Analysis

max time kernel: 140s
max time network: 123s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 05/11/2024, 23:25
Static task: static1

Behavioral task: behavioral1
  Sample: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  Resource: win7-20240903-en

Behavioral task: behavioral2
  Sample: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  Resource: win10v2004-20241007-en
General

Target: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
Size: 10.7MB
MD5: c679d949e24f0da8ada06aa84d718bfe
SHA1: 972f771daeb976b70c4847f929a83bd5917cb23e
SHA256: 7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c
SHA512: ed721e1eb14fec0dde13dd09813be87d187032ea75c6825bd2866e367de28d8535de1e591ed51d6583ea510c02fc9a11779cdf7356f6fadbce24282bea4d52ee
SSDEEP: 98304:n9xyitjorTcHhK3Dcwbp2VMprvrIVTYmnbOMt7ZUy6TX0i:mp/cHhw2hqCt9Uy6TX0i
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
  pid | Process
  2328 | sysx32.exe
  2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  2864 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

Loads dropped DLL (4 IoCs)
  pid | Process
  2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
Adds Run key to start application (2 TTPs, 1 IoC)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
Enumerates connected drives (3 TTPs, 2 IoCs)
Attempts to read the root path of hard drives other than the default C: drive.
  description | ioc | Process
  File opened (read-only) | \??\A: | sysx32.exe
  File opened (read-only) | \??\B: | sysx32.exe
Drops file in System32 directory (3 IoCs)
  description | ioc | Process
  File created | C:\Windows\SysWOW64\sysx32.exe | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  File opened for modification | C:\Windows\SysWOW64\sysx32.exe | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  File created | C:\Windows\SysWOW64\sysx32.exe | sysx32.exe
Drops file in Program Files directory (2 IoCs)
  description | ioc | Process
  File created | C:\Program Files\7-Zip\7z.exe.tmp | sysx32.exe
  File opened for modification | C:\Program Files\7-Zip\7z.exe.tmp | sysx32.exe
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
Suspicious use of FindShellTrayWindow (1 IoC)
  pid | Process
  2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

Suspicious use of SendNotifyMessage (1 IoC)
  pid | Process
  2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
Suspicious use of WriteProcessMemory (12 IoCs)
  description | pid | Process | procid_target
  PID 2316 wrote to memory of 2328 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 30
  PID 2316 wrote to memory of 2328 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 30
  PID 2316 wrote to memory of 2328 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 30
  PID 2316 wrote to memory of 2328 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 30
  PID 2316 wrote to memory of 2812 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 31
  PID 2316 wrote to memory of 2812 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 31
  PID 2316 wrote to memory of 2812 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 31
  PID 2316 wrote to memory of 2812 | 2316 | 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 31
  PID 2812 wrote to memory of 2864 | 2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 32
  PID 2812 wrote to memory of 2864 | 2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 32
  PID 2812 wrote to memory of 2864 | 2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 32
  PID 2812 wrote to memory of 2864 | 2812 | _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe | 32
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe"
  PID: 2316
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  [depth 2] C:\Windows\SysWOW64\sysx32.exe
    Command line: C:\Windows\system32\sysx32.exe /scan
    PID: 2328
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory

  [depth 2] C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
    PID: 2812
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory

    [depth 3] C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe --type=collab-renderer --proc=2812
      PID: 2864
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 10.6MB
  MD5: b35327b6468894d08999a3579c4a8c0d
  SHA1: ae5ceda3cecb3f9c64d2bbb02d764f0c5394f441
  SHA256: c127bb107832faac1c823dd63af009b5e891f4dbaca1e4c299a549d22e3446c3
  SHA512: 67a537194e37fc0db15ac52b8c7f874e719f55b9f5e76e08cc56fc8913e9cba8903ead6eddfbbac93b871d2314cabe99803140a9b2ed319b24017dcc79fc7475

- Filesize: 10.7MB
  MD5: c679d949e24f0da8ada06aa84d718bfe
  SHA1: 972f771daeb976b70c4847f929a83bd5917cb23e
  SHA256: 7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c
  SHA512: ed721e1eb14fec0dde13dd09813be87d187032ea75c6825bd2866e367de28d8535de1e591ed51d6583ea510c02fc9a11779cdf7356f6fadbce24282bea4d52ee