Analysis
- max time kernel: 149s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 14-08-2024 15:01
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe
- Resource: win7-20240708-en
Behavioral task: behavioral2
- Sample: 2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe
- Resource: win10v2004-20240802-en
General
- Target: 2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe
- Size: 1.8MB
- MD5: a08d5e1d617f392d108fb39e0c5fac79
- SHA1: 74db691867205c99442c787124a28e1bec774709
- SHA256: f408cb47c120faff219d11cac9bfb39764f2e9cff307e1b3f833a0d38ddc2947
- SHA512: 92b55c8f113b4e307ef763c146499a75d352a1fe12fdd95a8194d9f9615059c1ad3ba469db87863d63d154560f38f0ed112f306d27c46c6cc3b2d17398ab381c
- SSDEEP: 49152:H71fMaeZgHCvLaqvcBVjhr0Lvb+0oC2pHyQMJjkEiNpE1sk4:RfMaeZgizaqv8L0jb+OG
Malware Config
Signatures
Deletes itself (1 IoC)
- pid 2484 cmd.exe
Executes dropped EXE (2 IoCs)
- pid 1240 Logo1_.exe
- pid 1852 2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe
Note that PID 1852 is the batch file re-launching the sample's own path, and the sandbox still tags it as a dropped EXE: the file at that path had been written during the run, so the second copy is not the submitted 1.8MB binary (compare the 1.7MB entry with a different hash under Downloads).
Loads dropped DLL (1 IoC)
- pid 2484 cmd.exe
Enumerates connected drives (3 TTPs, 21 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
- Logo1_.exe opened (read-only) the root of 21 drive letters: \??\E:, \??\G:, \??\H:, \??\I:, \??\J:, \??\K:, \??\L:, \??\M:, \??\N:, \??\O:, \??\P:, \??\Q:, \??\R:, \??\S:, \??\T:, \??\U:, \??\V:, \??\W:, \??\X:, \??\Y:, \??\Z: (C:, D: and F: do not appear in the list)
Drops file in Program Files directory (64 IoCs, all by Logo1_.exe)
Sixty-one of the 64 entries are a `_desktop.ini` created or opened for modification in a Program Files subdirectory; the remaining three are existing executables opened for modification (7zG.exe, wab.exe, jabswitch.exe), which should be treated as possibly tampered binaries rather than as marker files.
- File created C:\Program Files\Reference Assemblies\Microsoft\_desktop.ini
- File created C:\Program Files (x86)\Common Files\microsoft shared\Web Folders\1033\_desktop.ini
- File created C:\Program Files (x86)\Windows NT\Accessories\fr-FR\_desktop.ini
- File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\_desktop.ini
- File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\profiler\lib\deployed\jdk16\_desktop.ini
- File created C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\ja-JP\js\_desktop.ini
- File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\it-IT\_desktop.ini
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\gl\LC_MESSAGES\_desktop.ini
- File created C:\Program Files (x86)\Adobe\Reader 9.0\Reader\Legal\_desktop.ini
- File created C:\Program Files (x86)\Microsoft Visual Studio 8\Common7\IDE\VSTA\ItemTemplates\CSharp\_desktop.ini
- File opened for modification C:\Program Files\7-Zip\7zG.exe
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\BabyBlue\_desktop.ini
- File opened for modification C:\Program Files\Windows Sidebar\Gadgets\CPU.Gadget\de-DE\_desktop.ini
- File created C:\Program Files (x86)\Common Files\microsoft shared\VGX\_desktop.ini
- File created C:\Program Files\Google\Chrome\Application\106.0.5249.119\VisualElements\_desktop.ini
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\locale\ko\LC_MESSAGES\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\plugins\demux\_desktop.ini
- File opened for modification C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\js\_desktop.ini
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms4\FormsStyles\Desert\_desktop.ini
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveProjectToolset\_desktop.ini
- File opened for modification C:\Program Files\DVD Maker\de-DE\_desktop.ini
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.core.ssl.feature_1.0.0.v20140827-1444\META-INF\_desktop.ini
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.ecore_2.10.1.v20140901-1043\META-INF\_desktop.ini
- File opened for modification C:\Program Files\Google\Chrome\Application\106.0.5249.119\default_apps\_desktop.ini
- File opened for modification C:\Program Files\DVD Maker\Shared\DvdStyles\_desktop.ini
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\_desktop.ini
- File opened for modification C:\Program Files\Java\jre7\lib\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\locale\ach\_desktop.ini
- File opened for modification C:\Program Files\VideoLAN\VLC\locale\ne\LC_MESSAGES\_desktop.ini
- File opened for modification C:\Program Files (x86)\Adobe\Reader 9.0\Reader\SPPlugins\_desktop.ini
- File created C:\Program Files\Windows Sidebar\Gadgets\SlideShow.Gadget\de-DE\_desktop.ini
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\ECLIPSE\_desktop.ini
- File created C:\Program Files (x86)\Mozilla Maintenance Service\logs\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\locale\bn_IN\_desktop.ini
- File created C:\Program Files\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\en-US\_desktop.ini
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Certificates\Verisign\_desktop.ini
- File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.emf.common_2.10.1.v20140901-1043\META-INF\_desktop.ini
- File opened for modification C:\Program Files\Java\jre7\lib\jfr\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\locale\ca@valencia\LC_MESSAGES\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\locale\ru\_desktop.ini
- File opened for modification C:\Program Files (x86)\Common Files\microsoft shared\MSInfo\_desktop.ini
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms3\FormsStyles\SoftBlue\_desktop.ini
- File created C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\dropins\_desktop.ini
- File opened for modification C:\Program Files (x86)\Windows Mail\wab.exe
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\es-ES\js\_desktop.ini
- File created C:\Program Files\Microsoft Games\Multiplayer\Backgammon\es-ES\_desktop.ini
- File created C:\Program Files\Reference Assemblies\Microsoft\Framework\_desktop.ini
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\Sounds\Places\_desktop.ini
- File opened for modification C:\Program Files (x86)\Microsoft Office\Office14\PROOF\1036\_desktop.ini
- File created C:\Program Files (x86)\Windows Sidebar\Gadgets\Clock.Gadget\en-US\js\_desktop.ini
- File created C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\js\_desktop.ini
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\jre\lib\zi\_desktop.ini
- File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\SATIN\_desktop.ini
- File created C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolIcons\_desktop.ini
- File opened for modification C:\Program Files (x86)\Windows Mail\es-ES\_desktop.ini
- File created C:\Program Files\Java\jdk1.7.0_80\jre\bin\plugin2\_desktop.ini
- File created C:\Program Files\VideoLAN\VLC\locale\fr\_desktop.ini
- File created C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Office.en-us\_desktop.ini
- File opened for modification C:\Program Files\Java\jre7\bin\jabswitch.exe
- File created C:\Program Files (x86)\Common Files\microsoft shared\THEMES14\STUDIO\_desktop.ini
- File opened for modification C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\de-DE\js\_desktop.ini
- File created C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\_desktop.ini
- File opened for modification C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\core\_desktop.ini
Drops file in Windows directory (4 IoCs)
- File created C:\Windows\Logo1_.exe by 2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe
- File created C:\Windows\rundl132.exe by 2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe
- File opened for modification C:\Windows\rundl132.exe by Logo1_.exe
- File created C:\Windows\vDll.dll by Logo1_.exe
The name `rundl132.exe` (digit 1 in place of the second l, and "132" rather than "32") is a lookalike of the legitimate `rundll32.exe`; hunt queries should match the exact spelling and the `C:\Windows\` root, since the real binary lives under `System32`/`SysWOW64`.
System Location Discovery: System Language Discovery (1 TTP, 5 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe, Logo1_.exe, cmd.exe, net.exe and net1.exe
This key is read by ordinary system binaries too (cmd.exe, net.exe and net1.exe trigger it here), so on its own it is a low-signal indicator.
Runs net.exe
- net stop "Kingsoft AntiVirus Service" (PID 1988, completed by net1.exe PID 2788; see the process tree)
Suspicious behavior: EnumeratesProcesses (10 IoCs)
- pid 1240 Logo1_.exe (10 occurrences)
Suspicious use of WriteProcessMemory (22 IoCs)
The 22 rows reduce to six writer/target pairs. The first five are each logged four times and match the parent-to-child launches in the process tree below; the last one is different in kind: Logo1_.exe (1240) writing into Explorer.EXE (1188), a pre-existing process that is not its child.

writer PID  writer process                                                      target PID  procid_target  rows
816         2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe   2484        31             4
816         2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe   1240        32             4
1240        Logo1_.exe                                                          1988        33             4
1988        net.exe                                                             2788        36             4
2484        cmd.exe                                                             1852        37             4
1240        Logo1_.exe                                                          1188        21             2
Processes
C:\Windows\Explorer.EXE (PID 1188)
  C:\Users\Admin\AppData\Local\Temp\2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe (PID 816)
    command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe"
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 2484)
      command line: cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB80.bat
      - Deletes itself
      - Loads dropped DLL
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe (PID 1852)
        command line: "C:\Users\Admin\AppData\Local\Temp\2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe"
        - Executes dropped EXE
    C:\Windows\Logo1_.exe (PID 1240)
      command line: C:\Windows\Logo1_.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\net.exe (PID 1988)
        command line: net stop "Kingsoft AntiVirus Service"
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\net1.exe (PID 2788)
          command line: C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
          - System Location Discovery: System Language Discovery
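The process tree, the WriteProcessMemory rows and the dropped-file list together are enough to reconstruct what a hunter would alert on in this run. The script below is an added example written for this page, not output of the sandbox or code from the sample: it parses the "wrote to memory" rows, then applies three checks against the tree, namely a cross-process write whose target is not the writer's own child (the Logo1_.exe to Explorer.EXE edge), a `net`/`net1 stop` of an AV-looking service, and execution of a binary that an earlier process in the same trace wrote to disk. Parent PIDs are taken from the indentation of the tree; the AV-service regular expression is a heuristic of mine, not a sandbox signature; and because only the C:\Windows drops are fed in, PID 1852 (which the sandbox tags from a file write not reproduced here) is not flagged.

```python
# Added example (not part of the sandbox report): rebuild the process tree from the
# report's own rows and run three hunting checks over it.
# Assumptions: parent PIDs follow the indentation of the "Processes" tree; AV_STOP_RE is
# my own heuristic, not a sandbox signature.
import re

NAME = "2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe"
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp" + "\\" + NAME

# pid -> (parent pid, image path, command line), as drawn in the "Processes" tree.
PROCESSES = {
    1188: (None, r"C:\Windows\Explorer.EXE", r"C:\Windows\Explorer.EXE"),
    816:  (1188, SAMPLE, f'"{SAMPLE}"'),
    2484: (816,  r"C:\Windows\SysWOW64\cmd.exe",
           r"cmd /c C:\Users\Admin\AppData\Local\Temp\$$aDB80.bat"),
    1852: (2484, SAMPLE, f'"{SAMPLE}"'),
    1240: (816,  r"C:\Windows\Logo1_.exe", r"C:\Windows\Logo1_.exe"),
    1988: (1240, r"C:\Windows\SysWOW64\net.exe", 'net stop "Kingsoft AntiVirus Service"'),
    2788: (1988, r"C:\Windows\SysWOW64\net1.exe",
           r'C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"'),
}

# Files written under C:\Windows ("Drops file in Windows directory"): path -> writer pid.
DROPPED = {
    r"C:\Windows\Logo1_.exe": 816,
    r"C:\Windows\rundl132.exe": 816,
    r"C:\Windows\vDll.dll": 1240,
}

# Rows from "Suspicious use of WriteProcessMemory", abridged: the report repeats the first
# five edges four times each; one duplicate is kept to exercise the de-duplication.
WPM_ROWS = [
    f"PID 816 wrote to memory of 2484 816 {NAME} 31",
    f"PID 816 wrote to memory of 2484 816 {NAME} 31",   # duplicate, as in the report
    f"PID 816 wrote to memory of 1240 816 {NAME} 32",
    "PID 1240 wrote to memory of 1988 1240 Logo1_.exe 33",
    "PID 1988 wrote to memory of 2788 1988 net.exe 36",
    "PID 2484 wrote to memory of 1852 2484 cmd.exe 37",
    "PID 1240 wrote to memory of 1188 1240 Logo1_.exe 21",
]

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) (\d+)$")


def parse_wpm(rows):
    """Parse each row into (writer pid, target pid, writer image, procid_target)."""
    edges = []
    for row in rows:
        m = WPM_RE.match(row.strip())
        if m is None:
            raise ValueError(f"unrecognised row: {row!r}")
        writer, target, image, procid = m.groups()
        edges.append((int(writer), int(target), image, int(procid)))
    return edges


def cross_process_writes(edges, processes):
    """Writes whose target is not the writer's own child.

    A parent writing into a process it has just created is what every edge in this trace
    looks like except one; a write into an unrelated, pre-existing process (here
    Logo1_.exe -> Explorer.EXE) is the injection-shaped event worth alerting on."""
    hits, seen = [], set()
    for writer, target, _image, _procid in edges:
        if (writer, target) in seen:
            continue
        seen.add((writer, target))
        parent = processes[target][0] if target in processes else None
        if parent != writer:
            hits.append((writer, target))
    return hits


# Heuristic (mine): net/net1 stopping a service whose name mentions an AV/security product.
AV_STOP_RE = re.compile(
    r'\bnet1?(?:\.exe)?\s+stop\s+"?[^"]*(?:antivirus|anti-virus|defender|security)', re.I)


def av_service_stops(processes):
    """PIDs whose command line stops an AV-looking service (net.exe and its net1.exe helper)."""
    return sorted(pid for pid, (_p, _img, cmd) in processes.items() if AV_STOP_RE.search(cmd))


def executes_dropped(processes, dropped):
    """PIDs whose image path was written by another process earlier in the same trace."""
    written = {path.lower() for path in dropped}
    return sorted(pid for pid, (_p, img, _cmd) in processes.items() if img.lower() in written)


def lineage(pid, processes):
    """Ancestry from the root (Explorer) down to pid, for alert context."""
    chain = []
    while pid is not None:
        chain.append(pid)
        pid = processes[pid][0]
    return chain[::-1]


def report(rows=WPM_ROWS, processes=PROCESSES, dropped=DROPPED):
    edges = parse_wpm(rows)
    return {
        "cross_process_writes": cross_process_writes(edges, processes),
        "av_service_stops": av_service_stops(processes),
        "executes_dropped": executes_dropped(processes, dropped),
    }


if __name__ == "__main__":
    for check, pids in report().items():
        print(check, pids)
    print("lineage of net1.exe:", " -> ".join(map(str, lineage(2788, PROCESSES))))
```

The parent-versus-writer comparison is the part worth carrying into real telemetry (Sysmon event 8 or 10 joined to event 1): every CreateProcess in this trace produces a write into the child, so the only way to separate the injection into Explorer.EXE from routine process creation is to know who the target's parent is.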
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 251KB
  MD5: 2492e501b8755b3dccbcf6aed7170608
  SHA1: 3c93004d566f78655f1530534074bf36c246dc6c
  SHA256: 959c5b549d7d0e54f55ba99bcec600febd2c74a2f6ef02ecadacc8465339c3d0
  SHA512: ca1d4a5f1ff2a4ffe0e43839b2fd049ca8a79d2d75fb9fd2cd96afce8628c07092d369fdc603209fe1d95e77c058dcbc691d34bce2c7715869a6980a2a834500
- Filesize: 471KB
  MD5: 99ea9b604a7a734d3087fa6159684c42
  SHA1: 709fa1068ad4d560fe03e05b68056f1b0bedbfc8
  SHA256: 3f733f9e6fec7c4165ca8ba41eb23f604a248babe794c4ad2c6c3ce8032aab1c
  SHA512: 7af8008c7e187f925c62efc97e1891a7a38d089302dba39fbde137fb895e0592847ed0982c824c2075be8e6b95b6ce165ecb848ab85adf53779ebef613410fbb
- Filesize: 692B
  MD5: a7faf4f3d71eaf84dc64ba15c8b213c0
  SHA1: ed78b2ecb1242626ab5936d1d832b1d0157f2703
  SHA256: 40cb1cd1cc8693c190ea65cbd0c5518091c5ae583b5503e1843e4bf0adc66a44
  SHA512: 39be62107ef364dd6556f69c05548106f3a2101d317c8a96819e66bd3e5edf01a65f3913ad574c6b26761b69aae47cd1778ada599603e6dc33fab3b309b4b114
- C:\Users\Admin\AppData\Local\Temp\2024-08-14_a08d5e1d617f392d108fb39e0c5fac79_magniber_viking.exe.exe
  Filesize: 1.7MB
  MD5: 626c79da751474f691e2e94df54c435f
  SHA1: a8d61caec047066a7019213ba60b84b11e0389a1
  SHA256: c8c64291571212e628707b15d4a4c8910ffc4233166a2fb184c8f85d3d3a17a2
  SHA512: f16d92663eae90f1c26397297b1837fb2b76fe49009888376f58e7fe23d16686762235af0c034ede10e33ec76d2c74430468a70974d791146d7f122a008d33f7
- Filesize: 26KB
  MD5: f9b3dab069668bf11ce7ad403e0e270f
  SHA1: edc90cba107110307160eb0364ff1db3ce438d12
  SHA256: b9fa61e706b429e15d5c61ce570fe2466ed27d7261578c17c632b0dd92e31902
  SHA512: ba6639e59b727a3708c17e5f1ade152748642cfb31ce9832746fa190454f632ec1e4ca20e63b58b9b216404d9fe7c07aa7e82f3a6c90c315d2e49d7162760137
- Filesize: 9B
  MD5: fa81249b1f991386d1e1de2a5a03499e
  SHA1: 70e9b6e238a42e7472c1f5f2f4ea3f86f8352185
  SHA256: 5421d45a710074ffe77329c2300e528ce8feceb0748aacbd89ef2ed0aae5a87f
  SHA512: bc652d20db7ab6bde42b15f5639c2b36e000179c232c4b9e3e218e670b93a6d7b73530b3bd6fdfca5d61c5a578c1e7508fb97f9bffdfa17dff214359b094e409
Only the 1.7MB entry carries a path on this page; the other five are listed by hash only, so match them by hash rather than by name.