7d64f3c657193290b248aad982d194f68c917ddeb015227a3c02ac725166bb1f

Analysis

max time kernel
118s
max time network
121s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
04/04/2024, 20:04

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe
Size

13.3MB
MD5

f24c21fc028d0d04eed8eb65768a494d
SHA1

625f7073adc5b4faeafcc7639c0310d9a9907c7d
SHA256

7d64f3c657193290b248aad982d194f68c917ddeb015227a3c02ac725166bb1f
SHA512

db682cd8b8a6a0aea34cccb9095de5365b6a1f3374965627c05b1ab93d6684166d5c14cda0834635445e07ef6429ecfaef8494c6b5405019dbd39af30c32ee68
SSDEEP

196608:56K8gKtEzcTsJjobFf1VS9C86JQtK5YzLhUBbBuUhT1z9yhwsns7G82C1:V8gKt/4joxf1x8KQtK4OBbBu/e882e

Score

7^/10

bootkit persistence

Malware Config

Signatures

Loads dropped DLL 2 IoCs

pid	Process
1432	2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe
1432	2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2684	1432	WerFault.exe	27

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 1432 wrote to memory of 2684	1432	2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe	28
PID 1432 wrote to memory of 2684	1432	2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe	28
PID 1432 wrote to memory of 2684	1432	2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe	28
PID 1432 wrote to memory of 2684	1432	2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe	28

C:\Users\Admin\AppData\Local\Temp\2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-04_f24c21fc028d0d04eed8eb65768a494d_magniber_revil.exe"
1⤵
- Loads dropped DLL
- Writes to the Master Boot Record (MBR)
- Suspicious use of WriteProcessMemory
PID:1432
- C:\Windows\SysWOW64\WerFault.exe
  C:\Windows\SysWOW64\WerFault.exe -u -p 1432 -s 720
  2⤵
  - Program crash
  PID:2684

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\netul.dll

Filesize
1.9MB

MD5
47f5fe83659f9ea0c7b204a3e76f78b1

SHA1
cc1e2e5e7601473e69a28f4ab4a7ed29a07dbada

SHA256
e834072d776786c0a9336225b18a1b4da91f3fd056277af61ba97a203c8bbb5a

SHA512
18c50b839b40b5706da9b0b948ea7ea85718cd38cd463d44750fa608ac14a1b45eb498c5d73460f4b67c9d9677fc3227be0ca48024aaf2b76dcebd09900e5e64

Download Submit
\Users\Admin\AppData\Local\Temp\{9CD93727-B9A2-45c0-A952-05165BFCE6AF}.tmp\7z.dll

Filesize
1.1MB

MD5
7b265e9fd7556b3ce6e5c6e679c7212a

SHA1
bcbcdcd455d4a6fe39e0a91c4b8a7fb78b56230b

SHA256
f5961b7af060d06504cc99bed925fb450ce184962327225cb4ea9cad9a9922a9

SHA512
fa423bc6f03c33848dcbede961914fb4034c94544946f1b117a7bdcb5ca5075655b6d22d9385b8fe8b8eba7c59fce1d1024691472d26a64ab7286bc8760adf60

Download Submit
memory/1432-24-0x0000000000280000-0x0000000000281000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads