Overview

overview

10

Static

static

3

2024-12-20...er.exe

windows7-x64

10

2024-12-20...er.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    20-12-2024 12:44

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe

  • Size

    9.0MB

  • MD5

    d49256ff715f5c1eab0e233836adcc2e

  • SHA1

    c173203859e9aa8f6f879c2f261e4be2bcd0b720

  • SHA256

    1a9390fbfb16f57e55d4aec702f174de39f03f57ed4c7c999041998c1b06647c

  • SHA512

    0a565ef31d18414ea7e04783aae1bd0224119bbd1e5616d64f428be4acf88e028910c523171f51b6a707818c233f38d9b7abb082b66e46d06b24849cddbbd6af

  • SSDEEP

    196608:rhHMBGC3PtXtT+Was8xwq1wo9JoYx5JAMdJOnZTG1IvQSaKe6NZOn:r2G0kwuwasMdJOnZKVSaaNZOn

Score
10/10
xmrigdiscoveryminerpersistenceupx

Malware Config

Signatures

  • Xmrig family
    xmrig
  • xmrig

    XMRig is a high performance, open source, cross platform CPU/GPU miner.

    minerxmrig
  • XMRig Miner payload 9 IoCs
    miner
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 2 IoCs
    persistence
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • UPX packed file 11 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

    upx
  • Checks for VirtualBox DLLs, possible anti-VM trick 1 TTPs 2 IoCs

    Certain files are specific to VirtualBox VMs and can be used to detect execution in a VM.

  • System Location Discovery: System Language Discovery 1 TTPs 14 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Gathers network information 2 TTPs 4 IoCs

    Uses commandline utility to view network configuration.

  • Kills process with taskkill 1 IoCs
    evasion
  • Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistenceexecution
  • Suspicious behavior: EnumeratesProcesses 64 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 13 IoCs
  • Suspicious use of WriteProcessMemory 41 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe"
    1⤵
    • Adds Run key to start application
    • Enumerates connected drives
    • Checks for VirtualBox DLLs, possible anti-VM trick
    • System Location Discovery: System Language Discovery
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:4812
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe /F
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:2300
      • C:\Windows\SysWOW64\schtasks.exe
        schtasks /create /sc minute /mo 1 /tn "QQMusic" /tr C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe /F
        3⤵
        • System Location Discovery: System Language Discovery
        • Scheduled Task/Job: Scheduled Task
        PID:1532
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c taskkill /f /im 360speedld.exe&&exit
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:5076
      • C:\Windows\SysWOW64\taskkill.exe
        taskkill /f /im 360speedld.exe
        3⤵
        • System Location Discovery: System Language Discovery
        • Kills process with taskkill
        • Suspicious use of AdjustPrivilegeToken
        PID:4316
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1736
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:5092
    • C:\ProgramData\360speedld.exe
      C:\ProgramData\360speedld.exe -o stratum+tcp://mo.t1linux.com:21666 -u L -p 1 --max-cpu-usage=50 --cpu-priority 3 --cpu-max-threads-hint=50 -K
      2⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1368
    • C:\ProgramData\SMB.exe
      C:\ProgramData\SMB.exe
      2⤵
      • Executes dropped EXE
      • System Location Discovery: System Language Discovery
      PID:2404
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:4844
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:3208
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:1972
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:2624
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ipconfig /flushdns
      2⤵
      • System Location Discovery: System Language Discovery
      • Suspicious use of WriteProcessMemory
      PID:6360
      • C:\Windows\SysWOW64\ipconfig.exe
        ipconfig /flushdns
        3⤵
        • System Location Discovery: System Language Discovery
        • Gathers network information
        PID:6404
  • C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
    C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
    1⤵
    • Executes dropped EXE
    • Checks for VirtualBox DLLs, possible anti-VM trick
    PID:5976

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\ProgramData\360speedld.exe
    Filesize

    1.3MB

    MD5

    23d84a7ed2e8e76d0a13197b74913654

    SHA1

    23d04ba674bafbad225243dc81ce7eccd744a35a

    SHA256

    ac530d542a755ecce6a656ea6309717ec222c34d7e34c61792f3b350a8a29301

    SHA512

    aa6b0100d477214d550b6498787190fc1a8fafa7c478f9595d45e4e76ece9888b84dcca26696500d5710a9d1acae4810f2606d8962c46d31f2bdfcdd27bd675c

    Download Submit

  • C:\ProgramData\SMB.exe
    Filesize

    3.1MB

    MD5

    7b2f170698522cd844e0423252ad36c1

    SHA1

    303ac0aaf0e9f48d4943e57d1ee6c757f2dd48c5

    SHA256

    5214f356f2e8640230e93a95633cd73945c38027b23e76bb5e617c71949f8994

    SHA512

    7155477e6988a16f6d12a0800ab72b9b9b64b97a509324ac0669cec2a4b82cd81b3481ae2c2d1ce65e73b017cebb56628d949d6195aac8f6ddd9625a80789dfa

    Download Submit

  • C:\ProgramData\X64.dll
    Filesize

    85KB

    MD5

    5120faeac5cf38c6b3a397287037748e

    SHA1

    0c0660b70ba484739b6602c43a4aded0129c9862

    SHA256

    735f4106d3c7a484d808b623d416c7f803853d686c637bb39e2a44e95701d3b6

    SHA512

    5e05f501495db0fdd1a237594dfe5ca11150b057cadd1a487032eb88ebdf45e6d68a3d22c182e192eda3e2c373f1d196b3c1ca04f6d55392fc13dbdac8803f6d

    Download Submit

  • C:\ProgramData\X86.dll
    Filesize

    71KB

    MD5

    0c086c796f35aebe90a1670bd62ba187

    SHA1

    e24aa3bf011c7806ebebdd9a77bd962326a7d0c9

    SHA256

    cd08cf87b358e0c9b0905f2f60c62bcd80d66bc0129483a9742c400a84fb9fef

    SHA512

    c2ef9899f4fd90b1be5294045490da7daef290564ef1e0701177895590ffff8cbe7a21ab619ed31f18f6d4e3ee2189329fff7bced20c2aaf79333fca16a320dc

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\2024-12-20_d49256ff715f5c1eab0e233836adcc2e_luca-stealer_magniber.exe
    Filesize

    9.0MB

    MD5

    d49256ff715f5c1eab0e233836adcc2e

    SHA1

    c173203859e9aa8f6f879c2f261e4be2bcd0b720

    SHA256

    1a9390fbfb16f57e55d4aec702f174de39f03f57ed4c7c999041998c1b06647c

    SHA512

    0a565ef31d18414ea7e04783aae1bd0224119bbd1e5616d64f428be4acf88e028910c523171f51b6a707818c233f38d9b7abb082b66e46d06b24849cddbbd6af

    Download Submit

  • memory/1368-141-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-132-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-133-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-10-0x000002BEBCAC0000-0x000002BEBCAD4000-memory.dmp

    Filesize

    80KB

    Download

  • memory/1368-142-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-8-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-144-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-145-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-151-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-152-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download

  • memory/1368-153-0x00007FF6361C0000-0x00007FF636804000-memory.dmp

    Filesize

    6.3MB

    Download