Malware Analysis Report

2024-09-23 11:16

Sample ID 240615-d5bndaxgqa
Target 2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber
SHA256 4c8a7284b9cceb1ddb4175a231cff80784271b37ce53491cb069d32b4873a795
Tags
bootkit persistence
score
6/10

Analysis Overview

score
6/10

SHA256

4c8a7284b9cceb1ddb4175a231cff80784271b37ce53491cb069d32b4873a795

Threat Level: Shows suspicious behavior

The file 2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Modifies registry class

Suspicious use of FindShellTrayWindow

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-15 03:35

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-15 03:35

Reported

2024-06-15 03:37

Platform

win7-20240508-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Modifies registry class

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAnTh7I1GIXU+uPkNl6OeLmwQAAAACAAAAAAAQZgAAAAEAACAAAABHeW3lNB133CQ74dykZ92LSYL3UKxo77+g47q1AJ2e+AAAAAAOgAAAAAIAACAAAADH6uIM9K4pgEENE3ZIIp6fE5oBLex9lKueEA/QdkX44zAAAAAoqxCsJboZ3+cegoOe0Tn2mtm+YPOKC8mjAJQGwhW5iJTZ/hEX7Ohn9j4IQQ4Va8VAAAAA/Z17Y3Z8lDeXuaMJo0mcwsscfO5qm2s4WD2BeuXdILPwCjgJYLuewiqJZo7HRupuGN8vNcfv4tCp3ES3uKYvPg=="
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "65a3ad39-108c-4831-a602-395cdd76571d"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 analytics.avcdn.net udp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-15 03:35

Reported

2024-06-15 03:37

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Modifies registry class

Description: Key created
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAOLbpEIifR0KmjO3/Fi+9NQQAAAACAAAAAAAQZgAAAAEAACAAAABDBlW1lIl7vClAdb9k9MxkGOxXoZeCj6WLXrTDsoha8gAAAAAOgAAAAAIAACAAAABO2WZqNe7BK68WW1IQttw0ZxrjmGY46KkdI33XHbwfszAAAADTf4wZ0IEVur2Ee3wR7OyPkh0o4PlpmmZJF0nE4q9o7v/Eh9xmPFXVelwBjUs3kTpAAAAAr2dHQZIGhF8EUp68ALkPiN9stawqR97ZlXOMqSKTqBDMAPzgzF1vCxRQs7aTDQnTMRXcJsv864mWyTOtU6qzng=="
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Description: Set value (str)
Indicator: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "2c4a71f1-46b9-41a6-bdb5-374f9ec83ced"
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Suspicious use of FindShellTrayWindow

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-15_9730d9f8735915782ea1e1b7a4c4256b_magniber.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 analytics.avcdn.net udp

Files

N/A