Malware Analysis Report

2024-10-18 22:06

Sample ID 240611-p16thaxdkc
Target 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil
SHA256 227a94ba6523bf9b2fc77748c6f8c580d43f219eb8e4f4dd600335588d36be4a
Tags bootkit persistence
Score 7/10

Analysis Overview

Score

7/10

SHA256

227a94ba6523bf9b2fc77748c6f8c580d43f219eb8e4f4dd600335588d36be4a

Threat Level: Shows suspicious behavior

The file 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Unexpected DNS network traffic destination

Writes to the Master Boot Record (MBR)

Checks computer location settings

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-11 12:48

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-11 12:48

Reported

2024-06-11 12:51

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe"

Signatures

Unexpected DNS network traffic destination


Writes to the Master Boot Record (MBR)

Tags bootkit persistence

Description File opened for modification
Indicator \??\PhysicalDrive0
Process C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
Target N/A

Checks computer location settings

Description Key value queried
Indicator \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation
Process C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe"

Network


Files

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-11 12:48

Reported

2024-06-11 12:51

Platform

win7-20240508-en

Max time kernel

143s

Max time network

143s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe"

Signatures

Unexpected DNS network traffic destination


Writes to the Master Boot Record (MBR)

Tags bootkit persistence

Description File opened for modification
Indicator \??\PhysicalDrive0
Process C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
Target N/A

Checks computer location settings

Description Key value queried
Indicator \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation
Process C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
Target N/A

Suspicious behavior: EnumeratesProcesses

Description N/A
Indicator N/A
Process C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
Target N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe"

Network


Files

N/A