Analysis
max time kernel: 51s
max time network: 52s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-06-2024 12:25
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
  Resource: win7-20240508-en
Behavioral task: behavioral2
  Sample: 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
  Resource: win10v2004-20240508-en
General
Target: 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
Size: 5.7MB
MD5: 0868774d2473fd075d9dcd68b20e4ebc
SHA1: c34abb23606ea72f6caa8e8c45ffadc020d6505d
SHA256: f717b6c4fb1e9d0f0e102bab834e6976c75ecfe973fc975ae523d1517997f8d1
SHA512: cb1e4b2e00175d06402d8bffac6be1284f116857a604fa2387df18c9f0db2b3d6d6d1bfa0880a487bd6fa6ff2a0f143df2474ffb6c85d35d7575a7477929511c
SSDEEP: 98304:LMMGgqTjjIMx5CBxAWimaFZJaxY+OO/KewTOiyO7NrMVW7FLOAkGkzdnEVomFHKI:LQoW58AWLaUIRewTOiycFLOyomFHKnPA
Malware Config
Signatures
- Writes to the Master Boot Record (MBR) (1 TTPs, 1 IoCs)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes:
    description                  | ioc                | process
    File opened for modification | \??\PhysicalDrive0 | 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes:
    description       | ioc                                                                                                     | process
    Key value queried | \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation | 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious behavior: EnumeratesProcesses (8 IoCs)
  Processes:
    pid  | process
    5028 | 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe   (this row is recorded 8 times)
- Suspicious use of AdjustPrivilegeToken (3 IoCs)
  Processes:
    description             | pid  | process
    Token: SeDebugPrivilege | 5028 | 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe   (this row is recorded 3 times)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes:
    pid  | process
    5028 | 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
- Suspicious use of WriteProcessMemory (6 IoCs)
  Processes:
    description                      | pid  | process                                                        | target process
    PID 5028 wrote to memory of 1176 | 5028 | 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe | cmd.exe    (this row is recorded 3 times)
    PID 1176 wrote to memory of 3004 | 1176 | cmd.exe                                                        | PING.EXE   (this row is recorded 3 times)
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe"
  PID: 5028
  - Writes to the Master Boot Record (MBR)
  - Checks computer location settings
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe
    Command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zip_onece_del_26348_17484_21897_17780.bat" "
    PID: 1176
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\PING.EXE
      Command line: ping -n 1 127.0.0.1
      PID: 3004
      - Runs ping.exe
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 496B
  MD5: b21eb3b04716e48d98a45f9988658273
  SHA1: af39e65f03f4e17dd70594426d97510bfe6d1a5c
  SHA256: 3fb366ba6aa46dfc51027f95068254c66ae656865ebc1a61f66629571e8a366f
  SHA512: 04ff3b88865e09eb599a310090d0829f03e1990a3d01dacc2ebb9c808d0500be2b172d68e9b17ec45ed380d30326e0fde1fe9af5ad5b07737a7ba6e182cc83d3