Overview

overview

8

Static

static

7

2024-08-26...er.exe

windows7-x64

8

2024-08-26...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    149s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 01:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-26_d66143f7c2c11bab45ce1356af0f99ef_magniber.exe

  • Size

    2.0MB

  • MD5

    d66143f7c2c11bab45ce1356af0f99ef

  • SHA1

    2a57661fc30fcc8a9bf96b8e252c9f10185b6143

  • SHA256

    de2f88e3b2cfcf6aa44f88b6a8e74ee25afec3bd1930718e78141cbab7f5550c

  • SHA512

    065592b8429db19719b385b615341130bb75961faf82d0e780bd73aedfedff5b88a45ee11aeb3816f95756d5af91c8e638ca4d90f20a94fb1e0f53fa35534f87

  • SSDEEP

    24576:DNlaW5n274tWa9spJIi1pTG05RwbLR1bLvJbKkKF/eMNPjsbD:DSW5wpWiXG1Z39KFeMYD

Score
8/10
discoveryvmprotect

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Modifies file permissions 1 TTPs 1 IoCs
    discovery
  • Unexpected DNS network traffic destination 1 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 12 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 2 IoCs
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 14 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3568
    • C:\Users\Admin\AppData\Local\Temp\2024-08-26_d66143f7c2c11bab45ce1356af0f99ef_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-08-26_d66143f7c2c11bab45ce1356af0f99ef_magniber.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5048
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2024-08-26_d66143f7c2c11bab45ce1356af0f99ef_magniber.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2896
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:1716
    • C:\Windows\Logs\icacls.exe
      "C:\Windows\Logs\icacls.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Modifies file permissions
      • Drops file in System32 directory
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4308
  • C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=4408,i,7447299413640964517,4240724842020506306,262144 --variations-seed-version --mojo-platform-channel-handle=4360 /prefetch:8
    1⤵
      PID:3220

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Windows\Logs\icacls.exe
      Filesize

      38KB

      MD5

      48c87e3b3003a2413d6399ea77707f5d

      SHA1

      2b52b53fab6c50f3852f55b786ff16d7fe25bcb8

      SHA256

      222ea0e9d8ed1d337dbaedd75a13b8f28fa5c3711dcdf4307e75cede5b5f6b9a

      SHA512

      503d567172d532040b9ef0cbbd9b7d8bad1f2afa41acb68b19ab91775b69ad327bfbd907102fa9a8e0c99e9b7e9b1e3c20d720839dadc7b94ac819c6a4d5d9e3

      Download Submit

    • memory/3568-37-0x000000000AE60000-0x000000000B0F1000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/3568-13-0x000000000AE60000-0x000000000B0F1000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/3568-19-0x0000000003430000-0x0000000003433000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3568-14-0x000000000AE60000-0x000000000B0F1000-memory.dmp

      Filesize

      2.6MB

      Download

    • memory/3568-8-0x0000000003430000-0x0000000003433000-memory.dmp

      Filesize

      12KB

      Download

    • memory/3568-10-0x0000000003430000-0x0000000003433000-memory.dmp

      Filesize

      12KB

      Download

    • memory/4308-55-0x000002899DFB0000-0x000002899E0C8000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4308-47-0x00007FFBC4AD0000-0x00007FFBC4AE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4308-38-0x000002899BCD0000-0x000002899BF3B000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/4308-39-0x000002899BB80000-0x000002899BB81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-71-0x000002899DFB0000-0x000002899E0C8000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4308-26-0x000002899BCD0000-0x000002899BF3B000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/4308-24-0x000002899BCD0000-0x000002899BF3B000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/4308-27-0x000002899BCD0000-0x000002899BF3B000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/4308-35-0x00007FFBC4AD0000-0x00007FFBC4AE0000-memory.dmp

      Filesize

      64KB

      Download

    • memory/4308-36-0x000002899BB80000-0x000002899BB81000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-34-0x000002899BCD0000-0x000002899BF3B000-memory.dmp

      Filesize

      2.4MB

      Download

    • memory/4308-64-0x000002899DFB0000-0x000002899E0C8000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4308-63-0x000002899BCB0000-0x000002899BCB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-72-0x000002899BCA0000-0x000002899BCA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-48-0x000002899BCA0000-0x000002899BCA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-57-0x000002899BCA0000-0x000002899BCA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-50-0x000002899BCA0000-0x000002899BCA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-49-0x000002899BCA0000-0x000002899BCA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-51-0x000002899DDB0000-0x000002899DDB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-52-0x000002899BCB0000-0x000002899BCB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-53-0x000002899BCA0000-0x000002899BCA1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-54-0x000002899DDB0000-0x000002899DDB1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4308-59-0x000002899DFB0000-0x000002899E0C8000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/4308-58-0x000002899DFB0000-0x000002899E0C8000-memory.dmp

      Filesize

      1.1MB

      Download

    • memory/5048-5-0x0000000003580000-0x0000000003581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5048-9-0x0000000003580000-0x0000000003581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5048-7-0x0000000000C60000-0x0000000000D58000-memory.dmp

      Filesize

      992KB

      Download

    • memory/5048-0-0x0000000000C60000-0x0000000000D58000-memory.dmp

      Filesize

      992KB

      Download

    • memory/5048-1-0x0000000000C60000-0x0000000000D58000-memory.dmp

      Filesize

      992KB

      Download

    • memory/5048-6-0x0000000003580000-0x0000000003581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/5048-77-0x0000000000C60000-0x0000000000D58000-memory.dmp

      Filesize

      992KB

      Download