Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Analysis

  • max time kernel
    121s
  • max time network
    126s
  • platform
    windows7_x64
  • resource
    win7-20240221-en
  • resource tags
    arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  • submitted
    06/04/2024, 21:34

General

  • Target

    2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe

  • Size

    1.5MB

  • MD5

    48f534500fd5c4612fda882bd9280efa

  • SHA1

    1d013dc16296ce45b19758b91f99ebe06e16767e

  • SHA256

    eb2eb7f54a3a69f88bd30aedd9c3c76d3cf314878a8d5b1795d394c1ecd59520

  • SHA512

    2232c88fc724c502c59ee7021a1c827e41568794ebf428cb33cc606087eae3d8367e520d3ce17e67b23ed6ac35e701421d0fb52b65dde67d791fcba8b3c0326b

  • SSDEEP

    24576:qZ7T2RItIgooooEwI/uAnlDUFm3eukrWeh0lhSMXlsgRl24e4mH4Ryg:qZ7CRIPooooEwITlDUo3ercRlfe4cCyg

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 6 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 10 IoCs
  • Modifies system certificate store 2 TTPs 2 IoCs
  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Modifies system certificate store
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2648
    • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe
      C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\icarus-info.xml /install /sssid:2648
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2516
      • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe
        C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe /sssid:2648 /er_master:master_ep_922767b5-9948-4595-bda0-4b192e17b88e /er_ui:ui_ep_dce3cf69-2f08-4d7a-89f2-9671f934418f
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:2500
      • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe
        C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe /sssid:2648 /er_master:master_ep_922767b5-9948-4595-bda0-4b192e17b88e /er_ui:ui_ep_dce3cf69-2f08-4d7a-89f2-9671f934418f /er_slave:avg-du_slave_ep_53e5abec-349a-4d36-9446-dbe673324c7d /slave:avg-du
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Writes to the Master Boot Record (MBR)
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:2348

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AVG\Icarus\Logs\icarus.log

    Filesize

    43KB

    MD5

    16a2d74a8a35273f4729b94650948329

    SHA1

    46e635b0b09501a8f673a8dea5f78ac48cf3ea05

    SHA256

    05286ec8a8cbd3ca97620fad7183cc591dac62e6cbca454b79d96f4c2b4225b3

    SHA512

    6f2fc744352c8f1d99bb65bc70fe914bd4f2384c405bfffa72cd0adc76c65da1c4d3ec04098e05e8d5933a7e5d17c3fe587124cd6ba8ef2cd07005f8bf9f5d59

  • C:\ProgramData\AVG\Icarus\Logs\sfx.log

    Filesize

    11KB

    MD5

    3c3397f05d02412a19615121be5201d7

    SHA1

    c9573cadf1c9ed76fcfbc8245a4c0d0e618dc409

    SHA256

    1f0b168ae917a09461498c4c92482d49f6d7e312de679d31a1551ffc66b40cb4

    SHA512

    7a87575658050e3f45a8f8a35b282577724078773129e3badf994ff9de2c8ec888f4889513697a0c7d65a219cc7efcf302e10a3301c84cc604fa0205f4c59665

  • C:\ProgramData\AVG\Icarus\Logs\sui.log

    Filesize

    10KB

    MD5

    6975d013ce7251439bc99127b914babf

    SHA1

    b861e1e7759b682a18e92f86c21c0ab14b4963da

    SHA256

    182dcf4d76f665387fa12b819ace204904e75501e9b7cd7fc57b9ecd3d8a7a6f

    SHA512

    3083e5e7cc03e825d57c2ac9cfaa92e17a66230664913efc88fc806d752e87ba7a58d63f4b624d646229308d064c853b0a82cf97ed62be6d16e0b02c6456fcd2

  • C:\ProgramData\AVG\Icarus\settings\proxy.ini

    Filesize

    214B

    MD5

    d6de6577f75a4499fe64be2006979ae5

    SHA1

    0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69

    SHA256

    87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9

    SHA512

    cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

  • C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

    Filesize

    64B

    MD5

    22417b5d5eb168147f2c237d658a7163

    SHA1

    6ae67daf07c0a187f397923ecba497e5ab01ed58

    SHA256

    f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1

    SHA512

    392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

  • C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

    Filesize

    72B

    MD5

    397f9adfb3031344b02b85d5a7cc6c19

    SHA1

    901a4d800dba8d8fa573d822d65a39886291553a

    SHA256

    93655368abb0a79a3d79cc098b6a0ccf3e2e14654b6b14ff3b09469163a02cfd

    SHA512

    feab9216e9208b2349c3a91eff081e96ace9c93f5ad4d3096225d207232fbc42ceae264dea8edaab68176eafebf1ce7640ee7300a99002922b333952fd92ac12

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\config.def

    Filesize

    598B

    MD5

    034b36267199768b675b84210a88ec58

    SHA1

    fb619e2a77013960d4a84b822b1225ec442b2020

    SHA256

    ae4c6c353cf7442bb86d0b219b0cee4ee52458586b1e8de12e21851c86d22c48

    SHA512

    8c2ecb10c04279c23498e6c9efe5518355383142f135d46813864c588efab09a181459f902f778bfb80f03c8832193828bde0e9ac8048d97d4b067a8c4410a5a

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus_product.dll

    Filesize

    1.9MB

    MD5

    d6a017483a5af86c762372d765eb36ba

    SHA1

    3644193fcf645113448eb8b0ddcd1f5d68763ba1

    SHA256

    563581e1a1f32a392ed60af488d1fd194d5eabe3db21042ac7e0f4f85a231ccf

    SHA512

    42d65eae3636d3871ace9ea273546ed3472fe007f0180f1335d28bad6b9ea0a7c345713fe08b5ab6cd9cd0bc925b7c7d1bbf5ea5d64d54f7f24faa05a43b0235

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\bug_report.exe

    Filesize

    4.8MB

    MD5

    1d1ae7dd9eca36d6e070f19f6080b62b

    SHA1

    6ccd71808890b3674a4627949bf95b6c3a2dc06b

    SHA256

    07720d52b091b20507180e9485539bf6971d834e8e52a686a7f1dcd059f07b3f

    SHA512

    e2aca0953cf44f3f017f450d08ae252a0c25c69570bec7c8ba6494a060e81f70535aa4b814b491d3f5c02bc98cb588f3848bb4b16fab118073339d76a3ff49b0

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\dump_process.exe

    Filesize

    3.4MB

    MD5

    26209014834bea1bf6b25ccaeb17cf4e

    SHA1

    8e9278463abc3070334cfaccb6a385d1fb399ada

    SHA256

    e767d9460894a4e5a882aa99c073637fc45cb1db369704c2895db9a725652018

    SHA512

    580bceeba9a4a2890b0a58f60f95e95a115c27d18f07158fca15c29c02456c7b8e83df9529fca45846df787a153f75741a9e13b93a28ec5da75c684660786659

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe

    Filesize

    11.2MB

    MD5

    3f25bb38aaee8c47848817edc7dd5793

    SHA1

    70b71c474f8f49d31624cbcbf4343fe9c6afb318

    SHA256

    6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268

    SHA512

    f70eaea41684226ed3484eddf0998d1938635018d997e97ea45aa63a5ec762b8fb9ff3093b1f9d9dd1987835596bdc447d60ebc86de08ed8ee16f3bb19d5f1fe

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\product-def.xml

    Filesize

    235KB

    MD5

    548a0818747231ebc5053a6c7dafbf2b

    SHA1

    179133d1777cddaf1d72b76bcedbcd9db6d9499a

    SHA256

    b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4

    SHA512

    71380216999acff3a83da62fa8c6f08414d2460a387b9dab8e88b648c5518b26a9a40a15941b7e065ec2205dd8c51c1303c0841126ff15e16aad6274c8dbd1d3

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\product-info.xml

    Filesize

    6KB

    MD5

    4cd56abe1d9846b864765770dc7e856b

    SHA1

    28827dc46f887b66003bd9b1953dfc355ec742e2

    SHA256

    e115b4da472bbc0b0042337f9ef5cb2da075b8e3dacdd7ef8393fe570d5fb0a4

    SHA512

    3b4c349611809d1df34b52c438074c719a5775c7484acda5489ce5da95ef5272d8ab210f8552391cbdc3042a291011815e5c1b555f0405bcc2152733eb84dd62

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\setupui.cont

    Filesize

    183KB

    MD5

    17d7bd78b7192a5115a3c32639ffe2e0

    SHA1

    e57c42de150ea99d87375de4d1dac305abb2868a

    SHA256

    2690af4dca3322a0d0f99582370c9bea85263f0b2ee1b4c38e293b06acdd0f66

    SHA512

    88626d9ddd3610d1a369017773d9811cc707c02f7c039237da1a189d24d796977d6c1a596adcc77e38d4a073a472f6040598fff54b78adffab3a04fc520b4b66

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\ecoo.edat

    Filesize

    21B

    MD5

    fac1bb5616a3b11b7a4e82bb17735ebd

    SHA1

    b3384971ec069823d20183070558eb03b7df35fb

    SHA256

    e90c4482daa3ce10324b0ef7f4c95a4f70803c0746b5b87c53078e9204962a2d

    SHA512

    f4f48a9b45d8274646c0699255f2f0bb5e8c37cf90a0a4c6f8809965acc73142ee21035e09fd77349bd988a565bdef2d86e849867a2e632035e1c39c3196ee5d

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\eref.edat

    Filesize

    49B

    MD5

    e5913d9f76897190e98996018ca4d7c4

    SHA1

    a4c89df4e0d012df0cff9655d217218d019692aa

    SHA256

    84b1788f47ec1643168352f836f608ba5f5e3b3cc6f316fbd359dc5efe9bcb2c

    SHA512

    8173020f7ba6e4d3c7fcea79df705890b511039f6118750e53b3243debffbb47c131f3f03f3a7329c28168b946b1e8aa15f38012a0f30f5872389eb1d53865a9

  • C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\icarus-info.xml

    Filesize

    1KB

    MD5

    c18976ba0a6e8c9a349bc77424bb2052

    SHA1

    5d04c5d9f2fac508a5d00edb97a4eebe465c58cf

    SHA256

    b7a505ce106653432c7f86b5e87b88f016e3c3685abc27a10cc5fdf8e30ec1fa

    SHA512

    79208aeeafbf84ac3563f3584ef191f455b4f65ca7ab912cf582ff0257d376bd30cce49aeffcc3e8d30b7d82084782cf7da63f5188eddfb2524f386ed77c2735

  • \Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe

    Filesize

    7.4MB

    MD5

    d2b966df5b0e2736b07c3ed7701648d3

    SHA1

    6b7af201fd696a692f6fe1275e4904228ff323d5

    SHA256

    e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829

    SHA512

    bc5ae0f083c296e9472d23773ffd1fad404336f5e621b2868e41fe25352708ad80c03a3805823fb058c81ee1cb22e7a4b7b7f092ac5a334d7aca90f78944899d

  • memory/2500-127-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

    Filesize

    64KB