Analysis

  • max time kernel
    148s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    05/11/2024, 23:25

General

  • Target

    2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe

  • Size

    9.5MB

  • MD5

    ba3a2af30efd8c3138475810580be6ee

  • SHA1

    7304c4f8b3865d0b3b49a6deed53a571f6066061

  • SHA256

    a3f168db9898d46e29efb229aea33e6082cfa6085eed3adec10de02fa4a25988

  • SHA512

    78c26ec428ed606b88c6e8c74217f4e07c329b50406ae64946f34b5216be82de80329cc8799d7b80cf0872a339ff1f9313accaf49c83e9eabec805aa2137ed5d

  • SSDEEP

    196608:mp/cHhw2rNAWgd/i7D4/mO4y/i2GhC5HeHxMX0RyXI:YcDuWgd/i7C/iHh4WxPf

Malware Config

Signatures

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:224
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:4768
    • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe
      C:\Users\Admin\AppData\Local\Temp\_2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:4860
      • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe
        C:\Users\Admin\AppData\Local\Temp\_2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe --type=collab-renderer --proc=4860
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2268

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          9.5MB

          MD5

          2b96aeffee3dd2d8d74b0b8f6b418411

          SHA1

          beae9f704b036133a296b39a8e43a4092bfb9c58

          SHA256

          6563be834a0ba75d2d0748170613751fbade8c8eeb89f197cdbd730d45b3858f

          SHA512

          9a767a44c477e1ca15a043ce167331f43f4703db0a9bfd3211d5e3e2d6bb0bcf3e9d38d22971b3418f8545fa0df1398df4e866ec999a8346355590a55320301a

        • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_ba3a2af30efd8c3138475810580be6ee_magniber.exe

          Filesize

          9.5MB

          MD5

          88fb8ea77eefc3141c19792ad3b74b45

          SHA1

          2ab88d0661d9c778ad2692d4a4c13543eade672d

          SHA256

          be5512a54d2614bc406b70b9477f90935732da6b81b673e0b091c17110cbf3c7

          SHA512

          5c44960917578a26f604ef0d16b7f77148e7e0a2a02a54a36543f0bf13c2958d6c2b4043af5cae6d5e3e6a3c22398e7b2cc60bbe3f28468f54372e497386038e

        • C:\Windows\SysWOW64\sysx32.exe

          Filesize

          9.5MB

          MD5

          ba3a2af30efd8c3138475810580be6ee

          SHA1

          7304c4f8b3865d0b3b49a6deed53a571f6066061

          SHA256

          a3f168db9898d46e29efb229aea33e6082cfa6085eed3adec10de02fa4a25988

          SHA512

          78c26ec428ed606b88c6e8c74217f4e07c329b50406ae64946f34b5216be82de80329cc8799d7b80cf0872a339ff1f9313accaf49c83e9eabec805aa2137ed5d

        • memory/224-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/224-142-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/4768-699-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/4768-702-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/4768-1407-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/4768-2689-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/4768-2690-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/4768-2691-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/4768-2692-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB