b96e81b936927a165c12f9752aa25a7753ab1ce2d429374b585512090031d853

General

Target

2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Size

3.1MB
MD5

ba88b24a04173ea75c436dee3b394975
SHA1

bdd9e32cf205c1135bcc7a2453dda08cbbfc666e
SHA256

b96e81b936927a165c12f9752aa25a7753ab1ce2d429374b585512090031d853
SHA512

a0c706c8ffe8d8d5b2c44e7fa334df5324304444b97a0693cf7b3ca67add8fbb11c78522559797c9411dbb94b87ada4febc63766783335d0589e0167b9586864
SSDEEP

49152:FMDRZ9IBVL+s0ezJGd80SHMsThF35Hj1BzuAhcEC1Xoe:FMDtIXLr06AdfEThF35PzuacEQD

Score

7^/10

discovery

Malware Config

Signatures

Deletes itself 1 IoCs

Processes:

cmd.exe

pid process

1596 cmd.exe
Executes dropped EXE 1 IoCs

Processes:

2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe

pid process

2412 2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Loads dropped DLL 1 IoCs

Processes:

cmd.exe

pid process

1596 cmd.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

pid	process
1596	cmd.exe

pid	process
2412	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe

pid	process
1596	cmd.exe

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.execmd.exeschtasks.exeschtasks.execmd.exechcp.comtimeout.exe2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.execmd.exeipconfig.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	chcp.com
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

936 timeout.exe
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.

System Information Discovery
T1082

Command and Scripting Interpreter
T1059

Processes:

ipconfig.exe

pid process

540 ipconfig.exe
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence execution

Scheduled Task
T1053.005

Processes:

schtasks.exe

pid process

2060 schtasks.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe

pid process

2412 2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
2412 2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe

pid	process
936	timeout.exe

pid	process
540	ipconfig.exe

pid	process
2060	schtasks.exe

pid	process
2412	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
2412	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe

Suspicious use of WriteProcessMemory 36 IoCs

Processes:

2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.execmd.execmd.exe2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.execmd.exe

description	pid	process	target process
PID 2320 wrote to memory of 1612	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2320 wrote to memory of 1612	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2320 wrote to memory of 1612	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2320 wrote to memory of 1612	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2320 wrote to memory of 1596	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2320 wrote to memory of 1596	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2320 wrote to memory of 1596	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2320 wrote to memory of 1596	2320	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 1612 wrote to memory of 3064	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 3064	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 3064	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 3064	1612	cmd.exe	schtasks.exe
PID 1596 wrote to memory of 2288	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 2288	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 2288	1596	cmd.exe	chcp.com
PID 1596 wrote to memory of 2288	1596	cmd.exe	chcp.com
PID 1612 wrote to memory of 2060	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 2060	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 2060	1612	cmd.exe	schtasks.exe
PID 1612 wrote to memory of 2060	1612	cmd.exe	schtasks.exe
PID 1596 wrote to memory of 2412	1596	cmd.exe	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
PID 1596 wrote to memory of 2412	1596	cmd.exe	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
PID 1596 wrote to memory of 2412	1596	cmd.exe	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
PID 1596 wrote to memory of 2412	1596	cmd.exe	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
PID 1596 wrote to memory of 936	1596	cmd.exe	timeout.exe
PID 1596 wrote to memory of 936	1596	cmd.exe	timeout.exe
PID 1596 wrote to memory of 936	1596	cmd.exe	timeout.exe
PID 1596 wrote to memory of 936	1596	cmd.exe	timeout.exe
PID 2412 wrote to memory of 1716	2412	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2412 wrote to memory of 1716	2412	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2412 wrote to memory of 1716	2412	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 2412 wrote to memory of 1716	2412	2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe	cmd.exe
PID 1716 wrote to memory of 540	1716	cmd.exe	ipconfig.exe
PID 1716 wrote to memory of 540	1716	cmd.exe	ipconfig.exe
PID 1716 wrote to memory of 540	1716	cmd.exe	ipconfig.exe
PID 1716 wrote to memory of 540	1716	cmd.exe	ipconfig.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2320
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zbe20241119123722536.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1612
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /delete /tn "Maintenance" /f
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3064
- - C:\Windows\SysWOW64\schtasks.exe
    Schtasks.Exe /create /tn "Maintenance" /xml "C:\Users\Admin\AppData\Local\Temp\zx20241119123722536.xml"
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2060
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\zb20241119123722536.bat" "
  2⤵
  - Deletes itself
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1596
- - C:\Windows\SysWOW64\chcp.com
    chcp 1251
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2288
- - C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-11-19_ba88b24a04173ea75c436dee3b394975_magniber_nymaim.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:2412
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /C ipconfig /all >> "C:\Users\Admin\AppData\Local\Temp\HP_CCC\HpOsInfo.txt"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1716
    - - C:\Windows\SysWOW64\ipconfig.exe
        
        ipconfig /all
        5⤵
        System Location Discovery: System Language Discovery
        Gathers network information
        
        PID:540
- - C:\Windows\SysWOW64\timeout.exe
    timeout /t 3 /nobreak
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:936

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

1

T1059

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Persistence

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Privilege Escalation

Scheduled Task/Job

1

T1053

Scheduled Task

1

T1053.005

Defense Evasion

Credential Access

Discovery

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HP_CCC\HpOsInfo.txt

Filesize
104B

MD5
b824d1fe03f101d1bbfeb5651a9ee52b

SHA1
302c2c7c6fe84e881ab243fa1457af3cc28fa4a8

SHA256
9c787ed3b31ffbc1913fafa11031456ab72cd9ead7d559c12bfb4856c94e134e

SHA512
2834c7ee83a1d80782b42c847991df2113f59d69d0632c9e2cb4546144e41b045dc3fa0fa7fe0f5eac384691e2c83ba26448aa5537fefc87e340b9300b5e729b

Download Submit
C:\Users\Admin\AppData\Local\Temp\zb20241119123722536.bat

Filesize
744B

MD5
45d77fc6aabd61fd3d2701320294ede5

SHA1
bd3a1d126e52794758ab4620be25e7d3718c2b9a

SHA256
bdb4879addf996b2d766f310618ab13c11f3202986e7abada612976d0257452d

SHA512
feb1d4bbfe187cc84a6fdcdc3bfa410f21eb0a2bd5696e5160b057f6aaf23fc054ba7e9f94f6dfe983dd3168c3f8db0b71b236cdd1b460dcfd919573a1375ebc

Download Submit
C:\Users\Admin\AppData\Local\Temp\zbe20241119123722536.bat

Filesize
379B

MD5
db8fb7a97f135b5e16fc06bf465f136a

SHA1
00e26d485a5337e5b6a55f11ef3e50cbe7f23611

SHA256
55b4c19c54bbb8caf90add7deaac935e59ca9acc557e191a576cead24f49f6ab

SHA512
5c194c8487c837cbe0bf350dda0a65a8023e7f82642e716b6f29ca1dda8b2b0692b44f43ce6a5237d763b71dc1d416d41747ac5d219baad8a7cce42e86c9114c

Download Submit
C:\Users\Admin\AppData\Local\Temp\ze20241119123722536.tmp

Filesize
3.1MB

MD5
eda2b634ec03bb63bcc03039424feefa

SHA1
937a0ec57acbf2a85b402905823432e64ff1e42f

SHA256
e25b98ed0153d8a73b40b0eceb8237fa2399beec4e984b4f806bb80e17b71d7e

SHA512
38ec2b8ce7b2c6ba9b32d66965207e757684f28e1c0f41a525da37e46062ad5723a9a86d49aab5b6243e9855b856c9e207becf4ec8edb95be139e8bd331213a4

Download Submit
C:\Users\Admin\AppData\Local\Temp\zx20241119123722536.xml

Filesize
1KB

MD5
1c4523bc0de2d714e319fae3165f41b9

SHA1
9be7af0026f5eb17e02fb73cb34b071b51c732f2

SHA256
67cebcf4c2e0823e382f350c33a2110f1a35dacdcce19c3bb6e6ee6550f9b80a

SHA512
dee6a088431734b1dfe57474c5dbca7c632b75cd23fc2d16c868d8e633cd5d83961f7e6b98c83e605f5ba676bc4c5d08bd74c7ab8057a973cbf70b3ae1488c6d

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads