a848bf1e584139446ba66896fe01aedf6726ce4e51bdb10b23afab53438c142a

General

Target

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
Size

292KB
MD5

5bc38f3130148964d82a642b314c0811
SHA1

b9755be3cb6de01745627c288253aeb680d307d6
SHA256

a848bf1e584139446ba66896fe01aedf6726ce4e51bdb10b23afab53438c142a
SHA512

0cbe3706a9a770aed43a3d5533a3ec183b236d14c4038c69490e719bfed2a835269727f7835256d711b3160bbc5f44d464efb20ab33750051ff26cd8319555bd
SSDEEP

3072:jNdkchM4eJY+kPsSNxq8RPCUek4pZhzVB+Nm+5XNtOCq+IYKC9ADQFcgtgVsN6fd:BzhM4em+kPsgzr4tSRq+IYKEA0bN67t7

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

Executes dropped EXE 2 IoCs

Processes:

winmgr.exewinmgr.exe

pid process

4156 winmgr.exe
4376 winmgr.exe

pid	process
4156	winmgr.exe
4376	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-5050259729679027539035209642065\\winmgr.exe"	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-5050259729679027539035209642065\\winmgr.exe"	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exewinmgr.exe

description	pid	process	target process
PID 2988 set thread context of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4156 set thread context of 4376	4156	winmgr.exe	winmgr.exe

Drops file in Program Files directory 8 IoCs

Processes:

winmgr.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

description	ioc	process
File created	C:\Windows\M-5050259729679027539035209642065\winmgr.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
File opened for modification	C:\Windows\M-5050259729679027539035209642065\winmgr.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
File opened for modification	C:\Windows\M-5050259729679027539035209642065	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

winmgr.execmd.exewinmgr.exe2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exewinmgr.exe

description	pid	process	target process
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2988 wrote to memory of 1496	2988	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 1496 wrote to memory of 3420	1496	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	cmd.exe
PID 1496 wrote to memory of 3420	1496	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	cmd.exe
PID 1496 wrote to memory of 3420	1496	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	cmd.exe
PID 1496 wrote to memory of 4156	1496	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	winmgr.exe
PID 1496 wrote to memory of 4156	1496	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	winmgr.exe
PID 1496 wrote to memory of 4156	1496	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe
PID 4156 wrote to memory of 4376	4156	winmgr.exe	winmgr.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1496
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\dtdrmutfnz.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3420
- - C:\Windows\M-5050259729679027539035209642065\winmgr.exe
    C:\Windows\M-5050259729679027539035209642065\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4156
  - - C:\Windows\M-5050259729679027539035209642065\winmgr.exe
      C:\Windows\M-5050259729679027539035209642065\winmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4376

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\dtdrmutfnz.bat

Filesize
278B

MD5
feef6747fd008416e2f871f045070370

SHA1
4124f11dc918be5a348553a39e9e64c3a3c439db

SHA256
019ee0d063d8ee88ff5e9901793d83ecf9beb30214b765cb77a067f66bab3db8

SHA512
e5a399a0f946d6fe43435a97a067bc585ff0367d06b6dd221575e9c5d4f830ea564cc21bc4d578b404e8615470b4ad2941e1fd22b344fadd3141feb2a44c4437

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqghumeay

Filesize
293KB

MD5
6b6a37ed5b442a3b97668e1ddb6004c4

SHA1
279e0f51045a17f23848718c5389551837bccfca

SHA256
94c644d258d4ab76a6ad688e7b24f0eefd9203ad4bd018ffa77d36d25d7c073a

SHA512
e9019da35128de423e4d5b6b09d847812449321597a1702bd3ea51e1e4ab2af63184837a566df59ebcfc789591a39ebf3737962ae92fab28eff6cd9045d8bcc0

Download Submit
C:\Windows\M-5050259729679027539035209642065\winmgr.exe

Filesize
292KB

MD5
5bc38f3130148964d82a642b314c0811

SHA1
b9755be3cb6de01745627c288253aeb680d307d6

SHA256
a848bf1e584139446ba66896fe01aedf6726ce4e51bdb10b23afab53438c142a

SHA512
0cbe3706a9a770aed43a3d5533a3ec183b236d14c4038c69490e719bfed2a835269727f7835256d711b3160bbc5f44d464efb20ab33750051ff26cd8319555bd

Download Submit
memory/1496-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1496-5-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/1496-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/2988-6-0x0000000003000000-0x0000000003054000-memory.dmp

Filesize
336KB

Download
memory/2988-0-0x0000000003000000-0x0000000003054000-memory.dmp

Filesize
336KB

Download
memory/2988-2-0x00000000005C0000-0x00000000006C0000-memory.dmp

Filesize
1024KB

Download
memory/4156-21-0x0000000000750000-0x0000000000850000-memory.dmp

Filesize
1024KB

Download
memory/4156-23-0x0000000003000000-0x0000000003054000-memory.dmp

Filesize
336KB

Download
memory/4376-22-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4376-24-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4376-26-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads