77c7cfa81b20a3fba1cbb3f7612a58257e26c007765f1febe9c15ee6c7a308cc

Analysis

max time kernel
141s
max time network
139s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
30/09/2024, 18:22

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe
Size

7.1MB
MD5

5929b74b30aff9c6dfc44aeee7d7fc92
SHA1

639e7c7ac028e99d4370d4873a614e2c5b5e8e18
SHA256

77c7cfa81b20a3fba1cbb3f7612a58257e26c007765f1febe9c15ee6c7a308cc
SHA512

98d83b5d5e9c4bb6713b44713287bd94b559feeb575bdfc4e6404b8aa40c408e78589ed87e47311f44ab7b52a7efeb60b723fcd25def311d7d9799fbc891bb6c
SSDEEP

196608:I6bi6bX8FVUtzyVUH/YlN7EqRWl+mIlF3PaPLF7sXBbHpvLw+fimzyC2ejccP0Cd:97cVUghRWgv02

Score

7^/10

discovery link pdf

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3300	svchost.exe
1288	2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe
3016	svchost.exe

Drops file in Program Files directory 38 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jabswitch.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jarsigner.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	svchost.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\8.0.2\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\extcheck.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\idlj.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java-rmi.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	svchost.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\notification_helper.exe	svchost.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	svchost.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	svchost.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javap.exe	svchost.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File created	C:\Windows\svchost.exe	2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe

HTTP links in PDF interactive object 1 IoCs

Detects HTTP links in interactive objects within PDF files.

pdf link

resource	yara_rule
behavioral2/files/0x0007000000023477-8.dat	pdf_with_link_action

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 1104 wrote to memory of 3300	1104	2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe	85
PID 1104 wrote to memory of 3300	1104	2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe	85
PID 1104 wrote to memory of 3300	1104	2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe	85
PID 3300 wrote to memory of 1288	3300	svchost.exe	86
PID 3300 wrote to memory of 1288	3300	svchost.exe	86
PID 3300 wrote to memory of 1288	3300	svchost.exe	86

C:\Users\Admin\AppData\Local\Temp\2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe"
1⤵
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1104
- C:\Windows\svchost.exe
  "C:\Windows\svchost.exe" "C:\Users\Admin\AppData\Local\Temp\2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3300
- - C:\Users\Admin\AppData\Local\Temp\2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe"
    3⤵
    - Executes dropped EXE
    PID:1288

C:\Windows\svchost.exe
C:\Windows\svchost.exe
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3016

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\2024-09-30_5929b74b30aff9c6dfc44aeee7d7fc92_jeefo_magniber.exe

Filesize
7.1MB

MD5
cc1ebe0fdfa38da11745da42e89d6485

SHA1
405c77f6a6e1462336d462e629c8ba4128ff47c2

SHA256
f98dd530af2abda0ab6c571b12cdd885668df10008688fc8d63a0e8e16afffa9

SHA512
b42decb88994be8f17d804fc8c04da30dcf54eb931fa57dd18296d760b5e8d6447d47b2157f68d991da1042d1a6d6aa633275236c754d5ac526ec2ab5a0e0697

Download Submit
C:\Windows\svchost.exe

Filesize
35KB

MD5
9e3c13b6556d5636b745d3e466d47467

SHA1
2ac1c19e268c49bc508f83fe3d20f495deb3e538

SHA256
20af03add533a6870d524a7c4753b42bfceb56cddd46016c051e23581ba743f8

SHA512
5a07ba8a7fcb15f64b129fada2621252b8bc37eb34d4f614c075c064f8ac0d367301eba0c32c5e28b8aa633f6ab604f0dfcc363b34734ce0207ef0d4e8817c4b

Download Submit
memory/1104-3-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/3016-13-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3016-15-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3016-21-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3016-25-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3300-10-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download