Analysis
- max time kernel: 121s
- max time network: 126s
- platform: windows7_x64
- resource: win7-20240221-en
- resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
- submitted: 06/04/2024, 21:34
Static task
- static1

Behavioral task
- behavioral1
  Sample: 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Resource: win7-20240221-en

Behavioral task
- behavioral2
  Sample: 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Resource: win10v2004-20240226-en
General
- Target: 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
- Size: 1.5MB
- MD5: 48f534500fd5c4612fda882bd9280efa
- SHA1: 1d013dc16296ce45b19758b91f99ebe06e16767e
- SHA256: eb2eb7f54a3a69f88bd30aedd9c3c76d3cf314878a8d5b1795d394c1ecd59520
- SHA512: 2232c88fc724c502c59ee7021a1c827e41568794ebf428cb33cc606087eae3d8367e520d3ce17e67b23ed6ac35e701421d0fb52b65dde67d791fcba8b3c0326b
- SSDEEP: 24576:qZ7T2RItIgooooEwI/uAnlDUFm3eukrWeh0lhSMXlsgRl24e4mH4Ryg:qZ7CRIPooooEwITlDUo3ercRlfe4cCyg
Malware Config
Signatures
Executes dropped EXE (3 IoCs)
  pid   Process
  2516  icarus.exe
  2500  icarus_ui.exe
  2348  icarus.exe

Loads dropped DLL (6 IoCs)
  pid   Process
  2648  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  2516  icarus.exe
  2516  icarus.exe
  2516  icarus.exe
  2516  icarus.exe
  2348  icarus.exe
Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
  description  ioc  Process
  Key opened  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avast Software\Avast  icarus.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
  description  ioc  Process
  File opened for modification  \??\PhysicalDrive0  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  File opened for modification  \??\PhysicalDrive0  icarus.exe
  File opened for modification  \??\PhysicalDrive0  icarus.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
  description  ioc  Process
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  icarus.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  icarus.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString  icarus.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  icarus.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  icarus_ui.exe
  Key value queried  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz  icarus_ui.exe
  Key opened  \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0  icarus.exe
Modifies registry class (10 IoCs)
  description  ioc  Process
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F  icarus.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"  icarus.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAaaOq9/rSbEaN5Dz9v60/mwQAAAACAAAAAAAQZgAAAAEAACAAAADC3Ktk1wpetjcvZG0sZRbUsHhDGUt72WSpqUiag9GhtAAAAAAOgAAAAAIAACAAAABPczoJwDEoX19hYe3pVG7jgpyyVhkPk/61j3hQ/GxdtFAAAAAobzPKoXuKb2e8VJ5e+aooMhM+o4biLQB3CwqXjnieWDtQ//L24E/UluEmCJJ/QdUgvO/MXI4wjx6qIw+kX2PH2/EoS2NFL8oGbnRRkcE4X0AAAADMfSyXVPWORCYajybW0JlzvBEQwU1hk6jQwy7MvFGa6y4+uT7fyfknfkgunLLb5HfNTrptsyuTFrEpEZ7br9y7"  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "120d9c01-7082-4180-b3f5-3d226a4c5d69"  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "120d9c01-7082-4180-b3f5-3d226a4c5d69"  icarus.exe
  Key created  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F  icarus.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "120d9c01-7082-4180-b3f5-3d226a4c5d69"  icarus.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"  icarus.exe
Modifies system certificate store
  description  ioc  Process
  Key created  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Set value (data)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = [blob value not shown]  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
  pid   Process
  2500  icarus_ui.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description  pid  Process
  Token: SeDebugPrivilege  2516  icarus.exe
  Token: SeDebugPrivilege  2500  icarus_ui.exe
  Token: SeDebugPrivilege  2348  icarus.exe

Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  2648  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  2500  icarus_ui.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  2500  icarus_ui.exe

Suspicious use of WriteProcessMemory (10 IoCs)
  description  pid  Process  procid_target
  PID 2648 wrote to memory of 2516  2648  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe  28
  PID 2648 wrote to memory of 2516  2648  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe  28
  PID 2648 wrote to memory of 2516  2648  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe  28
  PID 2648 wrote to memory of 2516  2648  2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe  28
  PID 2516 wrote to memory of 2500  2516  icarus.exe  29
  PID 2516 wrote to memory of 2500  2516  icarus.exe  29
  PID 2516 wrote to memory of 2500  2516  icarus.exe  29
  PID 2516 wrote to memory of 2348  2516  icarus.exe  30
  PID 2516 wrote to memory of 2348  2516  icarus.exe  30
  PID 2516 wrote to memory of 2348  2516  icarus.exe  30

Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
- C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"
  PID: 2648
  - Loads dropped DLL
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Modifies system certificate store
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe
    Command line: C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\icarus-info.xml /install /sssid:2648
    PID: 2516
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe
      Command line: C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\common\icarus_ui.exe /sssid:2648 /er_master:master_ep_922767b5-9948-4595-bda0-4b192e17b88e /er_ui:ui_ep_dce3cf69-2f08-4d7a-89f2-9671f934418f
      PID: 2500
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx
    - C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe
      Command line: C:\Windows\Temp\asw-3d6edf2a-6e64-42ca-8568-2235b209daf5\avg-du\icarus.exe /sssid:2648 /er_master:master_ep_922767b5-9948-4595-bda0-4b192e17b88e /er_ui:ui_ep_dce3cf69-2f08-4d7a-89f2-9671f934418f /er_slave:avg-du_slave_ep_53e5abec-349a-4d36-9446-dbe673324c7d /slave:avg-du
      PID: 2348
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks for any installed AV software in registry
      - Writes to the Master Boot Record (MBR)
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads