Analysis

  • max time kernel
    121s
  • max time network
    122s
  • platform
    windows7_x64
  • resource
    win7-20240419-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system
  • submitted
    23/06/2024, 13:37 UTC

General

  • Target

    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe

  • Size

    13.0MB

  • MD5

    70f7355e709ad3f976d517d5a0f85a06

  • SHA1

    9456bc0541460644b9c1597f4ead5ee76094dfb9

  • SHA256

    579bf5f3133d83831ae97629127bd959c05f4217be907e13cc3164a62cbbc979

  • SHA512

    5de2d283aa6789673e5051569d5b44eb64ed059f635768b7d5127915d5891fbbea65facb4145178781f1bea31bc84d9a4852a113fe6933c046e0c812fda74189

  • SSDEEP

    196608:inC20D8MFxKhdj9O0AoHWrXoLGI+zNLdmODAH06tWnJ1ebrqNH2R7ojm:inA8ywhdRvbWr49hFH06ttbrqNeoi

Score
1/10

Malware Config

Signatures

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe"
    1⤵
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1860

Network

  • flag-us
    DNS
    wsgeoip.pdf-suite.com
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    wsgeoip.pdf-suite.com
    IN A
    Response
    wsgeoip.pdf-suite.com
    IN A
    172.67.158.191
    wsgeoip.pdf-suite.com
    IN A
    104.21.57.28
  • flag-us
    POST
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    172.67.158.191:443
    Request
    POST /ipservice.asmx HTTP/1.1
    Accept: text/*
    SOAPAction: "http://upclick.com/GetLocationInfo"
    Content-Type: text/xml; charset=utf-8
    User-Agent: VCSoapClient
    Host: wsgeoip.pdf-suite.com
    Content-Length: 346
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sun, 23 Jun 2024 13:37:30 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    strict-transport-security: max-age=31536000; includeSubDomains
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=Wbc%2FMaszEkQgLgjb5cdOiTaGDhakdcu%2FECRfJh7RS%2FPvklqZk22TKToZc54T5hI4%2FiOCq0WOMmdu%2Fd9j3bsgkmutpfNg3tjGxAmbZq10jqRx4uPhdO7ad45LZahVLtUpnjBQFpklzVk%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8984df854b36068e-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    apps.identrust.com
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    apps.identrust.com
    IN A
    Response
    apps.identrust.com
    IN CNAME
    identrust.edgesuite.net
    identrust.edgesuite.net
    IN CNAME
    a1952.dscq.akamai.net
    a1952.dscq.akamai.net
    IN A
    23.63.101.153
    a1952.dscq.akamai.net
    IN A
    23.63.101.171
  • flag-nl
    GET
    http://apps.identrust.com/roots/dstrootcax3.p7c
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    23.63.101.153:80
    Request
    GET /roots/dstrootcax3.p7c HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: apps.identrust.com
    Response
    HTTP/1.1 200 OK
    X-XSS-Protection: 1; mode=block
    X-Frame-Options: SAMEORIGIN
    X-Content-Type-Options: nosniff
    X-Robots-Tag: noindex
    Referrer-Policy: same-origin
    Last-Modified: Fri, 13 Oct 2023 16:28:31 GMT
    ETag: "37d-6079b8c0929c0"
    Accept-Ranges: bytes
    Content-Length: 893
    X-Content-Type-Options: nosniff
    X-Frame-Options: sameorigin
    Content-Type: application/pkcs7-mime
    Cache-Control: max-age=3600
    Expires: Sun, 23 Jun 2024 14:37:29 GMT
    Date: Sun, 23 Jun 2024 13:37:29 GMT
    Connection: keep-alive
  • flag-us
    DNS
    x2.c.lencr.org
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    x2.c.lencr.org
    IN A
    Response
    x2.c.lencr.org
    IN CNAME
    crl.root-x1.letsencrypt.org.edgekey.net
    crl.root-x1.letsencrypt.org.edgekey.net
    IN CNAME
    e8652.dscx.akamaiedge.net
    e8652.dscx.akamaiedge.net
    IN A
    23.55.97.11
  • flag-be
    GET
    http://x2.c.lencr.org/
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    23.55.97.11:80
    Request
    GET / HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: x2.c.lencr.org
    Response
    HTTP/1.1 200 OK
    Server: nginx
    Content-Type: application/pkix-crl
    Last-Modified: Mon, 12 Feb 2024 22:07:27 GMT
    ETag: "65ca969f-12b"
    Cache-Control: max-age=3600
    Expires: Sun, 23 Jun 2024 14:37:30 GMT
    Date: Sun, 23 Jun 2024 13:37:30 GMT
    Content-Length: 299
    Connection: keep-alive
  • flag-us
    DNS
    api-updateservice.pdf-suite.com
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    8.8.8.8:53
    Request
    api-updateservice.pdf-suite.com
    IN A
    Response
    api-updateservice.pdf-suite.com
    IN A
    172.67.158.191
    api-updateservice.pdf-suite.com
    IN A
    104.21.57.28
  • flag-us
    POST
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    Remote address:
    172.67.158.191:443
    Request
    POST /api/v1/products/info HTTP/1.1
    Host: api-updateservice.pdf-suite.com
    User-Agent: PDF Suite 20 Installer 20.0.10.3187
    Connection: TE
    TE: gzip
    Accept-Encoding: deflate, gzip
    Accept: application/json
    Content-Type: application/json
    Content-Length: 564
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Sun, 23 Jun 2024 13:37:33 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    strict-transport-security: max-age=31536000; includeSubDomains
    Content-Encoding: gzip
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=dKRJ3LpHavPr5F%2FqfmAXrExEXPMzvMkCuwEkvJwO08Y4NMX79M2juz9EYMlau3rkNdnq%2BjSYc0yFyNsHqZivR2tUUxAb6ch%2BZSLKoWVknmAg14EXmGh2fGTQPqvmsaj%2FGe8Orqb%2FLd03aFYk1qtPThYu"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8984df989ff993eb-LHR
    alt-svc: h3=":443"; ma=86400
  • 172.67.158.191:443
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    tls, http
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    1.5kB
    6.7kB
    12
    12

    HTTP Request

    POST https://wsgeoip.pdf-suite.com/ipservice.asmx

    HTTP Response

    200
  • 23.63.101.153:80
    http://apps.identrust.com/roots/dstrootcax3.p7c
    http
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    369 B
    1.6kB
    5
    4

    HTTP Request

    GET http://apps.identrust.com/roots/dstrootcax3.p7c

    HTTP Response

    200
  • 23.55.97.11:80
    http://x2.c.lencr.org/
    http
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    344 B
    720 B
    5
    3

    HTTP Request

    GET http://x2.c.lencr.org/

    HTTP Response

    200
  • 172.67.158.191:443
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    tls, http
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    1.8kB
    7.0kB
    12
    14

    HTTP Request

    POST https://api-updateservice.pdf-suite.com/api/v1/products/info

    HTTP Response

    200
  • 127.0.0.1:49276
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
  • 8.8.8.8:53
    wsgeoip.pdf-suite.com
    dns
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    67 B
    99 B
    1
    1

    DNS Request

    wsgeoip.pdf-suite.com

    DNS Response

    172.67.158.191
    104.21.57.28

  • 8.8.8.8:53
    apps.identrust.com
    dns
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    64 B
    165 B
    1
    1

    DNS Request

    apps.identrust.com

    DNS Response

    23.63.101.153
    23.63.101.171

  • 8.8.8.8:53
    x2.c.lencr.org
    dns
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    60 B
    165 B
    1
    1

    DNS Request

    x2.c.lencr.org

    DNS Response

    23.55.97.11

  • 8.8.8.8:53
    api-updateservice.pdf-suite.com
    dns
    2024-06-23_70f7355e709ad3f976d517d5a0f85a06_magniber_metamorfo.exe
    77 B
    109 B
    1
    1

    DNS Request

    api-updateservice.pdf-suite.com

    DNS Response

    172.67.158.191
    104.21.57.28

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    274d2bc82240035025e266d71ea02e43

    SHA1

    99d50eebbad876da4c26a0afc3d21ff9741e7447

    SHA256

    99c34c756fd33d60a0257bdec4589ba28ee2e8466ba157fd5e82e0f61806171d

    SHA512

    1fef322665b22f4194202bfa4127af91ee29dbaff8013c0e80c4250a8b8423063057b4b8077c81b0fc51408815edd8a51de6390ae3a18963bf6f1033d554e99e

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    e362226b5f27c87b9881ddf4afad0c6e

    SHA1

    277c59912fe58ec039737025f69eb32c3d1b840a

    SHA256

    06f772ccfa70d86ac46e97a5a41b8e71a066f6f8e40389b6787e632f99dc68c6

    SHA512

    133bce021b5dc69cb7b7ae3ffa1a0602803b6829ad407c421c255eb080507e5951b324c8532b95724c057fc3f9e0a48d08f631d39abb172e7a32682373b09fd9

  • C:\Users\Admin\AppData\Local\Temp\CabAEB.tmp

    Filesize

    68KB

    MD5

    29f65ba8e88c063813cc50a4ea544e93

    SHA1

    05a7040d5c127e68c25d81cc51271ffb8bef3568

    SHA256

    1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

    SHA512

    e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

  • C:\Users\Admin\AppData\Local\Temp\TarBAD.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
