azorult | 403fe5fca6fe4c90585fbf7533c7755619a5d5455933b5798eaf95b14bd510ed

General

Target

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Size

1.9MB
MD5

640a2b28957aeb7b3147b796a3e9fe57
SHA1

5998e9ec9a3574c62bb73179f5b212b19add2bc0
SHA256

403fe5fca6fe4c90585fbf7533c7755619a5d5455933b5798eaf95b14bd510ed
SHA512

4887f11085ae8ab85258445c1e902eb69901f9cb2720cf8251985662872d83aac150e32bbdb797fd2a6197da2b79a575b06ae70bef37ac403b2fb9d7f9ff7365
SSDEEP

49152:XbwTDIrh3crgiLGBLHTLJRPgMnlsEqSb0q5VWy7EeNL:8TDIrh3crkr5gMnlsEqGPtQAL

Score

10^/10

azorult banload discovery downloader dropper evasion infostealer trojan

Malware Config

Extracted

Family

azorult

C2

http://account.protonvpn.store/index.php

Signatures

Azorult
An information stealer that was first discovered in 2016, targeting browsing history and passwords.
trojan infostealer azorult
Banload
Banload variants download malicious files, then install and execute the files.
trojan dropper downloader banload

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 2 IoCs

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

Suspicious use of SetThreadContext 1 IoCs

Processes:

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

description	pid	process	target process
PID 4260 set thread context of 4440	4260	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

Modifies registry class 55 IoCs

Processes:

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\InprocServer32\ThreadingModel = "Apartment"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\Version	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\makhhcKjqxtl = "rc]_ZJqLKQB~Ey}hSNbXSjUXPRrkt"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\jlBFfno = "qd`EflbzIQYhNRgrPawDV\x7fWj"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\jlBFfno = "hgLwGiaXolBlv@DwS`{z]NZO"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\makhhcKjqxtl = "ahLadcz_b]AciFwJtatt}\\fdqo[eN"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\InprocServer32	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\ProgID	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\makhhcKjqxtl = "ahLadcz_b]AciFwJtatt}\\fdso[eN"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\ABpca = "NR]nd@^qfEQWb}VS"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\ABpca = "nWnJxmvFh[TiQDnh"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\pmcg = "k\|\\BPNW@S}cGs[DEsKNUtt\\\x7f"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\nxjeshC = "R{HWqz_t@g[f_FCOG\|uM`Zo]"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\makhhcKjqxtl = "rc]_ZJqLKQB~Ey}hSNbXSjUX]Rrkt"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\InprocServer32\ = "C:\\Windows\\SysWOW64\\wmpdxm.dll"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\MiscStatus\1	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\fFegTbjtsMv = "T~LqUGkXAiC_wnEaIuthg{pk"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\unrrRdclYJxau = "ai_f\\vT"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\Uitsumu = "d\|RQIIGuYHEfeZDakZIHpcHY"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\makhhcKjqxtl = "ahLadcz_b]AciFwJtatt}\\fdpo[eN"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\Version\ = "2.0"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\yzvoqgk = "A\|oGJh_CsSlFb[N~Zy\|"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\pmcg = "krbOuUpx`j@q\x7f]~{c[OUe\x7f]k"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\unrrRdclYJxau = "ab_ODu`"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\jlBFfno = "qdPEflbzIQYhNRgrPawDV\x7fWj"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\makhhcKjqxtl = "ahLadcz_b]AciFwJtatt}\\fd~o[eN"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\TypeLib\ = "{05589fa0-c356-11ce-bf01-00aa0055595a}"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\jlBFfno = "qd`EflbzISyhNRgrPawDV\x7fWj"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\unrrRdclYJxau = "t\x7fl\|@hx"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\ = "ActiveMovieControl Object"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\yzvoqgk = "wfLQ^twkiyhvEJRw_PD"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\unrrRdclYJxau = "a`YLW\x7fD"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\ToolboxBitmap32	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\Uitsumu = "O{POdXm`sVxCZIohuIRVCGfW"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\MiscStatus	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\makhhcKjqxtl = "rc]_ZJqLKQB~Ey}hSNbXSjUXSRrkt"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\unrrRdclYJxau = "t}j\x7fSb\\"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\MiscStatus\ = "0"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\MiscStatus\1\ = "131473"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\VersionIndependentProgID\ = "AMOVIE.ActiveMovieControl"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\jlBFfno = "hgLwGiaXonblv@DwS`{z]NZO"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\ABpca = "NR]nd@^qfEaWb}VS"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\makhhcKjqxtl = "rc]_ZJqLKQB~Ey}hSNbXSjUXRRrkt"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\ProgID\ = "AMOVIE.ActiveMovieControl.2"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\TypeLib	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\unrrRdclYJxau = "t\x7fFLz\\`"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\nxjeshC = "WQ_guBUBD[UvQWBvbXOfY`]X"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\jlBFfno = "hg\|wGiaXolBlv@DwS`{z]NZO"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\fFegTbjtsMv = "D[N{HtzN\|I{kO`nflwKC_PGG"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\unrrRdclYJxau = "tvjVKah"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\VersionIndependentProgID	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{0C6D12CC-C522-0FA5-34C5-DB2168552EE7}\ABpca = "nWnJxmvFh[diQDnh"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000_Classes\{502E4348-1366-13D1-B2E4-0060975B8649}\unrrRdclYJxau = "a`s\|mK\\"	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

Suspicious use of AdjustPrivilegeToken 8 IoCs

Processes:

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

description	pid	process
Token: 33	2784	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Token: SeIncBasePriorityPrivilege	2784	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Token: 33	2784	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Token: SeIncBasePriorityPrivilege	2784	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Token: 33	4260	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Token: SeIncBasePriorityPrivilege	4260	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Token: 33	4260	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
Token: SeIncBasePriorityPrivilege	4260	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4220
- C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe"
  2⤵
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2784
- - C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
    C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe V8
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1672
  - - C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
      C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe V8
      4⤵
      Identifies VirtualBox via ACPI registry values (likely anti-VM)
      Checks BIOS information in registry
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Modifies registry class
      Suspicious use of AdjustPrivilegeToken
      PID:4260
    - - C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
        
        "C:\Users\Admin\AppData\Local\Temp\2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:4440

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

2

T1012

System Information Discovery

1

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/1672-19-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/1672-73-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2784-3-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2784-4-0x0000000002A30000-0x0000000002C3C000-memory.dmp

Filesize
2.0MB

Download
memory/2784-11-0x0000000002A30000-0x0000000002C3C000-memory.dmp

Filesize
2.0MB

Download
memory/2784-16-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2784-17-0x0000000002A30000-0x0000000002C3C000-memory.dmp

Filesize
2.0MB

Download
memory/2784-15-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2784-14-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/2784-21-0x0000000002A30000-0x0000000002C3C000-memory.dmp

Filesize
2.0MB

Download
memory/4220-0-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4220-22-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4260-32-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4260-72-0x00000000029F0000-0x0000000002BFC000-memory.dmp

Filesize
2.0MB

Download
memory/4260-28-0x00000000029F0000-0x0000000002BFC000-memory.dmp

Filesize
2.0MB

Download
memory/4260-31-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4260-33-0x00000000029F0000-0x0000000002BFC000-memory.dmp

Filesize
2.0MB

Download
memory/4260-34-0x00000000029F0000-0x0000000002BFC000-memory.dmp

Filesize
2.0MB

Download
memory/4260-25-0x00000000029F0000-0x0000000002BFC000-memory.dmp

Filesize
2.0MB

Download
memory/4260-30-0x0000000000400000-0x000000000061D000-memory.dmp

Filesize
2.1MB

Download
memory/4440-69-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-67-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-65-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-63-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-39-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-71-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-37-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download
memory/4440-75-0x0000000000480000-0x0000000000549000-memory.dmp

Filesize
804KB

Download
memory/4440-76-0x0000000000400000-0x0000000000429000-memory.dmp

Filesize
164KB

Download

description	pid	process	target process
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 2784 wrote to memory of 1672	2784	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 2784 wrote to memory of 1672	2784	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 2784 wrote to memory of 1672	2784	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 4220 wrote to memory of 2784	4220	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe
PID 1672 wrote to memory of 4260	1672	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe	2024-09-17_640a2b28957aeb7b3147b796a3e9fe57_magniber.exe

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads