Analysis

  • max time kernel
    129s
  • max time network
    125s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-09-2024 10:25

General

  • Target
    2024-09-01_1b4994093c16ac227c82e93c656f4680_get-user-info_hijackloader_magniber_revil.exe
  • Size
    28.9MB
  • MD5
    1b4994093c16ac227c82e93c656f4680
  • SHA1
    bc30c0dddda8b6aaf9fe7ff1fd173e8cd640961d
  • SHA256
    4ef038de745e267a0046b2e9ffd14ead8c2cff3e4a9f0493e8b240b3b05e6411
  • SHA512
    3bceed380418b7b627b6d4d6430df204beebac542761b6289be8096c967f0372670f75625ac122ecae563b2470f2bb376b684bc81603f868d774b436807c31f9
  • SSDEEP
    393216:xKLsNkLB1Eyzzhjc9GZ1nncBC2NqFOvoizJ2jacQu3d0J4rYRZKV1PEr0lR4fjvJ:IoNqEyG9Grfs3zxcQh0o7vYG

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Executes dropped EXE 1 IoCs
  • Loads dropped DLL 9 IoCs
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Indicator Removal: File Deletion 1 TTPs

    Adversaries may delete files left behind by the actions of their intrusion activity.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: EnumeratesProcesses 4 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 4 IoCs
  • Suspicious use of WriteProcessMemory 9 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-09-01_1b4994093c16ac227c82e93c656f4680_get-user-info_hijackloader_magniber_revil.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-09-01_1b4994093c16ac227c82e93c656f4680_get-user-info_hijackloader_magniber_revil.exe"
    1⤵
    • Checks computer location settings
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of SetWindowsHookEx
    • Suspicious use of WriteProcessMemory
    PID:3260
    • C:\Windows\SYSTEM32\cmd.exe
      cmd /C rmdir C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate /s /q
      2⤵
        PID:4288
      • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\QuickFixCloseWin11AutoUpdate.exe
        "C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\QuickFixCloseWin11AutoUpdate.exe"
        2⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Enumerates connected drives
        • System Location Discovery: System Language Discovery
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2900
        • C:\Windows\SYSTEM32\cmd.exe
          cmd /C powershell -command "Get-WmiObject -Class Win32_OSRecoveryConfiguration"
          3⤵
          • Suspicious use of WriteProcessMemory
          PID:3332
          • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
            powershell -command "Get-WmiObject -Class Win32_OSRecoveryConfiguration"
            4⤵
            • Command and Scripting Interpreter: PowerShell
            • Suspicious behavior: EnumeratesProcesses
            • Suspicious use of AdjustPrivilegeToken
            PID:3456

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\LenovoBuyFunction.dll
    Filesize: 1.5MB
    MD5: 23bec7a71200c0b8daebf98b299054dd
    SHA1: c45ddc0698f1cd76da5c26784e34ebef7ec574e4
    SHA256: 09373a042027dd9afefe35388c5a001f58e00e0c0dbe81e26080ed1cefb7da3e
    SHA512: 910bccb8db75e617486843fa6075487fe0a3f2b062270854f5c628099b0fce864f5a75867d2a8c807e99f247267edad3bb5433172a493c33f580ce410d3e70b6

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\LenovoDriverDownlog.dll
    Filesize: 66KB
    MD5: b0d321395895455f1dfc081cd815dc70
    SHA1: 48cbe82690b46ff60fee71cfc5e7110ba010d3c0
    SHA256: 3701878a3a8d80b22f64459305c279cb3a1613b3cc67766a2765c3ac80e93042
    SHA512: 79d100a286e6689e8d351a26fc317bf669203f665622517d6817d73ff6e274ae2b13372ccee63ea18891dcc42d64e3162f4f57b274e0150d5bf083c7244e523d

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\LsfSdk.dll
    Filesize: 4.9MB
    MD5: cf4b769ab761764e89ea9863996b17ff
    SHA1: 9ec0e784ffc0a606554d97dce41640ed7c39ecbc
    SHA256: e17192af9403b9be41ab2c502b857fe7540e180b0ffba364f4b68ff6a33ba3aa
    SHA512: bf0d5a38d5067c7d932674a70a47b7a5325a44e9ab62436084e25b01b1604c6afa6dff6f20d46bf621ba4ba25b8f29126a0c2b8548a13ca34110de76fc5a7a70

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\QuickFixCloseWin11AutoUpdate.exe
    Filesize: 3.9MB
    MD5: 4174eececc1046b9313d5767fe74366d
    SHA1: cf0cd2aa55c04c43790cff5596d21b3471be03eb
    SHA256: 8264c025371689f28e17d3f0bc8dc27eb7749d5a534d5c1092a7b77b9c47348b
    SHA512: f3feadb4ffd2e88b8ad0efb7e1e3b0a060c90084b2afe7109ff03f22d7201b732cfec466a03f711424f7b756fdd259fe01679299a499c00318ec672560ae3bf3

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\WebView2Loader.dll
    Filesize: 104KB
    MD5: 29938d9e2f27e281dd8545ad364e6fa8
    SHA1: 25aa113097aa11e13442b7c8893631d7f5fe2f06
    SHA256: 49c0650616eadfa63394558cd1d3ed9f64918d5ed38ab3ef32ad0249283df0ef
    SHA512: 6dadd004471554a160528b509bc2b3382d535e9b06208de22ad4d1079cece9a3f9948ed005730195f1a40f973017ab0c3312bcb2de16dc7dcc199c741e082672

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\libcurl.dll
    Filesize: 2.6MB
    MD5: 3c6edd608d59b613545b02a9d64f8460
    SHA1: 016ed09417f3c1c4f2af4369244b7119538d0034
    SHA256: 3d4ef993ca23173e142df58c9640388dccc3a8fff06553afbc4f4d9f8ea3b9ed
    SHA512: a1ac6bb8d7d86456551f58992937a871f2217e52a15c192ca1e83d4559e9bb3be13f4fd992037bc25c5b77571e1b439dd2492f1de39e33d729c4c18af7018f3d

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\mfc140u.dll
    Filesize: 4.8MB
    MD5: f8ebbb4c28ab643471b124701da5b71a
    SHA1: 4674a454e4e817cdbbdbbc2321a75ea43a5cc5c6
    SHA256: df8543e39c6c04440734a26b25a8adb34460d4ad08fd41e2468f067f1284e582
    SHA512: f528dcde7cce29ba20c264d0774d21ec63e2ff942052df481078b8a400a020869d828383a8dc36389e55f8b6046304bd1822186305f12777913b0694e19bda85

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\msvcp140.dll
    Filesize: 439KB
    MD5: 5fd0772c30a923159055e87395f96d86
    SHA1: 4a20f687c84eb327e3cb7a4a60fe597666607cf3
    SHA256: 02c7259456eac8cbadfb460377ba68e98282400c7a4a9d0bf49b3313ef6d554d
    SHA512: 132a9b969104c0a214bde3f8c6e8f754d116cecdad55224bbea7a40cffd98f4e4de503d83d92cca0aaab9ed51c9efa00ad5caed69a9eda71013598a43b161c3a

  • C:\LenovoQuickFix\QuickFixCloseWin11AutoUpdate\vcruntime140.dll
    Filesize: 81KB
    MD5: e51018e4985943c51ff91471f8906504
    SHA1: 5899aaccdb692dbdffdaa35436c47d17c130cfd0
    SHA256: ff9c1123cff493a8f5eacb91115611b6c1c808b30c82af9b6f388c0ef1f6b46d
    SHA512: 2fe5ddad2100aeaea35398384a440ba0be169ef429f7e0b69687bc0f8865df41bc93fc80d3a8f0ddd9df54fc2f2d76b1056a1d1962d37432704c818128ffbd74

  • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_stkgftxk.kr0.ps1
    Filesize: 60B
    MD5: d17fe0a3f47be24a6453e9ef58c94641
    SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
    SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
    SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

  • memory/3456-47-0x000001A4384D0000-0x000001A4384F2000-memory.dmp
    Filesize: 136KB