Analysis
-
max time kernel
120s -
max time network
121s -
platform
windows7_x64 -
resource
win7-20240220-en -
resource tags
arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system -
submitted
26-06-2024 10:07
Static task
static1
Behavioral task
behavioral1
Sample
2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe
Resource
win7-20240220-en
General
-
Target
2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe
-
Size
11.7MB
-
MD5
6c1b0d7bf60d6e2272d495a5f1c17553
-
SHA1
0ca95d2b94f688553b1ae4f9f60cf32a440220c6
-
SHA256
6a9ca3b9310f2e3afb7937aa579bce78043f1dedd680db0e2581003cd193d25e
-
SHA512
0c08a6e6fa4dfd4feacb3f78e167a81d589d964cf90699d5af92a7e3e2040823a1923e64cfb429a2c6c366618fb7dae1d5583727290ebd189166a508f90716fe
-
SSDEEP
196608:kNym2iBYGfsV3YBukMDHMD+cpvJ/4H3nmghWoa/fsysMF4JD85lLkjiX:kN4H3YBjMDHMFgXnU7sElLy
Malware Config
Signatures
-
Detects executables packed with VMProtect. 5 IoCs
resource yara_rule behavioral1/files/0x00080000000153ee-18.dat INDICATOR_EXE_Packed_VMProtect behavioral1/memory/3060-24-0x0000000000400000-0x00000000009EA000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/2868-22-0x0000000003090000-0x000000000367A000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/3060-25-0x0000000000400000-0x00000000009EA000-memory.dmp INDICATOR_EXE_Packed_VMProtect behavioral1/memory/3060-406-0x0000000000400000-0x00000000009EA000-memory.dmp INDICATOR_EXE_Packed_VMProtect -
Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
description ioc Process Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Oracle\VirtualBox Guest Additions QJxCtGAG7YVM6iM.exe -
UPX dump on OEP (original entry point) 2 IoCs
resource yara_rule behavioral1/memory/3060-25-0x0000000000400000-0x00000000009EA000-memory.dmp UPX behavioral1/memory/3060-406-0x0000000000400000-0x00000000009EA000-memory.dmp UPX -
Executes dropped EXE 2 IoCs
pid Process 2864 QJxCtGAG7YVM6iM.exe 3060 请勿点击.exe -
Loads dropped DLL 2 IoCs
pid Process 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe -
resource yara_rule behavioral1/files/0x00080000000153ee-18.dat vmprotect behavioral1/memory/3060-24-0x0000000000400000-0x00000000009EA000-memory.dmp vmprotect behavioral1/memory/2868-22-0x0000000003090000-0x000000000367A000-memory.dmp vmprotect behavioral1/memory/3060-25-0x0000000000400000-0x00000000009EA000-memory.dmp vmprotect behavioral1/memory/3060-406-0x0000000000400000-0x00000000009EA000-memory.dmp vmprotect -
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
pid Process 3060 请勿点击.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
pid Process 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe 2864 QJxCtGAG7YVM6iM.exe -
Suspicious use of FindShellTrayWindow 1 IoCs
pid Process 2864 QJxCtGAG7YVM6iM.exe -
Suspicious use of SendNotifyMessage 1 IoCs
pid Process 2864 QJxCtGAG7YVM6iM.exe -
Suspicious use of SetWindowsHookEx 2 IoCs
pid Process 3060 请勿点击.exe 3060 请勿点击.exe -
Suspicious use of WriteProcessMemory 12 IoCs
description pid Process procid_target PID 2868 wrote to memory of 2864 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 28 PID 2868 wrote to memory of 2864 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 28 PID 2868 wrote to memory of 2864 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 28 PID 2868 wrote to memory of 2864 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 28 PID 2868 wrote to memory of 3060 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 29 PID 2868 wrote to memory of 3060 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 29 PID 2868 wrote to memory of 3060 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 29 PID 2868 wrote to memory of 3060 2868 2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe 29 PID 3060 wrote to memory of 2392 3060 请勿点击.exe 30 PID 3060 wrote to memory of 2392 3060 请勿点击.exe 30 PID 3060 wrote to memory of 2392 3060 请勿点击.exe 30 PID 3060 wrote to memory of 2392 3060 请勿点击.exe 30
Processes
-
C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2868 -
C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe"C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"2⤵
- Looks for VirtualBox Guest Additions in registry
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:2864
-
-
C:\Users\Admin\AppData\Local\Temp\请勿点击.exe"C:\Users\Admin\AppData\Local\Temp\请勿点击.exe"2⤵
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3060 -
C:\Windows\SysWOW64\cmd.execmd.exe3⤵PID:2392
-
-
Network
MITRE ATT&CK Enterprise v15
Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
295KB
MD56db6dcfe126984a341cecfc5be783f48
SHA198309871ad417694bafd93d44eb71180b79cdd45
SHA2568adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac
SHA512d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3
-
Filesize
212B
MD55cefad007afabe7f77758610cb3a4561
SHA15b0cff15ffbdb7317287b7575cfda241e8e34e3b
SHA256d85b0e0c7bbdfecab6154759d13c24f620a51d14d4bd6980e35266e7d55059e1
SHA512dc2a4a55809331beeaf261762d313b21daf739259994fb870ed9d01da820b3944368e46a2ee9320c4c83a5106a5a165c2c38bc589ec9fcb4c18723a8cab2cc13
-
Filesize
5KB
MD5d6ff5fb46185e783e042d0f1498ee8b9
SHA16c2717706a64fd0050c03eb7d08de6c49cd853e3
SHA2565a376e346175b2a5527e34af42562be78b842cce9bd3e2936d46954623a5275f
SHA512671d979969b3470445a9200eb68ee42dc125ee0d0fd62f3cc33b396c47b54ed71c639fb10c763891bf0944566010245610a47b36b0cf768118ba956316fe57a8
-
Filesize
5.7MB
MD5631cbea327373843c7193404da2f7b49
SHA1a1743aeb4d79877ed831617b733a41b477d16481
SHA2567c887a2b87da1faa449896903127b70b904430b2d9f123d811821e3ea720c49a
SHA5125fb96abde331e0e85c3f0b61326e26f4d336ef36e587f423e0202d9d74f076425bd9dc521425a4c63c4d53d81c62713e16b975f5ca0eb5209b2f54e0793f3f77
-
Filesize
3.1MB
MD55a716b52188c8226cf75fc626844b4c5
SHA13ea374fe53812157b72922b548a68374794644d2
SHA2561c349bcb071020e192ddadd8e02b0daa611dfa661cc0d5a8ea6ba6122412424a
SHA5129264ed289f4e627f501a0cf4987ad802502daa9fa8ee8a74a8771161f9a19fc3025b46bdac6fab7c33f9d0688eb5380c1932f50172c75a8cb6dbba62bdc29a4d