Overview

overview

10

Static

static

10

2024-07-01...il.exe

windows7-x64

6

2024-07-01...il.exe

windows10-2004-x64

6

Analysis

  • max time kernel
    1s
  • max time network
    127s
  • platform
    windows7_x64
  • resource
    win7-20240508-en
  • resource tags

    arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
  • submitted
    01/07/2024, 14:48

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

  • Size

    37.6MB

  • MD5

    6068830154e280bb0c0ca87e57533425

  • SHA1

    94e5cab7e49fb04ec30ff75b6e3bc4fcea9e792d

  • SHA256

    492d4f36465829ece536dbd06aa7010b1d4c0270db158242d296ed6e73a4b696

  • SHA512

    990ccda1b69c7a0d3bb43dc3bdf6bb518deb02197395b661b332e55d64cdbf4a740fbab830773c22e4b1afc6d357ee4be12e7ab9a6916f15386bd45c9e68df73

  • SSDEEP

    786432:4TuUJP9mP1O9uGVD+6PPZlXMuzw+AuE3sBJm:4TuUJlmP1O9uGVDPxWiOuE3s/

Score
6/10
bootkitpersistence

Malware Config

Signatures

  • Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

    bootkitpersistence
  • Checks system information in the registry 2 TTPs 2 IoCs

    System information is often read in order to detect sandboxing environments.

  • Loads dropped DLL 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Checks system information in the registry
    • Loads dropped DLL
    • Checks processor information in registry
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2080

Network

        MITRE ATT&CK Enterprise v15

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log
          Filesize

          512KB

          MD5

          934785bd82108251dd002da9f20b6ce3

          SHA1

          a42c12162b4b19da5fc4ea0d43e2aed0cca48c20

          SHA256

          41e0204223bfc255c1eb05e5b2de6c470867c5382faf565ad839b98d7498424b

          SHA512

          859d453d1a3775d513f6eab29d9775d2da84091c34d0c025d75d4988fbb25d783a44cfc5889637aaf0f0d0c9012375e65fce00e7a001ee20cb343627dba2332b

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat
          Filesize

          32.1MB

          MD5

          bed62904779d0e7a5e7755982fb17e7f

          SHA1

          fffe124468f172476d7ea326ae1fea1a75340887

          SHA256

          8d893516a1311f7d93c85f0a29d7dec4751723c0c4aefa6e0b546e2cd08cbc61

          SHA512

          3bb8a80c82529ebbd16daafea06181a9ef20e186319e3be252312a14c2dcb13131fe77c680a3a01843689f6a1bc8346a4292baac47b79ea202d6a3b0036c43e7

          Download Submit

        • \Users\Admin\AppData\Local\Temp\gcapi_17198453452080.dll
          Filesize

          600KB

          MD5

          f637d5d3c3a60fddb5dd397556fe9b1d

          SHA1

          66f0c4f137870a9927400ea00facc00193ef21e3

          SHA256

          641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

          SHA512

          e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

          Download Submit

        • memory/2080-15-0x0000000006CF0000-0x0000000006D00000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2080-2-0x0000000005160000-0x0000000005161000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-5-0x0000000005190000-0x0000000005191000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-6-0x00000000051A0000-0x00000000051A1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-7-0x00000000051B0000-0x00000000051B1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-10-0x0000000005480000-0x0000000005481000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-3-0x0000000005170000-0x0000000005171000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-0-0x0000000000130000-0x0000000000131000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-21-0x0000000008830000-0x0000000008840000-memory.dmp

          Filesize

          64KB

          Download

        • memory/2080-4-0x0000000005180000-0x0000000005181000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-44-0x0000000005F30000-0x0000000005F38000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2080-49-0x0000000005EE0000-0x0000000005EE1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-47-0x0000000005F60000-0x0000000005F68000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2080-54-0x0000000005930000-0x0000000005931000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-1-0x0000000005150000-0x0000000005151000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-106-0x0000000006110000-0x0000000006118000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2080-111-0x0000000006100000-0x0000000006101000-memory.dmp

          Filesize

          4KB

          Download

        • memory/2080-109-0x0000000006400000-0x0000000006408000-memory.dmp

          Filesize

          32KB

          Download

        • memory/2080-169-0x0000000005480000-0x0000000005481000-memory.dmp

          Filesize

          4KB

          Download