Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
05/11/2024, 23:27
Static task
static1
Behavioral task
behavioral1
Sample
2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
Resource
win10v2004-20241007-en
General
-
Target
2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
-
Size
7.1MB
-
MD5
cd4e0696f981277d3f3513f34549f125
-
SHA1
43fa109b18d953344faae6afb987809a9a0a266a
-
SHA256
59cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee
-
SHA512
87f160cea14d958950010142d49f49b7522bbe1625665a56830b5c77b405627cc79405af235d0a238eaad7627774a009231527e7678b712b7b365090316cac86
-
SSDEEP
98304:n9xyitjorTcHhK3Dcwbp2VMprvrGD7nTsR:mp/cHhw2MR
Malware Config
Signatures
-
Executes dropped EXE 3 IoCs
pid Process 2728 sysx32.exe 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 2824 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe -
Loads dropped DLL 4 IoCs
pid Process 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\sys32 = "C:\\Windows\\system32\\sysx32.exe" 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe -
Enumerates connected drives 3 TTPs 2 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\A: sysx32.exe File opened (read-only) \??\B: sysx32.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\sysx32.exe sysx32.exe File created C:\Windows\SysWOW64\sysx32.exe 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe File opened for modification C:\Windows\SysWOW64\sysx32.exe 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe -
Drops file in Program Files directory 2 IoCs
description ioc Process File opened for modification C:\Program Files\7-Zip\7z.exe.tmp sysx32.exe File created C:\Program Files\7-Zip\7z.exe.tmp sysx32.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 1088 wrote to memory of 2728 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 30 PID 1088 wrote to memory of 2728 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 30 PID 1088 wrote to memory of 2728 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 30 PID 1088 wrote to memory of 2728 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 30 PID 1088 wrote to memory of 2736 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 31 PID 1088 wrote to memory of 2736 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 31 PID 1088 wrote to memory of 2736 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 31 PID 1088 wrote to memory of 2736 1088 2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 31 PID 2736 wrote to memory of 2824 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 32 PID 2736 wrote to memory of 2824 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 32 PID 2736 wrote to memory of 2824 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 32 PID 2736 wrote to memory of 2824 2736 _2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe 32
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe"C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe"1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1088 -
C:\Windows\SysWOW64\sysx32.exeC:\Windows\system32\sysx32.exe /scan2⤵
- Executes dropped EXE
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
PID:2728
-
-
C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exeC:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736 -
C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exeC:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe --type=collab-renderer --proc=27363⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
PID:2824
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
7.1MB
MD505fc7907ae77304429f2099533e39e73
SHA1f3e98ee40c9473d64222e4ecb783aa5234767719
SHA256ee5a827a0d216ea35652c121ec85be227832e81592f4eeb6ea78012f0a6ce207
SHA5126e7a56b53b73aaa1dfcc1ef721bf421f557872d2222db3cb43ee78ac4ca22eae2f1b2dd53eeec332e15262efd1cef778662b164a41d58570f43348730cc8d93d
-
Filesize
7.1MB
MD5cd4e0696f981277d3f3513f34549f125
SHA143fa109b18d953344faae6afb987809a9a0a266a
SHA25659cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee
SHA51287f160cea14d958950010142d49f49b7522bbe1625665a56830b5c77b405627cc79405af235d0a238eaad7627774a009231527e7678b712b7b365090316cac86