Overview

overview

8

Static

static

7

2024-08-26...er.exe

windows7-x64

8

2024-08-26...er.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
  • submitted
    26-08-2024 01:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-08-26_ee2dc4ebfc31a74ddabf33676df9ffff_magniber.exe

  • Size

    2.3MB

  • MD5

    ee2dc4ebfc31a74ddabf33676df9ffff

  • SHA1

    e8277f1976747640f998935356ceda5796870526

  • SHA256

    3e85b2dce61c586e6a69c6d48a3cc3a63b9aba019a4e44a04137004d840ec5d6

  • SHA512

    435bf29c818a2221ced714976a142d02292d271e7c90eaa616fbf97f4e3c9001dce70d0935edd66531896b9c7aeec373c269593f02dbf3fd8d034fe6bd8bd47b

  • SSDEEP

    24576:qNlaW5n274tWa9spu1pTG05RwbLR1bTJbKkKF/eMNPja/:qSW5wpuXG1Z39KFeMo

Score
8/10
discoveryvmprotect

Malware Config

Signatures

  • Drops file in Drivers directory 1 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Unexpected DNS network traffic destination 2 IoCs

    Network traffic to other servers than the configured DNS servers was detected on the DNS port.

  • VMProtect packed file 12 IoCs

    Detects executables packed with VMProtect commercial packer.

    vmprotect
  • Drops file in System32 directory 2 IoCs
  • Enumerates processes with tasklist 1 TTPs 1 IoCs
    discovery
  • Drops file in Windows directory 3 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks SCSI registry key(s) 3 TTPs 3 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Delays execution with timeout.exe 1 IoCs
    evasion
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: LoadsDriver 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 12 IoCs
  • Suspicious use of UnmapMainImage 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of UnmapMainImage
    • Suspicious use of WriteProcessMemory
    PID:3472
    • C:\Users\Admin\AppData\Local\Temp\2024-08-26_ee2dc4ebfc31a74ddabf33676df9ffff_magniber.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-08-26_ee2dc4ebfc31a74ddabf33676df9ffff_magniber.exe"
      2⤵
      • Checks computer location settings
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:892
      • C:\Windows\SysWOW64\cmd.exe
        "C:\Windows\System32\cmd.exe" /c timeout /t 1 & del /Q /F "C:\Users\Admin\AppData\Local\Temp\2024-08-26_ee2dc4ebfc31a74ddabf33676df9ffff_magniber.exe"
        3⤵
        • System Location Discovery: System Language Discovery
        • Suspicious use of WriteProcessMemory
        PID:2784
        • C:\Windows\SysWOW64\timeout.exe
          timeout /t 1
          4⤵
          • System Location Discovery: System Language Discovery
          • Delays execution with timeout.exe
          PID:4012
    • C:\Windows\Help\tasklist.exe
      "C:\Windows\Help\tasklist.exe"
      2⤵
      • Drops file in Drivers directory
      • Executes dropped EXE
      • Drops file in System32 directory
      • Enumerates processes with tasklist
      • Drops file in Windows directory
      • Checks SCSI registry key(s)
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4868

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Windows\Help\tasklist.exe
    Filesize

    104KB

    MD5

    d0a49a170e13d7f6aebbefed9df88aaa

    SHA1

    d61ffd641c2f6d45dadc26c02daeea8dabee8204

    SHA256

    be7241a74fe9a9d30e0631e41533a362b21c8f7aae3e5b6ad319cc15c024ec3f

    SHA512

    8fab3a6ed410c44e05f5cf13ad732be00a1d72db9a35124d385e1d7e3b081377b98b91715269bd858d3044d413dc7527e103c882a9bed9637f2b46f3247af9a9

    Download Submit

  • memory/892-11-0x00000000030F0000-0x00000000030F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/892-1-0x00000000009A0000-0x0000000000A98000-memory.dmp

    Filesize

    992KB

    Download

  • memory/892-5-0x00000000030F0000-0x00000000030F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/892-6-0x00000000030F0000-0x00000000030F1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/892-7-0x00000000009A0000-0x0000000000A98000-memory.dmp

    Filesize

    992KB

    Download

  • memory/892-71-0x00000000009A0000-0x0000000000A98000-memory.dmp

    Filesize

    992KB

    Download

  • memory/892-0-0x00000000009A0000-0x0000000000A98000-memory.dmp

    Filesize

    992KB

    Download

  • memory/3472-9-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3472-15-0x000000000B9B0000-0x000000000BC41000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3472-19-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3472-13-0x000000000B9B0000-0x000000000BC41000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/3472-8-0x0000000000DA0000-0x0000000000DA3000-memory.dmp

    Filesize

    12KB

    Download

  • memory/3472-38-0x000000000B9B0000-0x000000000BC41000-memory.dmp

    Filesize

    2.6MB

    Download

  • memory/4868-35-0x00007FF7C8040000-0x00007FF7C8050000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4868-51-0x000001E0F5CD0000-0x000001E0F5CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-25-0x000001E0F5750000-0x000001E0F59BB000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4868-37-0x000001E0F3B50000-0x000001E0F3B51000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-34-0x000001E0F5750000-0x000001E0F59BB000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4868-27-0x000001E0F5750000-0x000001E0F59BB000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4868-46-0x00007FF7C8040000-0x00007FF7C8050000-memory.dmp

    Filesize

    64KB

    Download

  • memory/4868-47-0x000001E0F5750000-0x000001E0F59BB000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4868-48-0x000001E0F5B70000-0x000001E0F5B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-49-0x000001E0F5B60000-0x000001E0F5B61000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-50-0x000001E0F5B70000-0x000001E0F5B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-28-0x000001E0F5750000-0x000001E0F59BB000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/4868-54-0x000001E0F60B0000-0x000001E0F61C8000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4868-52-0x000001E0F60B0000-0x000001E0F61C8000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4868-60-0x000001E0F5B70000-0x000001E0F5B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-59-0x000001E0F60B0000-0x000001E0F61C8000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4868-58-0x000001E0F60B0000-0x000001E0F61C8000-memory.dmp

    Filesize

    1.1MB

    Download

  • memory/4868-24-0x000001E0F3980000-0x000001E0F3983000-memory.dmp

    Filesize

    12KB

    Download

  • memory/4868-72-0x000001E0F5B70000-0x000001E0F5B71000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-73-0x000001E0F5CD0000-0x000001E0F5CD1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4868-74-0x000001E0F60B0000-0x000001E0F61C8000-memory.dmp

    Filesize

    1.1MB

    Download