Analysis

  • max time kernel
    148s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    05/11/2024, 23:27

General

  • Target

    2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

  • Size

    7.1MB

  • MD5

    cd4e0696f981277d3f3513f34549f125

  • SHA1

    43fa109b18d953344faae6afb987809a9a0a266a

  • SHA256

    59cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee

  • SHA512

    87f160cea14d958950010142d49f49b7522bbe1625665a56830b5c77b405627cc79405af235d0a238eaad7627774a009231527e7678b712b7b365090316cac86

  • SSDEEP

    98304:n9xyitjorTcHhK3Dcwbp2VMprvrGD7nTsR:mp/cHhw2MR

Malware Config

Signatures

  • Renames multiple (316) files with added filename extension

    This suggests ransomware activity of encrypting all the files on the system.

  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
  • Enumerates connected drives 3 TTPs 23 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 64 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe"
    • Adds Run key to start application
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2796
    • C:\Windows\SysWOW64\sysx32.exe
      C:\Windows\system32\sysx32.exe /scan
      • Executes dropped EXE
      • Enumerates connected drives
      • Drops file in System32 directory
      • Drops file in Program Files directory
      • Drops file in Windows directory
      • System Location Discovery: System Language Discovery
      PID:1004
    • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
      C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of WriteProcessMemory
      PID:2108
      • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe
        C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe --type=collab-renderer --proc=2108
        • Executes dropped EXE
        • System Location Discovery: System Language Discovery
        PID:2740

Network

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\Program Files\7-Zip\7z.exe

          Filesize

          7.1MB

          MD5

          cf91782089cf539220245a8ab01a89ce

          SHA1

          282f6f74537fa89a6e69a5210b14dd450b725f57

          SHA256

          36198acb04425ee207c21504171bbc9ae3f860e75d1f6d4aea9c1b476c596449

          SHA512

          a5ace830c7553e5428c64f6f7679afebf63f1db256d9151058effc0d36b07ca265a3372d18503cbf0d847e5def4878d82cd032146deb096e476a439fd7f917bb

        • C:\Users\Admin\AppData\Local\Temp\_2024-11-05_cd4e0696f981277d3f3513f34549f125_magniber.exe

          Filesize

          7.1MB

          MD5

          05fc7907ae77304429f2099533e39e73

          SHA1

          f3e98ee40c9473d64222e4ecb783aa5234767719

          SHA256

          ee5a827a0d216ea35652c121ec85be227832e81592f4eeb6ea78012f0a6ce207

          SHA512

          6e7a56b53b73aaa1dfcc1ef721bf421f557872d2222db3cb43ee78ac4ca22eae2f1b2dd53eeec332e15262efd1cef778662b164a41d58570f43348730cc8d93d

        • C:\Windows\SysWOW64\sysx32.exe

          Filesize

          7.1MB

          MD5

          cd4e0696f981277d3f3513f34549f125

          SHA1

          43fa109b18d953344faae6afb987809a9a0a266a

          SHA256

          59cf20a6b5ad5973b75fe12431bb5e3455650cc3176cef5aeaca0e7da7cb09ee

          SHA512

          87f160cea14d958950010142d49f49b7522bbe1625665a56830b5c77b405627cc79405af235d0a238eaad7627774a009231527e7678b712b7b365090316cac86

        • memory/1004-827-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1004-826-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1004-1709-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1004-2689-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1004-2690-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/1004-2691-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2796-0-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB

        • memory/2796-133-0x0000000000400000-0x0000000000411000-memory.dmp

          Filesize

          68KB