Malware Analysis Report

2024-09-23 10:29

Sample ID 240614-lalh4axhnq
Target 2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil
SHA256 3a2b72f5534b9c5c8b73d8250b27b8cfdada3decb62d71ce23851484d3ba2cc7
Tags
bootkit persistence
score
7/10


Analysis Overview

score
7/10

SHA256

3a2b72f5534b9c5c8b73d8250b27b8cfdada3decb62d71ce23851484d3ba2cc7

Threat Level: Shows suspicious behavior

The file 2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe was classified as showing suspicious behavior. In both detonations it opened \??\PhysicalDrive0 for modification, which is what fires the "Writes to the Master Boot Record (MBR)" and "bootkit persistence" signatures; it dropped curlnet.dll and 7z.dll into %TEMP% (the "Loads dropped DLL" signature); and it resolved search.52toolbox.com and s.52toolbox.com, connecting to both over TCP/80 in the Windows 10 run. Two caveats for anyone triaging from this report: a write-mode open of PhysicalDrive0 is enough to trigger the MBR signature, but the report does not capture the bytes written, so an actual overwrite of sector 0 has to be confirmed by reading the disk; and the family names in the file name (magniber, metamorfo, revil) come from the submission name, not from any signature in this report, which tags the sample only with bootkit persistence.

Malicious Activity Summary

bootkit persistence

Loads dropped DLL

Writes to the Master Boot Record (MBR)

Unsigned PE

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 09:19

Signatures

Unsigned PE

No indicator details recorded for this signature (Description, Indicator, Process, Target: N/A).

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 09:19

Reported

2024-06-14 09:22

Platform

win7-20240508-en

Max time kernel

117s

Max time network

117s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator:   \??\PhysicalDrive0
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe
Target:      N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe"

Network

Country  Destination          Domain                 Proto
US       8.8.8.8:53           search.52toolbox.com   udp
US       8.8.8.8:53           search.52toolbox.com   udp
US       8.8.8.8:53           s.52toolbox.com        udp

Files

\Users\Admin\AppData\Local\Temp\curlnet.dll

MD5 31809f4c132493f25a7101b7dfee3fc6
SHA1 df93349e4ec2a23158dbaa8a613f9c8a48aa1aad
SHA256 1bba9d7e041299219c4fc40e0a3b02a2eddad6cb50651166583848542f25fd48
SHA512 ddb796a9a2fe0f5d4b0df6686c05a26493cd689bb8d911549f563a02ae88382cbde749d5fbd915bed3b72db048ae384287980303ad6362d18618ea5497e283e4

\Users\Admin\AppData\Local\Temp\{4E85F478-59B3-4feb-A594-5B1529CB4AC6}.tmp\7z.dll

MD5 5531a8b662bd7993825613a12af93dd9
SHA1 45f1dc04ab21d35ca770fcb839d0f214830d2d81
SHA256 5b9369cda0fe1f481815eae567fb18f45c8820b657b381c8083a92c3cbf49c6e
SHA512 ced356370eea145f252129b08cc75e1e183aca0e2e6faa6475260ea5395a3adf415c1ad364495df56ccaba3fc15a4a8453701d320abcb17ff9eb760fe98c8bef

memory/2928-16-0x0000000000550000-0x0000000000551000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 09:19

Reported

2024-06-14 09:22

Platform

win10v2004-20240611-en

Max time kernel

124s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator:   \??\PhysicalDrive0
Process:     C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe
Target:      N/A
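Both behavioral runs flag the sample only for opening \??\PhysicalDrive0 for modification; the report does not show what, if anything, was written. The check a practitioner wants next is whether sector 0 actually changed and which part did: the 440 bytes of bootstrap code (the bootkit case), the disk signature, or the partition table (the wiper case). The following Python is an added example for that check, not part of the sandbox report or of the sample; the baseline and tampered sectors are constructed inline (the boot-code bytes are placeholders, not a real bootloader), and the \\.\PhysicalDrive0 path mentioned in check_disk is the standard Windows raw-device name, which needs administrator rights to open.

```python
"""Parse a 512-byte MBR and diff it against a known-good baseline sector."""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bootstrap code occupies bytes 0..439
DISK_SIG_OFF = 440       # 4-byte Windows disk signature at 440..443
PART_TABLE_OFF = 446     # four 16-byte partition entries at 446..509
PART_ENTRY_LEN = 16
PART_ENTRY_FMT = "<B3sB3sII"   # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"         # bytes 510..511


@dataclass(frozen=True)
class PartitionEntry:
    bootable: bool
    type_id: int
    lba_start: int
    sectors: int


@dataclass(frozen=True)
class MBR:
    boot_code_sha256: str
    disk_signature: int
    partitions: Tuple[PartitionEntry, ...]
    valid_signature: bool


def parse_mbr(sector: bytes) -> MBR:
    """Split a raw sector into the fields a bootkit or wiper would touch."""
    if len(sector) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(sector)}")
    disk_sig = struct.unpack_from("<I", sector, DISK_SIG_OFF)[0]
    parts = []
    for i in range(4):
        off = PART_TABLE_OFF + i * PART_ENTRY_LEN
        status, _chs_start, ptype, _chs_end, lba, count = struct.unpack_from(PART_ENTRY_FMT, sector, off)
        parts.append(PartitionEntry(bootable=status == 0x80, type_id=ptype, lba_start=lba, sectors=count))
    return MBR(
        boot_code_sha256=hashlib.sha256(sector[:BOOT_CODE_LEN]).hexdigest(),
        disk_signature=disk_sig,
        partitions=tuple(parts),
        valid_signature=sector[510:512] == BOOT_SIG,
    )


def diff_mbr(baseline: bytes, current: bytes) -> List[str]:
    """Return human-readable findings; an empty list means sector 0 is byte-identical."""
    findings: List[str] = []
    if baseline == current:
        return findings
    b, c = parse_mbr(baseline), parse_mbr(current)
    if not c.valid_signature:
        findings.append("boot signature 0x55AA missing: sector is no longer a valid MBR")
    if b.boot_code_sha256 != c.boot_code_sha256:
        findings.append(f"bootstrap code changed: {b.boot_code_sha256[:16]}... -> {c.boot_code_sha256[:16]}...")
    if b.disk_signature != c.disk_signature:
        findings.append(f"disk signature changed: {b.disk_signature:#010x} -> {c.disk_signature:#010x}")
    for i, (bp, cp) in enumerate(zip(b.partitions, c.partitions)):
        if bp != cp:
            findings.append(f"partition entry {i} changed: {bp} -> {cp}")
    return findings


def check_disk(device: str, baseline: bytes) -> List[str]:
    """Read sector 0 of a raw device or disk image and diff it against the baseline.

    On Windows pass r'\\\\.\\PhysicalDrive0' (administrator required); on Linux a
    device node or a dd/E01-converted raw image path works the same way.
    """
    with open(device, "rb") as f:
        return diff_mbr(baseline, f.read(MBR_SIZE))


def build_sector(boot_code: bytes, disk_sig: int, partitions) -> bytes:
    """Assemble a sector from parts. Test fixture only; the boot code is not a real loader."""
    sector = bytearray(MBR_SIZE)
    code = boot_code[:BOOT_CODE_LEN]
    sector[:len(code)] = code
    struct.pack_into("<I", sector, DISK_SIG_OFF, disk_sig)
    for i, (bootable, ptype, lba, count) in enumerate(partitions):
        struct.pack_into(PART_ENTRY_FMT, sector, PART_TABLE_OFF + i * PART_ENTRY_LEN,
                         0x80 if bootable else 0x00, b"\0\0\0", ptype, b"\0\0\0", lba, count)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed baseline: a typical two-partition NTFS layout with placeholder boot code.
LAYOUT = [(True, 0x07, 2048, 204800), (False, 0x07, 206848, 41738240)]
BASELINE = build_sector(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 433, 0x1A2B3C4D, LAYOUT)
# Constructed post-detonation sector: bootstrap code replaced, partition table left intact,
# which is the bootkit pattern rather than the wiper pattern.
TAMPERED = build_sector(b"\xeb\xfe" + b"\x00" * 438, 0x1A2B3C4D, LAYOUT)

if __name__ == "__main__":
    for finding in diff_mbr(BASELINE, TAMPERED):
        print(finding)
```

Take the baseline sector from the clean VM snapshot before detonation and feed the post-detonation image (or the live device) to check_disk; a clean run returns an empty list. A changed bootstrap hash only says the code differs, not what it does, so when the partition table is intact but the first 440 bytes changed, pull those bytes and disassemble them as 16-bit real-mode code.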

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2cb46c6a34799717761938752c2a3318_magniber_metamorfo_revil.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=3064,i,3595107284059830391,18018199024659337217,262144 --variations-seed-version --mojo-platform-channel-handle=4308 /prefetch:8

Network

Country  Destination          Domain                         Proto
US       8.8.8.8:53           search.52toolbox.com           udp
CN       39.105.192.163:80    search.52toolbox.com           tcp
US       8.8.8.8:53           g.bing.com                     udp
US       8.8.8.8:53           8.8.8.8.in-addr.arpa           udp
US       204.79.197.237:443   g.bing.com                     tcp
BE       88.221.83.249:443    www.bing.com                   tcp
US       8.8.8.8:53           237.197.79.204.in-addr.arpa    udp
US       8.8.8.8:53           203.107.17.2.in-addr.arpa      udp
US       8.8.8.8:53           249.83.221.88.in-addr.arpa     udp
US       8.8.8.8:53           20.160.190.20.in-addr.arpa     udp
CN       39.105.192.163:80    search.52toolbox.com           tcp
US       8.8.8.8:53           s.52toolbox.com                udp
CN       139.196.165.62:80    s.52toolbox.com                tcp
US       8.8.8.8:53           50.23.12.20.in-addr.arpa       udp
US       8.8.8.8:53           18.31.95.13.in-addr.arpa       udp
US       8.8.8.8:53           35.15.31.184.in-addr.arpa      udp
US       8.8.8.8:53           23.236.111.52.in-addr.arpa     udp
US       8.8.8.8:53           172.210.232.199.in-addr.arpa   udp
US       8.8.8.8:53           144.107.17.2.in-addr.arpa      udp

Files

C:\Users\Admin\AppData\Local\Temp\curlnet.dll

MD5 31809f4c132493f25a7101b7dfee3fc6
SHA1 df93349e4ec2a23158dbaa8a613f9c8a48aa1aad
SHA256 1bba9d7e041299219c4fc40e0a3b02a2eddad6cb50651166583848542f25fd48
SHA512 ddb796a9a2fe0f5d4b0df6686c05a26493cd689bb8d911549f563a02ae88382cbde749d5fbd915bed3b72db048ae384287980303ad6362d18618ea5497e283e4

C:\Users\Admin\AppData\Local\Temp\{A9C7D033-2429-49eb-A6DA-CD6A169A0F3E}.tmp\7z.dll

MD5 5531a8b662bd7993825613a12af93dd9
SHA1 45f1dc04ab21d35ca770fcb839d0f214830d2d81
SHA256 5b9369cda0fe1f481815eae567fb18f45c8820b657b381c8083a92c3cbf49c6e
SHA512 ced356370eea145f252129b08cc75e1e183aca0e2e6faa6475260ea5395a3adf415c1ad364495df56ccaba3fc15a4a8453701d320abcb17ff9eb760fe98c8bef