Analysis Overview
SHA256
227a94ba6523bf9b2fc77748c6f8c580d43f219eb8e4f4dd600335588d36be4a
Threat Level: Shows suspicious behavior
The file 2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil was found to be: Shows suspicious behavior.
Malicious Activity Summary
Unexpected DNS network traffic destination
Writes to the Master Boot Record (MBR)
Checks computer location settings
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-11 12:48
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-11 12:48
Reported
2024-06-11 12:51
Platform
win10v2004-20240508-en
Max time kernel
147s
Max time network
150s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 185.228.168.9 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 94.140.15.15 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 1.0.0.1 | N/A | N/A |
| Destination IP | 185.228.169.9 | N/A | N/A |
| Destination IP | 76.76.19.19 | N/A | N/A |
| Destination IP | 94.140.14.14 | N/A | N/A |
| Destination IP | 9.9.9.9 | N/A | N/A |
| Destination IP | 149.112.112.112 | N/A | N/A |
| Destination IP | 76.223.122.150 | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| US | 8.8.8.8:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.4.4:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 4.4.8.8.in-addr.arpa | udp |
| US | 9.9.9.9:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| US | 8.8.8.8:53 | 9.9.9.9.in-addr.arpa | udp |
| CH | 149.112.112.112:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 112.112.112.149.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 43.229.111.52.in-addr.arpa | udp |
| US | 208.67.222.222:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 222.222.67.208.in-addr.arpa | udp |
| US | 208.67.220.220:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 220.220.67.208.in-addr.arpa | udp |
| US | 1.1.1.1:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 1.0.0.1:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 1.0.0.1.in-addr.arpa | udp |
| US | 185.228.168.9:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 185.228.169.9:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 76.76.19.19:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 19.19.76.76.in-addr.arpa | udp |
| US | 76.223.122.150:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 150.122.223.76.in-addr.arpa | udp |
| CY | 94.140.14.14:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 14.14.140.94.in-addr.arpa | udp |
| CY | 94.140.15.15:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | 15.15.140.94.in-addr.arpa | udp |
| US | 52.111.229.43:443 | tcp |
Files
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-11 12:48
Reported
2024-06-11 12:51
Platform
win7-20240508-en
Max time kernel
143s
Max time network
143s
Command Line
Signatures
Unexpected DNS network traffic destination
| Description | Indicator | Process | Target |
| Destination IP | 149.112.112.112 | N/A | N/A |
| Destination IP | 94.140.14.14 | N/A | N/A |
| Destination IP | 9.9.9.9 | N/A | N/A |
| Destination IP | 76.223.122.150 | N/A | N/A |
| Destination IP | 208.67.222.222 | N/A | N/A |
| Destination IP | 185.228.169.9 | N/A | N/A |
| Destination IP | 208.67.220.220 | N/A | N/A |
| Destination IP | 1.0.0.1 | N/A | N/A |
| Destination IP | 94.140.15.15 | N/A | N/A |
| Destination IP | 185.228.168.9 | N/A | N/A |
| Destination IP | 76.76.19.19 | N/A | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-11_331a13337f21d145bdd92dff4ed8a3c5_avoslocker_magniber_revil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| US | 8.8.8.8:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.4.4:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 9.9.9.9:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 8.8.8.8:53 | api.wps.com | udp |
| CH | 149.112.112.112:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 208.67.222.222:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 208.67.220.220:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 1.1.1.1:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 1.0.0.1:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 185.228.168.9:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 185.228.169.9:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 76.76.19.19:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| US | 76.223.122.150:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| CY | 94.140.14.14:53 | wdl1.pcfg.cache.wpscdn.com | udp |
| CY | 94.140.15.15:53 | wdl1.pcfg.cache.wpscdn.com | udp |