Malware Analysis Report

2024-09-23 11:50

Sample ID: 240614-stg4cazfkq
Target: 2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil
SHA256: 8a82235671e38bb9d73feee53eac89ecd703b8df635d40d3896fefad7d4f7041
Tags: bootkit persistence
Score: 6/10


Analysis Overview


Threat Level: Shows suspicious behavior

The file 2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Drops file in Program Files directory

Loads dropped DLL

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-14 15:25

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-14 15:24
Reported: 2024-06-14 15:27
Platform: win10v2004-20240226-en
Max time kernel: 142s
Max time network: 161s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe
Target: N/A

Drops file in Program Files directory

Description: File created
Indicator: C:\Program Files (x86)\PCManage\{F93DF148-6A0B-47ca-9F1E-D2671832B934}.tf
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe"

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe

"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2292,i,2103142837140538807,15881446839139365070,262144 --variations-seed-version /prefetch:8

Network


Files

C:\Users\Admin\AppData\Local\Temp\netul.dll

MD5 47f5fe83659f9ea0c7b204a3e76f78b1
SHA1 cc1e2e5e7601473e69a28f4ab4a7ed29a07dbada
SHA256 e834072d776786c0a9336225b18a1b4da91f3fd056277af61ba97a203c8bbb5a
SHA512 18c50b839b40b5706da9b0b948ea7ea85718cd38cd463d44750fa608ac14a1b45eb498c5d73460f4b67c9d9677fc3227be0ca48024aaf2b76dcebd09900e5e64

C:\Users\Admin\AppData\Local\Temp\{DEC25C21-A24A-43c7-B618-6AE019827BEC}.tmp\7z.dll

MD5 e46d966c4ba37e2f8e70c763d2a5ee70
SHA1 6835cf8754b9f5883adefd2a497e10a58b274562
SHA256 3888ea4bd723fdc0da83517374763c62b30731127837bb83ed6b190e9820754d
SHA512 951db30c235dd8bee327cb219972181307492c6009e75038f764afd14c15b2efc9c129b5e5024ea4ef8d21849efe6ec7853f16d7ae3d8f2c8a604f080b28e6b6

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-14 15:24
Reported: 2024-06-14 15:27
Platform: win7-20240221-en
Max time kernel: 117s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence
Description: File opened for modification
Indicator: \??\PhysicalDrive0
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe
Target: N/A

Drops file in Program Files directory

Description: File created
Indicator: C:\Program Files (x86)\PCManage\{B534F37E-0F8C-4aa8-A313-F33B7AAFC5C5}.tf
Process: C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_2b82cdb3a95c7b72ef8bc799d8445c32_magniber_revil.exe"

Network


Files

\Users\Admin\AppData\Local\Temp\netul.dll

MD5 47f5fe83659f9ea0c7b204a3e76f78b1
SHA1 cc1e2e5e7601473e69a28f4ab4a7ed29a07dbada
SHA256 e834072d776786c0a9336225b18a1b4da91f3fd056277af61ba97a203c8bbb5a
SHA512 18c50b839b40b5706da9b0b948ea7ea85718cd38cd463d44750fa608ac14a1b45eb498c5d73460f4b67c9d9677fc3227be0ca48024aaf2b76dcebd09900e5e64

\Users\Admin\AppData\Local\Temp\{6D200E8D-6A57-41b3-95E8-D2C22008695E}.tmp\7z.dll

MD5 e46d966c4ba37e2f8e70c763d2a5ee70
SHA1 6835cf8754b9f5883adefd2a497e10a58b274562
SHA256 3888ea4bd723fdc0da83517374763c62b30731127837bb83ed6b190e9820754d
SHA512 951db30c235dd8bee327cb219972181307492c6009e75038f764afd14c15b2efc9c129b5e5024ea4ef8d21849efe6ec7853f16d7ae3d8f2c8a604f080b28e6b6

memory/2408-38-0x0000000000470000-0x0000000000471000-memory.dmp

memory/2408-156-0x0000000000470000-0x0000000000471000-memory.dmp