Overview

overview

10

Static

static

3

2024-05-19...il.exe

windows7-x64

10

2024-05-19...il.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    149s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240426-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
  • submitted
    19-05-2024 06:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-05-19_6bbfea1a0d783a09f481f15ec81f54f5_mafia_magniber_revil.exe

  • Size

    9.5MB

  • MD5

    6bbfea1a0d783a09f481f15ec81f54f5

  • SHA1

    348b7a3cd4c9ccd21f7d435344922861fb25a150

  • SHA256

    34614d74c87dd35699a46b00c6bab995dc95efa1035704415e4affb4eba38949

  • SHA512

    e6a744d1646048a13286e99519936ad81f5ea1bfc5124050e9d74b346fbe22410a75d391f9c9f1ed7f76206d56ad9fac6c210a0c9d2f5fa4f5405f1deda324c7

  • SSDEEP

    196608:nF+DGhrXoxPHrz4RLfqqhqDF6xIlg6fjphjbtAwbBvuiM:nF+DGhrXoxPHrMRLfqqoDFpln7rbt

Score
10/10
banloaddownloaderdropperevasiontrojan

Malware Config

Signatures

  • Banload

    Banload variants download malicious files, then install and execute the files.

    trojandropperdownloaderbanload
  • Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
    evasion
  • Checks BIOS information in registry 2 TTPs 2 IoCs

    BIOS information is often read in order to detect sandboxing environments.

  • Suspicious use of SetThreadContext 64 IoCs
  • Program crash 8 IoCs
  • Modifies registry class 5 IoCs
  • Suspicious use of AdjustPrivilegeToken 4 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 5 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-05-19_6bbfea1a0d783a09f481f15ec81f54f5_mafia_magniber_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-05-19_6bbfea1a0d783a09f481f15ec81f54f5_mafia_magniber_revil.exe"
    1⤵
    • Suspicious use of SetThreadContext
    • Suspicious use of WriteProcessMemory
    PID:4240
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 544
      2⤵
      • Program crash
      PID:4620
    • C:\Users\Admin\AppData\Local\Temp\2024-05-19_6bbfea1a0d783a09f481f15ec81f54f5_mafia_magniber_revil.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-05-19_6bbfea1a0d783a09f481f15ec81f54f5_mafia_magniber_revil.exe"
      2⤵
      • Identifies VirtualBox via ACPI registry values (likely anti-VM)
      • Checks BIOS information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 556
        3⤵
        • Program crash
        PID:4796
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 688
        3⤵
        • Program crash
        PID:1532
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 856
        3⤵
        • Program crash
        PID:2780
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 876
        3⤵
        • Program crash
        PID:4268
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 876
        3⤵
        • Program crash
        PID:1160
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 3552 -s 932
        3⤵
        • Program crash
        PID:3988
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 4240 -s 700
      2⤵
      • Program crash
      PID:4816
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4240 -ip 4240
    1⤵
      PID:3436
    • C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -pss -s 480 -p 3552 -ip 3552
      1⤵
        PID:4552
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -pss -s 520 -p 4240 -ip 4240
        1⤵
          PID:5084
        • C:\Windows\SysWOW64\WerFault.exe
          C:\Windows\SysWOW64\WerFault.exe -pss -s 504 -p 3552 -ip 3552
          1⤵
            PID:2324
          • C:\Windows\SysWOW64\WerFault.exe
            C:\Windows\SysWOW64\WerFault.exe -pss -s 532 -p 3552 -ip 3552
            1⤵
              PID:3528
            • C:\Windows\SysWOW64\WerFault.exe
              C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3552 -ip 3552
              1⤵
                PID:4416
              • C:\Windows\SysWOW64\WerFault.exe
                C:\Windows\SysWOW64\WerFault.exe -pss -s 516 -p 3552 -ip 3552
                1⤵
                  PID:1012
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -pss -s 548 -p 3552 -ip 3552
                  1⤵
                    PID:964

                  Network

                  MITRE ATT&CK Enterprise v15

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • memory/3552-40-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-10-0x0000000004BF0000-0x0000000004DFD000-memory.dmp

                    Filesize

                    2.1MB

                    Download

                  • memory/3552-49-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-4-0x0000000004BF0000-0x0000000004DFD000-memory.dmp

                    Filesize

                    2.1MB

                    Download

                  • memory/3552-13-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-15-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-18-0x0000000004630000-0x0000000004650000-memory.dmp

                    Filesize

                    128KB

                    Download

                  • memory/3552-16-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-17-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-19-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-22-0x0000000004BF0000-0x0000000004DFD000-memory.dmp

                    Filesize

                    2.1MB

                    Download

                  • memory/3552-21-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-28-0x0000000004BF0000-0x0000000004DFD000-memory.dmp

                    Filesize

                    2.1MB

                    Download

                  • memory/3552-29-0x0000000004BF0000-0x0000000004DFD000-memory.dmp

                    Filesize

                    2.1MB

                    Download

                  • memory/3552-183-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-3-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-172-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-57-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-62-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-73-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-86-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-95-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-106-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-117-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-128-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-139-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-150-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/3552-159-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/4240-52-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download

                  • memory/4240-1-0x0000000000400000-0x00000000026C2000-memory.dmp

                    Filesize

                    34.8MB

                    Download