a848bf1e584139446ba66896fe01aedf6726ce4e51bdb10b23afab53438c142a

General

Target

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
Size

292KB
MD5

5bc38f3130148964d82a642b314c0811
SHA1

b9755be3cb6de01745627c288253aeb680d307d6
SHA256

a848bf1e584139446ba66896fe01aedf6726ce4e51bdb10b23afab53438c142a
SHA512

0cbe3706a9a770aed43a3d5533a3ec183b236d14c4038c69490e719bfed2a835269727f7835256d711b3160bbc5f44d464efb20ab33750051ff26cd8319555bd
SSDEEP

3072:jNdkchM4eJY+kPsSNxq8RPCUek4pZhzVB+Nm+5XNtOCq+IYKC9ADQFcgtgVsN6fd:BzhM4em+kPsgzr4tSRq+IYKEA0bN67t7

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

Executes dropped EXE 2 IoCs

Processes:

winmgr.exewinmgr.exe

pid process

2484 winmgr.exe
4452 winmgr.exe

pid	process
2484	winmgr.exe
4452	winmgr.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-5050259729679027539035209642065\\winmgr.exe"	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-5050259729679027539035209642065\\winmgr.exe"	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exewinmgr.exe

description	pid	process	target process
PID 4232 set thread context of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 2484 set thread context of 4452	2484	winmgr.exe	winmgr.exe

Drops file in Program Files directory 8 IoCs

Processes:

winmgr.exe

description	ioc	process
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\6.0.27\System.IO.Compression.ZipFile.dll	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File created	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\createdump.exe	winmgr.exe
File opened for modification	C:\Program Files\dotnet\shared\Microsoft.NETCore.App\7.0.16\System.IO.Compression.ZipFile.dll	winmgr.exe

Drops file in Windows directory 3 IoCs

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

description	ioc	process
File created	C:\Windows\M-5050259729679027539035209642065\winmgr.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
File opened for modification	C:\Windows\M-5050259729679027539035209642065\winmgr.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
File opened for modification	C:\Windows\M-5050259729679027539035209642065	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exewinmgr.execmd.exewinmgr.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmgr.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	winmgr.exe

Suspicious use of WriteProcessMemory 24 IoCs

Processes:

2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exewinmgr.exe

description	pid	process	target process
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 4232 wrote to memory of 3844	4232	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
PID 3844 wrote to memory of 732	3844	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	cmd.exe
PID 3844 wrote to memory of 732	3844	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	cmd.exe
PID 3844 wrote to memory of 732	3844	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	cmd.exe
PID 3844 wrote to memory of 2484	3844	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	winmgr.exe
PID 3844 wrote to memory of 2484	3844	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	winmgr.exe
PID 3844 wrote to memory of 2484	3844	2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe
PID 2484 wrote to memory of 4452	2484	winmgr.exe	winmgr.exe

C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4232
- C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-11-22_5bc38f3130148964d82a642b314c0811_magniber.exe"
  2⤵
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3844
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\pdxvscjiwl.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:732
- - C:\Windows\M-5050259729679027539035209642065\winmgr.exe
    C:\Windows\M-5050259729679027539035209642065\winmgr.exe
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2484
  - - C:\Windows\M-5050259729679027539035209642065\winmgr.exe
      C:\Windows\M-5050259729679027539035209642065\winmgr.exe
      4⤵
      Executes dropped EXE
      Drops file in Program Files directory
      System Location Discovery: System Language Discovery
      PID:4452

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pdxvscjiwl.bat

Filesize
278B

MD5
47066bf76e2b800a9a5df2efcea7ba30

SHA1
a513915a9567130063e9755a38827114cd6e7195

SHA256
9f06996d2cd1043ab32fe13f988dcef321340d7f5457cd03a5efb6ca4b6e6b1b

SHA512
0437a69fec8cc202b5cdeb2c7565b6d5bb42b628f0151ceaf1030367a9d63ec0d18a52796fd07a7d685416096cc5e13d2c5dc8f27ac327ca55d9a1cc243c6549

Download Submit
C:\Users\Admin\AppData\Local\Temp\phqghumeay

Filesize
293KB

MD5
6b6a37ed5b442a3b97668e1ddb6004c4

SHA1
279e0f51045a17f23848718c5389551837bccfca

SHA256
94c644d258d4ab76a6ad688e7b24f0eefd9203ad4bd018ffa77d36d25d7c073a

SHA512
e9019da35128de423e4d5b6b09d847812449321597a1702bd3ea51e1e4ab2af63184837a566df59ebcfc789591a39ebf3737962ae92fab28eff6cd9045d8bcc0

Download Submit
C:\Windows\M-5050259729679027539035209642065\winmgr.exe

Filesize
292KB

MD5
5bc38f3130148964d82a642b314c0811

SHA1
b9755be3cb6de01745627c288253aeb680d307d6

SHA256
a848bf1e584139446ba66896fe01aedf6726ce4e51bdb10b23afab53438c142a

SHA512
0cbe3706a9a770aed43a3d5533a3ec183b236d14c4038c69490e719bfed2a835269727f7835256d711b3160bbc5f44d464efb20ab33750051ff26cd8319555bd

Download Submit
memory/2484-18-0x0000000000550000-0x0000000000650000-memory.dmp

Filesize
1024KB

Download
memory/2484-23-0x0000000003000000-0x0000000003054000-memory.dmp

Filesize
336KB

Download
memory/3844-3-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3844-6-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/3844-7-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download
memory/4232-0-0x0000000003000000-0x0000000003054000-memory.dmp

Filesize
336KB

Download
memory/4232-2-0x0000000000400000-0x0000000000500000-memory.dmp

Filesize
1024KB

Download
memory/4232-5-0x0000000003000000-0x0000000003054000-memory.dmp

Filesize
336KB

Download
memory/4452-25-0x0000000000400000-0x000000000040D000-memory.dmp

Filesize
52KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads