Analysis
- max time kernel: 140s
- max time network: 138s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 05/11/2024, 23:25
- Static task: static1
- Behavioral task behavioral1: sample 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, resource win7-20240903-en
- Behavioral task behavioral2: sample 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, resource win10v2004-20241007-en
General
- Target: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
- Size: 10.7MB
- MD5: c679d949e24f0da8ada06aa84d718bfe
- SHA1: 972f771daeb976b70c4847f929a83bd5917cb23e
- SHA256: 7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c
- SHA512: ed721e1eb14fec0dde13dd09813be87d187032ea75c6825bd2866e367de28d8535de1e591ed51d6583ea510c02fc9a11779cdf7356f6fadbce24282bea4d52ee
- SSDEEP: 98304:n9xyitjorTcHhK3Dcwbp2VMprvrIVTYmnbOMt7ZUy6TX0i:mp/cHhw2hqCt9Uy6TX0i
Malware Config
Signatures
- Renames multiple (316) files with added filename extension
  This suggests ransomware activity: the files on the system are being encrypted.
- Executes dropped EXE (3 IoCs)
  - PID 804: sysx32.exe
  - PID 3296: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
  - PID 4644: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe)
- Enumerates connected drives (3 TTPs, 23 IoCs)
  Attempts to read the root path of hard drives other than the default C: drive.
  - File opened (read-only) by sysx32.exe: \??\B:, \??\K:, \??\O:, \??\P:, \??\U:, \??\X:, \??\A:, \??\G:, \??\I:, \??\S:, \??\E:, \??\H:, \??\J:, \??\N:, \??\Q:, \??\R:, \??\T:, \??\V:, \??\L:, \??\M:, \??\W:, \??\Y:, \??\Z:
- Drops file in System32 directory (64 IoCs)
- Drops file in Program Files directory (64 IoCs)
- Drops file in Windows directory (64 IoCs)
- Program crash (1 IoC)
  - PID 2004 (WerFault.exe), target PID 4644, target procid 88
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: sysx32.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe)
  - Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe)
- Suspicious use of FindShellTrayWindow (1 IoC)
  - PID 3296: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  - PID 3296: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 1504 wrote to memory of 804 (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 85)
  - PID 1504 wrote to memory of 804 (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 85)
  - PID 1504 wrote to memory of 804 (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 85)
  - PID 1504 wrote to memory of 3296 (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 86)
  - PID 1504 wrote to memory of 3296 (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 86)
  - PID 1504 wrote to memory of 3296 (process: 2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 86)
  - PID 3296 wrote to memory of 4644 (process: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 88)
  - PID 3296 wrote to memory of 4644 (process: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 88)
  - PID 3296 wrote to memory of 4644 (process: _2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe, target procid 88)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe (PID 1504)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe"
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\sysx32.exe (PID 804)
    Command line: C:\Windows\system32\sysx32.exe /scan
    - Executes dropped EXE
    - Enumerates connected drives
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe (PID 3296)
    Command line: C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe (PID 4644)
      Command line: C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe --type=collab-renderer --proc=3296
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - C:\Windows\SysWOW64\WerFault.exe (PID 2004)
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1008
        - Program crash
- C:\Windows\SysWOW64\WerFault.exe (PID 2016)
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4644 -ip 4644
Network
MITRE ATT&CK Enterprise v15
Downloads