Overview

overview

10

Static

static

10

2024-04-30...il.exe

windows7-x64

7

2024-04-30...il.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    127s
  • max time network
    115s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240419-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240419-enlocale:en-usos:windows10-2004-x64system
  • submitted
    30-04-2024 11:53

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-04-30_9a2cea83f2fa842a1f0ec23f45304366_magniber_revil.exe

  • Size

    35.7MB

  • MD5

    9a2cea83f2fa842a1f0ec23f45304366

  • SHA1

    4dead163187bca6cda8cb5041d15105e2ea10d00

  • SHA256

    1d94c15cc7d2b3cc3bdd8422b2bb271eff00d07cf77ddcb0cb445ee751784cde

  • SHA512

    59b2823a9d9b1d63859eff6952ff4f02faae9467c808c94eac82be6a9dead60d33884f363ead26422cb4b1cd7f561e2364a40b9167847a8e7b4c44ce50d9c326

  • SSDEEP

    393216:4HUaysP+F1gBJ3gDjHbSaiAFStsZTBuSgCh9h8hAqsPZ/U0qIpWerqNNZifKl/hf:UUaa6BOLiATZgC2hAgZiG/s7g

Score
7/10
bootkitdiscoverypersistencespywarestealer

Malware Config

Signatures

  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry key 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious use of AdjustPrivilegeToken 9 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 8 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-30_9a2cea83f2fa842a1f0ec23f45304366_magniber_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-30_9a2cea83f2fa842a1f0ec23f45304366_magniber_revil.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks computer location settings
    • Checks system information in the registry
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:216
    • C:\Windows\SysWOW64\w32tm.exe
      w32tm /query /status /verbose
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3160
      • C:\Windows\system32\w32tm.exe
        w32tm /query /status /verbose
        3⤵
          PID:1912
      • C:\Windows\SysWOW64\reg.exe
        reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
        2⤵
        • Modifies registry key
        PID:1428

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
      Filesize

      512KB

      MD5

      0759c1f081374d15e722bd568e3cac13

      SHA1

      df3b1261d3588007c410eb74df117937a37d38d0

      SHA256

      9ce560b15ebdf797b55923ca668ef27f9b9c44e1cb82a1f787946d84e7fce610

      SHA512

      fc252531a2fc253a5576487ea9ee118228c63e0591698375a51a18d90e1902e339b4adf41cd6861b0b60b7f39cf20ddee61b26af3da308399382970e6af406cc

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
      Filesize

      14.0MB

      MD5

      3cd6f6b5ac495d00a3ccb6d7ffd0dcaf

      SHA1

      7f63532a677f445ff030012e59f0e2d3743b1d19

      SHA256

      b1dc197f41a930ed8cef7a20754fad7465b234e54229bf9820472669938ae6b5

      SHA512

      66fe40d64e6163bdc6b7ad9a62b98e1d12b1d1ca86c20d097a45133aa5779ed7df0f832b1863159be27ef31ef422d2984adde019c84d5722bc309f6584b8db36

      Download Submit

    • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm
      Filesize

      16KB

      MD5

      f61403ffe4ed69701c75c5bc1662f932

      SHA1

      f26c7e6640ee018b77a1b9a33b9ed75f09895530

      SHA256

      47b065c2c61e4619954ad53203811a918127e24e9df0820bdad45f6dacbaf8b2

      SHA512

      c6ea09a83132312ca408459bb131a3f385617d0d1b24f59008ac451cd7c4f94b13d6a2d4418b7dc90fe4dabbf51fcb418283fe497a30db3a7db2b776f77e32bd

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\gcapi_1714478058216.dll
      Filesize

      600KB

      MD5

      f637d5d3c3a60fddb5dd397556fe9b1d

      SHA1

      66f0c4f137870a9927400ea00facc00193ef21e3

      SHA256

      641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

      SHA512

      e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

      Download Submit

    • memory/216-43-0x000000000D600000-0x000000000D608000-memory.dmp

      Filesize

      32KB

      Download

    • memory/216-44-0x000000000D5F0000-0x000000000D5F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-6-0x0000000005570000-0x0000000005571000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-7-0x0000000005580000-0x0000000005581000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-4-0x0000000005550000-0x0000000005551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-17-0x000000000CA70000-0x000000000CA80000-memory.dmp

      Filesize

      64KB

      Download

    • memory/216-23-0x000000000CC10000-0x000000000CC20000-memory.dmp

      Filesize

      64KB

      Download

    • memory/216-41-0x000000000D760000-0x000000000D768000-memory.dmp

      Filesize

      32KB

      Download

    • memory/216-0-0x0000000000010000-0x0000000000011000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-5-0x0000000005560000-0x0000000005561000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-46-0x000000000D600000-0x000000000D608000-memory.dmp

      Filesize

      32KB

      Download

    • memory/216-49-0x000000000D5F0000-0x000000000D5F8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/216-52-0x000000000D5B0000-0x000000000D5B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-3-0x0000000003020000-0x0000000003021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-64-0x000000000D6A0000-0x000000000D6A8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/216-66-0x000000000D6E0000-0x000000000D6E8000-memory.dmp

      Filesize

      32KB

      Download

    • memory/216-69-0x000000000D5F0000-0x000000000D5F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-73-0x000000000D5B0000-0x000000000D5B1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-2-0x0000000000030000-0x0000000000031000-memory.dmp

      Filesize

      4KB

      Download

    • memory/216-1-0x0000000000020000-0x0000000000021000-memory.dmp

      Filesize

      4KB

      Download