xred | d128937db49232e9c249d0bda249fe19f6b421081afddd76d4a96a4cd2f4ebde

Analysis

max time kernel
17s
max time network
16s
platform
windows7_x64
resource
win7-20241023-en
resource tags

arch:x64arch:x86image:win7-20241023-enlocale:en-usos:windows7-x64system
submitted
29-11-2024 18:10

Sharing

Copy URL

Twitter E-mail

Reason

Machine shutdown

Report Analysis Logs

General

Target

2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Size

16.2MB
MD5

2af0b11517e28a1f1c46aa005771eed0
SHA1

71cbc6c3dbb9004543f0dc3e6d033d173e186d44
SHA256

d128937db49232e9c249d0bda249fe19f6b421081afddd76d4a96a4cd2f4ebde
SHA512

a5aea38fa8701859c36934e2de9df316d12e6adb4363548bcf6f1970b95ed68ce1939ad06d40f520ba93cff248db0b6350265024d9f76c0aa40abaf2d6f2d62b
SSDEEP

393216:pVHoIKb7Kbc0QLxOq1E4KP0KS/vQukGD+rH9RFvyFwK:Hov89C4+KP0KSn9kVrHY9

Score

10^/10

xred backdoor discovery persistence

Malware Config

Extracted

Family

xred

xred.mooo.com

Attributes

email
[email protected]
payload_url
http://freedns.afraid.org/api/?action=getdyndns&sha=a30fa98efc092684e8d1c5cff797bcc613562978

https://docs.google.com/uc?id=0BxsMXGfPIZfSVlVsOGlEVGxuZVk&export=download

https://www.dropbox.com/s/n1w4p8gc6jzo0sg/SUpdate.ini?dl=1

http://xred.site50.net/syn/SUpdate.ini

https://docs.google.com/uc?id=0BxsMXGfPIZfSVzUyaHFYVkQxeFk&export=download

https://www.dropbox.com/s/zhp1b06imehwylq/Synaptics.rar?dl=1

http://xred.site50.net/syn/Synaptics.rar

https://docs.google.com/uc?id=0BxsMXGfPIZfSTmlVYkxhSDg5TzQ&export=download

https://www.dropbox.com/s/fzj752whr3ontsm/SSLLibrary.dll?dl=1

http://xred.site50.net/syn/SSLLibrary.dll

Signatures

Xred
Xred is backdoor written in Delphi.
backdoor xred
Xred family
xred

Executes dropped EXE 13 IoCs

pid	Process
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2596	Synaptics.exe
1736	._cache_Synaptics.exe
2864	ISBEW64.exe
2708	ISBEW64.exe
2812	ISBEW64.exe
2216	ISBEW64.exe
1924	ISBEW64.exe
1840	ISBEW64.exe
2372	ISBEW64.exe
1280	ISBEW64.exe
1384	ISBEW64.exe
2364	ISBEW64.exe

Loads dropped DLL 20 IoCs

pid	Process
1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2596	Synaptics.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2596	Synaptics.exe
2996	MsiExec.exe
2996	MsiExec.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\L:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\P:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\R:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\B:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\J:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\T:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\Y:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\I:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\N:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\W:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\U:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Q:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\S:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\Z:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\O:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\H:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\M:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\V:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\X:	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
File opened (read-only)	\??\H:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2596	Synaptics.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
2596	Synaptics.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeRestorePrivilege	576	msiexec.exe
Token: SeTakeOwnershipPrivilege	576	msiexec.exe
Token: SeSecurityPrivilege	576	msiexec.exe
Token: SeCreateTokenPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeLockMemoryPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeIncreaseQuotaPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeMachineAccountPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeTcbPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSecurityPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeTakeOwnershipPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeLoadDriverPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSystemProfilePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSystemtimePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeProfSingleProcessPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeIncBasePriorityPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreatePagefilePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreatePermanentPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeBackupPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeRestorePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeShutdownPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeDebugPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeAuditPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSystemEnvironmentPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeChangeNotifyPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeRemoteShutdownPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeUndockPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSyncAgentPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeEnableDelegationPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeManageVolumePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeImpersonatePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreateGlobalPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreateTokenPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeLockMemoryPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeIncreaseQuotaPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeMachineAccountPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeTcbPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSecurityPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeTakeOwnershipPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeLoadDriverPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSystemProfilePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSystemtimePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeProfSingleProcessPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeIncBasePriorityPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreatePagefilePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreatePermanentPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeBackupPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeRestorePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeShutdownPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeDebugPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeAuditPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSystemEnvironmentPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeChangeNotifyPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeRemoteShutdownPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeUndockPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeSyncAgentPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeEnableDelegationPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeManageVolumePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeImpersonatePrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreateGlobalPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeCreateTokenPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeAssignPrimaryTokenPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
Token: SeLockMemoryPrivilege	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1272 wrote to memory of 2352	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	30
PID 1272 wrote to memory of 2352	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	30
PID 1272 wrote to memory of 2352	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	30
PID 1272 wrote to memory of 2352	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	30
PID 1272 wrote to memory of 2352	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	30
PID 1272 wrote to memory of 2352	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	30
PID 1272 wrote to memory of 2352	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	30
PID 1272 wrote to memory of 2596	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	31
PID 1272 wrote to memory of 2596	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	31
PID 1272 wrote to memory of 2596	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	31
PID 1272 wrote to memory of 2596	1272	2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	31
PID 2596 wrote to memory of 1736	2596	Synaptics.exe	32
PID 2596 wrote to memory of 1736	2596	Synaptics.exe	32
PID 2596 wrote to memory of 1736	2596	Synaptics.exe	32
PID 2596 wrote to memory of 1736	2596	Synaptics.exe	32
PID 2596 wrote to memory of 1736	2596	Synaptics.exe	32
PID 2596 wrote to memory of 1736	2596	Synaptics.exe	32
PID 2596 wrote to memory of 1736	2596	Synaptics.exe	32
PID 576 wrote to memory of 2996	576	msiexec.exe	35
PID 576 wrote to memory of 2996	576	msiexec.exe	35
PID 576 wrote to memory of 2996	576	msiexec.exe	35
PID 576 wrote to memory of 2996	576	msiexec.exe	35
PID 576 wrote to memory of 2996	576	msiexec.exe	35
PID 576 wrote to memory of 2996	576	msiexec.exe	35
PID 576 wrote to memory of 2996	576	msiexec.exe	35
PID 2352 wrote to memory of 2864	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	36
PID 2352 wrote to memory of 2864	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	36
PID 2352 wrote to memory of 2864	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	36
PID 2352 wrote to memory of 2864	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	36
PID 2352 wrote to memory of 2708	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	37
PID 2352 wrote to memory of 2708	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	37
PID 2352 wrote to memory of 2708	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	37
PID 2352 wrote to memory of 2708	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	37
PID 2352 wrote to memory of 2812	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	38
PID 2352 wrote to memory of 2812	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	38
PID 2352 wrote to memory of 2812	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	38
PID 2352 wrote to memory of 2812	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	38
PID 2352 wrote to memory of 2216	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	39
PID 2352 wrote to memory of 2216	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	39
PID 2352 wrote to memory of 2216	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	39
PID 2352 wrote to memory of 2216	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	39
PID 2352 wrote to memory of 1924	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	40
PID 2352 wrote to memory of 1924	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	40
PID 2352 wrote to memory of 1924	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	40
PID 2352 wrote to memory of 1924	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	40
PID 2352 wrote to memory of 1840	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	41
PID 2352 wrote to memory of 1840	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	41
PID 2352 wrote to memory of 1840	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	41
PID 2352 wrote to memory of 1840	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	41
PID 2352 wrote to memory of 2372	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	42
PID 2352 wrote to memory of 2372	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	42
PID 2352 wrote to memory of 2372	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	42
PID 2352 wrote to memory of 2372	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	42
PID 2352 wrote to memory of 1280	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	43
PID 2352 wrote to memory of 1280	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	43
PID 2352 wrote to memory of 1280	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	43
PID 2352 wrote to memory of 1280	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	43
PID 2352 wrote to memory of 1384	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	44
PID 2352 wrote to memory of 1384	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	44
PID 2352 wrote to memory of 1384	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	44
PID 2352 wrote to memory of 1384	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	44
PID 2352 wrote to memory of 2364	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	45
PID 2352 wrote to memory of 2364	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	45
PID 2352 wrote to memory of 2364	2352	._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe	45

C:\Users\Admin\AppData\Local\Temp\2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1272
- C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe
  "C:\Users\Admin\AppData\Local\Temp\._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Enumerates connected drives
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2352
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{C6753DA2-AFD0-4D15-B98B-79D9175D69CD}
    3⤵
    - Executes dropped EXE
    PID:2864
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{28459CF4-7298-48E4-8C9D-40A5FCA846A4}
    3⤵
    - Executes dropped EXE
    PID:2708
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{1CE6EA73-726A-4102-A1B6-C6B78DCEE440}
    3⤵
    - Executes dropped EXE
    PID:2812
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AAAE2E68-AF41-480B-8574-560AC48CED48}
    3⤵
    - Executes dropped EXE
    PID:2216
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{AF862F57-E818-416E-A5CD-83E0547A8650}
    3⤵
    - Executes dropped EXE
    PID:1924
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{5B0368A7-146C-4619-80C0-38E6151DB193}
    3⤵
    - Executes dropped EXE
    PID:1840
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{87D3F432-3FD1-43B8-A5CB-CDEED4B1A01C}
    3⤵
    - Executes dropped EXE
    PID:2372
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{851590DF-C3B9-453B-B5AC-73141ECD443B}
    3⤵
    - Executes dropped EXE
    PID:1280
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{31F4201F-815B-4B7A-9198-55FB5847BA92}
    3⤵
    - Executes dropped EXE
    PID:1384
- - C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe
    C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe {EFB7539B-24F3-46B6-AF6E-3B021B51EFEF}:{4B335D98-118B-48AE-AA17-E11D79BA4EC8}
    3⤵
    - Executes dropped EXE
    PID:2364
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2596
- - C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    PID:1736

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 71C0A72431AA12DD42F11B96C7FC2915 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:2996

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x0
1⤵
PID:2868

C:\Windows\system32\LogonUI.exe
"LogonUI.exe" /flags:0x1
1⤵
PID:940

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
16.2MB

MD5
2af0b11517e28a1f1c46aa005771eed0

SHA1
71cbc6c3dbb9004543f0dc3e6d033d173e186d44

SHA256
d128937db49232e9c249d0bda249fe19f6b421081afddd76d4a96a4cd2f4ebde

SHA512
a5aea38fa8701859c36934e2de9df316d12e6adb4363548bcf6f1970b95ed68ce1939ad06d40f520ba93cff248db0b6350265024d9f76c0aa40abaf2d6f2d62b

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0E1CD991-BA7F-4867-A461-9C51FBC023B9}\0x0409.ini

Filesize
21KB

MD5
be345d0260ae12c5f2f337b17e07c217

SHA1
0976ba0982fe34f1c35a0974f6178e15c238ed7b

SHA256
e994689a13b9448c074f9b471edeec9b524890a0d82925e98ab90b658016d8f3

SHA512
77040dbee29be6b136a83b9e444d8b4f71ff739f7157e451778fb4fccb939a67ff881a70483de16bcb6ae1fea64a89e00711a33ec26f4d3eea8e16c9e9553eff

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0E1CD991-BA7F-4867-A461-9C51FBC023B9}\Wireless LAN Driver.msi

Filesize
2.9MB

MD5
5440f4c8f2dc447fc20c8bd8fd2929dc

SHA1
78e4d3753c83f96e8428ef3090a1371bd612965b

SHA256
1cda0a99b10a0ff822d21b8150151a7bb77b632b161acfa8d97c79ca4f19ff78

SHA512
efc0b624da71c46feb460ae0ed613b6ebc8b6b3d81e42178f362acbbdc4dee4a06fb1fffb3f3b11b0533f69be42257af29cabdcae3d6c16d662e91cab21728c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{0E1CD991-BA7F-4867-A461-9C51FBC023B9}\_ISMSIDEL.INI

Filesize
4KB

MD5
8d32f309ab91415b39c3884b84244e52

SHA1
14c527f8ac99c720722ecb17b51da77953c0dc90

SHA256
bfa5594fe6c1f1efe6388abfac674d433ebe2413289fa94eb52eb979b818b36d

SHA512
3629e61996115f3a7aaf3482d3ee21c4f7756dc6ec5638fe02e795d77822d04a5470844f0eac7097b94dab373a716a9a45d90f0b0b58b6344d71f8c882fc196c

Download Submit
C:\Users\Admin\AppData\Local\Temp\{E9EF0433-98B1-49DE-9283-B1AD030D1D23}\_ISMSIDEL.INI

Filesize
4KB

MD5
27517adec7cf0912203b999866b5cf33

SHA1
b7284caf214e51c35a354833b7218907a4247495

SHA256
1e33116bb879540fec5ce1aa4045e5184fb1e76e08a7a90672917dfd06c2ef5a

SHA512
aaaae77f79324123e593907851349a66d6ea0d0e682fe02eaaeb052abc5924f60db6ca6d4387b96f0f7fbab617e448a6ccebe6de8a51917635797d469038ef93

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISBEW64.exe

Filesize
176KB

MD5
9f9c3f526ee03b257b7447d4305b9c73

SHA1
f0412cd79b2c733f5fa4b1f26c9fae753491be2e

SHA256
e933bf52d25f7bfc5ec0b58cd0df771dbc696b5ebe5a41a11cd1703f7348a669

SHA512
f5bc22491049858b49263c1bad8732726caf25d0da7c7fae7ff4448d8fe77d2f3882abc99fc376c17635ba9b37d9cdd6de64d9b61cec98d6e7b1f8bbfdc8c0d7

Download Submit
C:\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISLangUni.ini

Filesize
100KB

MD5
54cc77ea7980ac8263b67d1d094f3850

SHA1
b63c76182ff11f22a956e7b62dfa89223de8397b

SHA256
0698d5b9c8ea6d83d31c55562915bc04222b87920fb883f886e375348577607d

SHA512
c4af93d5b65236ee72437255f99246326a4b30b8bec5551905986600b3ce6eb68894af07a3f8ee61be3b0b4d6c723f48702343dfa90e4b883af9e9efd3f1e12d

Download Submit
C:\Users\Admin\AppData\Local\Temp\~BD37.tmp

Filesize
5KB

MD5
1f22caa34c2dabf3fb74c1e1386a3390

SHA1
096d6c57aa1c39950e67a1d100924de4a5f5479c

SHA256
ecac8672f31ce035bbe6c885518a34f7a2271d97bcb8c8e9ffc0d212f1494d33

SHA512
2b2a152935af7f329cd04d51ca66a687f19993d66b34aa8fa2571dbdb2bec82c5c35aea1387aca9b947c2ead4a41ca0c01141929d2ab6f9196702ba5e7b5dcf4

Download Submit
\Users\Admin\AppData\Local\Temp\._cache_2024-11-29_2af0b11517e28a1f1c46aa005771eed0_magniber.exe

Filesize
11.5MB

MD5
061e6313eef152e5c13d4d95c2c17000

SHA1
4b55b8a01c02ef71e4d427daff8b74ff2d586610

SHA256
7caaa83dd59376777f4c25b34deba5d2c6d0e58fb49c5b89442e42dcda8c4d1a

SHA512
14d0719724040bc060bac4b2c482a51b29fec175ddc4c1a96106d2f45e4dd24ab3c0c68e5b84169071e306ade5ebe578f7d4ec96de1c5879970886ba7bd0b825

Download Submit
\Users\Admin\AppData\Local\Temp\MSIC94A.tmp

Filesize
170KB

MD5
acd6ebc04f64992a1ad538f6ed029ed0

SHA1
8263edcff06aea33b92eb5815a56c488e2cb60d4

SHA256
15252dad21c5e3a68974caee681e25e7cfcd3d61cb30d07d665092cef64a07b4

SHA512
ea26ae1a13d9b154fe8755894a2d268429b0a8b010a8fff652d30e9b01efd261585abdfbb723f0438c6cf2ecb09e6da2aa8b5956e637f43846b7056fbb2365c2

Download Submit
\Users\Admin\AppData\Local\Temp\{0E1CD991-BA7F-4867-A461-9C51FBC023B9}\ISSetup.dll

Filesize
8.4MB

MD5
bdc5a14556155f6145531ca2a96260d9

SHA1
66c38610efe2786bbdbe66f876d7985a806a4109

SHA256
75643fc6e233371d3d4d2fd9234481d5e46f5d7638988331f3927fc341ae5e8f

SHA512
6316ef6096e5ce7284b785b55b172710c3a055a8441fada47225b4ad6ebcf17da31c5f2c3f3f39bd26499f19e5ce35c509aafc1ed5aa5f642b62f95ec83f0ad1

Download Submit
\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\ISRT.dll

Filesize
417KB

MD5
98c6b4b41996aceeabc6be68533ab5d4

SHA1
4708bb8597a4f930a4a742cb2410165ca3ff5278

SHA256
695e64964eaa368fc1f7ef8be022adde8bdeabdf31edbf82e0518617615df79b

SHA512
246271fcafc9eabbe9d430e07e92dc4178dacbd9e35fb575815ad8563eb0ced95cd1c790e91477439f98975c2011eeefacc518957a0b89f7b7d20fe9eb9973fb

Download Submit
\Users\Admin\AppData\Local\Temp\{FB830E56-23BD-4731-81D7-DB20A473FA0F}\_isres_0x0409.dll

Filesize
1.8MB

MD5
b6c16d95777a4e9257c5b5d546b36959

SHA1
e094a45da75fd8bf3e01d29872af5dc397f31da9

SHA256
e4a9354a4d9bc5cbcfd440ae1cc658522ae81e90801232707394bb904ef14669

SHA512
de8e21e7b1dce95f8e7a9cd874188cfc645654a174205d7e8dde99b58b858783de4343bc2b53d14764c91032385bf523e27198ec54fed99c756a6715c0e64f8a

Download Submit
memory/1272-2-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1272-166-0x0000000000400000-0x000000000143B000-memory.dmp

Filesize
16.2MB

Download
memory/1272-5-0x00000000004A5000-0x00000000006CD000-memory.dmp

Filesize
2.2MB

Download
memory/1272-8-0x0000000000400000-0x000000000143B000-memory.dmp

Filesize
16.2MB

Download
memory/1272-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1272-128-0x00000000004A5000-0x00000000006CD000-memory.dmp

Filesize
2.2MB

Download
memory/1272-4-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/2352-381-0x0000000004F30000-0x0000000005040000-memory.dmp

Filesize
1.1MB

Download
memory/2352-384-0x0000000005040000-0x0000000005207000-memory.dmp

Filesize
1.8MB

Download
memory/2352-185-0x0000000010000000-0x0000000010245000-memory.dmp

Filesize
2.3MB

Download
memory/2352-399-0x0000000004F30000-0x0000000005040000-memory.dmp

Filesize
1.1MB

Download
memory/2352-398-0x0000000010000000-0x0000000010245000-memory.dmp

Filesize
2.3MB

Download
memory/2596-153-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2596-155-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

Errors

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads