Analysis
- max time kernel: 143s
- max time network: 143s
- platform: windows7_x64
- resource: win7-20240508-en
- resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
- submitted: 11-06-2024 12:48
Static task: static1
Behavioral task: behavioral1
- Sample: 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
- Resource: win10v2004-20240508-en
General
- Target: 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
- Size: 5.3MB
- MD5: 331a13337f21d145bdd92dff4ed8a3c5
- SHA1: 4180ed229a433ae662205772476bee87a2d0cf0f
- SHA256: 227a94ba6523bf9b2fc77748c6f8c580d43f219eb8e4f4dd600335588d36be4a
- SHA512: d0148a2ff6740bdbc34456cb5f03c5c2d180aedf90638d78953b5a5a057109b2ce49da57f732c39723b9a5e94cd6a1802c098465dc569c8d741956efe1826f07
- SSDEEP: 98304:tkKyerff4aiY60lKLep2lxGLRY1hGM5PTLnMmnlSRDf/rOLs:t/rffhi3ip2LGRBgPTwmnlKTrj
Malware Config
Signatures
- Unexpected DNS network traffic destination (11 IoCs)
  Network traffic on the DNS port to servers other than the sandbox's configured DNS servers was detected.
  Destination IPs: 149.112.112.112, 94.140.14.14, 9.9.9.9, 76.223.122.150, 208.67.222.222, 185.228.169.9, 208.67.220.220, 1.0.0.1, 94.140.15.15, 185.228.168.9, 76.76.19.19
  Note: all eleven addresses belong to public DNS resolvers (Quad9, AdGuard, OpenDNS, CleanBrowsing, Cloudflare, Alternate DNS). The behaviour is consistent with the sample resolving names through hard-coded public resolvers instead of the host's; treat it as a behavioural indicator and do not blocklist these addresses as C2.
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Process: 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe (PID 1452)
  IoC: File opened for modification: \??\PhysicalDrive0
  Note: \??\PhysicalDrive0 is the NT object path of the Win32 device \\.\PhysicalDrive0. Opening it with write access gives raw sector-level access to the whole disk, so this signature fires on the handle open, not on an observed write to sector 0. Bootkits and legitimate disk utilities open the same device; confirm by checking the offset of any WriteFile on that handle in the sandbox's file-system trace.
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Process: 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe (PID 1452)
  IoC: Key value queried: \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation
  Note: this is HKCU\Control Panel\International\Geo\Nation, which holds the user's GEOID. Reading it is a common way for malware to refuse to run in particular countries, so a run on an image with a different locale than this one (en-us) may behave differently.
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Process: 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe (PID 1452)
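As an added example (not part of the sandbox report or its engine), the following Python triage script applies the three behavioural checks above to constructed event records shaped like this report's IoC lines: DNS-port traffic to resolvers other than the configured one, write-access opens on a raw physical drive, and queries of the Geo\Nation registry value. The configured resolver address 10.0.0.2, the event schema and the sample events are assumptions made for the example; the report does not state the sandbox's resolver.

```python
import ipaddress
import re
from collections import defaultdict

# Resolvers the analysis VM (or the host being hunted on) is configured to use.
# Assumption for this example: a single DHCP-assigned resolver at 10.0.0.2.
CONFIGURED_RESOLVERS = {"10.0.0.2"}

# \??\PhysicalDriveN (NT object path) or \\.\PhysicalDriveN (Win32 form).
# A handle with write access to either is raw sector-level access to the disk,
# which is what the sandbox's MBR signature keys on (the handle open, not the write).
RAW_DISK_RE = re.compile(r"^(?:\\\?\?\\|\\\\\.\\)PhysicalDrive\d+$", re.IGNORECASE)

# HKCU\Control Panel\International\Geo\Nation as it appears under \REGISTRY\USER\<SID>\...
GEO_NATION_RE = re.compile(
    r"^\\REGISTRY\\USER\\S-1-5-21-[\d-]+\\Control Panel\\International\\Geo\\Nation$",
    re.IGNORECASE,
)


def triage(events, configured_resolvers=CONFIGURED_RESOLVERS):
    """Map sandbox-style events to the report's signature names.

    Event schema (assumed for this example):
      {"type": "net",  "proto": "udp"|"tcp", "dst": "<ip>", "dport": int}
      {"type": "file", "op": "open_write"|"open_read", "path": "<path>"}
      {"type": "reg",  "op": "query", "key": "<key path>"}
    Returns {signature_name: sorted list of IoC strings}.
    """
    hits = defaultdict(set)
    for ev in events:
        if ev["type"] == "net" and ev["dport"] == 53:
            dst = ev["dst"]
            ipaddress.ip_address(dst)  # fail loudly on malformed input rather than miss it
            if dst not in configured_resolvers:
                hits["Unexpected DNS network traffic destination"].add(dst)
        elif ev["type"] == "file" and ev["op"] == "open_write" and RAW_DISK_RE.match(ev["path"]):
            hits["Writes to the Master Boot Record (MBR)"].add(ev["path"])
        elif ev["type"] == "reg" and ev["op"] == "query" and GEO_NATION_RE.match(ev["key"]):
            hits["Checks computer location settings"].add(ev["key"])
    return {name: sorted(iocs) for name, iocs in hits.items()}


# Constructed sample events modelled on this report's IoC lines; not a real capture.
SAMPLE_EVENTS = [
    {"type": "net", "proto": "udp", "dst": "10.0.0.2", "dport": 53},         # configured resolver: benign
    {"type": "net", "proto": "udp", "dst": "9.9.9.9", "dport": 53},
    {"type": "net", "proto": "udp", "dst": "1.0.0.1", "dport": 53},
    {"type": "net", "proto": "tcp", "dst": "208.67.222.222", "dport": 443},  # not the DNS port: ignored
    {"type": "file", "op": "open_write", "path": r"\??\PhysicalDrive0"},
    {"type": "file", "op": "open_read", "path": r"\??\PhysicalDrive0"},     # read-only open: not flagged
    {"type": "file", "op": "open_write", "path": r"C:\Users\Admin\x.txt"},
    {"type": "reg", "op": "query",
     "key": r"\REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation"},
]

if __name__ == "__main__":
    for name, iocs in triage(SAMPLE_EVENTS).items():
        print(f"{name} ({len(iocs)} IoCs): {', '.join(iocs)}")
```

The raw-disk check deliberately ignores read-only opens: reading sector 0 is what backup and inventory tools do, while the report's IoC is an open for modification. Feed the function the configured resolver set of the environment you are hunting on, otherwise every lookup to a corporate resolver will be reported as unexpected.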
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe"
  PID: 1452
  Signatures:
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses