sality | e77d8392c09e6c1a42337f0079967c879bbf933358436a38791e4014f3ebfd7b

Analysis

max time kernel
124s
max time network
110s
platform
windows10-2004_x64
resource
win10v2004-20240611-en
resource tags

arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
submitted
30-06-2024 15:53

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Size

2.9MB
MD5

a929042a85c0ebe291a1b2b55f948567
SHA1

1211f45dc01988f0ba2f63b13e197af6e27603be
SHA256

e77d8392c09e6c1a42337f0079967c879bbf933358436a38791e4014f3ebfd7b
SHA512

1e9d36cb684d9d4b6be8efb02a30bf020d3661b6718ab3bcfbb62d9a2c0cedc9d37197443aad00a7a6db340a6cdebe268f1b5341282777ee2a2790d0f1417a2a
SSDEEP

49152:VpAJ4K/kZCRW6JIAYtBRVXJT8IE+eDvkX6uPh0OR8/dJ388mS5vbv+fH2rJnLs5V:gdkyIAYt3VXNeTkquPhO881Vv5LndS

Score

10^/10

sality backdoor bootkit evasion persistence trojan upx

Malware Config

Extracted

Family

sality

http://89.119.67.154/testo5/

http://kukutrustnet777.info/home.gif

http://kukutrustnet888.info/home.gif

http://kukutrustnet987.info/home.gif

Signatures

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DoNotAllowExceptions = "0"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Sality
Sality is backdoor written in C++, first discovered in 2003.
backdoor sality
UAC bypass 3 TTPs 1 IoCs
evasion trojan

Bypass User Account Control
T1548.002

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Windows security bypass 2 TTPs 6 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Detects executables packed with Sality Polymorphic Code Generator or Simple Poly Engine or Sality 38 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4128-1-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-4-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-5-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-14-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-13-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-20-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-19-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-6-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-12-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-3-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-22-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-21-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-23-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-24-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-25-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-27-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-28-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-29-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-31-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-32-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-34-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-36-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-39-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-41-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-44-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-46-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-47-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-50-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-52-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-53-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-55-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-57-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-64-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-66-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-68-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-70-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-71-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine
behavioral2/memory/4128-76-0x0000000002600000-0x00000000036BA000-memory.dmp	INDICATOR_EXE_Packed_SimplePolyEngine

UPX dump on OEP (original entry point) 38 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4128-1-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-4-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-5-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-14-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-13-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-20-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-19-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-6-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-12-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-3-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-22-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-21-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-23-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-24-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-25-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-27-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-28-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-29-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-31-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-32-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-34-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-36-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-39-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-41-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-44-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-46-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-47-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-50-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-52-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-53-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-55-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-57-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-64-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-66-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-68-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-70-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-71-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX
behavioral2/memory/4128-76-0x0000000002600000-0x00000000036BA000-memory.dmp	UPX

UPX packed file 38 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/4128-1-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-4-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-5-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-14-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-13-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-20-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-19-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-6-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-12-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-3-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-22-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-21-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-23-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-24-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-25-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-27-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-28-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-29-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-31-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-32-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-34-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-36-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-39-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-41-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-44-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-46-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-47-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-50-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-52-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-53-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-55-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-57-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-64-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-66-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-68-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-70-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-71-0x0000000002600000-0x00000000036BA000-memory.dmp	upx
behavioral2/memory/4128-76-0x0000000002600000-0x00000000036BA000-memory.dmp	upx

Windows security modification 2 TTPs 7 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusOverride = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\FirewallOverride = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UacDisableNotify = "1"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\Svc	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
File opened (read-only)	\??\E:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\Y:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\Z:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\I:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\M:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\P:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\R:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\T:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\V:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\G:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\H:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\J:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\N:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\U:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\W:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\K:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\L:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\O:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\Q:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\S:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened (read-only)	\??\X:	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1542.003

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description ioc process

File opened for modification \??\PhysicalDrive0 2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Drops autorun.inf file 1 TTPs 2 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
File opened for modification	F:\autorun.inf	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\autorun.inf	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Drops file in Program Files directory 12 IoCs

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\InspectorOfficeGadget.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeClickToRun.exe	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Drops file in Windows directory 2 IoCs

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
File created	C:\Windows\e57322c	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
File opened for modification	C:\Windows\SYSTEM.INI	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Suspicious behavior: EnumeratesProcesses 26 IoCs

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

pid	process
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	pid	process
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
Token: SeDebugPrivilege	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	pid	process	target process
PID 4128 wrote to memory of 772	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 776	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 332	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	dwm.exe
PID 4128 wrote to memory of 2916	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	sihost.exe
PID 4128 wrote to memory of 2940	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 2244	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	taskhostw.exe
PID 4128 wrote to memory of 3432	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	Explorer.EXE
PID 4128 wrote to memory of 3532	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 3736	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	DllHost.exe
PID 4128 wrote to memory of 3832	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	StartMenuExperienceHost.exe
PID 4128 wrote to memory of 3892	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 3988	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	SearchApp.exe
PID 4128 wrote to memory of 3568	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 2632	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	TextInputHost.exe
PID 4128 wrote to memory of 3052	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 4704	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	backgroundTaskHost.exe
PID 4128 wrote to memory of 4728	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	backgroundTaskHost.exe
PID 4128 wrote to memory of 772	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 776	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 332	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	dwm.exe
PID 4128 wrote to memory of 2916	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	sihost.exe
PID 4128 wrote to memory of 2940	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 2244	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	taskhostw.exe
PID 4128 wrote to memory of 3432	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	Explorer.EXE
PID 4128 wrote to memory of 3532	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 3736	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	DllHost.exe
PID 4128 wrote to memory of 3832	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	StartMenuExperienceHost.exe
PID 4128 wrote to memory of 3892	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 3988	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	SearchApp.exe
PID 4128 wrote to memory of 3568	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 2632	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	TextInputHost.exe
PID 4128 wrote to memory of 3052	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 4704	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	backgroundTaskHost.exe
PID 4128 wrote to memory of 4824	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 4408	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 772	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 776	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 332	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	dwm.exe
PID 4128 wrote to memory of 2916	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	sihost.exe
PID 4128 wrote to memory of 2940	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 2244	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	taskhostw.exe
PID 4128 wrote to memory of 3432	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	Explorer.EXE
PID 4128 wrote to memory of 3532	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 3736	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	DllHost.exe
PID 4128 wrote to memory of 3832	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	StartMenuExperienceHost.exe
PID 4128 wrote to memory of 3892	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 3988	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	SearchApp.exe
PID 4128 wrote to memory of 3568	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 2632	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	TextInputHost.exe
PID 4128 wrote to memory of 3052	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 4704	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	backgroundTaskHost.exe
PID 4128 wrote to memory of 4824	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 4408	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe
PID 4128 wrote to memory of 772	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 776	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	fontdrvhost.exe
PID 4128 wrote to memory of 332	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	dwm.exe
PID 4128 wrote to memory of 2916	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	sihost.exe
PID 4128 wrote to memory of 2940	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 2244	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	taskhostw.exe
PID 4128 wrote to memory of 3432	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	Explorer.EXE
PID 4128 wrote to memory of 3532	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	svchost.exe
PID 4128 wrote to memory of 3736	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	DllHost.exe
PID 4128 wrote to memory of 3832	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	StartMenuExperienceHost.exe
PID 4128 wrote to memory of 3892	4128	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe	RuntimeBroker.exe

System policy modification 1 TTPs 1 IoCs
evasion

Modify Registry
T1112

Processes:

2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" 2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:772

C:\Windows\system32\fontdrvhost.exe
"fontdrvhost.exe"
1⤵
PID:776

C:\Windows\system32\dwm.exe
"dwm.exe"
1⤵
PID:332

C:\Windows\system32\sihost.exe
sihost.exe
1⤵
PID:2916

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k UnistackSvcGroup -s CDPUserSvc
1⤵
PID:2940

C:\Windows\system32\taskhostw.exe
taskhostw.exe {222A245B-E637-4AE9-A93F-A59CA119A75E}
1⤵
PID:2244

C:\Windows\Explorer.EXE
C:\Windows\Explorer.EXE
1⤵
PID:3432

C:\Users\Admin\AppData\Local\Temp\2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-30_a929042a85c0ebe291a1b2b55f948567_magniber.exe"
2⤵
- Modifies firewall policy service
- UAC bypass
- Windows security bypass
- Windows security modification
- Checks whether UAC is enabled
- Enumerates connected drives
- Writes to the Master Boot Record (MBR)
- Drops autorun.inf file
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
- System policy modification
PID:4128

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k ClipboardSvcGroup -p -s cbdhsvc
1⤵
PID:3532

C:\Windows\system32\DllHost.exe
C:\Windows\system32\DllHost.exe /Processid:{3EB3C877-1F16-487C-9050-104DBCD66683}
1⤵
PID:3736

C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
1⤵
PID:3832

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3892

C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
1⤵
PID:3988

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3568

C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe
"C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\InputApp\TextInputHost.exe" -ServerName:InputApp.AppX9jnwykgrccxc8by3hsrsh07r423xzvav.mca
1⤵
PID:2632

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:3052

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:CortanaUI.AppX3bn25b6f886wmg6twh46972vprk9tnbf.mca
1⤵
PID:4704

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:4728

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4824

C:\Windows\System32\RuntimeBroker.exe
C:\Windows\System32\RuntimeBroker.exe -Embedding
1⤵
PID:4408

C:\Windows\system32\backgroundTaskHost.exe
"C:\Windows\system32\backgroundTaskHost.exe" -ServerName:App.AppXmtcan0h2tfbfy7k9kn8hbxb6dmzz1zh0.mca
1⤵
PID:1992

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Create or Modify System Process

Windows Service

Pre-OS Boot

Bootkit

Privilege Escalation

Create or Modify System Process

T1543

Windows Service

T1543.003

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

System Information Discovery

T1082

Query Registry

T1012

Peripheral Device Discovery

T1120

Lateral Movement

Replication Through Removable Media

T1091

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

F:\ctcm.exe
Filesize
97KB

MD5
8f948bc0137a1bd1c815550872e08f49

SHA1
b774c84d0c237b27563658238568879118a47149

SHA256
376b59faea9bfa6323d37a6b54b1f3cbb396d3c04f819b25abd684759632f12c

SHA512
139b641771a427c20032e17b37434d8ebc674b7ae0feee0ed47e18c1e69cb0751cc1451e980f0e0275ad29c1c40cee40703c243f76a4ac39b32e5f72ec0438f4

Download Submit
memory/4128-29-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-17-0x0000000004440000-0x0000000004442000-memory.dmp

Filesize
8KB

Download
memory/4128-5-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-1-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-18-0x0000000004440000-0x0000000004442000-memory.dmp

Filesize
8KB

Download
memory/4128-14-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-13-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-20-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-19-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-6-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-28-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-15-0x0000000004440000-0x0000000004442000-memory.dmp

Filesize
8KB

Download
memory/4128-31-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-3-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-22-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-21-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-23-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-24-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-25-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-27-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-16-0x0000000004590000-0x0000000004591000-memory.dmp

Filesize
4KB

Download
memory/4128-4-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-12-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-32-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-34-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-36-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-39-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-41-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-44-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-46-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-47-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-50-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-52-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-53-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-55-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-57-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-64-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-66-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-68-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-70-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-71-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-73-0x0000000004440000-0x0000000004442000-memory.dmp

Filesize
8KB

Download
memory/4128-76-0x0000000002600000-0x00000000036BA000-memory.dmp

Filesize
16.7MB

Download
memory/4128-0-0x0000000000400000-0x0000000000711000-memory.dmp

Filesize
3.1MB

Download