68b9c467c6e941a16c612896a4e5fc70a8ae504c215dee9c1e7c2cf00d04901b

General

Target

2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
Size

14.1MB
MD5

3f933bdc452d740ce982e66d1baca69a
SHA1

edb3877b8f9afa81ce25d3b7150976e26a7e5d33
SHA256

68b9c467c6e941a16c612896a4e5fc70a8ae504c215dee9c1e7c2cf00d04901b
SHA512

d7efe24976b9022f5f4e3086235e71ff8d0b21cf7e3c2da7bed6fc5d4acd389547f2fd7b2eabe977011abcf39f53c823a33387675bba043cbf0b6f9f9fd4ddab
SSDEEP

196608:t2AXJmUuWjP7bSyUp2zcsN4MtPvqO67O+Dyu2py5gVRFO3zjpP/2ZrqN0ESzy4Ay:tq03d8O67vHYRFO3z1POZrqNCy4Afpgn

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

Processes:

Adaware_PC_Cleaner_Installer.exe

pid process

1768 Adaware_PC_Cleaner_Installer.exe
Loads dropped DLL 3 IoCs

Processes:

regsvr32.exe2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exeDllHost.exe

pid process

864 regsvr32.exe
1496 2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
552 DllHost.exe

pid	process
1768	Adaware_PC_Cleaner_Installer.exe

pid	process
864	regsvr32.exe
1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
552	DllHost.exe

Modifies registry class 64 IoCs

Processes:

regsvr32.exeAdaware_PC_Cleaner_Installer.exe2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{49DE5849-B216-4BD0-A4A7-F84C30D6824D}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3584E70F-0B0D-4F5E-9E9F-8106DBA7616F}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83175151-C503-4B5C-8F80-70CCDAF09877}\ = "IStartItemModule"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5687C2E-DF3A-47B8-AAC4-C67010F566FC}	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16DA0ED2-8CE0-4D9D-B154-2B8C042DC38B}\AppID = "{D8770326-6F07-4DFF-A3C2-F453500A253A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61D835C-0012-44E5-84F0-D8E61DE2A10E}\TypeLib\ = "{DD1AD781-1AC2-4D46-ACA3-A59F1A502BDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5EA6233C-BADC-45C9-A3AD-2C0137351069}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE5D85B5-FE9E-4BFD-86A2-8DC58BEDCC22}\TypeLib\ = "{DD1AD781-1AC2-4D46-ACA3-A59F1A502BDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{3465F123-4E8C-4720-8A82-E3393DB33BFE}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83175151-C503-4B5C-8F80-70CCDAF09877}\ = "IStartItemModule"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E973472-C905-4967-BBC4-1316EB28FC0A}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{5EA6233C-BADC-45C9-A3AD-2C0137351069}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E973472-C905-4967-BBC4-1316EB28FC0A}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{E61D835C-0012-44E5-84F0-D8E61DE2A10E}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83175151-C503-4B5C-8F80-70CCDAF09877}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{83175151-C503-4B5C-8F80-70CCDAF09877}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A78AD12A-D8E9-4E39-A428-494173373160}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{C11C58CC-0598-4CE8-9078-395DE9632A93}\ = "IStartDataStruct"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{28436658-504D-4481-A159-3E5A6605EC4C}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8DB8242-FD72-40E3-B505-780F0CADE8B0}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC9A73D4-2F97-42E2-BAF3-FDC15EB4BA22}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{5EA6233C-BADC-45C9-A3AD-2C0137351069}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52B5A5CE-BEBB-4CA8-AF25-C319918EA896}\InprocServer32\ = "C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Statistics.dll"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD76A28B-DD85-4BEC-963F-7F7941717973}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{446563B6-7BC8-48FD-84B8-94234EA0FF54}\VersionIndependentProgID	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC9A73D4-2F97-42E2-BAF3-FDC15EB4BA22}\TypeLib\ = "{DD1AD781-1AC2-4D46-ACA3-A59F1A502BDD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD76A28B-DD85-4BEC-963F-7F7941717973}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52B5A5CE-BEBB-4CA8-AF25-C319918EA896}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\ = "{9083194A-939D-43BF-84C8-263F30EB2E93}"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD76A28B-DD85-4BEC-963F-7F7941717973}\ = "InstallItemModule3_1 Class"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{EE105714-A6AA-4DEF-8CF2-E87BB8D93726}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{446563B6-7BC8-48FD-84B8-94234EA0FF54}	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF163502-EFF1-45C6-90F0-B4072D6DEA15}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{D59CF48A-D44E-422E-8CAB-C81A14988684}\TypeLib\ = "{DD1AD781-1AC2-4D46-ACA3-A59F1A502BDD}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BE5D85B5-FE9E-4BFD-86A2-8DC58BEDCC22}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Adaware_PC_Cleaner_Installer.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{CA9235E4-C44A-46E9-AD55-C99A1AF38851}\Version	regsvr32.exe
Key deleted	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD76A28B-DD85-4BEC-963F-7F7941717973}\InprocServer32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{DD1AD781-1AC2-4D46-ACA3-A59F1A502BDD}\1.0\0\win32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{B01B955B-6142-46B6-978D-665F13956959}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A5687C2E-DF3A-47B8-AAC4-C67010F566FC}\TypeLib\ = "{DD1AD781-1AC2-4D46-ACA3-A59F1A502BDD}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{E5B411A4-C2E9-4302-876A-EBD317AF2E81}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83175151-C503-4B5C-8F80-70CCDAF09877}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{83175151-C503-4B5C-8F80-70CCDAF09877}\TypeLib\Version = "1.0"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{BE5D85B5-FE9E-4BFD-86A2-8DC58BEDCC22}\ProxyStubClsid32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9737F69-AB4A-44A6-A584-406245B6525D}\AppID = "{D8770326-6F07-4DFF-A3C2-F453500A253A}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16DA0ED2-8CE0-4D9D-B154-2B8C042DC38B}	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{52B5A5CE-BEBB-4CA8-AF25-C319918EA896}\AppID = "{D8770326-6F07-4DFF-A3C2-F453500A253A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{446563B6-7BC8-48FD-84B8-94234EA0FF54}\AppID = "{D8770326-6F07-4DFF-A3C2-F453500A253A}"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{DC9A73D4-2F97-42E2-BAF3-FDC15EB4BA22}\ = "IGeoIP"	regsvr32.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{7E973472-C905-4967-BBC4-1316EB28FC0A}\InprocServer32	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{E9737F69-AB4A-44A6-A584-406245B6525D}\ = "GeoIpStruct Class"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{16DA0ED2-8CE0-4D9D-B154-2B8C042DC38B}\InprocServer32\ThreadingModel = "Apartment"	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{A8DB8242-FD72-40E3-B505-780F0CADE8B0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A78AD12A-D8E9-4E39-A428-494173373160}\TypeLib	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{A8DB8242-FD72-40E3-B505-780F0CADE8B0}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{51B44E8D-6850-497C-A4AF-49C26AC667F0}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{3584E70F-0B0D-4F5E-9E9F-8106DBA7616F}\ProxyStubClsid32	regsvr32.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4FE5B912-1EE4-42D8-BEF8-08815A2B6726}\TypeLib	regsvr32.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\Interface\{BF163502-EFF1-45C6-90F0-B4072D6DEA15}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	regsvr32.exe

Modifies system certificate store 2 TTPs 5 IoCs

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d42000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd942000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 0400000001000000100000004be2c99196650cf40e5a9392a00afeb20f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd94090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b06010505070308530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b0601050507030762000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3390b000000010000001800000045006e00740072007500730074002e006e006500740000001400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab1d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d347e000000010000000800000000c001b39667d6010300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d4190000000100000010000000fa46ce7cbb85cfb4310075313a09ee052000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\8CF427FD790C3AD166068DE81E57EFBB932272D4\Blob = 5c000000010000000400000000080000190000000100000010000000fa46ce7cbb85cfb4310075313a09ee050300000001000000140000008cf427fd790c3ad166068de81e57efbb932272d47e000000010000000800000000c001b39667d6011d0000000100000010000000521b5f4582c1dcaae381b05e37ca2d341400000001000000140000006a72267ad01eef7de73b6951d46c8d9f901266ab0b000000010000001800000045006e00740072007500730074002e006e0065007400000062000000010000002000000043df5774b03e7fef5fe40d931a7bedf1bb2e6b42738c4e6d3841103d3aa7f3397f000000010000002c000000302a060a2b0601040182370a030406082b0601050507030506082b0601050507030606082b06010505070307530000000100000041000000303f3020060a6086480186fa6c0a010230123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f0000000100000020000000fde5f2d9ce2026e1e10064c0a468c9f355b90acf85baf5ce6f52d4016837fd940400000001000000100000004be2c99196650cf40e5a9392a00afeb22000000001000000420400003082043e30820326a00302010202044a538c28300d06092a864886f70d01010b05003081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d204732301e170d3039303730373137323535345a170d3330313230373137353535345a3081be310b300906035504061302555331163014060355040a130d456e74727573742c20496e632e31283026060355040b131f536565207777772e656e74727573742e6e65742f6c6567616c2d7465726d7331393037060355040b1330286329203230303920456e74727573742c20496e632e202d20666f7220617574686f72697a656420757365206f6e6c793132303006035504031329456e747275737420526f6f742043657274696669636174696f6e20417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100ba84b672db9e0c6be299e93001a776ea32b895411ac9da614e5872cffef68279bf7361060aa527d8b35fd3454e1c72d64e32f2728a0ff78319d06a808000451eb0c7e79abf1257271ca3682f0a87bd6a6b0e5e65f31c77d5d4858d7021b4b332e78ba2d5863902b1b8d247cee4c949c43ba7defb547d57bef0e86ec279b23a0b55e250981632135c2f7856c1c294b3f25ae4279a9f24d7c6ecd09b2582e3ccc2c445c58c977a066b2a119fa90a6e483b6fdbd4111942f78f07bff5535f9c3ef4172ce669ac4e324c6277eab7e8e5bb34bc198bae9c51e7b77eb553b13322e56dcf703c1afae29b67b683f48da5af624c4de058ac64341203f8b68d946324a4710203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e041604146a72267ad01eef7de73b6951d46c8d9f901266ab300d06092a864886f70d01010b05000382010100799f1d96c6b6793f228d87d3870304606a6b9a2e59897311ac43d1f513ff8d392bc0f2bd4f708ca92fea17c40b549ed41b9698333ca8ad62a20076ab59696e061d7ec4b9448d98af12d461db0a194647f3ebf763c1400540a5d2b7f4b59a36bfa98876880455042b9c877f1a373c7e2da51ad8d4895ecabdac3d6cd86dafd5f3760fcd3b8838229d6c939ac43dbf821b653fa60f5daafce5b215cab5adc6bc3dd084e8ea0672b04d393278bf3e119c0ba49d9a21f3f09b0b3078dbc1dc8743febc639acac5c21cc9c78dff3b125808e6b63dec7a2c4efb8396ce0c3c69875473a473c293ff5110ac155401d8fc05b189a17f74839a49d7dc4e7b8a486f8b45f6	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

pid process

1496 2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
1496 2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

pid process

1496 2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
1496 2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

pid	process
1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

pid	process
1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

Suspicious use of WriteProcessMemory 6 IoCs

Processes:

2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe

description	pid	process	target process
PID 1496 wrote to memory of 864	1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe	regsvr32.exe
PID 1496 wrote to memory of 864	1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe	regsvr32.exe
PID 1496 wrote to memory of 864	1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe	regsvr32.exe
PID 1496 wrote to memory of 1768	1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe	Adaware_PC_Cleaner_Installer.exe
PID 1496 wrote to memory of 1768	1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe	Adaware_PC_Cleaner_Installer.exe
PID 1496 wrote to memory of 1768	1496	2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe	Adaware_PC_Cleaner_Installer.exe

C:\Users\Admin\AppData\Local\Temp\2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-05-20_3f933bdc452d740ce982e66d1baca69a_magniber_revil.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\regsvr32.exe
regsvr32.exe /s "C:\ProgramData\Adaware PC Cleaner\Installation\Statistics.dll"
2⤵
- Loads dropped DLL
- Modifies registry class
PID:864

C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe
"C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe" /RegServer
2⤵
- Executes dropped EXE
- Modifies registry class
PID:1768

C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{D8770326-6F07-4DFF-A3C2-F453500A253A}
1⤵
- Loads dropped DLL
PID:552

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4136 --field-trial-handle=2692,i,8678872182442199182,12502579059484928042,262144 --variations-seed-version /prefetch:8
1⤵
PID:2772

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe

Filesize
14.1MB

MD5
3f933bdc452d740ce982e66d1baca69a

SHA1
edb3877b8f9afa81ce25d3b7150976e26a7e5d33

SHA256
68b9c467c6e941a16c612896a4e5fc70a8ae504c215dee9c1e7c2cf00d04901b

SHA512
d7efe24976b9022f5f4e3086235e71ff8d0b21cf7e3c2da7bed6fc5d4acd389547f2fd7b2eabe977011abcf39f53c823a33387675bba043cbf0b6f9f9fd4ddab

Download Submit
C:\ProgramData\Adaware PC Cleaner\Installation\Statistics.dll

Filesize
1.8MB

MD5
bfb79575829d398f4bfb0a4e870178bf

SHA1
e44237a29d9be3df80c53c6e3e7b9506f18440df

SHA256
72ab023cb047cda8478394c7f3eaf1f89d56e2ac9ac4ba1934f7cc40ab0f323e

SHA512
9191582bd2fa75dd2470a589fd42af4535bbde844ab102bf05e6cf5cef498ee9c48211ac2bce01e597e6a6e0f48a4ee096f591e4d8db6b9ca5197a560673b05a

Download Submit

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads