Analysis

  • max time kernel
    142s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    13-06-2024 05:52

General

  • Target

    2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe

  • Size

    293KB

  • MD5

    62613aa47bd56fbe429f67042d308324

  • SHA1

    6b65041823c6d7194eb09bfab63a60d4ba47576a

  • SHA256

    500309beebda5ac4ead2222ac5bf7b6cae5203f07d283e204d5cbbad612d6fad

  • SHA512

    a23bcb4b1ed86a99d441cb9eb7f5c164dbf92ae243455874be0a48cf26edb48357e0bd4efc20c6befea6b4a0dd9c426172c019e1d1d72cb0d73b1d3761609c7e

  • SSDEEP

    3072:2qviezBmYQZhG93v9F5pxH53E4+VTs7JDuLDHXGUp1I+FF/NQvMQu+j8K/RTP9an:ziez5QZ4lnh7TDu3X+EGRr9K1TOsDR

Score
7/10

Malware Config

Signatures

  • Checks computer location settings (2 TTPs, 1 IoC)

    Looks up the country code configured in the registry, likely a geofence check.

  • Executes dropped EXE (2 IoCs)
  • Adds Run key to start application (2 TTPs, 2 IoCs)
  • Suspicious use of SetThreadContext (2 IoCs)
  • Drops file in Program Files directory (4 IoCs)
  • Drops file in Windows directory (3 IoCs)
  • Enumerates physical storage devices (1 TTP)

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious use of WriteProcessMemory (24 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4744
    • C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe"
      2⤵
      • Checks computer location settings
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious use of WriteProcessMemory
      PID:772
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\lhjyqeosnr.bat" "
        3⤵
          PID:4928
        • C:\Windows\M-5050259729679027539035209642065\winmgr.exe
          C:\Windows\M-5050259729679027539035209642065\winmgr.exe
          3⤵
          • Executes dropped EXE
          • Suspicious use of SetThreadContext
          • Suspicious use of WriteProcessMemory
          PID:3560
          • C:\Windows\M-5050259729679027539035209642065\winmgr.exe
            C:\Windows\M-5050259729679027539035209642065\winmgr.exe
            4⤵
            • Executes dropped EXE
            • Drops file in Program Files directory
            PID:3616
    • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4192 --field-trial-handle=2276,i,5697607538120380977,9987005253899555344,262144 --variations-seed-version /prefetch:8
      1⤵
        PID:3812

      Network

      MITRE ATT&CK Enterprise v15

      Downloads

      • C:\Users\Admin\AppData\Local\Temp\lhjyqeosnr.bat

        Filesize

        278B

        MD5

        6f4995b2cd3b9d6fae70fee6b9508fcb

        SHA1

        35e0eb4cb943a5024e50b9833535b04059574668

        SHA256

        164078468634835e03bacb65d1e298d485dea95b2da3f09f9269d965a454f6a6

        SHA512

        c6b6cee032e7fce3e32bb66948ab68668363de741bf083420d271b143547db81fa9cafc5f78e9b377df72d3280fba3c352c3ecc9e79899ba3fabc8f2b9bd9ecc

      • C:\Users\Admin\AppData\Local\Temp\phqghumeay

        Filesize

        294KB

        MD5

        aba8197ff1eade45697b8efcb0983770

        SHA1

        c34578951f44a951c771c286274a793ada18e200

        SHA256

        46719e1e1fab73fbd646a0df164962b389dde72b5f0ea13ed0f867c8365aea89

        SHA512

        2aa03acd08e2130228c39dab5dc0220d1b0fce4a3e2dad9b1371901cf91c4f800c27d6d3f231a694463a84052bffa39210a2783a33122500574bdb8ce09c200e

      • C:\Windows\M-5050259729679027539035209642065\winmgr.exe

        Filesize

        293KB

        MD5

        62613aa47bd56fbe429f67042d308324

        SHA1

        6b65041823c6d7194eb09bfab63a60d4ba47576a

        SHA256

        500309beebda5ac4ead2222ac5bf7b6cae5203f07d283e204d5cbbad612d6fad

        SHA512

        a23bcb4b1ed86a99d441cb9eb7f5c164dbf92ae243455874be0a48cf26edb48357e0bd4efc20c6befea6b4a0dd9c426172c019e1d1d72cb0d73b1d3761609c7e

      • memory/772-2-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/772-4-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/772-5-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/3560-18-0x0000000000650000-0x0000000000750000-memory.dmp

        Filesize

        1024KB

      • memory/3616-20-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/3616-21-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/3616-23-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/3616-32-0x0000000000400000-0x000000000040D000-memory.dmp

        Filesize

        52KB

      • memory/4744-1-0x0000000000630000-0x0000000000730000-memory.dmp

        Filesize

        1024KB
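Read together, the Signatures, Processes and Downloads sections describe one chain: the sample re-launches its own image (the SetThreadContext/WriteProcessMemory pairing), queries the machine's country code, drops a byte-identical copy of itself as winmgr.exe under a C:\Windows\M-<digits>\ directory, sets a Run key pointing at it, and the copy repeats the self-launch. The script below is an added example written for this page, not Triage's signature logic and not the malware's code. It runs that chain-level check over a list of process-monitor style event dicts and scores each process tree on how many distinct report behaviours appear under it. The event schema, the parent PID 1234, the Run value name "winmgr" and the Geo\Nation registry path behind the location-settings signature are assumptions; the event list is constructed from the report's process tree and hashes, not captured from the sandbox, and the M-<digits> pattern generalises the single directory name this report shows.

```python
import re
from collections import defaultdict

# SHA256 indicators taken from the report's Target and Downloads sections.
IOC_SHA256 = {
    "500309beebda5ac4ead2222ac5bf7b6cae5203f07d283e204d5cbbad612d6fad",  # sample == winmgr.exe
    "164078468634835e03bacb65d1e298d485dea95b2da3f09f9269d965a454f6a6",  # lhjyqeosnr.bat
    "46719e1e1fab73fbd646a0df164962b389dde72b5f0ea13ed0f867c8365aea89",  # phqghumeay
}
# winmgr.exe under C:\Windows\M-<digits>\ ; the digits are generalised from the one
# directory name seen in this report.
DROP_PATH = re.compile(r"^C:\\Windows\\M-\d+\\winmgr\.exe$", re.IGNORECASE)
RUN_KEY = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
# Assumption: the "Checks computer location settings" signature corresponds to a
# read of the user's country code stored under this key.
GEO_KEY = re.compile(r"\\Control Panel\\International\\Geo\\Nation$", re.IGNORECASE)


def root_of(pid, parents):
    """Walk up to the highest ancestor that was itself created inside the trace."""
    while parents.get(pid) in parents:
        pid = parents[pid]
    return pid


def hunt(events):
    """Return {root_pid: set of behaviour tags} for every process tree in the trace.

    Events are dicts with a "type" of process_create (pid, ppid, image, sha256),
    file_create (pid, path), registry_set (pid, key, value) or registry_query
    (pid, key). This schema is an assumption made for the example.
    """
    parents, images, hits = {}, {}, defaultdict(set)
    for ev in events:
        pid, kind = ev["pid"], ev["type"]
        if kind == "process_create":
            parents[pid], images[pid] = ev["ppid"], ev["image"]
            # A parent starting a second copy of its own image is the shape the
            # SetThreadContext/WriteProcessMemory pairing takes in the process tree.
            if images.get(ev["ppid"], "").lower() == ev["image"].lower():
                hits[pid].add("self_spawn")
            if ev.get("sha256", "").lower() in IOC_SHA256:
                hits[pid].add("known_hash")
            if DROP_PATH.match(ev["image"]):
                hits[pid].add("runs_from_drop_dir")
        elif kind == "file_create" and DROP_PATH.match(ev["path"]):
            hits[pid].add("drops_winmgr")
        elif kind == "registry_set" and RUN_KEY.search(ev["key"]) \
                and DROP_PATH.match(ev["value"].strip('"')):
            hits[pid].add("run_key_persistence")
        elif kind == "registry_query" and GEO_KEY.search(ev["key"]):
            hits[pid].add("geo_check")
    # Roll every hit up to the root of its process tree so the chain is scored as a whole.
    by_root = defaultdict(set)
    for pid, tags in hits.items():
        by_root[root_of(pid, parents)] |= tags
    return dict(by_root)


def verdict(by_root, minimum=3):
    """Root PIDs showing at least `minimum` distinct behaviours; single hits are ignored."""
    return sorted(pid for pid, tags in by_root.items() if len(tags) >= minimum)


# Constructed trace mirroring the report's process tree (PIDs and paths from the
# report; ppid 1234, the Run value name and the Geo key are assumptions).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\2024-06-13_62613aa47bd56fbe429f67042d308324_magniber.exe"
WINMGR = r"C:\Windows\M-5050259729679027539035209642065\winmgr.exe"
SAMPLE_SHA256 = "500309beebda5ac4ead2222ac5bf7b6cae5203f07d283e204d5cbbad612d6fad"
EVENTS = [
    {"type": "process_create", "pid": 4744, "ppid": 1234, "image": SAMPLE, "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 772, "ppid": 4744, "image": SAMPLE, "sha256": SAMPLE_SHA256},
    {"type": "registry_query", "pid": 772, "key": r"HKCU\Control Panel\International\Geo\Nation"},
    {"type": "file_create", "pid": 772, "path": WINMGR},
    {"type": "registry_set", "pid": 772,
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\winmgr", "value": WINMGR},
    {"type": "process_create", "pid": 4928, "ppid": 772, "image": r"C:\Windows\SysWOW64\cmd.exe"},
    {"type": "process_create", "pid": 3560, "ppid": 772, "image": WINMGR, "sha256": SAMPLE_SHA256},
    {"type": "process_create", "pid": 3616, "ppid": 3560, "image": WINMGR, "sha256": SAMPLE_SHA256},
    # Unrelated process from the same snapshot; must not be attributed to the sample.
    {"type": "process_create", "pid": 3812, "ppid": 1234,
     "image": r"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe"},
]

if __name__ == "__main__":
    trees = hunt(EVENTS)
    for pid in verdict(trees):
        print(pid, sorted(trees[pid]))
```

Scoring is done per process tree on distinct behaviours rather than on single hits, so a browser that re-launches its own image or a lone Run key does not trip the verdict; the sample's tree rooted at PID 4744 accumulates all six tags while the msedge.exe process in the same snapshot accumulates none.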