Analysis Overview
SHA256
8a82235671e38bb9d73feee53eac89ecd703b8df635d40d3896fefad7d4f7041
Threat Level: Shows suspicious behavior
The file 2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil was classified as: Shows suspicious behavior. The family names in the file name (magniber, revil) come from the submitted file name, not from a signature match: the only signatures that fired in either detonation are the three generic behaviours listed below.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Drops file in Program Files directory
Loads dropped DLL
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-14 15:25
Signatures
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-14 15:24
Reported
2024-06-14 15:27
Platform
win10v2004-20240226-en
Max time kernel
142s
Max time network
161s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PCManage\{F93DF148-6A0B-47ca-9F1E-D2671832B934}.tf | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe"
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | ss.pcmanage.cn | udp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| US | 8.8.8.8:53 | 71.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| US | 8.8.8.8:53 | 164.189.21.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 3.166.122.92.in-addr.arpa | udp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| US | 8.8.8.8:53 | 91.90.14.23.in-addr.arpa | udp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| US | 8.8.8.8:53 | 31.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | 234.212.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 93.65.42.20.in-addr.arpa | udp |
Files
C:\Users\Admin\AppData\Local\Temp\netul.dll
| MD5 | 47f5fe83659f9ea0c7b204a3e76f78b1 |
| SHA1 | cc1e2e5e7601473e69a28f4ab4a7ed29a07dbada |
| SHA256 | e834072d776786c0a9336225b18a1b4da91f3fd056277af61ba97a203c8bbb5a |
| SHA512 | 18c50b839b40b5706da9b0b948ea7ea85718cd38cd463d44750fa608ac14a1b45eb498c5d73460f4b67c9d9677fc3227be0ca48024aaf2b76dcebd09900e5e64 |
C:\Users\Admin\AppData\Local\Temp\{DEC25C21-A24A-43c7-B618-6AE019827BEC}.tmp\7z.dll
| MD5 | e46d966c4ba37e2f8e70c763d2a5ee70 |
| SHA1 | 6835cf8754b9f5883adefd2a497e10a58b274562 |
| SHA256 | 3888ea4bd723fdc0da83517374763c62b30731127837bb83ed6b190e9820754d |
| SHA512 | 951db30c235dd8bee327cb219972181307492c6009e75038f764afd14c15b2efc9c129b5e5024ea4ef8d21849efe6ec7853f16d7ae3d8f2c8a604f080b28e6b6 |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-14 15:24
Reported
2024-06-14 15:27
Platform
win7-20240221-en
Max time kernel
117s
Max time network
120s
Command Line
Signatures
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
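This row, like the identical one in behavioral2, records that the sample opened \??\PhysicalDrive0 (the symbolic link for the first physical disk) with a write-capable handle; the report does not show whether any bytes actually reached sector 0, and reading disk geometry or serial numbers goes through the same kind of handle. The check a practitioner wants after detonation is to dump the first 512 bytes of the disk before and after the run and compare the parts that matter: bootstrap code, NT disk signature, partition table and the 0x55AA boot signature. The Python below is an added example, not sandbox output or code from the sample; the two MBR images it compares are synthetic and built in `build_sample_mbr`, and the offsets follow the classic MBR layout.

```python
import hashlib
import struct

SECTOR = 512
BOOT_SIG = b"\x55\xaa"          # classic MBR signature at offset 510


def parse_mbr(sector0: bytes) -> dict:
    """Split a 512-byte MBR into the fields a bootkit or wiper would touch."""
    if len(sector0) != SECTOR:
        raise ValueError("expected exactly one 512-byte sector")
    bootstrap = sector0[:440]                              # boot code
    disk_sig = struct.unpack_from("<I", sector0, 440)[0]   # NT disk signature
    partitions = []
    for i in range(4):
        off = 446 + 16 * i                                 # four 16-byte entries
        status, ptype, lba_start, n_sectors = struct.unpack_from("<B3xB3xII", sector0, off)
        if ptype != 0:                                     # type 0 = empty slot
            partitions.append({"index": i, "status": status, "type": ptype,
                               "lba_start": lba_start, "sectors": n_sectors})
    return {
        "bootstrap_sha256": hashlib.sha256(bootstrap).hexdigest(),
        "disk_signature": disk_sig,
        "partitions": partitions,
        "boot_signature_ok": sector0[510:512] == BOOT_SIG,
    }


def diff_mbr(baseline: bytes, candidate: bytes) -> list[str]:
    """Return a finding for every MBR field that differs between two sector-0 dumps."""
    a, b = parse_mbr(baseline), parse_mbr(candidate)
    findings = []
    if a["bootstrap_sha256"] != b["bootstrap_sha256"]:
        findings.append("bootstrap code modified")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    if a["boot_signature_ok"] and not b["boot_signature_ok"]:
        findings.append("0x55AA boot signature removed")
    return findings


def build_sample_mbr(bootstrap: bytes, disk_sig: int = 0x1234ABCD) -> bytes:
    """Constructed test data: one active NTFS (0x07) partition starting at LBA 2048."""
    code = bootstrap.ljust(440, b"\x00")[:440]
    entry = struct.pack("<B3sB3sII", 0x80, b"\x00\x21\x00", 0x07, b"\xfe\xff\xff", 2048, 204800)
    table = entry + b"\x00" * 48                           # three empty slots
    return code + struct.pack("<IH", disk_sig, 0) + table + BOOT_SIG


# Baseline uses the usual first bytes of a Windows MBR; the "after" image keeps the partition
# table but replaces the boot code, which is what a bootkit-style sector-0 write looks like.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c\x8e\xc0\x8e\xd8")
TAMPERED_MBR = build_sample_mbr(b"\xeb\xfe")               # JMP $ stub: the machine hangs at boot


if __name__ == "__main__":
    for name, img in (("unchanged", CLEAN_MBR), ("tampered", TAMPERED_MBR)):
        print(name, diff_mbr(CLEAN_MBR, img) or ["no change"])
```

On a real case the two images come from reading the first sector of the guest disk image before and after detonation; an unchanged bootstrap hash and partition table downgrades this signature to "write-capable handle opened", while a changed bootstrap with an intact partition table is the pattern worth escalating.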
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files (x86)\PCManage\{B534F37E-0F8C-4aa8-A313-F33B7AAFC5C5}.tf | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | ss.pcmanage.cn | udp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
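Read together, the two Network tables (the Windows 10 run in behavioral2 above and the Windows 7 run here) give a quick way to separate the sample's own traffic from what the guest image does on its own: only contacts reproduced on both images can be attributed to the sample with any confidence. The Python below is an added triage helper, not part of the report, that parses rows in the report's table layout, splits resolver queries (8.8.8.8:53) from actual connections, sets reverse lookups (*.in-addr.arpa, normally the guest resolving peer addresses) aside, and intersects the two runs. The row strings are copied from the two tables with duplicates dropped; the Domain cell is left empty on the direct-IP rows.

```python
# Rows copied from the report's two Network tables (duplicates dropped); constructed input for the demo.
WIN10_ROWS = """
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| GB | 96.16.110.114:80 | | tcp |
| US | 8.8.8.8:53 | ss.pcmanage.cn | udp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
| US | 13.107.253.64:443 | | tcp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.212.234:443 | chromewebstore.googleapis.com | tcp |
"""
WIN7_ROWS = """
| US | 8.8.8.8:53 | ss.pcmanage.cn | udp |
| CN | 122.9.39.210:80 | ss.pcmanage.cn | tcp |
"""


def parse_rows(table_text: str) -> list[dict]:
    """Parse '| Country | Destination | Domain | Proto |' rows; a header row is skipped."""
    rows = []
    for line in table_text.strip().splitlines():
        fields = [f.strip() for f in line.strip().strip("|").split("|")]
        if len(fields) != 4 or fields[0] == "Country":
            continue
        country, dest, domain, proto = fields
        ip, _, port = dest.rpartition(":")
        rows.append({"country": country, "ip": ip, "port": int(port),
                     "domain": domain, "proto": proto.lower()})
    return rows


def summarize(rows: list[dict]) -> dict:
    """Split one run into queried names, reverse lookups and real connections."""
    names, reverse, conns = set(), set(), set()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":        # resolver traffic
            if r["domain"].endswith(".in-addr.arpa"):
                reverse.add(r["domain"])
            else:
                names.add(r["domain"])
        else:                                              # an actual connection
            conns.add((r["ip"], r["port"], r["domain"]))
    return {"queried_names": names, "reverse_lookups": reverse, "connections": conns}


def cross_run_iocs(summaries: dict[str, dict]) -> dict:
    """Keep what every detonation reproduced; the rest is run-specific and suspect as image noise."""
    common_names = set.intersection(*(s["queried_names"] for s in summaries.values()))
    common_conns = set.intersection(*(s["connections"] for s in summaries.values()))
    return {
        "common_names": common_names,
        "common_connections": common_conns,
        # plain HTTP is the easiest contact to inspect in the pcap and to pivot on
        "cleartext_common": {c for c in common_conns if c[1] == 80},
        "run_specific": {run: s["connections"] - common_conns for run, s in summaries.items()},
    }


if __name__ == "__main__":
    runs = {"win10": summarize(parse_rows(WIN10_ROWS)), "win7": summarize(parse_rows(WIN7_ROWS))}
    for key, value in cross_run_iocs(runs).items():
        print(f"{key}: {value}")
```

On this report the only contact reproduced on both images is the repeated plain-HTTP connection to ss.pcmanage.cn (122.9.39.210:80), which also matches the PCManage directory the sample created under Program Files. chromewebstore.googleapis.com and 13.107.253.64:443 appear only on the Windows 10 image, which also spawned an msedge.exe utility process during the run, so they are better treated as guest-image activity than as sample infrastructure until a second source confirms them.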
Files
\Users\Admin\AppData\Local\Temp\netul.dll
| MD5 | 47f5fe83659f9ea0c7b204a3e76f78b1 |
| SHA1 | cc1e2e5e7601473e69a28f4ab4a7ed29a07dbada |
| SHA256 | e834072d776786c0a9336225b18a1b4da91f3fd056277af61ba97a203c8bbb5a |
| SHA512 | 18c50b839b40b5706da9b0b948ea7ea85718cd38cd463d44750fa608ac14a1b45eb498c5d73460f4b67c9d9677fc3227be0ca48024aaf2b76dcebd09900e5e64 |
\Users\Admin\AppData\Local\Temp\{6D200E8D-6A57-41b3-95E8-D2C22008695E}.tmp\7z.dll
| MD5 | e46d966c4ba37e2f8e70c763d2a5ee70 |
| SHA1 | 6835cf8754b9f5883adefd2a497e10a58b274562 |
| SHA256 | 3888ea4bd723fdc0da83517374763c62b30731127837bb83ed6b190e9820754d |
| SHA512 | 951db30c235dd8bee327cb219972181307492c6009e75038f764afd14c15b2efc9c129b5e5024ea4ef8d21849efe6ec7853f16d7ae3d8f2c8a604f080b28e6b6 |
memory/2408-38-0x0000000000470000-0x0000000000471000-memory.dmp
memory/2408-156-0x0000000000470000-0x0000000000471000-memory.dmp