4fe5d29d3326ee5cdcb9b2d68bd7a20b2fc16fae1326219b035e0a028dd5e43a

Analysis

max time kernel
147s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
25/06/2024, 07:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Size

13.3MB
MD5

dd9169efb3151f981d3bd08d9e26b850
SHA1

68d37954bbd8a40ea74a29c18f78987d72cf59f3
SHA256

4fe5d29d3326ee5cdcb9b2d68bd7a20b2fc16fae1326219b035e0a028dd5e43a
SHA512

e28cbfd9ab723a98999833b4b8cf7aec627441688a79c2109d2f21e62747cd2cbb3c06cbf88d56b7d21cf82cde755e3ddf390188ead660da17f620f9e8cb2fd4
SSDEEP

196608:tj8Z+xSz5s+izu/9oZxKbBIqUIAtmZWS6Ri4SGTtVap0tFHDsMRtiX49sdNVayqi:Eizu/MxK+y697TtoCtFjsYioWdN8Hc/

Score

7^/10

discovery spyware stealer

Malware Config

Signatures

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\A:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\H:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\I:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\L:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\U:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\T:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\J:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\K:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\M:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\S:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\W:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\O:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\P:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\Z:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\B:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\R:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Y:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\E:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\G:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\N:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\Q:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
File opened (read-only)	\??\V:	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wtsapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\rasadhlp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\version.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\shcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\DLL\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wkernel32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\msvcp_win.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\apphelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\secur32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winnsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Windows.Storage.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\WLDP.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\sechost.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wwin32u.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wimm32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dnsapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wtsapi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\DLL\wsspicli.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\shcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\stat_sender.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\shell32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ucrtbase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wwin32u.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\ole32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\Kernel.Appcore.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\BitsProxy.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\sechost.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wmswsock.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\dnsapi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wrpcrt4.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\version.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\bcryptprimitives.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\apphelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\combase.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wUxTheme.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\Windows.Storage.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\nsi.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\userenv.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\winsta.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\webio.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\wgdi32full.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\symbols\dll\winhttp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\dbghelp.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wntdll.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\wuser32.pdb	sender.exe
File opened for modification	C:\Windows\SysWOW64\dll\CLBCatQ.pdb	sender.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops file in Windows directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Installer\MSIBD7A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCAB.tmp	msiexec.exe
File created	C:\Windows\Installer\SourceHash{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE48.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBDC9.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBE37.tmp	msiexec.exe
File created	C:\Windows\Installer\e57b7f6.msi	msiexec.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBC6B.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBCFA.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD1A.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\e57b7f6.msi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBB9F.tmp	msiexec.exe
File opened for modification	C:\Windows\Installer\	msiexec.exe
File created	C:\Windows\Installer\inprogressinstallinfo.ipi	msiexec.exe
File opened for modification	C:\Windows\Installer\MSIBD4A.tmp	msiexec.exe

Executes dropped EXE 3 IoCs

pid	Process
3056	lite_installer.exe
2332	seederexe.exe
4028	sender.exe

Loads dropped DLL 9 IoCs

pid	Process
436	MsiExec.exe
436	MsiExec.exe
436	MsiExec.exe
436	MsiExec.exe
436	MsiExec.exe
436	MsiExec.exe
436	MsiExec.exe
436	MsiExec.exe
2704	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 2 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\SearchScopes	seederexe.exe
Key created	\REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Software\Microsoft\Internet Explorer\Main	seederexe.exe

Modifies data under HKEY_USERS 3 IoCs

description	ioc	Process
Key deleted	\REGISTRY\USER\.DEFAULT\SOFTWARE\CLASSES\LOCAL SETTINGS\MUICACHE\2A\52C64B7E	msiexec.exe
Key deleted	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2a	msiexec.exe
Key created	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\2b	msiexec.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad040000000100000010000000c5dfb849ca051355ee2dba1ac33eb0282000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 5c000000010000000400000000080000040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab190000000100000010000000d0fd3c9c380d7b65e26b9a3fedd39b8f2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 0400000001000000100000003e455215095192e1b75d379fb187298a0f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c99140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b1d00000001000000100000006ee7f3b060d10e90a31ba3471b9992367f000000010000000c000000300a06082b060105050703097a000000010000000c000000300a06082b060105050703097e00000001000000080000000000042beb77d501030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c190000000100000010000000a823b4a20180beb460cab955c24d7e21200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B1BC968BD4F49D622AA89A81F2150152A41D829C\Blob = 5c000000010000000400000000080000190000000100000010000000a823b4a20180beb460cab955c24d7e21030000000100000014000000b1bc968bd4f49d622aa89a81f2150152a41d829c7e00000001000000080000000000042beb77d5017a000000010000000c000000300a06082b060105050703097f000000010000000c000000300a06082b060105050703091d00000001000000100000006ee7f3b060d10e90a31ba3471b999236140000000100000014000000607b661a450d97ca89502f7d04cd34a8fffcfd4b620000000100000020000000ebd41040e4bb3ec742c9e381d31ef2a41a48b6685c96e7cef3c1df6cd4331c990b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520031000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f00000001000000140000005a6d07b6371d966a2fb6ba92828ce5512a49513d0400000001000000100000003e455215095192e1b75d379fb187298a200000000100000079030000308203753082025da003020102020b040000000001154b5ac394300d06092a864886f70d01010505003057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f74204341301e170d3938303930313132303030305a170d3238303132383132303030305a3057310b300906035504061302424531193017060355040a1310476c6f62616c5369676e206e762d73613110300e060355040b1307526f6f74204341311b301906035504031312476c6f62616c5369676e20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100da0ee6998dcea3e34f8a7efbf18b83256bea481ff12ab0b9951104bdf063d1e26766cf1cddcf1b482bee8d898e9aaf298065abe9c72d12cbab1c4c7007a13d0a30cd158d4ff8ddd48c50151cef50eec42ef7fce952f2917de06dd535308e5e4373f241e9d56ae3b2893a5639386f063c88695b2a4dc5a754b86c89cc9bf93ccae5fd89f5123c927896d6dc746e934461d18dc746b2750e86e8198ad56d6cd5781695a2e9c80a38ebf224134f73549313853a1bbc1e34b58b058cb9778bb1db1f2091ab09536e90ce7b3774b97047912251631679aeb1ae412608c8192bd146aa48d6642ad78334ff2c2ac16c19434a0785e7d37cf62168efeaf2529f7f9390cf0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414607b661a450d97ca89502f7d04cd34a8fffcfd4b300d06092a864886f70d01010505000382010100d673e77c4f76d08dbfecbaa2be34c52832b57cfc6c9c2c2bbd099e53bf6b5eaa1148b6e508a3b3ca3d614dd34609b33ec3a0e363551bf2baefad39e143b938a3e62f8a263befa05056f9c60afd38cdc40b705194979804dfc35f94d515c914419cc45d7564150dff5530ec868fff0def2cb96346f6aafcdfbc69fd2e1248649ae095f0a6ef298f01b115b50c1da5fe692c6924781eb3a71c7162eecac897ac175d8ac2f847866e2ac4563195d06789852bf96ca65d469d0caa82e49951dd70b7db563d61e46ae15cd6f6fe3dde41cc07ae6352bf5353f42be9c7fdb6f7825f85d24118db81b3041cc51fa4806f1520c9de0c880a1dd66655e2fc48c9292669e0	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 0f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b1400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba953030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D69B561148F01C77C54578C10926DF5B856976AD\Blob = 040000000100000010000000c5dfb849ca051355ee2dba1ac33eb028030000000100000014000000d69b561148f01c77c54578c10926df5b856976ad1d000000010000001000000001728e1ecf7a9d86fb3cec8948aba9531400000001000000140000008ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc620000000100000020000000cbb522d7b7f127ad6a0113865bdf1cd4102e7d0759af635a7cf4720dc963c53b0b000000010000003000000047006c006f00620061006c005300690067006e00200052006f006f00740020004300410020002d002000520033000000530000000100000040000000303e301f06092b06010401a032010130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000005229ba15b31b0c6f4cca89c2985177974327d1b689a3b935a0bd975532af22ab2000000001000000630300003082035f30820247a003020102020b04000000000121585308a2300d06092a864886f70d01010b0500304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e301e170d3039303331383130303030305a170d3239303331383130303030305a304c3120301e060355040b1317476c6f62616c5369676e20526f6f74204341202d20523331133011060355040a130a476c6f62616c5369676e311330110603550403130a476c6f62616c5369676e30820122300d06092a864886f70d01010105000382010f003082010a0282010100cc2576907906782216f5c083b684ca289efd057611c5ad8872fc460243c7b28a9d045f24cb2e4be1608246e152ab0c8147706cdd64d1ebf52ca30f823d0c2bae97d7b614861079bb3b1380778c08e149d26a622f1f5efa9668df892795389f06d73ec9cb26590d73deb0c8e9260e8315c6ef5b8bd20460ca49a628f6693bf6cbc82891e59d8a615737ac7414dc74e03aee722f2e9cfbd0bbbff53d00e10633e8822bae53a63a16738cdd410e203ac0b4a7a1e9b24f902e3260e957cbb904926868e538266075b29f77ff9114efae2049fcad401548d1023161195eb897efad77b7649a7abf5fc113ef9b62fb0d6ce0546916a903da6ee983937176c6698582170203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604148ff04b7fa82e4524ae4d50fa639a8bdee2dd1bbc300d06092a864886f70d01010b050003820101004b40dbc050aafec80ceff796544549bb96000941acb3138686280733ca6be674b9ba002daea40ad3f5f1f10f8abf73674a83c7447b78e0af6e6c6f03298e333945c38ee4b9576caafc1296ec53c62de4246cb99463fbdc536867563e83b8cf3521c3c968fecedac253aacc908ae9f05d468c95dd7a58281a2f1ddecd0037418fed446dd75328977ef367041e15d78a96b4d3de4c27a44c1b737376f41799c21f7a0ee32d08ad0a1c2cff3cab550e0f917e36ebc35749bee12e2d7c608bc3415113239dcef7326b9401a899e72c331f3a3b25d28640ce3b2c8678c9612f14baeedb556fdf84ee05094dbd28d872ced36250651eeb92978331d9b3b5ca47583f5f	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe

Suspicious behavior: EnumeratesProcesses 14 IoCs

pid	Process
4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
1212	msiexec.exe
1212	msiexec.exe
3056	lite_installer.exe
3056	lite_installer.exe
2332	seederexe.exe
2332	seederexe.exe
4028	sender.exe
4028	sender.exe
4028	sender.exe
4028	sender.exe
3056	lite_installer.exe
3056	lite_installer.exe

Suspicious use of AdjustPrivilegeToken 58 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeIncreaseQuotaPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeSecurityPrivilege	1212	msiexec.exe
Token: SeCreateTokenPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeLockMemoryPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeIncreaseQuotaPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeMachineAccountPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeTcbPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeSecurityPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeTakeOwnershipPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeLoadDriverPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeSystemProfilePrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeSystemtimePrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeProfSingleProcessPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeIncBasePriorityPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeCreatePagefilePrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeCreatePermanentPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeBackupPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeRestorePrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeShutdownPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeDebugPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeAuditPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeSystemEnvironmentPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeChangeNotifyPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeRemoteShutdownPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeUndockPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeSyncAgentPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeEnableDelegationPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeManageVolumePrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeImpersonatePrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeCreateGlobalPrivilege	4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe
Token: SeRestorePrivilege	1212	msiexec.exe
Token: SeTakeOwnershipPrivilege	1212	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
4528	2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe

Suspicious use of WriteProcessMemory 15 IoCs

description	pid	Process	procid_target
PID 1212 wrote to memory of 436	1212	msiexec.exe	83
PID 1212 wrote to memory of 436	1212	msiexec.exe	83
PID 1212 wrote to memory of 436	1212	msiexec.exe	83
PID 436 wrote to memory of 3056	436	MsiExec.exe	84
PID 436 wrote to memory of 3056	436	MsiExec.exe	84
PID 436 wrote to memory of 3056	436	MsiExec.exe	84
PID 1212 wrote to memory of 2704	1212	msiexec.exe	86
PID 1212 wrote to memory of 2704	1212	msiexec.exe	86
PID 1212 wrote to memory of 2704	1212	msiexec.exe	86
PID 2704 wrote to memory of 2332	2704	MsiExec.exe	87
PID 2704 wrote to memory of 2332	2704	MsiExec.exe	87
PID 2704 wrote to memory of 2332	2704	MsiExec.exe	87
PID 2332 wrote to memory of 4028	2332	seederexe.exe	88
PID 2332 wrote to memory of 4028	2332	seederexe.exe	88
PID 2332 wrote to memory of 4028	2332	seederexe.exe	88

C:\Users\Admin\AppData\Local\Temp\2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-25_dd9169efb3151f981d3bd08d9e26b850_magniber.exe"
1⤵
- Enumerates connected drives
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
PID:4528

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1212
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 48B1FC2BC20F76F412E9C2CDA46A013A
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:436
- - C:\Users\Admin\AppData\Local\Temp\F04AECEF-705A-4C31-896C-FE11B861D452\lite_installer.exe
    "C:\Users\Admin\AppData\Local\Temp\F04AECEF-705A-4C31-896C-FE11B861D452\lite_installer.exe" --use-user-default-locale --silent --cumtom-welcome-page=https://browser.yandex.ru/promo/welcome_com/
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    PID:3056
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 94EF9A980107231047E1E707C851C571 E Global\MSI0000
  2⤵
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2704
- - C:\Users\Admin\AppData\Local\Temp\C1D37187-4EF6-4CF7-836E-D4478BCAC4E0\seederexe.exe
    "C:\Users\Admin\AppData\Local\Temp\C1D37187-4EF6-4CF7-836E-D4478BCAC4E0\seederexe.exe" "--yqs=" "--yhp=" "--ilight=" "--locale=us" "--browser=" "--browser_default=" "--yabm=" "--loglevel=trace" "--ess=" "--clids=C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml" "--sender=C:\Users\Admin\AppData\Local\Temp\21F1D3F5-3773-492E-9B2D-844BA2954D7F\sender.exe" "--is_elevated=yes" "--ui_level=5"
    3⤵
    - Executes dropped EXE
    - Modifies Internet Explorer settings
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:2332
  - - C:\Users\Admin\AppData\Local\Temp\21F1D3F5-3773-492E-9B2D-844BA2954D7F\sender.exe
      C:\Users\Admin\AppData\Local\Temp\21F1D3F5-3773-492E-9B2D-844BA2954D7F\sender.exe --send "/status.xml?clid=2270422&uuid=8a2ce437-c8d5-455d-90f3-899540d7f36d&vnt=Windows 10x64&file-no=8%0A25%0A37%0A38%0A45%0A57%0A59%0A102%0A106%0A108%0A111%0A129%0A"
      4⤵
      Drops file in System32 directory
      Executes dropped EXE
      Suspicious behavior: EnumeratesProcesses
      PID:4028

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Config.Msi\e57b7f7.rbs

Filesize
591B

MD5
f9f6be577fdd18484b176a3b0ffeb3ca

SHA1
9c6992ccf1b067c3eb942682c1900ad9f1341977

SHA256
f9e81df6f248cdb38675faf6943ab0f6870794aa12c760d237451b312a655533

SHA512
eac429714136f1c91a98299c37e8ff795fe3d608af5a84b590ff464086a6c9589aab8ccf172dcea9ae2cd3c90d91fb70e8a8f6dd0905de3d8c2713142fb47694

Download Submit
C:\Users\Admin\AppData\Local\Temp\21F1D3F5-3773-492E-9B2D-844BA2954D7F\sender.exe

Filesize
249KB

MD5
b4e54c83c9ea7887a500bb212910fa60

SHA1
b18b8f384c3025234987a074f30f8792fbec1122

SHA256
fe3150caf8934ac028ee28f0d09bb60f638295d3c2805fa1259ddc0eb191fade

SHA512
47cbb9ace6a6a4adf07b80e7eb1863a8313eb0b2935999645c5769d53f93fb61b329cb1ec6df2252e5e075cd5b30dfff24697b28b5a712d4e2a1039bc04dc9d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\C1D37187-4EF6-4CF7-836E-D4478BCAC4E0\seederexe.exe

Filesize
11.3MB

MD5
7da57e0c1b3cef6f521bfe659a7b6ede

SHA1
e12eb4c3a8f500abe131d6afe3c73b8720d79cd7

SHA256
f423c5cda6feabbc4f5dbb124de8d91db20026d2d60bfc9a9b3c9b28566ee412

SHA512
1b05639192e82dc5f7fd397765dc427a6c8e4a9e5c1ca39d951b1ada77f418713423611104a08f635eb43b8abcefac879542b6cc47ec05b0872c4be9d5bfd946

Download Submit
C:\Users\Admin\AppData\Local\Temp\F04AECEF-705A-4C31-896C-FE11B861D452\lite_installer.exe

Filesize
390KB

MD5
b3d8e7db7f90785a9050adba3a0f60aa

SHA1
4311153a465e7e759365004299486f1f61b7263c

SHA256
ff6ee10cc2a9eb87bc4ff95934c25c337b83bc1bee9dc2749214dfd5b71ba963

SHA512
d28cc5cd9f14dd31bdffd70e791fff0dbd169bbf645ffd1c4546585ee4649d685b53c6a50d0a22441d845c158e4cdbd85cd7bb7bee0c717e9203c122e23cba99

Download Submit
C:\Users\Admin\AppData\Local\Temp\YandexSearch00000.log

Filesize
35KB

MD5
74520da85f9c6136f732682d65f2929d

SHA1
a9ade3f8f8c131ed4a4507b338dda606dad1c375

SHA256
102aa5d80f91454c521979510c0fa4203855e5c9acb6fda82a4709f6abd758c4

SHA512
ca31bac783334526c8ca5ba029c92e7ebaa0aca47c3dce8006b02550446fcc7371bbea6700aaabe5cd320aa34d4966055a7f1f788915a6cd05dec9725b477848

Download Submit
C:\Users\Admin\AppData\Local\Temp\clids-yasearch.xml

Filesize
531B

MD5
82bc397cd7cd74f1253306d9e1a469e1

SHA1
42f2b9075fd7b3674b705c20ffb7d76b0188b579

SHA256
222418f9dadbdfef52f2662ecdb97622bf467a7aea865c1b1547368e86e32a0f

SHA512
aa401bdbb7b1425c8c6950a72b7beb67957315eaaf089eaab20710491597d9dbfe0c9951763d86ebc6983aa20eb7b9081bb297e226b2159d359ebff6bb7e7d78

Download Submit
C:\Users\Admin\AppData\Local\Temp\vendor00000.xml

Filesize
568B

MD5
1adb8c543ab77a85efa0f6a8813d5f96

SHA1
9e46c70eb446ebd54f797602cfe612e0a697e938

SHA256
f1ea3195777f399e830361b0bc72309942c827c365883963a8ebc887cb9ee26c

SHA512
7a58b4f746725f93e43a2b187405d8486f1881b02db9a0da15154270465ea52803c09ac8b0ff9ac560ca2e9143c04492af1289fada44e401acf5a9a56d660f1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{5B964E0E-B9A3-4276-9ED9-4D5A5720747A}\YandexSearch.msi

Filesize
12.9MB

MD5
f3150312ac37eaad7e1dee3ecc9028f9

SHA1
9c94f0bccab3d3124c77805c2739fbd1982516c3

SHA256
767ec72547aff3f42737f89c8dbf8ae043a050b924093e4ff8dc1c83aed3ce61

SHA512
74c94f7f7c95c1f7bff5a616e74d656899e89c74b85b576164253ae298dd189206f23289f0dd9d45fc3d15bfbbd24b09358c02688330a3c7fa5e8dd0edc7ac13

Download Submit
C:\Users\Admin\AppData\Roaming\Mozilla\Firefox\Profiles\nahd6ha2.default\places.sqlite

Filesize
68KB

MD5
d57cd95de07d3b15eb5cf8baa80471af

SHA1
322c0e13f2022ab255a8d2a50c5835779b6ccc3e

SHA256
651efdc8961efbf6476e4cc4b3965a4da72690ebedda009fd800c6d936a67696

SHA512
2e98256a9e76ae384f88b83075a321f60cb13ee6f7e8cb93f1919103b82ba79a67b5eec8a7d3043fe26b377fae58545e82323813897c0e67adfacaa885d6f68e

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Bookmarks-2024582502.355082355.backup

Filesize
1KB

MD5
3adec702d4472e3252ca8b58af62247c

SHA1
35d1d2f90b80dca80ad398f411c93fe8aef07435

SHA256
2b167248e8136c4d45c2c46e2bff6fb5e5137dd4dfdccde998599be2df2e9335

SHA512
7562e093d16ee6305c1bb143a3f5d60dafe8b5de74952709abc68a0c353b65416bf78b1fa1a6720331615898848c1464a7758c5dfe78f8098f77fbfa924784c0

Download Submit
C:\Users\Admin\AppData\Roaming\Opera Software\Opera Stable\Preferences-2024582502.355082355.backup

Filesize
313B

MD5
af006f1bcc57b11c3478be8babc036a8

SHA1
c3bb4fa8c905565ca6a1f218e39fe7494910891e

SHA256
ed6a32e11cc99728771989b01f5ae813de80c46a59d3dc68c23a4671a343cb8c

SHA512
3d20689b0f39b414349c505be607e6bfc1f33ac401cf62a32f36f7114e4a486552f3e74661e90db29402bb85866944e9f8f31baba9605aa0c6def621511a26af

Download Submit
C:\Users\Admin\AppData\Roaming\Yandex\ui

Filesize
38B

MD5
4f70b6ad464249bececc426ef95a49fa

SHA1
5265689a0690ae09333de8fb87f5a04f9285a121

SHA256
325e350cf99a8e278300419d845062de62c32eded7d696a92927d40825fb1a30

SHA512
877a9577a6f87b73237dbecd6f48206c19be6e09df41a69a5616ec252b77103a15a9fda8831e8ebd7da028416fa2dea7af53a88c534e40138e6a5c714c7f6faf

Download Submit
C:\Windows\Installer\MSIBB9F.tmp

Filesize
172KB

MD5
55d336aa2dcb71fbab59e70c77336b0b

SHA1
0166fb57f7551a31824aa8ec1b149603f52acc84

SHA256
335a289968e8bab2fddb8d313fd507244d63b99d3f23413e28436949497e155e

SHA512
ab938766bc959ea2f9e8ea6a92a63a2b64b1f7ba98c0aa31157f0916224535e893acf68b8f66debeb4413736aed7f23250a256c9928095b10c6e2235e466c37a

Download Submit
C:\Windows\Installer\MSIBC6B.tmp

Filesize
189KB

MD5
b6cecadf6fc63d78c21e33ae48e84bf3

SHA1
2ef9e6a91403d654fa5a4502f7cf1fbec9a9fa5a

SHA256
20f0324d2b5c42895c27d4ed64756d3521994c69e8537f14e6a5c51c870bc659

SHA512
06b1f88a1952c7cd05af7ea272587ac3b191d49a9386c64978af485256bb675086d13e72efa7247d808efed44b3c57107703ec14c9ca72f929f19fc3a5d426dc

Download Submit
C:\Windows\Installer\MSIBE48.tmp

Filesize
168KB

MD5
a0962dd193b82c1946dc67e140ddf895

SHA1
7f36c38d80b7c32e750e22907ac7e1f0df76e966

SHA256
b9e73e5ab78d033e0328fc74a9e4ebbd1af614bc4a7c894beb8c59d24ee3ede9

SHA512
118b0bd2941d48479446ed16ab23861073d23f9cc815f5f1d380f9977f18c34a71f61496c78b77b9a70f8b0a6cd08fe1edc1adb376dad5762ad0dd2068c64751

Download Submit