Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    31s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240705-en
  • resource tags

    arch:x64arch:x86image:win7-20240705-enlocale:en-usos:windows7-x64system
  • submitted
    10/08/2024, 05:23 UTC

General

  • Target

    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe

  • Size

    12.2MB

  • MD5

    24aaef994cfd0a3fbc365113e77b3581

  • SHA1

    77b2e31bcf0ad92a33a9646d5b77764ced1b0d24

  • SHA256

    3447e7723ea026da14b1a2842d2ce6f1c6898c5fe255dd78d120a4d6b87f106a

  • SHA512

    c0e4922e8aabc4c59047d72f135e52a81be3d66c435601bffc7e530e203d257f4a3d6f7d71c6c8b5c75f24c002b81ef1e7af1f544875a3eae2c49b50b30236c9

  • SSDEEP

    196608:jPg2CWhGuZvjwQklner7/0S+6JfRbkebsN/cJ67DgKEl9sMvrrqNJ2R7v:jYgGG7wFln+3fRb0V7El9s+rqNcv

Score
3/10

Malware Config

Signatures

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 3 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe"
    1⤵
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    PID:1212

Network

  • flag-us
    DNS
    wsgeoip.pdf-suite.com
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    8.8.8.8:53
    Request
    wsgeoip.pdf-suite.com
    IN A
    Response
    wsgeoip.pdf-suite.com
    IN A
    104.21.57.28
    wsgeoip.pdf-suite.com
    IN A
    172.67.158.191
  • flag-us
    POST
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    104.21.57.28:443
    Request
    POST /ipservice.asmx HTTP/1.1
    Accept: text/*
    SOAPAction: "http://upclick.com/GetLocationInfo"
    Content-Type: text/xml; charset=utf-8
    User-Agent: VCSoapClient
    Host: wsgeoip.pdf-suite.com
    Content-Length: 346
    Connection: Keep-Alive
    Cache-Control: no-cache
    Response
    HTTP/1.1 200 OK
    Date: Sat, 10 Aug 2024 05:23:10 GMT
    Content-Type: text/xml; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    strict-transport-security: max-age=31536000; includeSubDomains
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=cBd12%2BHAyqT1clYgh26dSLdVvAvcFfQUPq5LmtQoTabO8HT0IsJapq%2FqyDc5oaQp4PHKaCeMks4w82gzK9PYRnuBjdbvasacHWZRUMVwRRPfdeAZRbPpjyqkClxMK3N0uegZdXXsarI%3D"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b0d8d64282260fd-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    c.pki.goog
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    8.8.8.8:53
    Request
    c.pki.goog
    IN A
    Response
    c.pki.goog
    IN CNAME
    pki-goog.l.google.com
    pki-goog.l.google.com
    IN A
    142.250.179.131
  • flag-nl
    GET
    http://c.pki.goog/r/gsr1.crl
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    142.250.179.131:80
    Request
    GET /r/gsr1.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 1739
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 10 Aug 2024 04:48:03 GMT
    Expires: Sat, 10 Aug 2024 05:38:03 GMT
    Cache-Control: public, max-age=3000
    Age: 2106
    Last-Modified: Mon, 08 Jul 2024 07:38:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-nl
    GET
    http://c.pki.goog/r/r4.crl
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    142.250.179.131:80
    Request
    GET /r/r4.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: c.pki.goog
    Response
    HTTP/1.1 200 OK
    Accept-Ranges: bytes
    Content-Security-Policy-Report-Only: require-trusted-types-for 'script'; report-uri https://csp.withgoogle.com/csp/cacerts
    Cross-Origin-Resource-Policy: cross-origin
    Cross-Origin-Opener-Policy: same-origin; report-to="cacerts"
    Report-To: {"group":"cacerts","max_age":2592000,"endpoints":[{"url":"https://csp.withgoogle.com/csp/report-to/cacerts"}]}
    Content-Length: 436
    X-Content-Type-Options: nosniff
    Server: sffe
    X-XSS-Protection: 0
    Date: Sat, 10 Aug 2024 04:48:03 GMT
    Expires: Sat, 10 Aug 2024 05:38:03 GMT
    Cache-Control: public, max-age=3000
    Age: 2107
    Last-Modified: Thu, 25 Jul 2024 14:48:00 GMT
    Content-Type: application/pkix-crl
    Vary: Accept-Encoding
  • flag-us
    DNS
    avqservice.avanquest.com
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    8.8.8.8:53
    Request
    avqservice.avanquest.com
    IN A
    Response
    avqservice.avanquest.com
    IN A
    104.18.6.41
    avqservice.avanquest.com
    IN A
    104.18.7.41
  • flag-us
    POST
    https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    104.18.6.41:443
    Request
    POST /api/v4/services/installers/socialidupdate/pdfsuite/ HTTP/1.1
    Host: avqservice.avanquest.com
    User-Agent: PDF Suite 20 Installer 20.0.14.3253
    Connection: TE
    TE: gzip
    Accept-Encoding: deflate, gzip
    Accept: application/json
    Content-Type: application/json
    Content-Length: 90
    Expect: 100-continue
    Response
    HTTP/1.1 404 Not Found
    Date: Sat, 10 Aug 2024 05:23:13 GMT
    Content-Type: application/json; charset=utf-8
    Content-Length: 45
    Connection: keep-alive
    X-Powered-By: Express
    ETag: W/"2d-fzSH650WcRVLKdcIgeRvTs/vlCU"
    CF-Cache-Status: DYNAMIC
    Server: cloudflare
    CF-RAY: 8b0d8d7808d3beab-LHR
  • flag-us
    DNS
    api-updateservice.pdf-suite.com
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    8.8.8.8:53
    Request
    api-updateservice.pdf-suite.com
    IN A
    Response
    api-updateservice.pdf-suite.com
    IN A
    172.67.158.191
    api-updateservice.pdf-suite.com
    IN A
    104.21.57.28
  • flag-us
    POST
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    Remote address:
    172.67.158.191:443
    Request
    POST /api/v1/products/info HTTP/1.1
    Host: api-updateservice.pdf-suite.com
    User-Agent: PDF Suite 20 Installer 20.0.14.3253
    Connection: TE
    TE: gzip
    Accept-Encoding: deflate, gzip
    Accept: application/json
    Content-Type: application/json
    Content-Length: 605
    Expect: 100-continue
    Response
    HTTP/1.1 200 OK
    Date: Sat, 10 Aug 2024 05:23:14 GMT
    Content-Type: application/json; charset=utf-8
    Transfer-Encoding: chunked
    Connection: keep-alive
    vary: Accept-Encoding
    strict-transport-security: max-age=31536000; includeSubDomains
    Content-Encoding: gzip
    CF-Cache-Status: DYNAMIC
    Report-To: {"endpoints":[{"url":"https:\/\/a.nel.cloudflare.com\/report\/v4?s=eB%2FKETFUWlUXe2Bofg5gDwChUN0df1QPHI%2FdhxslbsoO0Bd0%2FueP3ZCX48BAhhLqjwhF4a3GWnqgCcfVejr95d23Iy5FSPVLDHCiqkqQyHxuwvYIi1DhjlfYZxNx%2FExwioc7KCaLDH2zns3ED3j2NrAE"}],"group":"cf-nel","max_age":604800}
    NEL: {"success_fraction":0,"report_to":"cf-nel","max_age":604800}
    Server: cloudflare
    CF-RAY: 8b0d8d7c2bcc9460-LHR
    alt-svc: h3=":443"; ma=86400
  • flag-us
    DNS
    crl.microsoft.com
    Remote address:
    8.8.8.8:53
    Request
    crl.microsoft.com
    IN A
    Response
    crl.microsoft.com
    IN CNAME
    crl.www.ms.akadns.net
    crl.www.ms.akadns.net
    IN CNAME
    a1363.dscg.akamai.net
    a1363.dscg.akamai.net
    IN A
    2.18.190.71
    a1363.dscg.akamai.net
    IN A
    2.18.190.80
  • flag-gb
    GET
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    Remote address:
    2.18.190.71:80
    Request
    GET /pki/crl/products/MicRooCerAut2011_2011_03_22.crl HTTP/1.1
    Connection: Keep-Alive
    Accept: */*
    If-Modified-Since: Wed, 01 May 2024 09:28:59 GMT
    User-Agent: Microsoft-CryptoAPI/6.1
    Host: crl.microsoft.com
    Response
    HTTP/1.1 200 OK
    Content-Length: 1036
    Content-Type: application/octet-stream
    Content-MD5: 5xIscz+eN7ugykyYXOEdbQ==
    Last-Modified: Thu, 11 Jul 2024 01:45:51 GMT
    ETag: 0x8DCA14B323B2CC0
    Server: Windows-Azure-Blob/1.0 Microsoft-HTTPAPI/2.0
    x-ms-request-id: a4477661-c01e-0047-59b2-e33cb1000000
    x-ms-version: 2009-09-19
    x-ms-lease-status: unlocked
    x-ms-blob-type: BlockBlob
    Date: Sat, 10 Aug 2024 05:23:40 GMT
    Connection: keep-alive
  • 104.21.57.28:443
    https://wsgeoip.pdf-suite.com/ipservice.asmx
    tls, http
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    1.4kB
    5.0kB
    11
    11

    HTTP Request

    POST https://wsgeoip.pdf-suite.com/ipservice.asmx

    HTTP Response

    200
  • 142.250.179.131:80
    http://c.pki.goog/r/r4.crl
    http
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    606 B
    5.0kB
    8
    6

    HTTP Request

    GET http://c.pki.goog/r/gsr1.crl

    HTTP Response

    200

    HTTP Request

    GET http://c.pki.goog/r/r4.crl

    HTTP Response

    200
  • 127.0.0.1:49218
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
  • 104.18.6.41:443
    https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/
    tls, http
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    1.2kB
    3.7kB
    10
    11

    HTTP Request

    POST https://avqservice.avanquest.com/api/v4/services/installers/socialidupdate/pdfsuite/

    HTTP Response

    404
  • 172.67.158.191:443
    https://api-updateservice.pdf-suite.com/api/v1/products/info
    tls, http
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    1.8kB
    5.3kB
    11
    13

    HTTP Request

    POST https://api-updateservice.pdf-suite.com/api/v1/products/info

    HTTP Response

    200
  • 127.0.0.1:49221
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
  • 2.18.190.71:80
    http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl
    http
    399 B
    1.7kB
    4
    4

    HTTP Request

    GET http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl

    HTTP Response

    200
  • 8.8.8.8:53
    wsgeoip.pdf-suite.com
    dns
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    67 B
    99 B
    1
    1

    DNS Request

    wsgeoip.pdf-suite.com

    DNS Response

    104.21.57.28
    172.67.158.191

  • 8.8.8.8:53
    c.pki.goog
    dns
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    56 B
    107 B
    1
    1

    DNS Request

    c.pki.goog

    DNS Response

    142.250.179.131

  • 8.8.8.8:53
    avqservice.avanquest.com
    dns
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    70 B
    102 B
    1
    1

    DNS Request

    avqservice.avanquest.com

    DNS Response

    104.18.6.41
    104.18.7.41

  • 8.8.8.8:53
    api-updateservice.pdf-suite.com
    dns
    2024-08-10_24aaef994cfd0a3fbc365113e77b3581_hijackloader_magniber.exe
    77 B
    109 B
    1
    1

    DNS Request

    api-updateservice.pdf-suite.com

    DNS Response

    172.67.158.191
    104.21.57.28

  • 8.8.8.8:53
    crl.microsoft.com
    dns
    63 B
    162 B
    1
    1

    DNS Request

    crl.microsoft.com

    DNS Response

    2.18.190.71
    2.18.190.80

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

    Filesize

    342B

    MD5

    16ade691900d191c5189320b8bcd16cc

    SHA1

    fc504b6ce36390897852e17e98e13110caf5857f

    SHA256

    eebc9c4ff1781f83e0aa5b2aa31ecdf40cb035fd4dd460ec67602e90bb165cb3

    SHA512

    af68f697a7454c718ce96329c1b57f5ac1416473c3909cd7c8dea1bde2f586c5549bce9ff1505a8a7ff84bfa8994bb9cd0bb659848ad3c332e67e95a91d61206

  • C:\Users\Admin\AppData\Local\Temp\CabF588.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\TarF59A.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

We care about your privacy.

This website stores cookies on your computer. These cookies are used to improve your website experience and provide more personalized services to you, both on this website and through other media. To find out more about the cookies we use, see our Privacy Policy.