Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

9

Static

static

3

2024-10-14...er.exe

windows7-x64

9

2024-10-14...er.exe

windows10-2004-x64

9

Analysis

  • max time kernel
    149s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    14/10/2024, 08:46

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe

  • Size

    5.3MB

  • MD5

    0271bf83ad3127f16367a7662f2247b4

  • SHA1

    cc30247eb021648e11ae84b7afacfa476129b2ef

  • SHA256

    9473531e370d7a45e1ff2bd214c0365f07c78f6ce52ec35f141fbedf76c2ed1f

  • SHA512

    17419cd882d6a812a051993450136fb3c4d59d2b5854989efeaaf6e8eea0d285a4bd940f3c51f46ec4b5efa5417d748ca58f51ece77210d32448f63178968173

  • SSDEEP

    98304:PkB/qoHMdnJE7hAlKnsz2C2PYdhIqHpnq0EB:bJEul4szEonqtB

Score
9/10
discoverypersistenceransomwarespywarestealer

Malware Config

Signatures

  • Renames multiple (177) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

    ransomware
  • Drops file in Drivers directory 2 IoCs
  • Deletes itself 1 IoCs
  • Executes dropped EXE 1 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Runs net.exe
  • Suspicious behavior: EnumeratesProcesses 43 IoCs
  • Suspicious use of WriteProcessMemory 34 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1212
      • C:\Users\Admin\AppData\Local\Temp\2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe
        "C:\Users\Admin\AppData\Local\Temp\2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe"
        2⤵
        • Drops file in Drivers directory
        • Adds Run key to start application
        • Drops file in Windows directory
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of WriteProcessMemory
        PID:1688
        • C:\Windows\SysWOW64\net.exe
          net stop "Kingsoft AntiVirus Service"
          3⤵
          • System Location Discovery: System Language Discovery
          • Suspicious use of WriteProcessMemory
          PID:2216
          • C:\Windows\SysWOW64\net1.exe
            C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            PID:3056
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c C:\Users\Admin\AppData\Local\Temp\$$a53BB.bat
          3⤵
          • Deletes itself
          • System Location Discovery: System Language Discovery
          PID:2636
        • C:\Windows\Logo1_.exe
          C:\Windows\Logo1_.exe
          3⤵
          • Drops file in Drivers directory
          • Executes dropped EXE
          • Adds Run key to start application
          • Enumerates connected drives
          • Drops file in Program Files directory
          • Drops file in Windows directory
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of WriteProcessMemory
          PID:2776
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2616
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2652
          • C:\Windows\SysWOW64\net.exe
            net stop "Kingsoft AntiVirus Service"
            4⤵
            • System Location Discovery: System Language Discovery
            • Suspicious use of WriteProcessMemory
            PID:2984
            • C:\Windows\SysWOW64\net1.exe
              C:\Windows\system32\net1 stop "Kingsoft AntiVirus Service"
              5⤵
              • System Location Discovery: System Language Discovery
              PID:2244

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files (x86)\Common Files\Adobe AIR\Versions\1.0\RCXEC30.tmp
      Filesize

      94KB

      MD5

      8ee6d107f45f4b178e2fa93929761804

      SHA1

      8dbbcb12577b6e84b5c595105a663708026375ae

      SHA256

      09839c8a3ebdded5f8d940858fb0e36cf34e541e13418e149ab31c9648eee017

      SHA512

      3ef8d870c5482b90d8a0f7d4a1e5d157e72254aa22cd6d4d0836cdfca878c9e4cef747a551428726bd6ec32193dd8c92054444c353b9a72b3bd7a303038cdc98

      Download Submit

    • C:\Program Files (x86)\Google\Update\1.3.36.151\GoogleCrashHandler.exe.Exe
      Filesize

      392KB

      MD5

      9e45dbf2ba255eff25101c5e3e222cbb

      SHA1

      03a27eba4c0219982f366ddd798bf6c3d07482aa

      SHA256

      de0e1887b7ee7148caff437a2b6f5bfb67af0f7de5cc80523192982635a3402a

      SHA512

      fcaf60a254bbada9b36aec819ff2dbe85b5b62e14535ba273a91d5a123dfe6824e944aeeed4161aa8c15882bfdd0517de32c6be6621cb0993d2e1b5e11992e6b

      Download Submit

    • C:\Program Files\7-Zip\RCXE522.tmp
      Filesize

      91KB

      MD5

      4c5a194a25c48be173dd3a64af0084ac

      SHA1

      538608aa8608c8af1fb9f168aa3dc0a8ed9be8b9

      SHA256

      0c4ab2e6902d67c12b803af0292a7d94b13551640cb6cceb34266fda02554264

      SHA512

      ebdbc0f117ed16eb0135672f12b89d14bad2e0affd06cbfb49cd785a7ee7f570dec73c0948c12fc0282bc3d1054edf69a5a8a2b71d3fbbdbf9bfd022ead01483

      Download Submit

    • C:\Program Files\Java\jdk1.7.0_80\bin\RCXE596.tmp
      Filesize

      91KB

      MD5

      21b2afe2b7a1f7a9dbc0e1d1ef93a712

      SHA1

      3222c94f2f457b16f01b1a7ebfca35382b037a75

      SHA256

      9ace1817c3e5736d5b86c95809c45a3df219a8abf4078022ba099f37b60f684a

      SHA512

      c5baf41242899c0f71bde14ff947a6be9a7d682367be8493767529bb73a93051579f32bb08aec92e43a1569ade7a0401dd9182d691c3ca01f56b8a059ad339ea

      Download Submit

    • C:\Program Files\Mozilla Firefox\uninstall\RCXE757.tmp
      Filesize

      99KB

      MD5

      8bf62cf8fc663f35aea0fcc8388138cc

      SHA1

      caff0a288c1eaa5a2c43ad4a1787a892718a2f29

      SHA256

      ae89218d6415eebd9ada2a23e4b36fb114659026d5952cc99bc3d4e1b6543271

      SHA512

      7fe823a37d1b4c6fc27ceaa073041b91388360354fcdd763bed3632f69a601b7ff1dd6b6b78f124e8abe53fb98a18b90a7ec03b461f6df21dcb316dbf4ee50b6

      Download Submit

    • C:\ProgramData\Package Cache\{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}\RCXF180.tmp
      Filesize

      92KB

      MD5

      9f71409d74c492bde324824066d8df3e

      SHA1

      6ab1e8af700e91d61fda7e2adcbce132a532c7cc

      SHA256

      60b7cc01ae655611930ff7f017f9258accb8682da5bf14abf980eaa1077453d0

      SHA512

      222b50232a232a60bc26e87250d356b61f09409c62dfde33f7ee4c0410567ff3599fab124a2caba6160ed4e869cb53f28539a0e9386e954a51deca06f23b6ec3

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\$$a53BB.bat
      Filesize

      728B

      MD5

      3f77b39cd2ec8f163bdf050346148992

      SHA1

      0e09421760db1f3d631879b5b5c75014b41dd6ee

      SHA256

      e5d5c26dfb577db48c3da9af69f58b1b39e1a30ff99a8fcfb292f195114b273a

      SHA512

      769d80d66e2a75faa5271a64cc95dfb6314c46382574124613c93c7dc86e29f416bcd7c2f7f9f173389d66241ed81691fa60d4863c63ef27f51b182395015772

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\2024-10-14_0271bf83ad3127f16367a7662f2247b4_hijackloader_magniber.exe.exe
      Filesize

      5.3MB

      MD5

      1862d5f0e9903c6c6dda216f0755a581

      SHA1

      6721684d8fa7cebc21a4507671db37f0bbcd4a42

      SHA256

      80935f6ce2b782ad94e30e5e3d7b7e2b22d96696a1f266e00855b98b994a5321

      SHA512

      40d0eabbe1945e4097720ce996481a21549a0a0b9089270622c67977f8a819f959221f4b9c252a90a817345be17170c12ee8b18d62e7c7a50ffe08d1e897c0ec

      Download Submit

    • C:\Windows\Logo1_.exe
      Filesize

      93KB

      MD5

      176ca437b5cb121deb548be2f7061b0d

      SHA1

      7cd7bbe31d411a368236ddd490e7ff1eaa659fd1

      SHA256

      28f394e55e4bfa629c8f844cc265e9d529795aaba4d59e17b97d8a638f9293ec

      SHA512

      33e18b7025106cebcef26486d48beba282568241fd1117f45211f7151cfb3489cbf37703d03109c8b6a481a61e3c9668f804933592df8196e96c1c8e107cdb1f

      Download Submit

    • C:\Windows\system32\drivers\etc\hosts
      Filesize

      832B

      MD5

      7e3a0edd0c6cd8316f4b6c159d5167a1

      SHA1

      753428b4736ffb2c9e3eb50f89255b212768c55a

      SHA256

      1965854dfa54c72529c88c7d9f41fa31b4140cad04cf03d3f0f2e7601fcbdc6c

      SHA512

      9c68f7f72dfa109fcfba6472a1cced85bc6c2a5481232c6d1d039c88b2f65fb86070aeb26ac23e420c6255daca02ea6e698892f7670298d2c4f741b9e9415c7f

      Download Submit

    • memory/1212-24-0x0000000002DE0000-0x0000000002DE1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/1688-15-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2776-28-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2776-932-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download

    • memory/2776-960-0x0000000000400000-0x0000000000429000-memory.dmp

      Filesize

      164KB

      Download