Analysis

  • max time kernel
    149s
  • max time network
    149s
  • platform
    windows7_x64
  • resource
    win7-20240611-en
  • resource tags

    arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
  • submitted
    13-06-2024 05:52

General

  • Target

    2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe

  • Size

    293KB

  • MD5

    62613aa47bd56fbe429f67042d308324

  • SHA1

    6b65041823c6d7194eb09bfab63a60d4ba47576a

  • SHA256

    500309beebda5ac4ead2222ac5bf7b6cae5203f07d283e204d5cbbad612d6fad

  • SHA512

    a23bcb4b1ed86a99d441cb9eb7f5c164dbf92ae243455874be0a48cf26edb48357e0bd4efc20c6befea6b4a0dd9c426172c019e1d1d72cb0d73b1d3761609c7e

  • SSDEEP

    3072:2qviezBmYQZhG93v9F5pxH53E4+VTs7JDuLDHXGUp1I+FF/NQvMQu+j8K/RTP9an:ziez5QZ4lnh7TDu3X+EGRr9K1TOsDR

Malware Config

Signatures

  • Modifies security service 2 TTPs 1 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 2 IoCs
  • Drops file in System32 directory 4 IoCs
  • Suspicious use of SetThreadContext 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory 28 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:1468
    • C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe"
      2⤵
      • Modifies security service
      • Loads dropped DLL
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:1888
      • C:\Windows\SysWOW64\cmd.exe
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tqlfcuzuyx.bat" "
        3⤵
        • Deletes itself
        PID:1592
      • C:\Windows\M-5050259729679027539035209642065\winmgr.exe
        C:\Windows\M-5050259729679027539035209642065\winmgr.exe
        3⤵
        • Executes dropped EXE
        • Suspicious use of SetThreadContext
        • Suspicious use of WriteProcessMemory
        PID:2688
        • C:\Windows\M-5050259729679027539035209642065\winmgr.exe
          C:\Windows\M-5050259729679027539035209642065\winmgr.exe
          4⤵
          • Executes dropped EXE
          • Drops file in System32 directory
          PID:2756

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\tqlfcuzuyx.bat

    Filesize

    278B

    MD5

    495c142584106a5dcdf926911f325d0c

    SHA1

    fb069d283497fe1c88bc28f2a381187d4e50cc07

    SHA256

    289a73e997fc189b7b8ac4945287e97fd2cc8cb8a58bda9bc9db7c3e60d33342

    SHA512

    860269b8d6f58ca5124464952ae0ca964764c91c426641abc810e5fc237bc6ab1e3707bd10e0382742ea9e12dc9c8419a31743a844929e8a82cec5074aee136e

  • \Windows\M-5050259729679027539035209642065\winmgr.exe

    Filesize

    293KB

    MD5

    62613aa47bd56fbe429f67042d308324

    SHA1

    6b65041823c6d7194eb09bfab63a60d4ba47576a

    SHA256

    500309beebda5ac4ead2222ac5bf7b6cae5203f07d283e204d5cbbad612d6fad

    SHA512

    a23bcb4b1ed86a99d441cb9eb7f5c164dbf92ae243455874be0a48cf26edb48357e0bd4efc20c6befea6b4a0dd9c426172c019e1d1d72cb0d73b1d3761609c7e

  • memory/1468-6-0x0000000000530000-0x0000000000630000-memory.dmp

    Filesize

    1024KB

  • memory/1888-3-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/1888-5-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/1888-1-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

    Filesize

    4KB

  • memory/1888-7-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB

  • memory/2688-27-0x00000000005D0000-0x00000000006D0000-memory.dmp

    Filesize

    1024KB

  • memory/2756-36-0x0000000000400000-0x000000000040D000-memory.dmp

    Filesize

    52KB