931dd35c105250ed7d9c408f20d01fbffc265daefcfba3f98d4d659054283669

Analysis

max time kernel
150s
max time network
151s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
14/06/2024, 18:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Size

23.6MB
MD5

2b0c4457ff9e5589f6e2f2d2dd82d507
SHA1

f7628e5b892449fc4f86ea7ecf51ce796528c185
SHA256

931dd35c105250ed7d9c408f20d01fbffc265daefcfba3f98d4d659054283669
SHA512

9050ae8f525fc48f10e97e9fa4b8deefb638ae5ee3adce90209c6cd6e68f8f223fcdb8e9c2559240bb4be39b3ebd635915af5ae7d4fe55bc7315ec4c1e3e50ca
SSDEEP

393216:2RsEP8j2IxCBZz2IxCBZz2IxCBZqggBZZZGSGSG9qCqCq3:858j2G8Z2G8Z2G8kGSGSG9qCqCq3

Score

8^/10

persistence

Malware Config

Signatures

Sets DLL path for service in the registry 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinAppSvc\Parameters\ServiceDll = "C:\\Program Files\\DszFileSafe\\DszFileSafe_x64.dll"	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\WinAppSvcMon\Parameters\ServiceDll = "C:\\Program Files\\DszFileSafe\\DszFileSafeMon_x64.dll"	svchost.exe

Enumerates connected drives 3 TTPs 2 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\F:	svchost.exe
File opened (read-only)	\??\D:	svchost.exe

Drops file in Program Files directory 21 IoCs

description	ioc	Process
File created	C:\Program Files\DszFileSafe\ApiHook_x64.dll	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Ndis.7z	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Ndis\SuperFirewallLwfEx.inf	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification	C:\Program Files\DszFileSafe\Ndis\SuperFirewallLwfEx.inf	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Ndis\i386\SuperFireWallLwfEx.sys	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification	C:\Program Files\DszFileSafe\Log.db	svchost.exe
File opened for modification	C:\Program Files\DszFileSafe\Log.db-journal	svchost.exe
File opened for modification	C:\Program Files\DszFileSafe\	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\DszFileSafe_x64.dll	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_amd64.cat	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Rhelp.exe	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Win.ini	svchost.exe
File created	C:\Program Files\DszFileSafe\DszFileSafeMon_x64.dll	svchost.exe
File opened for modification	C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_amd64.cat	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Ndis\amd64\SuperFireWallLwfEx.sys	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification	C:\Program Files\DszFileSafe\Ndis\amd64\SuperFireWallLwfEx.sys	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification	C:\Program Files\DszFileSafe\Ndis\i386\SuperFireWallLwfEx.sys	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\BugReport.exe	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification	C:\Program Files\DszFileSafe\	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created	C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_i386.cat	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification	C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_i386.cat	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe

Executes dropped EXE 1 IoCs

pid	Process
1132	Process not Found

Loads dropped DLL 5 IoCs

pid	Process
2736	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2712	svchost.exe
2712	svchost.exe
2436	svchost.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2736	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2712	svchost.exe
2712	svchost.exe
2436	svchost.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2712	svchost.exe
2712	svchost.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2712	svchost.exe
2712	svchost.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2712	svchost.exe
2712	svchost.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe

Suspicious use of SetWindowsHookEx 12 IoCs

pid	Process
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2736	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1856 wrote to memory of 2736	1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe	28
PID 1856 wrote to memory of 2736	1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe	28
PID 1856 wrote to memory of 2736	1856	2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe	28
PID 2712 wrote to memory of 2888	2712	svchost.exe	31
PID 2712 wrote to memory of 2888	2712	svchost.exe	31
PID 2712 wrote to memory of 2888	2712	svchost.exe	31
PID 2712 wrote to memory of 2148	2712	svchost.exe	33
PID 2712 wrote to memory of 2148	2712	svchost.exe	33
PID 2712 wrote to memory of 2148	2712	svchost.exe	33
PID 2712 wrote to memory of 1484	2712	svchost.exe	35
PID 2712 wrote to memory of 1484	2712	svchost.exe	35
PID 2712 wrote to memory of 1484	2712	svchost.exe	35

C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe"
1⤵
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: AddClipboardFormatListener
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1856
- C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe" /INSTALL
  2⤵
  - Sets DLL path for service in the registry
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2736

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WinAppSvc
1⤵
- Sets DLL path for service in the registry
- Enumerates connected drives
- Drops file in Program Files directory
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\System32\arp.exe
  arp -a
  2⤵
  PID:2888
- C:\Windows\System32\arp.exe
  arp -a
  2⤵
  PID:2148
- C:\Windows\System32\arp.exe
  arp -a
  2⤵
  PID:1484

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k WinAppSvcMon
1⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:2436

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Program Files\DszFileSafe\ApiHook_x64.dll

Filesize
389KB

MD5
5926186ffdd09811a7d4edb9f3816515

SHA1
d6d7a3b4da29cfb1bce59c37a0111607ca854840

SHA256
8ab39856e6f90da47bc88704fa86369ced0817a99e584b6678dc3bc245d14ca4

SHA512
526c21dfa031bc77d3fe37def746fdad69afe2d8cd0ed674dc506c701ac6672ef0bf3b8220da13e1a170419c3e96106c2db5afcf049c9f2dc962251c816e1390

Download Submit
\Program Files\DszFileSafe\DszFileSafeMon_x64.dll

Filesize
82KB

MD5
310586e6f113c88ad4f15731c65ee63e

SHA1
58a8804387ff1eecf9a259eae8377ff128239a65

SHA256
52625bbef9551a6d6ef3481d64f0b7f7d64dd18fd63209a97f674ca280426555

SHA512
761f4924fdddfc05bff7308794dd3b3def709e3268fba88e8ca49e2cb3f51fa21087c5e212f021c3add13e0212f8ba90f58c5de97ebd5f60dd62e9692a7e13f1

Download Submit
\Program Files\DszFileSafe\DszFileSafe_x64.dll

Filesize
6.1MB

MD5
ff7b6b487f5e4e46625deae0f35dc149

SHA1
aa94791dfc2e26664f4b5e7f3776bac8f20b03e4

SHA256
88bdbc00c2aefa2225e2f06b80189d8bd6589681dd2efae864589d40b63be5ee

SHA512
35968b189fc8dda3d9b6bb721e5de8f65d4da0da124a419b123c6dfffa8fc02ba05cffc29da3ed9f5bc4772b3c963ca9cf60b47ab623ccb11adc5eba20ebc879

Download Submit
memory/1856-34-0x00000000001D0000-0x00000000001D1000-memory.dmp

Filesize
4KB

Download
memory/1856-33-0x000007FE7DDD0000-0x000007FE7DDD1000-memory.dmp

Filesize
4KB

Download
memory/1856-32-0x000007FE7E860000-0x000007FE7E861000-memory.dmp

Filesize
4KB

Download