Malware Analysis Report

2024-10-18 22:06

Sample ID 240611-p25mtsxgqq
Target 2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil
SHA256 45ee781e271d0483d777a55544ccd44a9490ad26f533dc89816c068adb61ccb6
Tags bootkit persistence
Score 6/10


Analysis Overview

Score 6/10

SHA256 45ee781e271d0483d777a55544ccd44a9490ad26f533dc89816c068adb61ccb6

Threat Level: Shows suspicious behavior

The file 2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Checks computer location settings

Modifies system certificate store

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-06-11 12:50

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-11 12:50
Reported 2024-06-11 12:53
Platform win7-20240221-en
Max time kernel 118s
Max time network 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A

Modifies system certificate store

Tags evasion spyware trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\TrustedDevices | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | api.wps.com | udp
FR | 90.84.175.86:443 | api.wps.com | tcp
FR | 90.84.175.86:443 | api.wps.com | tcp
FR | 90.84.175.86:443 | api.wps.com | tcp
FR | 90.84.175.86:443 | api.wps.com | tcp

Files

N/A

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-11 12:50
Reported 2024-06-11 12:53
Platform win10v2004-20240508-en
Max time kernel 125s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags bootkit persistence

Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A

Modifies system certificate store

Tags evasion spyware trojan

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\WindowsServerUpdateServices | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\FlightRoot | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\TrustedDevices | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\Windows Live ID Token Issuer\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CTLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\TestSignRoot | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\TrustedAppRoot | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\FlightRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TestSignRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedAppRoot\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\eSIM Certification Authorities | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\TrustedDevices\CRLs | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\eSIM Certification Authorities\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Software\Microsoft\SystemCertificates\Windows Live ID Token Issuer | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A
Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\SystemCertificates\WindowsServerUpdateServices\Certificates | C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_374f077b74762d300c35b62947d9738e_avoslocker_magniber_revil.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp
US | 8.8.8.8:53 | api.wps.com | udp
US | 8.8.8.8:53 | api.wps.com | udp

Files

N/A