Analysis
max time kernel: 33s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20250129-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250129-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/02/2025, 01:24
Static task: static1
Behavioral task: behavioral1
  Sample: 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
  Resource: win10v2004-20250129-en
General
Target: 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Size: 357KB
MD5: 8e0a909a89438175faf2ac7acf5e721b
SHA1: 0ac18576c7634bdc07ef0576c38df8036a806c0b
SHA256: 91a543a24299a0dc22fbec348d090c4a0774f822440f58965ff38da77b82f0e0
SHA512: 15201efc7fd47c5f3c3d6ec108f2eaf970102e411014a59eaefe17cdd6011fd632310b9e86c1b7a611467bd598b3ca89cb379935f23b3ca7337ca678e232c23e
SSDEEP: 3072:KrfdSNN+V4Ji4GpMs/BE9PxGW5EdCeUsBRDFY9wIyZu9CwNwrGlXTDFarXEM2KPK:KE+VSuye7dCesaM7sqgrUgPOepQfX8A
Malware Config
Extracted
sality
http://89.119.67.154/testo5/
http://kukutrustnet777.info/home.gif
http://kukutrustnet888.info/home.gif
http://kukutrustnet987.info/home.gif
http://www.klkjwre9fqwieluoi.info/
http://kukutrustnet777888.info/
Signatures
Modifies firewall policy service 3 TTPs 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Sality family
UAC bypass 3 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winmgr.exe
Windows security bypass 2 TTPs 12 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Disables RegEdit via registry modification 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\system\DisableRegistryTools = "1" | winmgr.exe
Disables Task Manager via registry modification
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\Control Panel\International\Geo\Nation | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Executes dropped EXE 2 IoCs
pid | Process
3820 | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
4448 | winmgr.exe
Windows security modification 2 TTPs 14 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | winmgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1" | winmgr.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1" | winmgr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | winmgr.exe
Adds Run key to start application 2 TTPs 2 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50509529509275084208452680240430\\winmgr.exe" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-4174397412-4125106315-2776226590-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Manager = "C:\\Windows\\M-50509529509275084208452680240430\\winmgr.exe" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Checks whether UAC is enabled 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winmgr.exe
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 5036 set thread context of 3820 | 5036 | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe | 86
Drops file in Windows directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\M-50509529509275084208452680240430 | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
File opened for modification | C:\Windows\SYSTEM.INI | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
File created | C:\Windows\M-50509529509275084208452680240430\winmgr.exe | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
File opened for modification | C:\Windows\M-50509529509275084208452680240430\winmgr.exe | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | winmgr.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Suspicious behavior: EnumeratesProcesses 8 IoCs
pid | Process
5036 | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
5036 | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
5036 | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
5036 | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
4448 | winmgr.exe
4448 | winmgr.exe
4448 | winmgr.exe
4448 | winmgr.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
Suspicious use of WriteProcessMemory 64 IoCs
System policy modification 1 TTPs 2 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | 2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | winmgr.exe
Processes
image | command line | PID (indented by depth in the process tree; signatures listed under the process that triggered them)
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:776
C:\Windows\system32\fontdrvhost.exe | "fontdrvhost.exe" | PID:784
C:\Windows\system32\dwm.exe | "dwm.exe" | PID:1020
C:\Windows\system32\sihost.exe | sihost.exe | PID:2844
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc | PID:2924
C:\Windows\system32\taskhostw.exe | taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E} | PID:3048
C:\Windows\Explorer.EXE | C:\Windows\Explorer.EXE | PID:3400
  C:\Users\Admin\AppData\Local\Temp\2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe | "C:\Users\Admin\AppData\Local\Temp\2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe" | PID:5036
    - Modifies firewall policy service
    - UAC bypass
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Windows security modification
    - Checks whether UAC is enabled
    - Suspicious use of SetThreadContext
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Users\Admin\AppData\Local\Temp\2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe | "C:\Users\Admin\AppData\Local\Temp\2025-02-01_8e0a909a89438175faf2ac7acf5e721b_magniber.exe" | PID:3820
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\udvudoghhv.bat" " | PID:3328
        - System Location Discovery: System Language Discovery
        C:\Windows\System32\Conhost.exe | \??\C:\Windows\system32\conhost.exe 0xffffffff -ForceV1 | PID:4972
      C:\Windows\M-50509529509275084208452680240430\winmgr.exe | C:\Windows\M-50509529509275084208452680240430\winmgr.exe | PID:4448
        - Modifies firewall policy service
        - UAC bypass
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Checks whether UAC is enabled
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of WriteProcessMemory
        - System policy modification
C:\Windows\system32\svchost.exe | C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc | PID:3524
C:\Windows\system32\DllHost.exe | C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683} | PID:3720
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe | "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca | PID:3848
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3924
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | PID:4016
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:3656
C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe | "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca | PID:2120
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2680
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca | PID:312
C:\Windows\system32\backgroundTaskHost.exe | "C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca | PID:1476
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:736
C:\Windows\System32\RuntimeBroker.exe | C:\Windows\System32\RuntimeBroker.exe -Embedding | PID:2224
Network
MITRE ATT&CK Enterprise v15 (count of matching signatures in parentheses)
Persistence
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Boot or Logon Autostart Execution (1)
    Registry Run Keys / Startup Folder (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Abuse Elevation Control Mechanism (1)
    Bypass User Account Control (1)
  Impair Defenses (4)
    Disable or Modify System Firewall (1)
    Disable or Modify Tools (3)
  Modify Registry (6)
Downloads
Filesize: 357KB
MD5: 8e0a909a89438175faf2ac7acf5e721b
SHA1: 0ac18576c7634bdc07ef0576c38df8036a806c0b
SHA256: 91a543a24299a0dc22fbec348d090c4a0774f822440f58965ff38da77b82f0e0
SHA512: 15201efc7fd47c5f3c3d6ec108f2eaf970102e411014a59eaefe17cdd6011fd632310b9e86c1b7a611467bd598b3ca89cb379935f23b3ca7337ca678e232c23e

Filesize: 278B
MD5: 122b46015765a9d914b31f3311410679
SHA1: 36082dc5a669eb336eae6b97d2c72a559e834095
SHA256: 3e624495a97877580b507062172849b6ffea4cc2887e890c091fc38d3e54fe24
SHA512: 5e7dc2c6c1b5cf056a741eb2f2a07d41f2e6bf5397c89cfb7c1dd60f163f08183cd884a6c4f217409e51681c475f82b7d58e1b86ec12c63378ce6f9078a167cb

Filesize: 257B
MD5: a0cb0b20c58c08d2799c44543086036b
SHA1: 5fe8f78a95c1a3f012be85ec79b5f4c5637b26c2
SHA256: ad24af63b2ac9dc917cef609504a58b8bfdccb053d0cd58692745ce0292070d7
SHA512: 7883cf0cf4e5386b37474189339aef40086b02f8794d51e2f1d16019cc3ad4fc95c1a898a7d3f48c99322f2057bdbbd8d219287c3fe2163183d4035016103521