143cc091b13e22737efb089dc1e9c6101d0aaa4dfd2617d01d37389f42d7ac81

Analysis

max time kernel
37s
max time network
37s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
05/04/2024, 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
Size

24.3MB
MD5

f1e3325bece9c6cb68ef684d4061e6ea
SHA1

ac5a013e0afa6cb0e049eee8a4c5830088218822
SHA256

143cc091b13e22737efb089dc1e9c6101d0aaa4dfd2617d01d37389f42d7ac81
SHA512

15e1404adf31f39ee923c4c4869ff9e91ef7fc5ffa6253d1170cdb6e60a7c5309881f0144f83803a2e4980d3c9680dace12831fc7d04172cbbb958cc82ee7b78
SSDEEP

196608:cP0Hj6JigboXZDwqY8a/qVwsEXX1KOgCu3JK1Op3H2SAmGcWqnlv018d:cPboGX8a/jWWu3cI2D/cWcls1

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 17 IoCs

pid	Process
4508	alg.exe
5104	DiagnosticsHub.StandardCollector.Service.exe
4592	fxssvc.exe
2016	elevation_service.exe
1096	elevation_service.exe
3424	maintenanceservice.exe
3132	msdtc.exe
1176	OSE.EXE
4472	PerceptionSimulationService.exe
3956	perfhost.exe
2068	locator.exe
4620	SensorDataService.exe
4312	snmptrap.exe
4748	spectrum.exe
2056	ssh-agent.exe
1724	TieringEngineService.exe
2924	AgentService.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\System32\alg.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\spectrum.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AppVClient.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\SysWow64\perfhost.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\SgrmBroker.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\OpenSSH\ssh-agent.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\TieringEngineService.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\AgentService.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Roaming\60461d1912d07ad8.bin	alg.exe
File opened for modification	C:\Windows\system32\dllhost.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\msiexec.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\MSDtc\MSDTC.LOG	msdtc.exe
File opened for modification	C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\SensorDataService.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\fxssvc.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\msdtc.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\system32\locator.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\System32\snmptrap.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File created	C:\Program Files (x86)\Mozilla Maintenance Service\logs\maintenanceservice.log	maintenanceservice.exe
File opened for modification	\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Microsoft.Net\Framework64\v3.0\WPF\PresentationFontCache.exe	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
File opened for modification	C:\Windows\DtcInstall.log	msdtc.exe

Checks SCSI registry key(s) 3 TTPs 64 IoCs

SCSI information is often read in order to detect sandboxing environments.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\FriendlyName	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{78c34fc8-104a-4aca-9ea4-524d52996e57}\005A	spectrum.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\FriendlyName	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{51236583-0c4a-4fe8-b81f-166aec13f510}\007A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002\Properties\{540b947e-8b40-45bc-a8a2-6a0b894cbda2}\0009	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{8c7ed206-3f8a-4827-b3ab-ae9e1faefc6c}\0004	SensorDataService.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000001\Properties\{b725f130-47ef-101a-a5f1-02608c9eebac}\000A	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_Msft&Prod_Virtual_DVD-ROM\2&1f4adffe&0&000002	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\CdRom&Ven_DADY&Prod_DADY_DVD-ROM\4&215468a5&0&010000\Properties\{259abffc-50a7-47ce-af08-68c9a7d73366}\000C	spectrum.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Enum\SCSI\Disk&Ven_DADY&Prod_HARDDISK\4&215468a5&0&000000\Properties\{cf73bb51-3abf-44a2-85e0-9a3dc7a12132}\0006	spectrum.exe

Modifies data under HKEY_USERS 5 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1130 = "Microsoft Modem Device Provider"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1134 = "Microsoft Routing Extension"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1131 = "Route through e-mail"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1132 = "Store in a folder"	fxssvc.exe
Set value (str)	\REGISTRY\USER\.DEFAULT\Software\Classes\Local Settings\MuiCache\22\52C64B7E\@fxsresm.dll,-1133 = "Print"	fxssvc.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	540	2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
Token: SeAuditPrivilege	4592	fxssvc.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-05_f1e3325bece9c6cb68ef684d4061e6ea_magniber_revil_zxxz.exe"
1⤵
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:540

C:\Windows\System32\alg.exe
C:\Windows\System32\alg.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
PID:4508

C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
1⤵
- Executes dropped EXE
PID:5104

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
1⤵
PID:4568

C:\Windows\system32\fxssvc.exe
C:\Windows\system32\fxssvc.exe
1⤵
- Executes dropped EXE
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:4592

C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:2016

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:1096

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
- Drops file in Program Files directory
PID:3424

C:\Windows\System32\msdtc.exe
C:\Windows\System32\msdtc.exe
1⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
PID:3132

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1176

C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
C:\Windows\system32\PerceptionSimulation\PerceptionSimulationService.exe
1⤵
- Executes dropped EXE
PID:4472

C:\Windows\SysWow64\perfhost.exe
C:\Windows\SysWow64\perfhost.exe
1⤵
- Executes dropped EXE
PID:3956

C:\Windows\system32\locator.exe
C:\Windows\system32\locator.exe
1⤵
- Executes dropped EXE
PID:2068

C:\Windows\System32\SensorDataService.exe
C:\Windows\System32\SensorDataService.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4620

C:\Windows\System32\snmptrap.exe
C:\Windows\System32\snmptrap.exe
1⤵
- Executes dropped EXE
PID:4312

C:\Windows\system32\spectrum.exe
C:\Windows\system32\spectrum.exe
1⤵
- Executes dropped EXE
- Checks SCSI registry key(s)
PID:4748

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:2056

C:\Windows\system32\svchost.exe
C:\Windows\system32\svchost.exe -k LocalService -p -s SharedRealitySvc
1⤵
PID:1460

C:\Windows\system32\TieringEngineService.exe
C:\Windows\system32\TieringEngineService.exe
1⤵
- Executes dropped EXE
PID:1724

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
abc0c378fef6cbf1a66ce773569d0fa8

SHA1
ebe2307f3df64bf39a22ddc533f23a815a0173fc

SHA256
677722f45186c0344d76fb2af16e27be485d41f96f2b993c4708ee0eadd01539

SHA512
8d1def1f50b839b4d7032152c6278eefbd169356536da037cc2630679d03b8c469c9cc293aebba50f72fe4a998e057a5b8c7d2dbc61d5e10a04fd5f4bb4d613b

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
781KB

MD5
31f6f0769e756259c33eec775fbd2204

SHA1
0fc6c7dbf242a325289012a6e82ce19835e924d8

SHA256
eaa4788539dcf26876a90a420915ed1baa7491b89114ef63a315bbbb3c02dd99

SHA512
4e048f870cad711f1574e6b0928a1c4f44bb61b05bcd0ed9b06e6554f626cded45c76c431fe3a11567ebf5763ccc5d65649ad2d9bd8f17276f4b078e571b26e9

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
805KB

MD5
7eebbf528b1154082d7335177e10f847

SHA1
ece3fcccf239886925d86b5bd3cacce64ebc0612

SHA256
d1615d257293956bbb619c7bf3a8de8db6817f664ac2f91346877838b3eb2c6a

SHA512
8c879977ea35f020f5995068c4997d8ad976d6d0d73694011974721deb8f138c70f994cce4faeddc808f29797063c7a97648ec24002b50e5881dda20fce93e11

Download Submit
C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

Filesize
2.1MB

MD5
7039294ee599dba5540b1ff525e5963b

SHA1
557bcb2bb2bd444c1804ca7553a9341b49cca481

SHA256
5fb63dd609c0577324982bbd2feb3e3b4994105daafbf4c083e9ac3114f5dfa6

SHA512
dc100edf1c45879959755d6213da900569de26cfd292b8e9dc4588cff54e86c6d7cb174b5e857765d3981957c30f0443bd4c7b0d30d11fb8e1f5f259c02b43c0

Download Submit
C:\Windows\SysWOW64\perfhost.exe

Filesize
588KB

MD5
b615835291c7ef305612ad152abf8b0b

SHA1
f6c6b61e415be22233f747e091fdbd5bb2aa9bef

SHA256
e104656ea61bf7c51c24d91c18a540805a47530b4a527466d67e6b93bc12ce7d

SHA512
77a9fcbb9bc0a9cd45b977b72f833c02d1211d300cf6a42ba28781c2635bebc6bd0c7a1df0d3293ddde1c06d035863c8ba503add0470a3e49ec1cf773a7fdae4

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.6MB

MD5
3db90f0ba74da170ef5353213b9b24a4

SHA1
8d60db9653924a7f859eadb402f383eaae0665e1

SHA256
a51ae7421b0728a2b207c00998d8ff7bea807e9dc698470ad08f805295d0e3df

SHA512
782be16dd437959681648a961c21147e85379a1353bfc311c05c03dd322513efa3f17643d5f8cb8b6877928449cfd0ad3eee826247c8505d9b4fce918ab0240e

Download Submit
C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

Filesize
659KB

MD5
c0364bec7e3bb1adba41353e2e990f9b

SHA1
0f1ff486765caf55e8886e3cdcf9995181a087b8

SHA256
6da8bf319e5263dffda9600aa273de882eeae46c16f7bc363bc95070ed3b0cb3

SHA512
b742d2ec090d77401c5ecf3ce2bb80cdd085076419b6c7b2f64ce31a2bfd82a479b81e8109990f7b7da51a4031a51ebfd0dfb1c1d1f2aa6122c903466ddb8c92

Download Submit
C:\Windows\System32\FXSSVC.exe

Filesize
1.2MB

MD5
7e4081461b9b9664f9d6951c4d6a3bf1

SHA1
29769936de2ca15d789d15f7634a4c0350aca0b6

SHA256
caafef83dc18fc53f28428607b703e64d1f728a8204631378dce0c975acfc451

SHA512
8763080b2afea371a7dfaf7d0b4d8f02692e3d440c62e94bdb8da47aea309a81dd92d2f160a965c5c52fedf5b9b9d2d41cdf8fa50b83070a303029e26d7c70dd

Download Submit
C:\Windows\System32\Locator.exe

Filesize
578KB

MD5
431b7ae42ccd42829470bfbf12c8d5ae

SHA1
9c0df8f18f0b0875baea0421cfaa680d52e04910

SHA256
701c56ce2b8ed3da29cd22f7189d09ba91cc64d7eea98421398d91a84a9fb454

SHA512
8c62b05f23a8da26a08c2610f19eca73da2bd11968647ca15f064533a9fde70016233b3b0f6b2e9f2e9501221bf6160f4a3b72e6faff5ef39570bf1067b6440f

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
940KB

MD5
afbb0c5121673d43c13d30fb6feda058

SHA1
bd5c4c97c6d347dfeb12056a733c987b1ff615b4

SHA256
5a1cf5c51f0ecc68ddf756cae45b630f8970ddf03586cb38dae229e8002827c0

SHA512
6c1869836bee23a1d10890f9fc1bc525507344f16af4b7d75a0af6cfd921d8b995747ae2464f1bda71cfa3bceb1a72f65c1a2e4b39a99b721e535d01095af2a3

Download Submit
C:\Windows\System32\PerceptionSimulation\PerceptionSimulationService.exe

Filesize
671KB

MD5
3bcce9ad9b94c5def9aa238f0009fd17

SHA1
5c70a098eb651f79268065e226487ba0ff97ebd3

SHA256
d12fe85c2f0ea0c290081809cd5f1982b7c1ccadc9e520dcc474184e1031ad6f

SHA512
f558447cbdd562439f63bdd47558b411869e032d4d572a48238b077af758cfd023896cf51d9bb82e5b868ab9707e177fd457fda63884dbed7c50acb99f74fc7b

Download Submit
C:\Windows\System32\SensorDataService.exe

Filesize
1.8MB

MD5
48d207a500fddc94f17866d1fc0be4b1

SHA1
d673c250499de6fd4bdd4c6cb3c8c90934ef691f

SHA256
9a9fb998f28b9993da41005587a84f8f3e1db68e292489ce7574258c416068b9

SHA512
b12a31686b6fd4c83fbaef9e31f24621353a9c32773d7be3c781c65a10e87c1f2bc4573d70ec918e6d38bc081088168ceac748558b39ad12bd88f9c8c7943283

Download Submit
C:\Windows\System32\Spectrum.exe

Filesize
1.4MB

MD5
c96b169ce2d8d189c76e4e14f49c31cf

SHA1
49bfa4d5b355599fe8201f70a455c993d0bb6949

SHA256
a927cd04a72b4434f29eab0b2e6df237c5c130baeade2d90babef61535a19a87

SHA512
e11b5fdb034a88dac426ec1e22236e2365e2b870e2dcbfca87c6483f23cae75239e64d82b30814e937723c76ea018c40154e20d19fe938d3c2d1499f05ae7012

Download Submit
C:\Windows\System32\TieringEngineService.exe

Filesize
885KB

MD5
f7f6846cd23a8c2183b0eaada1f6ac5a

SHA1
27bb8815e61cb8d57588a50e7979f74596517b74

SHA256
f0a8dc35cac30d3db9f908fe85ac0c173c3ba5169fdc4220c06b835895c9d8f3

SHA512
883f4b5c9133c56a5f7e3779ad44b624652fbb1770457c83a521de41a58c556194777791c362d34f47f1ab7a96e0f873551a0b02bdbfac9317e3ff19ca9c8dd0

Download Submit
C:\Windows\System32\alg.exe

Filesize
661KB

MD5
2623922c76564dec05f7fdb8c9e059a4

SHA1
af7da13f8d8e56721cfbbde9b7bbde42731811ea

SHA256
17a0a093824e6fcb1a7b6a3a0863279f4e0b8e574549e991f9529a998a555cf5

SHA512
599ea9b8edfedeab631216e9b3393a068aa501df419ac7a0b472ff7a5cf1cadc3d587ff494a3909f04f469ac5b417fe5dc8588a390be9c26292eaf912db07f85

Download Submit
C:\Windows\System32\msdtc.exe

Filesize
712KB

MD5
0d780e57303079dadc8f4fb28d102701

SHA1
25dddcf08fd0379c335dd153d1fc85e057917495

SHA256
69dcd04198f1667f839ce7819236823f6e5edadbc61d4569b4e0f633580e99a2

SHA512
00dfbead637c0be88db8f4be2ab0359b110d8c121f6c098465efa89e60b144aff8ab81d8ff7dda78227d8877a3124dd6f624cdf3ce0c4df6a0cfef48e4980b6d

Download Submit
C:\Windows\System32\snmptrap.exe

Filesize
584KB

MD5
ff4e6dbfab87e7eb4543010b66349702

SHA1
07b55d99df1cc2aa4114655f662ba8d5bbb1c896

SHA256
c607339dfff2dc2fe8c9f743ec5d74975f45280b3af5ae283be0438ac951b828

SHA512
71d957f6576d932eb3abd5708b22b790e406318447b3ae034bcd54b5faf96db749946fbad31eea42655892c499a633126f15b0e08147d1307bcb0b35206fed34

Download Submit
memory/540-0-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/540-7-0x0000000003D90000-0x0000000003DF7000-memory.dmp

Filesize
412KB

Download
memory/540-67-0x0000000000400000-0x0000000001EFA000-memory.dmp

Filesize
27.0MB

Download
memory/540-6-0x0000000003D90000-0x0000000003DF7000-memory.dmp

Filesize
412KB

Download
memory/540-1-0x0000000003D90000-0x0000000003DF7000-memory.dmp

Filesize
412KB

Download
memory/1096-131-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1096-62-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1096-69-0x0000000140000000-0x000000014022B000-memory.dmp

Filesize
2.2MB

Download
memory/1096-71-0x00000000001A0000-0x0000000000200000-memory.dmp

Filesize
384KB

Download
memory/1176-173-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1176-114-0x00000000007C0000-0x0000000000820000-memory.dmp

Filesize
384KB

Download
memory/1176-107-0x0000000140000000-0x00000001400CF000-memory.dmp

Filesize
828KB

Download
memory/1724-207-0x0000000140000000-0x00000001400E2000-memory.dmp

Filesize
904KB

Download
memory/2016-58-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/2016-121-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2016-48-0x0000000140000000-0x0000000140237000-memory.dmp

Filesize
2.2MB

Download
memory/2056-194-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2056-200-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2056-216-0x0000000140000000-0x0000000140102000-memory.dmp

Filesize
1.0MB

Download
memory/2056-217-0x0000000000510000-0x0000000000570000-memory.dmp

Filesize
384KB

Download
memory/2068-147-0x0000000000700000-0x0000000000760000-memory.dmp

Filesize
384KB

Download
memory/2068-138-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2068-205-0x0000000140000000-0x0000000140095000-memory.dmp

Filesize
596KB

Download
memory/2924-228-0x0000000000BF0000-0x0000000000C50000-memory.dmp

Filesize
384KB

Download
memory/2924-221-0x0000000140000000-0x00000001401C0000-memory.dmp

Filesize
1.8MB

Download
memory/3132-100-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3132-96-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3132-165-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3132-159-0x0000000140000000-0x00000001400B9000-memory.dmp

Filesize
740KB

Download
memory/3132-92-0x0000000000800000-0x0000000000860000-memory.dmp

Filesize
384KB

Download
memory/3424-78-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3424-87-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3424-84-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3424-90-0x0000000140000000-0x00000001400CA000-memory.dmp

Filesize
808KB

Download
memory/3424-76-0x0000000000D20000-0x0000000000D80000-memory.dmp

Filesize
384KB

Download
memory/3956-137-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/3956-192-0x0000000000400000-0x0000000000497000-memory.dmp

Filesize
604KB

Download
memory/4312-167-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4312-214-0x0000000140000000-0x0000000140096000-memory.dmp

Filesize
600KB

Download
memory/4312-174-0x00000000006C0000-0x0000000000720000-memory.dmp

Filesize
384KB

Download
memory/4472-123-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4472-187-0x0000000140000000-0x00000001400AB000-memory.dmp

Filesize
684KB

Download
memory/4472-132-0x0000000000C00000-0x0000000000C60000-memory.dmp

Filesize
384KB

Download
memory/4508-13-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4508-75-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4508-12-0x0000000140000000-0x00000001400AA000-memory.dmp

Filesize
680KB

Download
memory/4508-19-0x0000000000750000-0x00000000007B0000-memory.dmp

Filesize
384KB

Download
memory/4592-43-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4592-37-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4592-55-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4592-52-0x0000000000CB0000-0x0000000000D10000-memory.dmp

Filesize
384KB

Download
memory/4592-36-0x0000000140000000-0x0000000140135000-memory.dmp

Filesize
1.2MB

Download
memory/4620-213-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4620-151-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-209-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-212-0x0000000140000000-0x00000001401D7000-memory.dmp

Filesize
1.8MB

Download
memory/4620-160-0x0000000000780000-0x00000000007E0000-memory.dmp

Filesize
384KB

Download
memory/4748-215-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/4748-188-0x0000000000720000-0x0000000000780000-memory.dmp

Filesize
384KB

Download
memory/4748-178-0x0000000140000000-0x0000000140169000-memory.dmp

Filesize
1.4MB

Download
memory/5104-32-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5104-26-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download
memory/5104-25-0x0000000000690000-0x00000000006F0000-memory.dmp

Filesize
384KB

Download
memory/5104-94-0x0000000140000000-0x00000001400A9000-memory.dmp

Filesize
676KB

Download