa udp
GB 142.250.187.202:443 tcp
US 8.8.8.8:53 133.211.185.52.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 203.107.17.2.in-addr.arpa udp
US 8.8.8.8:53 23.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 8.179.89.13.in-addr.arpa udp

Files

memory/3544-0-0x0000000000400000-0x0000000000D46000-memory.dmp

memory/3876-1-0x0000000000400000-0x0000000000D46000-memory.dmp

memory/3544-2-0x0000000000400000-0x0000000000D46000-memory.dmp

memory/3876-3-0x0000000000400000-0x0000000000D46000-memory.dmp