Malware Analysis Report

2025-01-03 09:30

Sample ID 240604-nqfc5aeg6x
Target 2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber
SHA256 be6d9cc93d0d7e63f8bca78f2a281bc5c13ce5512c07f77c3162df7aaed947b1
Tags
bootkit persistence
score
7/10

Analysis Overview

score
7/10

SHA256

be6d9cc93d0d7e63f8bca78f2a281bc5c13ce5512c07f77c3162df7aaed947b1

Threat Level: Shows suspicious behavior

The file 2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber was found to be: Shows suspicious behavior.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-04 11:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-04 11:35

Reported

2024-06-04 11:38

Platform

win7-20240221-en

Max time kernel

122s

Max time network

124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe"

Signatures

Loads dropped DLL

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe
Target: N/A

Writes to the Master Boot Record (MBR)

bootkit persistence

Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe
Target: N/A

Suspicious behavior: GetForegroundWindowSpam

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe
Target: N/A

Suspicious use of AdjustPrivilegeToken

Description: Token: SeDebugPrivilege
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe"

Network

N/A

Files

\Users\Admin\AppData\Local\Temp\UNIFC25.tmp\dr.dll

MD5 47e5db9c8990f133d57c564c20668d38
SHA1 b8d90e8922c71935c61ecaae9a482fba6c3439ba
SHA256 5d14c76dbc223385f34e60391ca91475078c1fe35822bf91f825fc8196d95fcd
SHA512 000608913349ce84ef8eda5f68d03ef74fd57f6a16d74cb5b0945621f281b2396535f42daac33ab7bf94317b783caec9c32edfbaffa4da56c97dbfe9ea084488

memory/2868-9-0x0000000003470000-0x0000000003471000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-04 11:35

Reported

2024-06-04 11:38

Platform

win10v2004-20240426-en

Max time kernel

149s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe"

Signatures

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-04_f339756a91e40ce34ff16d6805d8b379_magniber.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 140.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 217.106.137.52.in-addr.arpa udp
US 8.8.8.8:53 26.165.165.52.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 14.173.189.20.in-addr.arpa udp

Files

C:\Users\Admin\AppData\Local\Temp\UNIFC27.tmp\dr.dll

MD5 47e5db9c8990f133d57c564c20668d38
SHA1 b8d90e8922c71935c61ecaae9a482fba6c3439ba
SHA256 5d14c76dbc223385f34e60391ca91475078c1fe35822bf91f825fc8196d95fcd
SHA512 000608913349ce84ef8eda5f68d03ef74fd57f6a16d74cb5b0945621f281b2396535f42daac33ab7bf94317b783caec9c32edfbaffa4da56c97dbfe9ea084488

memory/5032-12-0x0000000003610000-0x0000000003611000-memory.dmp