2a757cddfeb3316229d382b6d1a3192cb6fd535738d000fe7264c885050edb14

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
18/08/2024, 18:56

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe
Size

12.6MB
MD5

50f324c27790530f7ed04008fe514ca5
SHA1

a57eae6a95a42ae8601ba64e955e7503ec948c3b
SHA256

2a757cddfeb3316229d382b6d1a3192cb6fd535738d000fe7264c885050edb14
SHA512

3d29675c9e0746725263650b197bfecfdcb160ed7c03557b6cb679f887bd8d5f0e4f9be1ea5a28966e2adebfa5ef893c08d8b3c893f340e7b3a4481f01ba71a1
SSDEEP

393216:iwESnIe84dE0Prfzhr5fcrGnz5hHdNlrII:iwvnIe84dDK6z5hHBrII

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
2548	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe
2548	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\LuDaShi\{9EF2878C-D4A5-4b3e-B949-1907375CFDE9}.tmp\{CF6949C6-627A-4e9c-A543-E5F554929B9B}.tf	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe
File created	C:\Program Files (x86)\LuDaShi\{179E7703-1357-47ad-9698-CEA28B2797FD}.tf	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2616	2548	WerFault.exe	28

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 2548 wrote to memory of 2616	2548	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe	29
PID 2548 wrote to memory of 2616	2548	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe	29
PID 2548 wrote to memory of 2616	2548	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe	29
PID 2548 wrote to memory of 2616	2548	2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-18_50f324c27790530f7ed04008fe514ca5_magniber.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2548
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 2548 -s 1036
  2⤵
  - Program crash
  PID:2616

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\lds_setup.log

Filesize
966B

MD5
6ea0e9757e705f41815bafeb9b02a2ce

SHA1
7bfcc8c41610a545425d99c8e9e3ed64cd485f33

SHA256
b77141a9c0ad912bb86dffea70b7fe84a0f1151ed1f9fa2ca7c178b15f299fa3

SHA512
ef63eaee5aae6b974c4391e4cbae70702faa991e0e14bdf2da1cd3a3a8f32aa00e6d935e21dfb45fac5a7f09ce5b153b213afb63cb9d20f67b1869dc1fd89191

Download Submit
\Users\Admin\AppData\Local\Temp\{5E2800EC-7532-4ca2-9E18-462051CE1E91}.tmp\NetBridge.dll

Filesize
231KB

MD5
9d145902fb5b9a6da62ac85761434e31

SHA1
c817d77f59e3767d75cf5f5298d6b5711308f7e5

SHA256
98d795d55329b1057f4fd590468e648a8c34b620207fd9a0a6953f3e98d1ea43

SHA512
bbb3109bcd5ded909bfdaeb7f4f006fc5928a9bc501bad5ae8ba9805bc0d924a2c4da8bbd215480db936d663852abd9b0435fa241a40224a4cd93c4b7aff79a9

Download Submit
\Users\Admin\AppData\Local\Temp\{8AA81B1D-6DB0-426d-892D-3397DBB27CED}.tmp\7z.dll

Filesize
1.1MB

MD5
2888126384d873cc49af32bbe34bb296

SHA1
fe74877bcaec93c7d67dab2ce8c86cfc38402d22

SHA256
aba19501a8033495664879e09e60e4788537d387cf038fa8769e5b178bccdcb4

SHA512
f283b721b27d85fbc7a4e1e91ab1683da0c3888f632873625c4c2b48caa170471aaa84e107230988f615d3f43e40a640607d6e6f641aed59788dee441801748a

Download Submit
memory/2548-39-0x0000000000FB0000-0x0000000000FB1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads