Analysis

  • max time kernel
    120s
  • max time network
    124s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    14-05-2024 18:46

General

  • Target

    2024-05-14_06dc28c7414d3050464c253652e8cb7d_magniber_revil.exe

  • Size

    18.5MB

  • MD5

    06dc28c7414d3050464c253652e8cb7d

  • SHA1

    072f770bebce12387eebf2e9096d186cfdb87cda

  • SHA256

    5c46aec4468bcd0f358054adcee783eab587ba5017b1edee8881b78904623e35

  • SHA512

    75018a2101fd20b8275d27884d1c34c8816415865cfdf81d635237b2a25b67409ed42857533d8a8dbc6fe3e7a5de30b62ea797e38454ba383a23d63db43b3878

  • SSDEEP

    393216:H+Rf4UdVEy9qMBNLtl+H3orJHXSPyQeEeov42xZzKMsZWrEcbLXoE8yS2R5J:Uf4UdVEy9qMBNW4rJ3SPDV423kZfgP8A

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 2 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the Master Boot Record (the first 512-byte sector of the disk, which legacy BIOS firmware loads and executes before any operating system code runs) to gain persistence at a level below the operating system. A direct write to sector 0 of the physical disk by a user-mode process is therefore worth treating as a high-confidence indicator on its own.

  • Program crash 1 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
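For triage of the "Writes to the Master Boot Record" signature, a practitioner usually wants to confirm what actually changed in sector 0. The following is an added example, not code from the report or the sandbox: it parses a 512-byte MBR (bootstrap code, disk signature, partition table, 0x55AA boot signature) and diffs it against a known-good baseline sector. The two sample sectors are constructed inline so the script runs offline; on a real host you would read the first 512 bytes of the physical drive (for example `\\.\PhysicalDrive0` on Windows, with administrative rights) and a baseline captured before infection.

```python
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIG = b"\x55\xAA"
PART_ENTRY = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count


def build_sample_mbr(bootstrap: bytes) -> bytes:
    """Build a constructed 512-byte MBR for demonstration: the given bootstrap
    code padded with NOPs, one bootable NTFS (0x07) partition, and 0x55AA."""
    if len(bootstrap) > 440:
        raise ValueError("bootstrap area is 440 bytes")
    code = bootstrap.ljust(440, b"\x90")
    disk_signature = b"\x12\x34\x56\x78"        # arbitrary 4-byte disk signature
    reserved = b"\x00\x00"
    entry = struct.pack(PART_ENTRY, 0x80, b"\x20\x21\x00", 0x07,
                        b"\xFE\xFF\xFF", 2048, 204800)
    table = entry + b"\x00" * (16 * 3)          # three unused entries
    mbr = code + disk_signature + reserved + table + BOOT_SIG
    assert len(mbr) == SECTOR_SIZE
    return mbr


def parse_mbr(sector: bytes) -> dict:
    """Split an MBR into its fields and hash the bootstrap code region."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    partitions = []
    for i in range(4):
        off = 446 + 16 * i
        status, _, ptype, _, lba, count = struct.unpack(PART_ENTRY, sector[off:off + 16])
        if ptype != 0:                           # type 0 means an empty slot
            partitions.append({"index": i, "bootable": status == 0x80,
                               "type": ptype, "lba_start": lba, "sectors": count})
    return {
        "bootstrap_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": sector[440:444].hex(),
        "partitions": partitions,
        "boot_signature_ok": sector[510:512] == BOOT_SIG,
    }


def check_mbr(sector: bytes, baseline: bytes) -> list:
    """Return a list of findings describing how `sector` deviates from `baseline`."""
    cur, ref = parse_mbr(sector), parse_mbr(baseline)
    findings = []
    if not cur["boot_signature_ok"]:
        findings.append("boot signature 0x55AA missing")
    if cur["bootstrap_sha256"] != ref["bootstrap_sha256"]:
        findings.append("bootstrap code differs from baseline")
    if cur["partitions"] != ref["partitions"]:
        findings.append("partition table differs from baseline")
    if cur["disk_signature"] != ref["disk_signature"]:
        findings.append("disk signature differs from baseline")
    return findings


# Constructed samples: a clean sector with a typical BIOS boot stub prologue
# (cli / xor ax,ax / mov ss,ax / mov sp,0x7C00) and a tampered sector whose
# bootstrap area was replaced with a self-loop plus an arbitrary payload.
CLEAN_MBR = build_sample_mbr(b"\xFA\x33\xC0\x8E\xD0\xBC\x00\x7C")
TAMPERED_MBR = build_sample_mbr(b"\xEB\xFE" + b"custom payload")


def read_mbr(device_path: str) -> bytes:
    """Read sector 0 from a raw device or disk image (needs admin/root on a live host)."""
    with open(device_path, "rb") as fh:
        return fh.read(SECTOR_SIZE)


if __name__ == "__main__":
    print("clean vs clean   :", check_mbr(CLEAN_MBR, CLEAN_MBR))
    print("tampered vs clean:", check_mbr(TAMPERED_MBR, CLEAN_MBR))
    print("partitions       :", parse_mbr(CLEAN_MBR)["partitions"])
```

The bootstrap-code hash is the field that matters for this signature: ransomware that overwrites the MBR typically leaves the partition table intact so the disk still looks valid to tooling, while the first 440 bytes now hold its own loader. Compare that hash against a baseline captured from a clean image rather than against a single expected value, since legitimate boot managers also vary the bootstrap region.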

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-14_06dc28c7414d3050464c253652e8cb7d_magniber_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-14_06dc28c7414d3050464c253652e8cb7d_magniber_revil.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Suspicious use of WriteProcessMemory
    PID:1312
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 1312 -s 824
      2⤵
      • Program crash
      PID:2300

Network

MITRE ATT&CK Enterprise v15

Downloads

  • \Users\Admin\AppData\Local\Temp\netul.dll

    Filesize

    1.9MB

    MD5

    991f7dfe5115467b72de04d4ddeb6bac

    SHA1

    f31d9541d896955e1bcf48e01b68fc3374501998

    SHA256

    210ab11ab262d146ba4a8b1621668c5508f2e97d31788a1ec6474e5947479354

    SHA512

    52bc896a261534bb47b7c1342b2809d86288dbf07b08d344646a3719ab25e3e37c34adb9c7b2139f6518d56b528b73a500451c5948307a58dcfecdc0d2b2b9a4

  • \Users\Admin\AppData\Local\Temp\{DB31F3B8-4C28-4801-B121-AD49419CF67C}.tmp\7z.dll

    Filesize

    1.1MB

    MD5

    ea58ab20340cd1a4beeb1fe85bc09c9a

    SHA1

    0783d18e3ccc9faad51269c132d8fb559a2f83d2

    SHA256

    cfdd08f5fc342b4e4aa3c515d318307351be752cc79a6818dbb986cddac47d6d

    SHA512

    6f83ba8db59d8228f961f86364f1d4658e2f4b3773d0a8094f1f95eb635b68e08487a7286497de644a0c3ee83908ccc00e21048483f620ca86b30cfeba41b553

  • memory/1312-17-0x00000000002E0000-0x00000000002E1000-memory.dmp

    Filesize

    4KB