Analysis

  • max time kernel
    140s
  • max time network
    138s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2024, 23:25

General

  • Target

    2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

  • Size

    10.7MB

  • MD5

    c679d949e24f0da8ada06aa84d718bfe

  • SHA1

    972f771daeb976b70c4847f929a83bd5917cb23e

  • SHA256

    7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c

  • SHA512

    ed721e1eb14fec0dde13dd09813be87d187032ea75c6825bd2866e367de28d8535de1e591ed51d6583ea510c02fc9a11779cdf7356f6fadbce24282bea4d52ee

  • SSDEEP

    98304:n9xyitjorTcHhK3Dcwbp2VMprvrIVTYmnbOMt7ZUy6TX0i:mp/cHhw2hqCt9Uy6TX0i

Malware Config

Signatures

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity: encrypting all the files on the system.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • Program crash 1 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe"
    1⤵
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:1504
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      2⤵
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:804
    • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
      C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:3296
      • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe
        C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe --type=collab-renderer --proc=3296
        3⤵
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:4644
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -u -p 4644 -s 1008
          4⤵
          • Program crash
          PID:2004
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4644 -ip 4644
    1⤵
    PID:2016

Network

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files\7-Zip\7z.exe

    Filesize

    10.7MB

    MD5

    b87635a654a3114d002a8afa35aa1f21

    SHA1

    8bd68dab76853a473189ddc7c2dc1a7021accd43

    SHA256

    b9d5f07627feeb624dc2cc4afc3edfb51a827fd75af29a08d9e3249ee8e97d93

    SHA512

    a84a829416a74c5a061f473a3065efa4e78b22d3ea31e9a056aec8a219fa586877788b72bbf9d11f75df1ec0d8a2f09707dad78edfb750b189f48c67ce5499f2

  • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_c679d949e24f0da8ada06aa84d718bfe_magniber.exe

    Filesize

    10.6MB

    MD5

    b35327b6468894d08999a3579c4a8c0d

    SHA1

    ae5ceda3cecb3f9c64d2bbb02d764f0c5394f441

    SHA256

    c127bb107832faac1c823dd63af009b5e891f4dbaca1e4c299a549d22e3446c3

    SHA512

    67a537194e37fc0db15ac52b8c7f874e719f55b9f5e76e08cc56fc8913e9cba8903ead6eddfbbac93b871d2314cabe99803140a9b2ed319b24017dcc79fc7475

  • C:\Windows\SysWOW64\sysx32.exe

    Filesize

    10.7MB

    MD5

    c679d949e24f0da8ada06aa84d718bfe

    SHA1

    972f771daeb976b70c4847f929a83bd5917cb23e

    SHA256

    7281291a85f7446bd8d15c9c9af312711550cac86cd5ba8d9921c56de3ca913c

    SHA512

    ed721e1eb14fec0dde13dd09813be87d187032ea75c6825bd2866e367de28d8535de1e591ed51d6583ea510c02fc9a11779cdf7356f6fadbce24282bea4d52ee

  • memory/804-638-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/804-639-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/804-1281-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/804-2689-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/804-2690-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/804-2691-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/804-2692-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/804-2693-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1504-75-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1504-74-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB

  • memory/1504-0-0x0000000000400000-0x0000000000411000-memory.dmp

    Filesize

    68KB