Malware Analysis Report

2024-10-18 22:07

Sample ID: 240611-plnz5sxclk
Target: 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil
SHA256: f717b6c4fb1e9d0f0e102bab834e6976c75ecfe973fc975ae523d1517997f8d1
Tags: bootkit, persistence
Score: 6/10

Analysis Overview

Score: 6/10

SHA256: f717b6c4fb1e9d0f0e102bab834e6976c75ecfe973fc975ae523d1517997f8d1

Threat Level: Shows suspicious behavior

The file 2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil was found to show suspicious behavior.

Malicious Activity Summary

Tags: bootkit, persistence

Writes to the Master Boot Record (MBR)

Checks computer location settings

Deletes itself

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Runs ping.exe

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported: 2024-06-11 12:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-11 12:25
Reported: 2024-06-11 12:27
Platform: win7-20240508-en
Max time kernel: 118s
Max time network: 121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
Target: N/A

Deletes itself

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\cmd.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\zip_onece_del_11491_20342_30554_17823.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 ver.zipper.yunbiaosoft.com udp
US 8.8.8.8:53 ver.zipper.yunbiaosoft.com udp
US 8.8.8.8:53 ver.zipper.yunbiaosoft.com udp

Files

C:\Users\Admin\AppData\Local\Temp\zip_onece_del_11491_20342_30554_17823.bat

MD5: dcd12b64aeb60c4c75978b490cdd91bb
SHA1: 6e9d7b991b2c647c08bf46c974392762fb0788ab
SHA256: d9536ec713da50696e332554ce32dbe43690751fd10c593970d4ff0483e6ad85
SHA512: 928d299b489869bde9edf928921ead3ef79f1d649348a52481290117b87b8ed0ab1fb404aee1c1a029b25835982ea9314afae7b2bebc562a0e66ef98c00fc610

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-11 12:25
Reported: 2024-06-11 12:27
Platform: win10v2004-20240508-en
Max time kernel: 51s
Max time network: 52s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
Target: N/A

Checks computer location settings

Description: Key value queried
Indicator: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
Target: N/A

Enumerates physical storage devices

Runs ping.exe

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\PING.EXE
Target: N/A

Suspicious use of SetWindowsHookEx

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-11_0868774d2473fd075d9dcd68b20e4ebc_magniber_revil.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\zip_onece_del_26348_17484_21897_17780.bat" "

C:\Windows\SysWOW64\PING.EXE

ping -n 1 127.0.0.1

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 ver.zipper.yunbiaosoft.com udp
US 8.8.8.8:53 ver.zipper.yunbiaosoft.com udp
US 8.8.8.8:53 ver.zipper.yunbiaosoft.com udp

Files

C:\Users\Admin\AppData\Local\Temp\zip_onece_del_26348_17484_21897_17780.bat

MD5: b21eb3b04716e48d98a45f9988658273
SHA1: af39e65f03f4e17dd70594426d97510bfe6d1a5c
SHA256: 3fb366ba6aa46dfc51027f95068254c66ae656865ebc1a61f66629571e8a366f
SHA512: 04ff3b88865e09eb599a310090d0829f03e1990a3d01dacc2ebb9c808d0500be2b172d68e9b17ec45ed380d30326e0fde1fe9af5ad5b07737a7ba6e182cc83d3