f1bcdd2b108a85ffa57f4b99e4e605a2f18b320ce3e275ae95bde5994895ab34

General

Target

2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe
Size

251KB
MD5

7555658294636c965d58a43e02c14888
SHA1

811aae2ad4be0ea6a96b026980bca9e201bc05ff
SHA256

f1bcdd2b108a85ffa57f4b99e4e605a2f18b320ce3e275ae95bde5994895ab34
SHA512

cec4eb9817b554dc06469ce6675c80be846876ecc38d85b8106c940f9b287faab58390b71f3ad27e4f205e0950e1bb7ea78d3af145ee1446fbfafd586f28b145
SSDEEP

3072:ZZAxFmJZHBdf848pHO8yp26vE4qZGV6R2fBkjLSzuxZ2pv+oH7FsOFFOA5gfxR7b:ALmXBdf8Vu5dHV30Z2pGo5sOFECgfxpD

Score

7^/10

persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe

Executes dropped EXE 2 IoCs

pid	Process
3288	winmgr.exe
1592	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50507627057205928477583929470\\winmgr.exe"	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50507627057205928477583929470\\winmgr.exe"	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 996 set thread context of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 3288 set thread context of 1592	3288	winmgr.exe	93

Drops file in Program Files directory 10 IoCs

description	ioc	Process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File created	C:\Windows\M-50507627057205928477583929470\winmgr.exe	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe
File opened for modification	C:\Windows\M-50507627057205928477583929470\winmgr.exe	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe
File opened for modification	C:\Windows\M-50507627057205928477583929470	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 996 wrote to memory of 1468	996	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	86
PID 1468 wrote to memory of 3648	1468	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	87
PID 1468 wrote to memory of 3648	1468	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	87
PID 1468 wrote to memory of 3648	1468	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	87
PID 1468 wrote to memory of 3288	1468	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	88
PID 1468 wrote to memory of 3288	1468	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	88
PID 1468 wrote to memory of 3288	1468	2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe	88
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93
PID 3288 wrote to memory of 1592	3288	winmgr.exe	93

C:\Users\Admin\AppData\Local\Temp\2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of WriteProcessMemory
PID:996
- C:\Users\Admin\AppData\Local\Temp\2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-07_7555658294636c965d58a43e02c14888_magniber.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of WriteProcessMemory
  PID:1468
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ostzfrrjqu.bat" "
    3⤵
    PID:3648
- - C:\Windows\M-50507627057205928477583929470\winmgr.exe
    C:\Windows\M-50507627057205928477583929470\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of WriteProcessMemory
    PID:3288
  - - C:\Windows\M-50507627057205928477583929470\winmgr.exe
      C:\Windows\M-50507627057205928477583929470\winmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      PID:1592

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\ostzfrrjqu.bat

Filesize
278B

MD5
50cce3e9691a4f26c4854a41982fee7f

SHA1
cd0db71ed17e5c61028239609d5bfa3f9d97c8b5

SHA256
3b81c1a85f4a56eaf41d4929d6584dea4569114775c4c1f2fbd0e3d4c2ebd18f

SHA512
2896c5234e0a0b212bd112141baacc47ef43d1eff72a312ed095cf33e76c5aec1688ee7b2a8e146eb299623b9ffeacbfc67bae3faaeab34e1fcf895804449208

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqghumeay

Filesize
252KB

MD5
260e64f10b8374dc40a931b89d2f2e37

SHA1
5669ccb214e74a8a1510328a4fd11d4a9f9a9eb2

SHA256
75b3e4405e1a5cf48b187b1fdc444940a377613efc9ff4fea620b005e5bccab0

SHA512
8bb974e060a183136e9b8b22fc1c78784bc366a9636beb1c502b02fd54b507acae14c716418c2dcafcdbb1ebfe80418c6a7327a6871b75666e3579d917e3bbd3

Download Submit
C:\Windows\M-50507627057205928477583929470\winmgr.exe

Filesize
251KB

MD5
7555658294636c965d58a43e02c14888

SHA1
811aae2ad4be0ea6a96b026980bca9e201bc05ff

SHA256
f1bcdd2b108a85ffa57f4b99e4e605a2f18b320ce3e275ae95bde5994895ab34

SHA512
cec4eb9817b554dc06469ce6675c80be846876ecc38d85b8106c940f9b287faab58390b71f3ad27e4f205e0950e1bb7ea78d3af145ee1446fbfafd586f28b145

Download Submit
memory/996-3-0x0000000000575000-0x0000000000582000-memory.dmp

Filesize
52KB

Download
memory/1468-1-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1468-4-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1468-5-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1592-20-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1592-21-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1592-23-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/1592-32-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/3288-18-0x00000000004A0000-0x00000000005A0000-memory.dmp

Filesize
1024KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads