Analysis

  • max time kernel
    120s
  • max time network
    121s
  • platform
    windows7_x64
  • resource
    win7-20240220-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
  • submitted
    26-06-2024 10:07

General

  • Target

    2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe

  • Size

    11.7MB

  • MD5

    6c1b0d7bf60d6e2272d495a5f1c17553

  • SHA1

    0ca95d2b94f688553b1ae4f9f60cf32a440220c6

  • SHA256

    6a9ca3b9310f2e3afb7937aa579bce78043f1dedd680db0e2581003cd193d25e

  • SHA512

    0c08a6e6fa4dfd4feacb3f78e167a81d589d964cf90699d5af92a7e3e2040823a1923e64cfb429a2c6c366618fb7dae1d5583727290ebd189166a508f90716fe

  • SSDEEP

    196608:kNym2iBYGfsV3YBukMDHMD+cpvJ/4H3nmghWoa/fsysMF4JD85lLkjiX:kN4H3YBjMDHMFgXnU7sElLy

Score
9/10

Malware Config

Signatures

  • Detects executables packed with VMProtect. 5 IoCs
  • Looks for VirtualBox Guest Additions in registry 2 TTPs 1 IoCs
  • UPX dump on OEP (original entry point) 2 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 2 IoCs
  • VMProtect packed file 5 IoCs

    Detects executables packed with VMProtect commercial packer.

  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2868
    • C:\Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe
      "C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe" "C:\Users\Admin\AppData\Local\Temp\2024-06-26_6c1b0d7bf60d6e2272d495a5f1c17553_magniber_revil.exe"
      2⤵
      • Looks for VirtualBox Guest Additions in registry
      • Executes dropped EXE
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      PID:2864
    • C:\Users\Admin\AppData\Local\Temp\请勿点击.exe
      "C:\Users\Admin\AppData\Local\Temp\请勿点击.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of NtSetInformationThreadHideFromDebugger
      • Suspicious use of SetWindowsHookEx
      • Suspicious use of WriteProcessMemory
      PID:3060
      • C:\Windows\SysWOW64\cmd.exe
        cmd.exe
        3⤵
          PID:2392

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Users\Admin\AppData\Local\Temp\ISocket.dll

      Filesize

      295KB

      MD5

      6db6dcfe126984a341cecfc5be783f48

      SHA1

      98309871ad417694bafd93d44eb71180b79cdd45

      SHA256

      8adf02829208ea32bdb377e8fccfd106393611e9425d980ce39a8dac17150dac

      SHA512

      d4848676f2eb202ccc8f56f8389c53db0335f0ccc99ec4481e1c9978c2664519a0ffad0e8b53cc0bb56ae7ddf1cd041e225200b807a5808027c863d8094fcdc3

    • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

      Filesize

      212B

      MD5

      5cefad007afabe7f77758610cb3a4561

      SHA1

      5b0cff15ffbdb7317287b7575cfda241e8e34e3b

      SHA256

      d85b0e0c7bbdfecab6154759d13c24f620a51d14d4bd6980e35266e7d55059e1

      SHA512

      dc2a4a55809331beeaf261762d313b21daf739259994fb870ed9d01da820b3944368e46a2ee9320c4c83a5106a5a165c2c38bc589ec9fcb4c18723a8cab2cc13

    • C:\Users\Admin\AppData\Local\Temp\yjs_log\log.log

      Filesize

      5KB

      MD5

      d6ff5fb46185e783e042d0f1498ee8b9

      SHA1

      6c2717706a64fd0050c03eb7d08de6c49cd853e3

      SHA256

      5a376e346175b2a5527e34af42562be78b842cce9bd3e2936d46954623a5275f

      SHA512

      671d979969b3470445a9200eb68ee42dc125ee0d0fd62f3cc33b396c47b54ed71c639fb10c763891bf0944566010245610a47b36b0cf768118ba956316fe57a8

    • \Users\Admin\AppData\Local\Temp\ytool\QJxCtGAG7YVM6iM.exe

      Filesize

      5.7MB

      MD5

      631cbea327373843c7193404da2f7b49

      SHA1

      a1743aeb4d79877ed831617b733a41b477d16481

      SHA256

      7c887a2b87da1faa449896903127b70b904430b2d9f123d811821e3ea720c49a

      SHA512

      5fb96abde331e0e85c3f0b61326e26f4d336ef36e587f423e0202d9d74f076425bd9dc521425a4c63c4d53d81c62713e16b975f5ca0eb5209b2f54e0793f3f77

    • \Users\Admin\AppData\Local\Temp\请勿点击.exe

      Filesize

      3.1MB

      MD5

      5a716b52188c8226cf75fc626844b4c5

      SHA1

      3ea374fe53812157b72922b548a68374794644d2

      SHA256

      1c349bcb071020e192ddadd8e02b0daa611dfa661cc0d5a8ea6ba6122412424a

      SHA512

      9264ed289f4e627f501a0cf4987ad802502daa9fa8ee8a74a8771161f9a19fc3025b46bdac6fab7c33f9d0688eb5380c1932f50172c75a8cb6dbba62bdc29a4d

    • memory/2868-22-0x0000000003090000-0x000000000367A000-memory.dmp

      Filesize

      5.9MB

    • memory/3060-24-0x0000000000400000-0x00000000009EA000-memory.dmp

      Filesize

      5.9MB

    • memory/3060-25-0x0000000000400000-0x00000000009EA000-memory.dmp

      Filesize

      5.9MB

    • memory/3060-406-0x0000000000400000-0x00000000009EA000-memory.dmp

      Filesize

      5.9MB