492d4f36465829ece536dbd06aa7010b1d4c0270db158242d296ed6e73a4b696

Analysis

max time kernel
109s
max time network
175s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
01-07-2024 14:48

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Size

37.6MB
MD5

6068830154e280bb0c0ca87e57533425
SHA1

94e5cab7e49fb04ec30ff75b6e3bc4fcea9e792d
SHA256

492d4f36465829ece536dbd06aa7010b1d4c0270db158242d296ed6e73a4b696
SHA512

990ccda1b69c7a0d3bb43dc3bdf6bb518deb02197395b661b332e55d64cdbf4a740fbab830773c22e4b1afc6d357ee4be12e7ab9a6916f15386bd45c9e68df73
SSDEEP

786432:4TuUJP9mP1O9uGVD+6PPZlXMuzw+AuE3sBJm:4TuUJlmP1O9uGVDPxWiOuE3s/

Score

6^/10

bootkit persistence

Malware Config

Signatures

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

Checks system information in the registry 2 TTPs 2 IoCs

System information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemManufacturer	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SystemInformation\SystemProductName	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

Loads dropped DLL 1 IoCs

pid	Process
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\Description\System\CentralProcessor\0	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~Mhz	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
Key queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

Suspicious behavior: EnumeratesProcesses 40 IoCs

pid	Process
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
2320	2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe

C:\Users\Admin\AppData\Local\Temp\2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-07-01_6068830154e280bb0c0ca87e57533425_gozi_magniber_revil.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Checks computer location settings
- Checks system information in the registry
- Loads dropped DLL
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2320

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1340 --field-trial-handle=2356,i,13261194862334667799,7441241219475888176,262144 --variations-seed-version /prefetch:8
1⤵
PID:464

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
6eaa37edd89818f4678234d852e6c072

SHA1
9d355c06b66bd18fcac221fba50247babf83dc91

SHA256
0bed2954c6ca0f3f23bd4d9387822c6dcd17abe3592a34b82ca6d74553eb677e

SHA512
780c6c1ca429e177e1dd154b2e9274a03c15d4ed2b36df59ce051a3b2f623d8340dbb81338f5c527d71aa7fa2d9f4912efd2e706c3c07d0577e115a34a526e55

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\V01.log

Filesize
512KB

MD5
876e2d613cc3e6b89cb5d9a6eac28a99

SHA1
4a52f86bde25562f36e9b3a92138b54f4f30e7b3

SHA256
70f89e06cd0ba0e29784478d14f18f1634929e62ab3264788a62676d88c2f8b8

SHA512
af859c02c75936085aa9c8eae12ccb5f32224d8de48bde157ec0751c7cc75f3250d835aad78412cb7513108f1f280b1f016e28be930be5a5d899d8e0f8fbdd81

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
11.6MB

MD5
007f40465d148ae3a7d8e3699bace8b3

SHA1
a4b1071f53ddf7769eaf8a870b2376195ca60d56

SHA256
8411aabc5c6b064529e8d00bc40b3e4eebfd8fb765c591ebca8a94c3b334e961

SHA512
69bf7d967890f557e924fcbc34a1bbc2c38526f2091d0e715e9555bbc54bd94bab252066fce24b331963d4f4c462e651ca9faaff3f139f12c7a5ee7a39a2b49d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
11.6MB

MD5
f034d1dbf166d6eafb64cac8a7676878

SHA1
c1f540109f42b9d31427162e42398e588310f4dc

SHA256
ad50702a1917cfa0952b08b153bd37165887289e41aae9ea6fab57ac0614db34

SHA512
cf61c38d7958e506e1213457da34639a73972429e30ed178546afbabab9fecf754c440458d6a1c8c19bec9e2ca2171089dacd7217703ba3d8460e14c2201d636

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.dat

Filesize
12.1MB

MD5
f31decb3d78a7249e5a195de0ede1714

SHA1
da423cdc3ace0440f635883afed267f873ae68fd

SHA256
1f463d18749b788ad4a4d05fa5b1e8bbc50e18fa397724ffeb5a72cd387b3e99

SHA512
3774148fa1b825893f4d371377985ff400468f197e96aa8e832bf865892488b02d5fff5c18455a7c6641c0ed95816df6e80310b2bb0eac5f19987493e7ba0c1e

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
f6b7f7030df241d48ab145e6f90216fe

SHA1
bdf0180e4ef022c336e961ccfdd9831291fd0f2c

SHA256
28b09857ffbbb46f2dc5e3584d247f2deeb43823bf479a0820880033802e664d

SHA512
ef5a8e8eb8b7269256e9d9d8c819040de25f783fcdbf375ffc60164f0b0f508c806c3cf61e23bd0bd02d8daabb31dfd1ce6dc370041cceff92ca8ecb7642117d

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
7b91c72168cde9db35311a2e3b610344

SHA1
412944bce7ec2a2715fd679ea39497a3c75a944a

SHA256
88f2fb34dd9db9cccc5153ef1f6dae5f26b95a4324014ac93fc743badc7f2b0b

SHA512
df0cda580616a335dbc0b130d6cbb5c9160746423fdf7878eca00a8d0d5705600934683ea55728bd9034c0fcdfadcf39a3e745d0ef8792a21984893c34092e94

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
b97d285fe4a727be910932aabc127831

SHA1
bbde156fb2f95907e6579075bd062e7add7e1211

SHA256
a042c1af77df032a6acd09238a81da110f7c76692d369ef793521e588d2383cd

SHA512
6ea997a811e2415f771632c8216d5c588e84c8b796d338694a8c00185dadada8a793fc5eb5da5b1ef84e469d7920ee2684f0ad0df4d349d4733c6c19fd35a658

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\WebCache\WebCacheV01.jfm

Filesize
16KB

MD5
40f0e9e5bda3aacd50e372b41a660e64

SHA1
4f7383959d24cad4a73ec0c683ef1ee392e47879

SHA256
be0d53c8dcf8e23de4f5b3fbf4aae7126439fabc71bda6bbf88d3107a2886904

SHA512
5eeb7095fb351435ed132e963a92ce41bea761449994e5b0600dc467c4e08c4ce8c618851c4a5b7a99372472eea47300317f5c59280d233993c31057de4d8bbc

Download Submit
C:\Users\Admin\AppData\Local\Temp\gcapi_17198454412320.dll

Filesize
600KB

MD5
f637d5d3c3a60fddb5dd397556fe9b1d

SHA1
66f0c4f137870a9927400ea00facc00193ef21e3

SHA256
641b843cb6ee7538ec267212694c9ef0616b9ac9ab14a0abd7cf020678d50b02

SHA512
e96984f2f9c6858e989f10fd8e71b09a8a640c9be2fb87ac1692d9bca7107d7a837f8fbdcc46c01a6107dd9020994c5a6f975b7e16434e9b2bf1c43b1f0d8b31

Download Submit
memory/2320-41-0x000000000D820000-0x000000000D828000-memory.dmp

Filesize
32KB

Download
memory/2320-69-0x0000000006040000-0x0000000006041000-memory.dmp

Filesize
4KB

Download
memory/2320-42-0x000000000D810000-0x000000000D811000-memory.dmp

Filesize
4KB

Download
memory/2320-44-0x000000000D820000-0x000000000D828000-memory.dmp

Filesize
32KB

Download
memory/2320-0-0x0000000000010000-0x0000000000011000-memory.dmp

Filesize
4KB

Download
memory/2320-47-0x000000000D810000-0x000000000D818000-memory.dmp

Filesize
32KB

Download
memory/2320-50-0x000000000D680000-0x000000000D681000-memory.dmp

Filesize
4KB

Download
memory/2320-21-0x000000000C8A0000-0x000000000C8B0000-memory.dmp

Filesize
64KB

Download
memory/2320-62-0x000000000D890000-0x000000000D898000-memory.dmp

Filesize
32KB

Download
memory/2320-39-0x000000000DA80000-0x000000000DA88000-memory.dmp

Filesize
32KB

Download
memory/2320-66-0x0000000006040000-0x0000000006048000-memory.dmp

Filesize
32KB

Download
memory/2320-73-0x000000000D680000-0x000000000D681000-memory.dmp

Filesize
4KB

Download
memory/2320-15-0x000000000C700000-0x000000000C710000-memory.dmp

Filesize
64KB

Download
memory/2320-7-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2320-6-0x0000000000070000-0x0000000000071000-memory.dmp

Filesize
4KB

Download
memory/2320-5-0x0000000000060000-0x0000000000061000-memory.dmp

Filesize
4KB

Download
memory/2320-4-0x0000000000050000-0x0000000000051000-memory.dmp

Filesize
4KB

Download
memory/2320-3-0x0000000000040000-0x0000000000041000-memory.dmp

Filesize
4KB

Download
memory/2320-2-0x0000000000030000-0x0000000000031000-memory.dmp

Filesize
4KB

Download
memory/2320-1-0x0000000000020000-0x0000000000021000-memory.dmp

Filesize
4KB

Download