Malware Analysis Report

2024-10-16 03:32

Sample ID: 240825-gfekhsyhqr
Target: 2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber
SHA256: 2cc7100ac0684b2c94e5268583e534b62d78859c35679a381616f2bca3f39676
Tags: banload discovery downloader dropper evasion trojan
Score: 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score: 10/10

SHA256: 2cc7100ac0684b2c94e5268583e534b62d78859c35679a381616f2bca3f39676

Threat Level: Known bad

The file 2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber was found to be: Known bad.

Malicious Activity Summary

banload discovery downloader dropper evasion trojan

Banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

Checks BIOS information in registry

Enumerates connected drives

System Location Discovery: System Language Discovery

Unsigned PE

Enumerates physical storage devices

Program crash

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Modifies registry class

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-08-25 05:44

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-08-25 05:44
Reported: 2024-08-25 05:47
Platform: win10v2004-20240802-en
Max time kernel: 135s
Max time network: 104s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Enumerates connected drives

Description | Indicator | Process | Target
File opened (read-only) | \??\K: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\L: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\O: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\I: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\M: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\N: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\P: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\Q: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\W: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\Y: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\E: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\H: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\J: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\V: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\Z: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\G: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\R: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\S: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\T: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\U: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
File opened (read-only) | \??\X: | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7} | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InProcServer32 | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InProcServer32\ = "%SystemRoot%\\SysWow64\\UIRibbon.dll" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InProcServer32\ThreadingModel = "Apartment" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 428 -p 228 -ip 228

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 228 -s 1488

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 81.144.22.2.in-addr.arpa | udp
US | 8.8.8.8:53 | 2.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp
US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp
US | 8.8.8.8:53 | 192.142.123.92.in-addr.arpa | udp
US | 8.8.8.8:53 | 172.210.232.199.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 35.56.20.217.in-addr.arpa | udp
US | 8.8.8.8:53 | 22.236.111.52.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/228-1-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-2-0x0000000003930000-0x0000000003B30000-memory.dmp

memory/228-8-0x0000000003930000-0x0000000003B30000-memory.dmp

memory/228-11-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-12-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-14-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-16-0x00000000038F0000-0x0000000003910000-memory.dmp

memory/228-17-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-15-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-20-0x0000000003930000-0x0000000003B30000-memory.dmp

memory/228-19-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-41-0x0000000003930000-0x0000000003B30000-memory.dmp

memory/228-44-0x0000000000400000-0x0000000001693000-memory.dmp

C:\Users\Admin\AppData\Roaming\Itsth\Easy2Sync_for_Outlook\logfile.txt

MD5 798543447e701c9fcdb0704b1100088a
SHA1 dac037dc9b24bfcbe51d198d4384a2e341fbd0b0
SHA256 db7a31734c0027ab19d09384c001953acff0bb67583993bf3dcad82bf31a3852
SHA512 e37432ec66c39751c07455069e1966204209e34721c9ccabd156e85daf1f438d8bfbb436beef49ddcfd83673b864e80bf532679f550eaf52ca767696968adeff

memory/228-53-0x0000000000400000-0x0000000001693000-memory.dmp

memory/228-54-0x0000000003930000-0x0000000003B30000-memory.dmp

memory/228-56-0x0000000000400000-0x0000000001693000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted: 2024-08-25 05:44
Reported: 2024-08-25 05:47
Platform: win7-20240708-en
Max time kernel: 140s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe"

Signatures

Banload

trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM)

evasion

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\ = "Audio Renderer Property Page" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32 | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ = "C:\\Windows\\SysWOW64\\quartz.dll" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7}\InprocServer32\ThreadingModel = "Both" | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{64EDD3F2-7AA3-8105-AE3F-99664D2D41E7} | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-08-25_d5568bd7cb5aef02d1f19dbc9c42b060_magniber.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1820 -s 1320

Network

N/A

Files

memory/1820-6-0x00000000034B0000-0x00000000036B0000-memory.dmp

memory/1820-0-0x00000000034B0000-0x00000000036B0000-memory.dmp

memory/1820-7-0x0000000000400000-0x0000000001693000-memory.dmp

memory/1820-12-0x0000000000400000-0x0000000001693000-memory.dmp

memory/1820-13-0x0000000000400000-0x0000000001693000-memory.dmp

memory/1820-15-0x0000000001830000-0x0000000001850000-memory.dmp

memory/1820-14-0x0000000000400000-0x0000000001693000-memory.dmp

memory/1820-10-0x0000000000400000-0x0000000001693000-memory.dmp

memory/1820-19-0x00000000034B0000-0x00000000036B0000-memory.dmp

memory/1820-16-0x0000000000400000-0x0000000001693000-memory.dmp

memory/1820-18-0x0000000000400000-0x0000000001693000-memory.dmp

memory/1820-29-0x00000000034B0000-0x00000000036B0000-memory.dmp

memory/1820-28-0x00000000034B0000-0x00000000036B0000-memory.dmp

memory/1820-31-0x0000000000400000-0x0000000001693000-memory.dmp