f9a99a0c4830a500caeae5e7e27d582f050320f8a93988a173962239add2bcff

Analysis

max time kernel
136s
max time network
138s
platform
windows10-2004_x64
resource
win10v2004-20231215-en
resource tags

arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 13:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe
Size

26.7MB
MD5

b294c8f64b7f34310ad6b9078160cc88
SHA1

437253b11f3363a3ead59e13f233d47157b6c203
SHA256

f9a99a0c4830a500caeae5e7e27d582f050320f8a93988a173962239add2bcff
SHA512

5e70b64602b3a66f6b08f0c31c2d07fc37fbb3896c62c47b2c3d03b0618defedd7bf4127ff5af1d6e59bf1e3f90e79fe9c677a2d781df9136be8c59f7f1abc0d
SSDEEP

393216:vZVz9gSy/Goc4G9gQOTn4tc1LS4qOFJ7k2/H1/mfKYWKpN9roAEoBJpjsNMFgXnu:vZxmG93an4CdEO3v5+pNO2mNtXnas

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
628	yxTn1HUMOA3w5XJ.exe
1688	青璃江湖【2024】.exe
4012	loginlauncher.exe

Loads dropped DLL 4 IoCs

pid	Process
4012	loginlauncher.exe
4012	loginlauncher.exe
4012	loginlauncher.exe
4012	loginlauncher.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
4012	loginlauncher.exe
4012	loginlauncher.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 2 IoCs

pid	pid_target	Process	procid_target
4668	4012	WerFault.exe	87
60	4012	WerFault.exe	87

Suspicious behavior: EnumeratesProcesses 6 IoCs

pid	Process
1688	青璃江湖【2024】.exe
1688	青璃江湖【2024】.exe
4012	loginlauncher.exe
4012	loginlauncher.exe
628	yxTn1HUMOA3w5XJ.exe
628	yxTn1HUMOA3w5XJ.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
628	yxTn1HUMOA3w5XJ.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
628	yxTn1HUMOA3w5XJ.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 804 wrote to memory of 628	804	2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe	85
PID 804 wrote to memory of 628	804	2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe	85
PID 804 wrote to memory of 628	804	2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe	85
PID 804 wrote to memory of 1688	804	2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe	86
PID 804 wrote to memory of 1688	804	2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe	86
PID 804 wrote to memory of 1688	804	2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe	86
PID 1688 wrote to memory of 4012	1688	青璃江湖【2024】.exe	87
PID 1688 wrote to memory of 4012	1688	青璃江湖【2024】.exe	87
PID 1688 wrote to memory of 4012	1688	青璃江湖【2024】.exe	87

C:\Users\Admin\AppData\Local\Temp\2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:804
- C:\Users\Admin\AppData\Local\Temp\ytool\yxTn1HUMOA3w5XJ.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-04-05_b294c8f64b7f34310ad6b9078160cc88_magniber_revil.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  PID:628
- C:\Users\Admin\AppData\Local\Temp\青璃江湖【2024】.exe
  "C:\Users\Admin\AppData\Local\Temp\青璃江湖【2024】.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1688
- - C:\Users\Admin\AppData\Local\Temp\loginlauncher.exe
    C:\Users\Admin\AppData\Local\Temp\loginlauncher.exe
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    PID:4012
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1760
      4⤵
      Program crash
      PID:4668
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4012 -s 1780
      4⤵
      Program crash
      PID:60

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4012 -ip 4012
1⤵
PID:1152

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4012 -ip 4012
1⤵
PID:4648

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\HPSocket_U.dll

Filesize
1.5MB

MD5
d749bdc6aa076c053e2db43d27a98912

SHA1
00cedb22411983700965be32d3f794a2ef5f1662

SHA256
8067a17ca87b700f4f5b879d67390cfda315d492b516e6fee0adcc27a74aa3dd

SHA512
ae96cd81e43fe7b9f0c2a5c4f918ba77a557b2b246ce0ab2f54b1eb48333b44eb3fab1cf8a24c77b746098b4d461b7b67f15906bda805af4638ebfbff4edf0d8

Download Submit
C:\Users\Admin\AppData\Local\Temp\libcrypto-1_1.dll

Filesize
2.7MB

MD5
3a7df0b0fd5434806d8e56d1d303cf80

SHA1
90f3d8353b5222058a35352d00d3638f3a277b38

SHA256
dcf1243844b1bbabf515b918c641ce55bbcab3bc29a540d55fafd838cef9a6fa

SHA512
74307e283296d70bc2cacc6f6a9339617506c7df700275a0d9186f3e9d7c7bd7de1e3a43b26db8260d9f9deb695f26be67cef646a71217de4ebce3b96f075c75

Download Submit
C:\Users\Admin\AppData\Local\Temp\libssl-1_1.dll

Filesize
921KB

MD5
cf5e3f01a99238faa0e9bd32fb2b3c4a

SHA1
1d62b61d77e9e54bfec378fb900bf699553d7acd

SHA256
ea1c1528b0093d76cf60863531f395f5120c8632bfafd8584b3ebc9b1e3d6c43

SHA512
c9e943ea44a8683b5d4dd49f3ba0869d5717d8436ce1eac6627ca69460767846277113a119babba7b2550a8e1bfa1e33056caf93daa6415aefcda4afae2f74a0

Download Submit
C:\Users\Admin\AppData\Local\Temp\loginlauncher.exe

Filesize
15.9MB

MD5
da5628589c587298c7f16700f0e476b2

SHA1
244de8fdd94b52dd28b487422529e5111a5e91e7

SHA256
8d41369b873144e96f0cb45da5e08fd85e8a42906bf1a190af17215cd8c50216

SHA512
e8192287ba17746f20d36ec48855da5c04e234982ee02db33816f1ea16d26d40a16017519f35b9c8ce4275aea70b4c344d4ab5a1531e5b17d32e4f30428bfc4e

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
311B

MD5
73618a91baa67f01020c66f8f77292ef

SHA1
1bda45a40acdbb0a574a583183c40d2445782d1b

SHA256
744a3570c661d8587a3a585647f423671dc90a1e6cc68b156a85d257e3a8d493

SHA512
966d1c9c5ade3941f85ab9c17d689075aaa44b7ac55e5807e907bc0548720590ebaa6f9f847ec5f38ed4fafc2de72589941fd20913c83c7576ae9787c31b97fe

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
648B

MD5
ae34d5e80fce6f8d6ae518cfb78bc67f

SHA1
8294c36830ef6a41c30f8989fd7b32bf6a28fd43

SHA256
6d8ed3e60f287ecfa6ec719f90e53b9d6446901ea572560c2f6182f0046fea72

SHA512
8e33aef842d861d34e09a6d78428e9aa305d23b26f6f0fcfe8db837190ba726a3c7fff7a3a9f9ecf0257f88d95b0c9da5607f65549422651429ce6d94487b80f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

Filesize
5KB

MD5
1536bb67d92e6e0a9263451ea8970ff2

SHA1
742a0c42c7417bb695c1962f662f10913b747e34

SHA256
d9dbc24e650ddad03597969d1f9eee7158313d8558f31b9d8a55b29e0343b72e

SHA512
43fe067e517aad5803bcece28bcff7acbdc7884b7d9c61658ae05f93e5bb9fc7b1e3b6e8dfcf2c4800dec6718e959b448aae9ff59e350ae007f17ac51b79c2ad

Download Submit
C:\Users\Admin\AppData\Local\Temp\ytool\yxTn1HUMOA3w5XJ.exe

Filesize
5.7MB

MD5
80ee4fc8c8911ab5194c2727cb0da67d

SHA1
7c23e1ed9af5f632129f949223142c3a3cdce865

SHA256
bdfa7b2ee186696d2496c442454ac391b7ef2964cb99c1b5c29cf52d82379071

SHA512
91c4f6ec66cd79d9d9f3d5f40988b2d4fd0bbe559f745c249a100a1a7b212248dea5b93095bc74422c3f16f1ba615fa742377e6f1e618efb5945d27af405f31b

Download Submit
C:\Users\Admin\AppData\Local\Temp\青璃江湖【2024】.exe

Filesize
18.1MB

MD5
2cce5463603a6edba9f1ae3be807a89f

SHA1
72ef6b744bcdd2e6b2ad5112d9796c63454a75d7

SHA256
4f31b6c9f9d7874edac1d8e1349820cbf2a2be26866d78e0ff01723fa21e8fe8

SHA512
0784649db7d1cafc48a5ee1e849863aebaffc1e47f8e437537aef6807c392071314a3ca62cad199c49c7949fd9db9dd0a4c38a149b742b0a9b42a37af2b51899

Download Submit
memory/4012-39-0x0000000004B50000-0x0000000004B51000-memory.dmp

Filesize
4KB

Download
memory/4012-47-0x00000000005F0000-0x000000000262C000-memory.dmp

Filesize
32.2MB

Download
memory/4012-42-0x0000000004BA0000-0x0000000004BA1000-memory.dmp

Filesize
4KB

Download
memory/4012-41-0x0000000004B90000-0x0000000004B91000-memory.dmp

Filesize
4KB

Download
memory/4012-44-0x0000000004BC0000-0x0000000004BC1000-memory.dmp

Filesize
4KB

Download
memory/4012-43-0x0000000004BB0000-0x0000000004BB1000-memory.dmp

Filesize
4KB

Download
memory/4012-45-0x0000000004BD0000-0x0000000004BD1000-memory.dmp

Filesize
4KB

Download
memory/4012-40-0x0000000004B60000-0x0000000004B61000-memory.dmp

Filesize
4KB

Download
memory/4012-46-0x00000000005F0000-0x000000000262C000-memory.dmp

Filesize
32.2MB

Download
memory/4012-38-0x0000000004B40000-0x0000000004B41000-memory.dmp

Filesize
4KB

Download
memory/4012-37-0x00000000005F0000-0x000000000262C000-memory.dmp

Filesize
32.2MB

Download
memory/4012-223-0x00000000005F0000-0x000000000262C000-memory.dmp

Filesize
32.2MB

Download
memory/4012-224-0x0000000010000000-0x00000000101BB000-memory.dmp

Filesize
1.7MB

Download
memory/4012-228-0x00000000005F0000-0x000000000262C000-memory.dmp

Filesize
32.2MB

Download