xmrig | 1a9390fbfb16f57e55d4aec702f174de39f03f57ed4c7c999041998c1b06647c

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
20-12-2024 12:44

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Size

9.0MB
MD5

d49256ff715f5c1eab0e233836adcc2e
SHA1

c173203859e9aa8f6f879c2f261e4be2bcd0b720
SHA256

1a9390fbfb16f57e55d4aec702f174de39f03f57ed4c7c999041998c1b06647c
SHA512

0a565ef31d18414ea7e04783aae1bd0224119bbd1e5616d64f428be4acf88e028910c523171f51b6a707818c233f38d9b7abb082b66e46d06b24849cddbbd6af
SSDEEP

196608:rhHMBGC3PtXtT+Was8xwq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G0kwuwasMdJOnZKVSaaNZOn

Score

10^/10

xmrig discovery miner persistence upx

Malware Config

Signatures

Xmrig family
xmrig
xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 9 IoCs

miner

resource	yara_rule
behavioral1/memory/576-137-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-136-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-142-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-143-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-145-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-146-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-147-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-148-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig
behavioral1/memory/576-149-0x000000013FD50000-0x0000000140394000-memory.dmp	xmrig

Executes dropped EXE 3 IoCs

pid	Process
576	360speedld.exe
1912	SMB.exe
1752	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

Loads dropped DLL 2 IoCs

pid	Process
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe"	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\QQMusic = "C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe"	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000800000001739a-8.dat	upx
behavioral1/memory/576-10-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-137-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-136-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-142-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-143-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-145-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-146-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-147-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-148-0x000000013FD50000-0x0000000140394000-memory.dmp	upx
behavioral1/memory/576-149-0x000000013FD50000-0x0000000140394000-memory.dmp	upx

Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\VBoxMiniRdrDN	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
File opened (read-only)	\??\VBoxMiniRdrDN	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\web\webbase.xml	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

System Location Discovery: System Language Discovery 1 TTPs 15 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	schtasks.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	taskkill.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	SMB.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ipconfig.exe

Checks processor information in registry 2 TTPs 2 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

Gathers network information 2 TTPs 4 IoCs

Uses commandline utility to view network configuration.

System Information Discovery

T1082

Command and Scripting Interpreter

T1059

pid	Process
3056	ipconfig.exe
852	ipconfig.exe
2788	ipconfig.exe
1728	ipconfig.exe

Kills process with taskkill 1 IoCs

evasion

pid	Process
2952	taskkill.exe

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
2728	schtasks.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeBackupPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeSecurityPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeSecurityPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeBackupPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeSecurityPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeBackupPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeSecurityPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeBackupPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeSecurityPrivilege	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
Token: SeDebugPrivilege	2952	taskkill.exe
Token: SeLockMemoryPrivilege	576	360speedld.exe
Token: SeLockMemoryPrivilege	576	360speedld.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 2372 wrote to memory of 2244	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	31
PID 2372 wrote to memory of 2244	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	31
PID 2372 wrote to memory of 2244	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	31
PID 2372 wrote to memory of 2244	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	31
PID 2372 wrote to memory of 2768	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	33
PID 2372 wrote to memory of 2768	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	33
PID 2372 wrote to memory of 2768	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	33
PID 2372 wrote to memory of 2768	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	33
PID 2244 wrote to memory of 2728	2244	cmd.exe	34
PID 2244 wrote to memory of 2728	2244	cmd.exe	34
PID 2244 wrote to memory of 2728	2244	cmd.exe	34
PID 2244 wrote to memory of 2728	2244	cmd.exe	34
PID 2768 wrote to memory of 2952	2768	cmd.exe	36
PID 2768 wrote to memory of 2952	2768	cmd.exe	36
PID 2768 wrote to memory of 2952	2768	cmd.exe	36
PID 2768 wrote to memory of 2952	2768	cmd.exe	36
PID 2372 wrote to memory of 2636	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	38
PID 2372 wrote to memory of 2636	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	38
PID 2372 wrote to memory of 2636	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	38
PID 2372 wrote to memory of 2636	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	38
PID 2636 wrote to memory of 3056	2636	cmd.exe	40
PID 2636 wrote to memory of 3056	2636	cmd.exe	40
PID 2636 wrote to memory of 3056	2636	cmd.exe	40
PID 2636 wrote to memory of 3056	2636	cmd.exe	40
PID 2372 wrote to memory of 576	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	41
PID 2372 wrote to memory of 576	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	41
PID 2372 wrote to memory of 576	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	41
PID 2372 wrote to memory of 576	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	41
PID 2372 wrote to memory of 1912	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	43
PID 2372 wrote to memory of 1912	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	43
PID 2372 wrote to memory of 1912	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	43
PID 2372 wrote to memory of 1912	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	43
PID 2372 wrote to memory of 840	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	44
PID 2372 wrote to memory of 840	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	44
PID 2372 wrote to memory of 840	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	44
PID 2372 wrote to memory of 840	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	44
PID 840 wrote to memory of 852	840	cmd.exe	46
PID 840 wrote to memory of 852	840	cmd.exe	46
PID 840 wrote to memory of 852	840	cmd.exe	46
PID 840 wrote to memory of 852	840	cmd.exe	46
PID 1544 wrote to memory of 1752	1544	taskeng.exe	48
PID 1544 wrote to memory of 1752	1544	taskeng.exe	48
PID 1544 wrote to memory of 1752	1544	taskeng.exe	48
PID 1544 wrote to memory of 1752	1544	taskeng.exe	48
PID 2372 wrote to memory of 2828	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	49
PID 2372 wrote to memory of 2828	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	49
PID 2372 wrote to memory of 2828	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	49
PID 2372 wrote to memory of 2828	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	49
PID 2828 wrote to memory of 2788	2828	cmd.exe	51
PID 2828 wrote to memory of 2788	2828	cmd.exe	51
PID 2828 wrote to memory of 2788	2828	cmd.exe	51
PID 2828 wrote to memory of 2788	2828	cmd.exe	51
PID 2372 wrote to memory of 700	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	52
PID 2372 wrote to memory of 700	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	52
PID 2372 wrote to memory of 700	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	52
PID 2372 wrote to memory of 700	2372	2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe	52
PID 700 wrote to memory of 1728	700	cmd.exe	54
PID 700 wrote to memory of 1728	700	cmd.exe	54
PID 700 wrote to memory of 1728	700	cmd.exe	54
PID 700 wrote to memory of 1728	700	cmd.exe	54

C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Checks for VirtualBox DLLs, possible anti-VM trick
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2372
- C:\Windows\SysWOW64\cmd.exe
  cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe /F
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2244
- - C:\Windows\SysWOW64\schtasks.exe
    schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe /F
    3⤵
    - System Location Discovery: System Language Discovery
    - Scheduled Task/Job: Scheduled Task
    PID:2728
- C:\Windows\SysWOW64\cmd.exe
  cmd /c taskkill /f /im 360speedld.exe&&exit
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2768
- - C:\Windows\SysWOW64\taskkill.exe
    taskkill /f /im 360speedld.exe
    3⤵
    - System Location Discovery: System Language Discovery
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:2952
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:3056
- C:\ProgramData\360speedld.exe
  C:\ProgramData\360speedld.exe -o stratum+tcp://mo.t1linux.com:21666 -u 0 -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
  2⤵
  - Executes dropped EXE
  - Suspicious use of AdjustPrivilegeToken
  PID:576
- C:\ProgramData\SMB.exe
  C:\ProgramData\SMB.exe
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:1912
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:852
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2828
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:2788
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ipconfig /flushdns
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:700
- - C:\Windows\SysWOW64\ipconfig.exe
    ipconfig /flushdns
    3⤵
    - System Location Discovery: System Language Discovery
    - Gathers network information
    PID:1728

C:\Windows\system32\taskeng.exe
taskeng.exe {21B2136D-479A-4F9B-8256-6A63B5FD40CB} S-1-5-21-3290804112-2823094203-3137964600-1000:VORHPBAB\Admin:Interactive:[1]
1⤵
- Suspicious use of WriteProcessMemory
PID:1544
- C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
  C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
  2⤵
  - Executes dropped EXE
  - Checks for VirtualBox DLLs, possible anti-VM trick
  - System Location Discovery: System Language Discovery
  PID:1752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\360speedld.exe

Filesize
1.3MB

MD5
23d84a7ed2e8e76d0a13197b74913654

SHA1
23d04ba674bafbad225243dc81ce7eccd744a35a

SHA256
ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

SHA512
aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

Download Submit
C:\ProgramData\SMB.exe

Filesize
3.1MB

MD5
7b2f170698522cd844e0423252ad36c1

SHA1
303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

SHA256
5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

SHA512
7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

Download Submit
C:\ProgramData\X64.dll

Filesize
85KB

MD5
7ac92f444697cf6fae393f41370c632d

SHA1
2836df09431e789cd9a48b2608fb5113c70b2d64

SHA256
95791123cd3e668a95ddda7de1c28f528c31235883a2e1e044a27689711a6beb

SHA512
b12609a85c549f1da278ff0bcd7c9f2fe5fc5a06c7d7bfbc237b80f5b4c8aa1617c5742839ada5a789469f5cfdf1b0faa49f2352e79bc248842526f615b6cda2

Download Submit
C:\ProgramData\X86.dll

Filesize
71KB

MD5
ab2c510c70948e367c22e53672b1e4f9

SHA1
76a370a6017a3a5316353f81ee70fa8919738cb1

SHA256
66a8af51c1743aea41268f090fc39aab85b182a160f05e6dc3259015d521b70e

SHA512
a283bac70567c6f889d9191c6b5ea581c9f90885915cae4c0d8d77d0c37dfa142cbe6e6cb95c4e036424bc063706363c9c5847cf70347b1bdb2a23f6fe27a2fb

Download Submit
C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

Filesize
9.0MB

MD5
d49256ff715f5c1eab0e233836adcc2e

SHA1
c173203859e9aa8f6f879c2f261e4be2bcd0b720

SHA256
1a9390fbfb16f57e55d4aec702f174de39f03f57ed4c7c999041998c1b06647c

SHA512
0a565ef31d18414ea7e04783aae1bd0224119bbd1e5616d64f428be4acf88e028910c523171f51b6a707818c233f38d9b7abb082b66e46d06b24849cddbbd6af

Download Submit
memory/576-143-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-137-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-136-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-11-0x00000000000F0000-0x0000000000104000-memory.dmp

Filesize
80KB

Download
memory/576-10-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-142-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-145-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-146-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-147-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-148-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/576-149-0x000000013FD50000-0x0000000140394000-memory.dmp

Filesize
6.3MB

Download
memory/2372-16-0x00000000044E0000-0x0000000004B24000-memory.dmp

Filesize
6.3MB

Download
memory/2372-9-0x00000000044E0000-0x0000000004B24000-memory.dmp

Filesize
6.3MB

Download