624f1b6120a37ab6e163e5db80d2d4098a705f91f0a50ad6779cabf9b0ca1dcb

General

Target

2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe
Size

16.3MB
MD5

a114f6b8e5bc2b1c61ec685e04939eb9
SHA1

3325809cf00427ec4afd8a38b533ad8470a6645b
SHA256

624f1b6120a37ab6e163e5db80d2d4098a705f91f0a50ad6779cabf9b0ca1dcb
SHA512

eb356c53707fa05fea9e0955dc15995806d53b70511901931837b6a5a2a1177e7c896c315089ed95660d33bd34101616ede6fd534aba463ce5baea8906102de8
SSDEEP

196608:dNym2iBYGfsV3A+DyBQuEAbKqM+XYuqS4O7NADtV6v+AqL16bLMD+cpvJ/4H3nmb:dN4H3X28ZE7JqLobLMFgXnU7sElly

Score

9^/10

evasion

Malware Config

Signatures

Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

DEoPqVQ29DrcO0u.exe

description ioc process

Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions DEoPqVQ29DrcO0u.exe
Executes dropped EXE 2 IoCs

Processes:

DEoPqVQ29DrcO0u.exe无双江湖.exe

pid process

2824 DEoPqVQ29DrcO0u.exe
2552 无双江湖.exe
Loads dropped DLL 2 IoCs

Processes:

2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe

pid process

2224 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe
2224 2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions	DEoPqVQ29DrcO0u.exe

pid	process
2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe
2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe

Suspicious behavior: EnumeratesProcesses 22 IoCs

Processes:

DEoPqVQ29DrcO0u.exe无双江湖.exe

pid	process
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2824	DEoPqVQ29DrcO0u.exe
2552	无双江湖.exe
2552	无双江湖.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

DEoPqVQ29DrcO0u.exe

description	pid	process
Token: SeShutdownPrivilege	2824	DEoPqVQ29DrcO0u.exe
Token: SeShutdownPrivilege	2824	DEoPqVQ29DrcO0u.exe
Token: SeShutdownPrivilege	2824	DEoPqVQ29DrcO0u.exe
Token: SeShutdownPrivilege	2824	DEoPqVQ29DrcO0u.exe
Token: SeShutdownPrivilege	2824	DEoPqVQ29DrcO0u.exe

Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

DEoPqVQ29DrcO0u.exe

pid process

2824 DEoPqVQ29DrcO0u.exe
Suspicious use of SendNotifyMessage 1 IoCs

Processes:

DEoPqVQ29DrcO0u.exe

pid process

2824 DEoPqVQ29DrcO0u.exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

无双江湖.exe

pid process

2552 无双江湖.exe

pid	process
2552	无双江湖.exe

Suspicious use of WriteProcessMemory 8 IoCs

Processes:

2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe

description	pid	process	target process
PID 2224 wrote to memory of 2824	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	DEoPqVQ29DrcO0u.exe
PID 2224 wrote to memory of 2824	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	DEoPqVQ29DrcO0u.exe
PID 2224 wrote to memory of 2824	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	DEoPqVQ29DrcO0u.exe
PID 2224 wrote to memory of 2824	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	DEoPqVQ29DrcO0u.exe
PID 2224 wrote to memory of 2552	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	无双江湖.exe
PID 2224 wrote to memory of 2552	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	无双江湖.exe
PID 2224 wrote to memory of 2552	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	无双江湖.exe
PID 2224 wrote to memory of 2552	2224	2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe	无双江湖.exe

C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2224

C:\Users\Admin\AppData\Local\Temp\ytool\DEoPqVQ29DrcO0u.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-04-25_a114f6b8e5bc2b1c61ec685e04939eb9_magniber_revil.exe"
2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2824

C:\Users\Admin\AppData\Local\Temp\无双江湖.exe
"C:\Users\Admin\AppData\Local\Temp\无双江湖.exe"
2⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:2552

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

1

T1497

Credential Access

Discovery

Query Registry

1

T1012

Virtualization/Sandbox Evasion

1

T1497

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
258B

MD5
0d95e62b705954f6fd88fa6b63ea6f35

SHA1
da0eb5150a37a791b9f33bb4ab18cab5204a9db4

SHA256
d01c8dcf97b21566515990e517237c522d0d59bbbdcb44690f7696b6d5066bbc

SHA512
be1cc13fd2b82f40d9960d3015a931cde62cbdf52dc1c80b14829c74bb7773a0f011b3763dfb4c4ab30c02499ee0a6444178ea10b8ad7a8104a99ff74536cc2f

Download Submit
C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log
Filesize
4KB

MD5
94563609c4890a143fdcf657e61347a4

SHA1
d068aaaba18397eb9c2a425dada2f2ef9034ea24

SHA256
08fb7d455bb6b4c251b2661d80c2413ad734ef7f97ea021420b108b2e5cc0d40

SHA512
abeb3b70718da413263e4027dac575758f64cddd91238dc25753e1ffbf70833e5c84ce5c99d6262c1e80db11bdd272e8beec8a757da90868477e91e3fac2f2b9

Download Submit
\Users\Admin\AppData\Local\Temp\ytool\DEoPqVQ29DrcO0u.exe
Filesize
5.7MB

MD5
44003c6234aed9009e382d7b9d5bbc88

SHA1
a70142a17509371bda137dda1eb07d29d2a83812

SHA256
69eabb2d00dcb1438d05ccafea1253e61990c88d9d6bfc42d51dfd3b99542764

SHA512
352db99135d68665984b6f97d5e0261bd7f6b4e760a2707825a5368430075dcb0ddad9f34952c27e9216713f4c772c2aeb7be9d457abfd843b02798360472048

Download Submit
\Users\Admin\AppData\Local\Temp\无双江湖.exe
Filesize
7.6MB

MD5
dad1b196efeb7ef1a847d9a74d8f5b13

SHA1
5bc704fe37e7d51df0c18c6b7e8f23f1272b4dee

SHA256
6146c9aa44c40f1a463f0a2b950a7287d4bbc2dea8b4ead52b763bbd5e3139bd

SHA512
5b5143c718db5018da48d859c3064837bd3c0944d4f9d77d6cada2ab824ea4457ede40d320db472e726e0113571166d283bec61008ca8ab55cebea4f7fe61906

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads