Analysis

  • max time kernel
    143s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-06-2024 13:03

General

  • Target

    2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe

  • Size

    10.1MB

  • MD5

    51d5200e15ebda388c63a38a0d0105ff

  • SHA1

    085e836dd0adb10f3cc7a80270ea729626c32076

  • SHA256

    05e7c78141093b0ca5a02cfec727a5ba40002cc731a589a098f46b221c3240d4

  • SHA512

    64154fc84557c4c1a7f2d764da56d5be3250ec6a9bb9ce2124301fb01fe1e5456b0628ea243775b9f1b1c091763a33fc0d4ed770eb1c61efbf8d5e28fbf5f9a9

  • SSDEEP

    196608:kdad4T0xcsSB5orrcbSsi0s/lmPJ7N3VvXWrqufezvq:AadCoXrlAJ7N3pXW2uGzy

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 10 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Windows directory 17 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies Internet Explorer settings 1 TTPs 2 IoCs
  • Modifies system certificate store 2 TTPs 8 IoCs
  • Suspicious behavior: EnumeratesProcesses 12 IoCs
  • Suspicious use of AdjustPrivilegeToken 60 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-12_51d5200e15ebda388c63a38a0d0105ff_magniber.exe"
    1⤵
    • Enumerates connected drives
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1856
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=3452,i,16710585221322798697,8586257254049248207,262144 --variations-seed-version --mojo-platform-channel-handle=4604 /prefetch:8
    1⤵
      PID:3524
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Enumerates connected drives
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2036
      • C:\Windows\syswow64\MsiExec.exe
        C:\Windows\syswow64\MsiExec.exe -Embedding 4C6EA568D1A62173C21F69B7299F4D2A
        2⤵
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:1940
        • C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe
          "C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/5/
          3⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          PID:4556
        • C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe
          "C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--oem=" "--nopin=n" "--pin_custom=n" "--pin_desktop=n" "--pin_taskbar=y" "--locale=us" "--browser=" "--browser_default=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe" "--is_elevated=yes" "--ui_level=5" "--good_token=x" "--no_opera=n"
          3⤵
          • Executes dropped EXE
          • Modifies Internet Explorer settings
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:4316
          • C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe
            C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe --send "/status.xml?clid=2765538&uuid=5070d918-3619-45bf-b2e7-df73bc92486f&vnt=Windows 10x64&file-no=8%0A15%0A25%0A45%0A57%0A59%0A102%0A111%0A125%0A129%0A"
            4⤵
            • Executes dropped EXE
            • Drops file in System32 directory
            • Suspicious behavior: EnumeratesProcesses
            PID:13040

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Config.Msi\e58438d.rbs

      Filesize

      575B

      MD5

      31d2753e55767ab2597bf531661d2151

      SHA1

      b1f4742930cb928fc570ff273a161c844fc28d64

      SHA256

      986593c10baf38f0aeb9a890986ac603f9c2327034d69f4292bef55b40e48f03

      SHA512

      930fbc4aa5107a6d7a7dee82a0086f41980f7aaa82d562042884c77329c9675fdb7702b742156d26f15a6576e366ea6c434e4c105044ebf321ba4db76fdb610c

    • C:\Users\Admin\AppData\Local\Temp\073E2BE6-D6A3-4719-8614-F9AC146CD624\seederexe.exe

      Filesize

      8.6MB

      MD5

      225ba20fa3edd13c9c72f600ff90e6cb

      SHA1

      5f1a9baa85c2afe29619e7cc848036d9174701e4

      SHA256

      35585d12899435e13e186490fcf1d270adbe3c74a1e0578b3d9314858bf2d797

      SHA512

      97e699cffe28d3c3611570d341ccbc1a0f0eec233c377c70e0e20d4ed3b956b6fe200a007f7e601a5724e733c97eaddc39d308b9af58d45f7598f10038d94ab3

    • C:\Users\Admin\AppData\Local\Temp\4D6BDF39-A8AF-47BE-BABD-82BE444AB126\lite_installer.exe

      Filesize

      419KB

      MD5

      aafdfaa7a989ddb216510fc9ae5b877f

      SHA1

      41cf94692968a7d511b6051b7fe2b15c784770cb

      SHA256

      688d0b782437ccfae2944281ade651a2da063f222e80b3510789dbdce8b00fdc

      SHA512

      6e2b76ff6df79c6de6887cf739848d05c894fbd70dc9371fff95e6ccd9938d695c46516cb18ec8edd01e78cad1a6029a3d633895f7ddba4db4bf9cd39271bd44

    • C:\Users\Admin\AppData\Local\Temp\DFF170D8-18D1-4E76-AB70-242D33E3F47D\sender.exe

      Filesize

      260KB

      MD5

      f1a8f60c018647902e70cf3869e1563f

      SHA1

      3caf9c51dfd75206d944d4c536f5f5ff8e225ae9

      SHA256

      36022c6ecb3426791e6edee9074a3861fe5b660d98f2b2b7c13b80fe11a75577

      SHA512

      c02dfd6276ad136283230cdf07d30ec2090562e6c60d6c0d4ac3110013780fcafd76e13931be53b924a35cf473d0f5ace2f6b5c3f1f70ce66b40338e53d38d1e

    • C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

      Filesize

      34KB

      MD5

      e1cb51bc98b3c4562d37252df45e7444

      SHA1

      6fbfd14b4767c83148f6415e9bae094bca485eed

      SHA256

      16ee84230bbf672e20c36170e8f5e34c351ed0aa1e9423533ea1d2f19e7bf47b

      SHA512

      e5a13d7217f0538ec32b33719219f91465878fa36c34e537806fb7d35e1b9d009051268928210490e29ea8d0c81e604e6c54f30965e78ec353a56c58a1006293

    • C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

      Filesize

      531B

      MD5

      c569a73140c7682adb47b64117c4144f

      SHA1

      d894792b4dfa7c5f6e696f05fd7dfd9c3f9a2ebd

      SHA256

      761715b9e682b75c6c41c9664263c0cddac295d4725ddf92fe267aac2fc1e54b

      SHA512

      b30001a70cd1265f206bf0c7458791e37d7890d5777fe43ec6c901368b3788efba849ce91c364da47c9084b73382b1eccc8c3614fe7fc9d1b8155021014e46e0

    • C:\Users\Admin\AppData\Local\Temp\omnija-20240312.zip

      Filesize

      40.8MB

      MD5

      dc5128fcb8d7f6b849f1166532db2dc8

      SHA1

      8427501d440d5edbbb2662294bc5650d2bc8aab5

      SHA256

      36e682f419c2b5d8e7c285d36088b56d59df3869dbd181943280696d4ca391ca

      SHA512

      bcf0d463ed4f01a313b8e6be745ad55b42108be84cc5850c411dec19aa7c6d996782da49fc208559f1188941bdd1082d954cfa316f08c0ad2efcf0662952e524

    • C:\Users\Admin\AppData\Local\Temp\tmp4316aaaaaa

      Filesize

      2.5MB

      MD5

      fefc3d677388386c29d8720c15b9db3f

      SHA1

      370f1f40ae5c652d87b3b8f42e67d827af2b1754

      SHA256

      74d5e8d3cd8d659d8df8e6f306832dfc252e1a6e676bb60334e31b5943deb4fb

      SHA512

      b462ca1ffb0798bedc39c945daa75ff73e0efbb1c6dfdb262e6b2936158933f514f0b4169e811069df11aaeaebd39c826ce0caf9f6eb6d77de249fca6abe39fe

    • C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

      Filesize

      510B

      MD5

      10cdb2ce3fe53937c8a0879033424135

      SHA1

      061e1fc38f7075d0e6b40b00004225f64f046cbd

      SHA256

      1bd0f826e60de8c54b4becd496b5f7b642ec10a3a0c4b827479c7c6e0d50ae00

      SHA512

      4539da3e183e4856614b5baa50f54a384edf3bea4bfebade45c019a046fc2bac94734e019ac3420905707e19907241452f6b72214a373ddfd6a684dd04f67ed7

    • C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

      Filesize

      9.8MB

      MD5

      a685e7710dfd278be21aad1d88f6037f

      SHA1

      c40bdb55e24180aeb3f94927f4ab857a10bae870

      SHA256

      3274d31cd9e5ee72687e8fc0bd2d53e47cd61301a0a715a572b4c29fcb808ed4

      SHA512

      fd77dc748bfbe53f871f18c3449a7ccc3c9b44a41aff4f2475f5c5a667cdfefd7231a23a723bb9599cdf884473abce42752067201d4aaf6245f65ffd4ebf3375

    • C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\kwvh0l1k.Admin\places.sqlite-20240612130339.630260.backup

      Filesize

      68KB

      MD5

      314cb7ffb31e3cc676847e03108378ba

      SHA1

      3667d2ade77624e79d9efa08a2f1d33104ac6343

      SHA256

      b6d278384a3684409a2a86f03e4f52869818ce7dd8b5779876960353f7d35dc1

      SHA512

      dc795fa35ea214843a781ee2b2ef551b91b6841a799bef2c6fb1907d90f6c114071a951ebb7b2b30e81d52b594d447a26ab12ddb57c331e854577d11e5febef5

    • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-20240612130339.958373.backup

      Filesize

      1KB

      MD5

      3adec702d4472e3252ca8b58af62247c

      SHA1

      35d1d2f90b80dca80ad398f411c93fe8aef07435

      SHA256

      2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

      SHA512

      7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

    • C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-20240612130339.958373.backup

      Filesize

      313B

      MD5

      af006f1bcc57b11c3478be8babc036a8

      SHA1

      c3bb4fa8c905565ca6a1f218e39fe7494910891e

      SHA256

      ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

      SHA512

      3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

    • C:\Users\Admin\AppData\Roaming\Yandex\ui

      Filesize

      38B

      MD5

      a1b396bc3f125a7a0b1e33e8557f21aa

      SHA1

      1a116b9ad05547e217c52f37df7f8fcf387d2128

      SHA256

      02ba4a6e2d8037e2fed43d76d15909f8bac5fb3e15491aedc2eb6b37d15d1a45

      SHA512

      85160da65d11c7f175ed8b2757d89d2626e0586509ca1fd0f38e25ba5e03dbc5f3bb7db78d91b9cb830fb1d2048ebd377a8b99fde7e075d9c71616d638f429f8

    • C:\Windows\Installer\MSI467A.tmp

      Filesize

      181KB

      MD5

      0c80a997d37d930e7317d6dac8bb7ae1

      SHA1

      018f13dfa43e103801a69a20b1fab0d609ace8a5

      SHA256

      a5dd2f97c6787c335b7807ff9b6966877e9dd811f9e26326837a7d2bd224de86

      SHA512

      fe1caef6d727344c60df52380a6e4ab90ae1a8eb5f96d6054eced1b7734357ce080d944fa518cf1366e14c4c0bd9a41db679738a860800430034a75bb90e51a5

    • C:\Windows\Installer\MSI46D9.tmp

      Filesize

      189KB

      MD5

      e6fd0e66cf3bfd3cc04a05647c3c7c54

      SHA1

      6a1b7f1a45fb578de6492af7e2fede15c866739f

      SHA256

      669cc0aae068ced3154acaecb0c692c4c5e61bc2ca95b40395a3399e75fcb9b2

      SHA512

      fc8613f31acaf6155852d3ad6130fc3b76674b463dcdcfcd08a3b367dfd9e5b991e3f0a26994bcaf42f9e863a46a81e2520e77b1d99f703bcb08800bdca4efcb