Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-en
  • resource tags
    arch:x64 arch:x86 image:win10v2004-20240508-en locale:en-us os:windows10-2004-x64 system
  • submitted
    14-06-2024 18:44

General

  • Target
    2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
  • Size
    23.6MB
  • MD5
    2b0c4457ff9e5589f6e2f2d2dd82d507
  • SHA1
    f7628e5b892449fc4f86ea7ecf51ce796528c185
  • SHA256
    931dd35c105250ed7d9c408f20d01fbffc265daefcfba3f98d4d659054283669
  • SHA512
    9050ae8f525fc48f10e97e9fa4b8deefb638ae5ee3adce90209c6cd6e68f8f223fcdb8e9c2559240bb4be39b3ebd635915af5ae7d4fe55bc7315ec4c1e3e50ca
  • SSDEEP
    393216:2RsEP8j2IxCBZz2IxCBZz2IxCBZqggBZZZGSGSG9qCqCq3:858j2G8Z2G8Z2G8kGSGSG9qCqCq3

Score
8/10

Malware Config

Signatures

  • Sets DLL path for service in the registry 2 TTPs 2 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops file in Program Files directory 21 IoCs
  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 5 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 13 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Suspicious behavior: AddClipboardFormatListener 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious use of SetWindowsHookEx 12 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Suspicious behavior: AddClipboardFormatListener
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:2348
    • C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b0c4457ff9e5589f6e2f2d2dd82d507_magniber.exe" /INSTALL
      2⤵
      • Sets DLL path for service in the registry
      • Drops file in Program Files directory
      • Loads dropped DLL
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of SetWindowsHookEx
      PID:892
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WinAppSvc
    1⤵
    • Sets DLL path for service in the registry
    • Enumerates connected drives
    • Drops file in Program Files directory
    • Loads dropped DLL
    • Checks SCSI registry key(s)
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of WriteProcessMemory
    PID:1584
    • C:\Windows\System32\arp.exe
      arp -a
      2⤵
      PID:2856
    • C:\Windows\System32\arp.exe
      arp -a
      2⤵
      PID:2852
    • C:\Windows\System32\arp.exe
      arp -a
      2⤵
      PID:2464
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k WinAppSvcMon
    1⤵
    • Loads dropped DLL
    • Suspicious behavior: EnumeratesProcesses
    PID:3264

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\DszFileSafe\ApiHook_x64.dll
    Filesize
    389KB
    MD5
    5926186ffdd09811a7d4edb9f3816515
    SHA1
    d6d7a3b4da29cfb1bce59c37a0111607ca854840
    SHA256
    8ab39856e6f90da47bc88704fa86369ced0817a99e584b6678dc3bc245d14ca4
    SHA512
    526c21dfa031bc77d3fe37def746fdad69afe2d8cd0ed674dc506c701ac6672ef0bf3b8220da13e1a170419c3e96106c2db5afcf049c9f2dc962251c816e1390
  • C:\Program Files\DszFileSafe\DszFileSafeMon_x64.dll
    Filesize
    82KB
    MD5
    310586e6f113c88ad4f15731c65ee63e
    SHA1
    58a8804387ff1eecf9a259eae8377ff128239a65
    SHA256
    52625bbef9551a6d6ef3481d64f0b7f7d64dd18fd63209a97f674ca280426555
    SHA512
    761f4924fdddfc05bff7308794dd3b3def709e3268fba88e8ca49e2cb3f51fa21087c5e212f021c3add13e0212f8ba90f58c5de97ebd5f60dd62e9692a7e13f1
  • C:\Program Files\DszFileSafe\DszFileSafe_x64.dll
    Filesize
    6.1MB
    MD5
    ff7b6b487f5e4e46625deae0f35dc149
    SHA1
    aa94791dfc2e26664f4b5e7f3776bac8f20b03e4
    SHA256
    88bdbc00c2aefa2225e2f06b80189d8bd6589681dd2efae864589d40b63be5ee
    SHA512
    35968b189fc8dda3d9b6bb721e5de8f65d4da0da124a419b123c6dfffa8fc02ba05cffc29da3ed9f5bc4772b3c963ca9cf60b47ab623ccb11adc5eba20ebc879
  • memory/2348-33-0x00007FFE27B40000-0x00007FFE27B41000-memory.dmp
    Filesize
    4KB
  • memory/2348-32-0x00007FFE27510000-0x00007FFE27511000-memory.dmp
    Filesize
    4KB