Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 14-06-2024 18:44

Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Size: 23.6MB
MD5: 2b0c4457ff9e5589f6e2f2d2dd82d507
SHA1: f7628e5b892449fc4f86ea7ecf51ce796528c185
SHA256: 931dd35c105250ed7d9c408f20d01fbffc265daefcfba3f98d4d659054283669
SHA512: 9050ae8f525fc48f10e97e9fa4b8deefb638ae5ee3adce90209c6cd6e68f8f223fcdb8e9c2559240bb4be39b3ebd635915af5ae7d4fe55bc7315ec4c1e3e50ca
SSDEEP: 393216:2RsEP8j2IxCBZz2IxCBZz2IxCBZqggBZZZGSGSG9qCqCq3:858j2G8Z2G8Z2G8kGSGSG9qCqCq3
Malware Config
Signatures
Sets DLL path for service in the registry (2 TTPs, 2 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinAppSvcMon\Parameters\ServiceDll = "C:\\Program Files\\DszFileSafe\\DszFileSafeMon_x64.dll" | svchost.exe
Set value (str) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\WinAppSvc\Parameters\ServiceDll = "C:\\Program Files\\DszFileSafe\\DszFileSafe_x64.dll" | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
description | ioc | Process
File opened (read-only) | \??\D: | svchost.exe
File opened (read-only) | \??\F: | svchost.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Drops file in Program Files directory (21 IoCs)
description | ioc | Process
File created | C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_i386.cat | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification | C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_i386.cat | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\Ndis\amd64\SuperFireWallLwfEx.sys | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification | C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_amd64.cat | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\DszFileSafe_x64.dll | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\ApiHook_x64.dll | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\Ndis.7z | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\Rhelp.exe | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification | C:\Program Files\DszFileSafe\ | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\Ndis\SuperFirewallLwfEx.inf | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\Ndis\superfirewallnetlwfex_amd64.cat | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\Ndis\i386\SuperFireWallLwfEx.sys | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification | C:\Program Files\DszFileSafe\ | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification | C:\Program Files\DszFileSafe\Ndis\amd64\SuperFireWallLwfEx.sys | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File opened for modification | C:\Program Files\DszFileSafe\Ndis\i386\SuperFireWallLwfEx.sys | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\BugReport.exe | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
File created | C:\Program Files\DszFileSafe\Win.ini | svchost.exe
File created | C:\Program Files\DszFileSafe\DszFileSafeMon_x64.dll | svchost.exe
File opened for modification | C:\Program Files\DszFileSafe\Log.db | svchost.exe
File opened for modification | C:\Program Files\DszFileSafe\Log.db-journal | svchost.exe
File opened for modification | C:\Program Files\DszFileSafe\Ndis\SuperFirewallLwfEx.inf | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Executes dropped EXE (1 IoC)
pid | Process
3436 | Process not Found
Loads dropped DLL (5 IoCs)
pid | Process
892 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
1584 | svchost.exe
1584 | svchost.exe
3264 | svchost.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Checks SCSI registry key(s) (3 TTPs, 13 IoCs)
SCSI information is often read in order to detect sandboxing environments.
description | ioc | Process
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004\ | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_QEMU&PROD_QEMU_DVD-ROM\4&215468A5&0&010000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Phantom | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\DISK&VEN_DADY&PROD_HARDDISK\4&215468A5&0&000000 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\DeviceDesc | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_QEMU&Prod_QEMU_DVD-ROM\4&215468a5&0&010000\ConfigFlags | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000001 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\ConfigFlags | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Service | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CDROM&VEN_MSFT&PROD_VIRTUAL_DVD-ROM\2&1F4ADFFE&0&000002 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName | svchost.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0004 | svchost.exe
Key value queried | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Phantom | svchost.exe
Suspicious behavior: AddClipboardFormatListener (1 IoC)
pid | Process
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Suspicious behavior: EnumeratesProcesses (64 IoCs; pid/Process table)
Suspicious use of SetWindowsHookEx (12 IoCs)
pid | Process
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
892 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
Suspicious use of WriteProcessMemory (8 IoCs)
description | pid | Process | procid_target
PID 2348 wrote to memory of 892 | 2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe | 83
PID 2348 wrote to memory of 892 | 2348 | 2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe | 83
PID 1584 wrote to memory of 2856 | 1584 | svchost.exe | 87
PID 1584 wrote to memory of 2856 | 1584 | svchost.exe | 87
PID 1584 wrote to memory of 2852 | 1584 | svchost.exe | 89
PID 1584 wrote to memory of 2852 | 1584 | svchost.exe | 89
PID 1584 wrote to memory of 2464 | 1584 | svchost.exe | 91
PID 1584 wrote to memory of 2464 | 1584 | svchost.exe | 91
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe"
  PID: 2348
  - Checks computer location settings
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  Child: C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe" /INSTALL
    PID: 892
    - Sets DLL path for service in the registry
    - Drops file in Program Files directory
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k WinAppSvc
  PID: 1584
  - Sets DLL path for service in the registry
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Loads dropped DLL
  - Checks SCSI registry key(s)
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  Child: C:\Windows\System32\arp.exe
    Command line: arp -a
    PID: 2856
  Child: C:\Windows\System32\arp.exe
    Command line: arp -a
    PID: 2852
  Child: C:\Windows\System32\arp.exe
    Command line: arp -a
    PID: 2464

C:\Windows\System32\svchost.exe
  Command line: C:\Windows\System32\svchost.exe -k WinAppSvcMon
  PID: 3264
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
Network
MITRE ATT&CK Enterprise v15