4a038637b9c02a0ea23529f697e17b59aae2c21f5da6f40b3b4f087bd5cb4a4b

Analysis

max time kernel
149s
max time network
121s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 09:44

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Size

37.3MB
MD5

66c907e326e00f4a9ea032eb15650418
SHA1

44bcdd545c1172b1e4b55395d316924302c36afb
SHA256

4a038637b9c02a0ea23529f697e17b59aae2c21f5da6f40b3b4f087bd5cb4a4b
SHA512

782ddf391849ff35d2d815a607917ac24c0725e49dbde4512f672914345e0ed55d776853c162cad15278b9334e4c306d18e5f9ff285300bc1627c2bbec9f4e8b
SSDEEP

393216:LisOkxjdjXrac47N6EfZnWcUeDQxB5WmAFuHrAFLVpsnIzVlrqNAw+AufUlBhSpX:Gp2j9XE7YcxaB5WDLjTZw+AuQBs7Gxq

Score

9^/10

bootkit discovery persistence spyware stealer

Malware Config

Signatures

Detects binaries (Windows and macOS) referencing many web browsers. Observed in information stealers. 2 IoCs

resource	yara_rule
behavioral1/memory/2972-10-0x0000000000010000-0x0000000002781000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers
behavioral1/memory/2972-142-0x0000000000010000-0x0000000002781000-memory.dmp	INDICATOR_SUSPICIOUS_Binary_References_Browsers

Detects executables containing SQL queries to confidential data stores. Observed in infostealers 2 IoCs

resource	yara_rule
behavioral1/memory/2972-10-0x0000000000010000-0x0000000002781000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore
behavioral1/memory/2972-142-0x0000000000010000-0x0000000002781000-memory.dmp	INDICATOR_SUSPICIOUS_EXE_SQLQuery_ConfidentialDataStore

Loads dropped DLL 2 IoCs

pid	Process
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\CCleaner Smart Cleaning = "\"C:\\Users\\Admin\\AppData\\Local\\Temp\\2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe\" /MONITOR"	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Checks for any installed AV software in registry 1 TTPs 16 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Avira\AntiVirus	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Avast Software\Avast	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Avast Software\Avast	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\Speedup	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Avira\AntiVir Desktop	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\SOFTWARE\Avira\AntiVirus	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Speedup	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\Speedup	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avast Software\Avast	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avira\AntiVir Desktop	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\Software\Wow6432Node\Avast Software\Avast	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\Software\Avast Software\Avast	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops desktop.ini file(s) 11 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\USLGY7LX\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\03PVXV8P\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\X7K1QVVO\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\5Z74IJYR\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2Y8NTX1F\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\9PLWLLW7\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\SKAMU6WE\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\1D5U9W0O\desktop.ini	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Writes to the Master Boot Record (MBR) 1 TTPs 2 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	\??\PhysicalDrive0	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Checks system information in the registry 2 TTPs 4 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Drops file in Windows directory 30 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\sammui.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Logs\CBS\CBS.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Logs\DPX\setupact.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Performance\WinSAT\winsat.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\DtcInstall.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\setupact.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\TSSysprep.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\SoftwareDistribution\ReportingEvents.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb00001.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\setuperr.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\security\logs\scecomp.old	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Logs\DISM\dism.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\ServiceProfiles\LocalService\AppData\Local\Microsoft\Windows\WindowsUpdate.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v4.0.30319\ngen_service.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Debug\PASSWD.LOG	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\security\logs\scesetup.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setupact.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Panther\setuperr.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\SoftwareDistribution\DataStore\Logs\edb.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\WindowsUpdate.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Logs\DPX\setuperr.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Panther\UnattendGC\setuperr.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
File opened for modification	C:\Windows\Panther\setupact.log	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 14 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Modifies registry key 1 TTPs 1 IoCs

Modify Registry

T1112

pid	Process
1748	reg.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Suspicious use of AdjustPrivilegeToken 6 IoCs

description	pid	Process
Token: SeDebugPrivilege	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Token: SeManageVolumePrivilege	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Token: SeManageVolumePrivilege	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Token: SeShutdownPrivilege	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Token: SeShutdownPrivilege	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
Token: SeDebugPrivilege	3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
3032	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe

Suspicious use of WriteProcessMemory 16 IoCs

description	pid	Process	procid_target
PID 2972 wrote to memory of 3032	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	29
PID 2972 wrote to memory of 3032	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	29
PID 2972 wrote to memory of 3032	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	29
PID 2972 wrote to memory of 3032	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	29
PID 2972 wrote to memory of 304	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	30
PID 2972 wrote to memory of 304	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	30
PID 2972 wrote to memory of 304	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	30
PID 2972 wrote to memory of 304	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	30
PID 304 wrote to memory of 2088	304	w32tm.exe	32
PID 304 wrote to memory of 2088	304	w32tm.exe	32
PID 304 wrote to memory of 2088	304	w32tm.exe	32
PID 304 wrote to memory of 2088	304	w32tm.exe	32
PID 2972 wrote to memory of 1748	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	33
PID 2972 wrote to memory of 1748	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	33
PID 2972 wrote to memory of 1748	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	33
PID 2972 wrote to memory of 1748	2972	2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe	33

C:\Users\Admin\AppData\Local\Temp\2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe"
1⤵
- Loads dropped DLL
- Checks for any installed AV software in registry
- Drops desktop.ini file(s)
- Writes to the Master Boot Record (MBR)
- Checks system information in the registry
- Drops file in Windows directory
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2972
- C:\Users\Admin\AppData\Local\Temp\2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe
  "C:\Users\Admin\AppData\Local\Temp\2024-06-01_66c907e326e00f4a9ea032eb15650418_gozi_magniber_revil.exe" /monitor
  2⤵
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks for any installed AV software in registry
  - Writes to the Master Boot Record (MBR)
  - Checks system information in the registry
  - Checks processor information in registry
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of SetWindowsHookEx
  PID:3032
- C:\Windows\SysWOW64\w32tm.exe
  w32tm /query /status /verbose
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:304
- - C:\Windows\system32\w32tm.exe
    w32tm /query /status /verbose
    3⤵
    PID:2088
- C:\Windows\SysWOW64\reg.exe
  reg query HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
  2⤵
  - Modifies registry key
  PID:1748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
b95125d82608f1d4fa00600c2c0a763c

SHA1
29f426505bcc2ae6e7de55a38b609dfe642370f6

SHA256
442cef8b2ebe26f37be6a344282f87b5a47a9b61d2fa9e84f1e4fcd0b91ce86a

SHA512
c7a7b4bebf5bfaef065fe64e986abb30299f04f3ea3f674dd07dd11feb2ce7c6856b6b3b39466dfebbc9ad5e835a44f609cde40abdf27bb28229578d7dc731ba

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
32.1MB

MD5
d054f951ddd675896207619f7d98bd55

SHA1
9637ccb996739705d388f489c6cad42aac8d331f

SHA256
a138eecdd0d1d9ce0c432fbfb1762639ad7c94c82f39fb69968fb9c74ea87caa

SHA512
5b54964c6286703ca21874ee92d28595ba8a2f701313940558778e0433cee19d213ea1903cb23af896e92ef21895ebef0feece8d511c931382b0f1940647f44a

Download Submit
C:\Users\Admin\AppData\Local\Temp\Setup\config.def

Filesize
27B

MD5
05927e894c81eb42c3b4dae5a5a6c937

SHA1
7ec0660aac7c3396599447a49f30ba18e1f0db49

SHA256
09c65b39bc891e12956ab7bb30fae147ef7c8fa37542b6f040613436b566e7f8

SHA512
c06e2788952a3550597f5b539cf8f5cf7a569e33192951bc8ce97d4570bd4ba35abce99586f309f3e1cffe6f1d83aee98b79c0c26503ef4cd4d1fbfb40e1ba4e

Download Submit
\Users\Admin\AppData\Local\Temp\gcapi_17172350822972.dll

Filesize
600KB

MD5
f637d5d3c3a60fddb5dd397556fe9b1d

SHA1
66f0c4f137870a9927400ea00facc00193ef21e3

SHA256
641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

SHA512
e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

Download Submit
memory/2972-15-0x0000000005A00000-0x0000000005A10000-memory.dmp

Filesize
64KB

Download
memory/2972-44-0x0000000005BC0000-0x0000000005BC8000-memory.dmp

Filesize
32KB

Download
memory/2972-6-0x0000000005170000-0x0000000005171000-memory.dmp

Filesize
4KB

Download
memory/2972-7-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/2972-10-0x0000000000010000-0x0000000002781000-memory.dmp

Filesize
39.4MB

Download
memory/2972-4-0x0000000004C70000-0x0000000004C71000-memory.dmp

Filesize
4KB

Download
memory/2972-0-0x00000000029F0000-0x00000000029F1000-memory.dmp

Filesize
4KB

Download
memory/2972-21-0x0000000009C40000-0x0000000009C50000-memory.dmp

Filesize
64KB

Download
memory/2972-3-0x0000000004C60000-0x0000000004C61000-memory.dmp

Filesize
4KB

Download
memory/2972-5-0x0000000004C80000-0x0000000004C81000-memory.dmp

Filesize
4KB

Download
memory/2972-49-0x0000000005B70000-0x0000000005B71000-memory.dmp

Filesize
4KB

Download
memory/2972-47-0x0000000005D00000-0x0000000005D08000-memory.dmp

Filesize
32KB

Download
memory/2972-54-0x00000000055A0000-0x00000000055A1000-memory.dmp

Filesize
4KB

Download
memory/2972-2-0x0000000004C50000-0x0000000004C51000-memory.dmp

Filesize
4KB

Download
memory/2972-142-0x0000000000010000-0x0000000002781000-memory.dmp

Filesize
39.4MB

Download
memory/2972-1-0x0000000004C40000-0x0000000004C41000-memory.dmp

Filesize
4KB

Download
memory/3032-106-0x00000000032B0000-0x00000000032B1000-memory.dmp

Filesize
4KB

Download
memory/3032-105-0x0000000003100000-0x0000000003101000-memory.dmp

Filesize
4KB

Download
memory/3032-104-0x0000000002900000-0x0000000002901000-memory.dmp

Filesize
4KB

Download