Analysis
Max time kernel: 119s
Max time network: 124s
Platform: windows7_x64
Resource: win7-20240221-en
Resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
Submitted: 25-04-2024 07:50
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe
Size: 16.3MB
MD5: a114f6b8e5bc2b1c61ec685e04939eb9
SHA1: 3325809cf00427ec4afd8a38b533ad8470a6645b
SHA256: 624f1b6120a37ab6e163e5db80d2d4098a705f91f0a50ad6779cabf9b0ca1dcb
SHA512: eb356c53707fa05fea9e0955dc15995806d53b70511901931837b6a5a2a1177e7c896c315089ed95660d33bd34101616ede6fd534aba463ce5baea8906102de8
SSDEEP: 196608:dNym2iBYGfsV3A+DyBQuEAbKqM+XYuqS4O7NADtV6v+AqL16bLMD+cpvJ/4H3nmb:dN4H3X28ZE7JqLobLMFgXnU7sElly
Malware Config
Signatures
- Looks for VirtualBox Guest Additions in registry (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions | DEoPqVQ29DrcO0u.exe
- Executes dropped EXE (2 IoCs)
  Processes:
  pid | process
  2824 | DEoPqVQ29DrcO0u.exe
  2552 | 无双江湖.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2224 | 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe (2 identical entries)
- Suspicious behavior: EnumeratesProcesses (22 IoCs)
  Processes:
  pid | process
  2824 | DEoPqVQ29DrcO0u.exe (20 identical entries)
  2552 | 无双江湖.exe (2 identical entries)
- Suspicious use of AdjustPrivilegeToken (5 IoCs)
  Processes:
  description | pid | process
  Token: SeShutdownPrivilege | 2824 | DEoPqVQ29DrcO0u.exe (5 identical entries)
- Suspicious use of FindShellTrayWindow (1 IoC)
  Processes:
  pid | process
  2824 | DEoPqVQ29DrcO0u.exe
- Suspicious use of SendNotifyMessage (1 IoC)
  Processes:
  pid | process
  2824 | DEoPqVQ29DrcO0u.exe
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  2552 | 无双江湖.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes:
  description | pid | process | target process
  PID 2224 wrote to memory of 2824 | 2224 | 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe | DEoPqVQ29DrcO0u.exe (4 identical entries)
  PID 2224 wrote to memory of 2552 | 2224 | 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe | 无双江湖.exe (4 identical entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe"
  Signatures:
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\ytool\DEoPqVQ29DrcO0u.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe"
    Signatures:
    - Looks for VirtualBox Guest Additions in registry
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
  - C:\Users\Admin\AppData\Local\Temp\无双江湖.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\无双江湖.exe"
    Signatures:
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
  Filesize: 258B
  MD5: 0d95e62b705954f6fd88fa6b63ea6f35
  SHA1: da0eb5150a37a791b9f33bb4ab18cab5204a9db4
  SHA256: d01c8dcf97b21566515990e517237c522d0d59bbbdcb44690f7696b6d5066bbc
  SHA512: be1cc13fd2b82f40d9960d3015a931cde62cbdf52dc1c80b14829c74bb7773a0f011b3763dfb4c4ab30c02499ee0a6444178ea10b8ad7a8104a99ff74536cc2f
- C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
  Filesize: 4KB
  MD5: 94563609c4890a143fdcf657e61347a4
  SHA1: d068aaaba18397eb9c2a425dada2f2ef9034ea24
  SHA256: 08fb7d455bb6b4c251b2661d80c2413ad734ef7f97ea021420b108b2e5cc0d40
  SHA512: abeb3b70718da413263e4027dac575758f64cddd91238dc25753e1ffbf70833e5c84ce5c99d6262c1e80db11bdd272e8beec8a757da90868477e91e3fac2f2b9
- \Users\Admin\AppData\Local\Temp\ytool\DEoPqVQ29DrcO0u.exe
  Filesize: 5.7MB
  MD5: 44003c6234aed9009e382d7b9d5bbc88
  SHA1: a70142a17509371bda137dda1eb07d29d2a83812
  SHA256: 69eabb2d00dcb1438d05ccafea1253e61990c88d9d6bfc42d51dfd3b99542764
  SHA512: 352db99135d68665984b6f97d5e0261bd7f6b4e760a2707825a5368430075dcb0ddad9f34952c27e9216713f4c772c2aeb7be9d457abfd843b02798360472048
- \Users\Admin\AppData\Local\Temp\无双江湖.exe
  Filesize: 7.6MB
  MD5: dad1b196efeb7ef1a847d9a74d8f5b13
  SHA1: 5bc704fe37e7d51df0c18c6b7e8f23f1272b4dee
  SHA256: 6146c9aa44c40f1a463f0a2b950a7287d4bbc2dea8b4ead52b763bbd5e3139bd
  SHA512: 5b5143c718db5018da48d859c3064837bd3c0944d4f9d77d6cada2ab824ea4457ede40d320db472e726e0113571166d283bec61008ca8ab55cebea4f7fe61906