Analysis
max time kernel: 92s
max time network: 129s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 06/04/2024, 21:34
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
Size: 1.5MB
MD5: 48f534500fd5c4612fda882bd9280efa
SHA1: 1d013dc16296ce45b19758b91f99ebe06e16767e
SHA256: eb2eb7f54a3a69f88bd30aedd9c3c76d3cf314878a8d5b1795d394c1ecd59520
SHA512: 2232c88fc724c502c59ee7021a1c827e41568794ebf428cb33cc606087eae3d8367e520d3ce17e67b23ed6ac35e701421d0fb52b65dde67d791fcba8b3c0326b
SSDEEP: 24576:qZ7T2RItIgooooEwI/uAnlDUFm3eukrWeh0lhSMXlsgRl24e4mH4Ryg:qZ7CRIPooooEwITlDUo3ercRlfe4cCyg
Malware Config
Signatures

Executes dropped EXE (3 IoCs)
- pid 2444, icarus.exe
- pid 1816, icarus_ui.exe
- pid 4240, icarus.exe

Loads dropped DLL (1 IoC)
- pid 4240, icarus.exe

Checks for any installed AV software in registry (1 TTP, 1 IoC)
- Key opened: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast (icarus.exe)

Writes to the Master Boot Record (MBR) (1 TTP, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
- File opened for modification: \??\PhysicalDrive0 (icarus.exe)
- File opened for modification: \??\PhysicalDrive0 (icarus.exe)
- File opened for modification: \??\PhysicalDrive0 (2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe)

Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (icarus.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (icarus_ui.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (icarus_ui.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (icarus.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz (icarus.exe)
- Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (icarus.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (icarus.exe)

Modifies registry class (10 IoCs)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" (icarus.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F (2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "d0fa1792-eafc-4d3f-8898-374533cf7294" (2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "d0fa1792-eafc-4d3f-8898-374533cf7294" (icarus.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F (icarus.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "d0fa1792-eafc-4d3f-8898-374533cf7294" (icarus.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" (2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA/7tUb8mDTUWmlZA4o785QQQAAAACAAAAAAAQZgAAAAEAACAAAABvJoEQ/JhkyeMCmQQD27S3Rils9a0kyqpSWujSVSAWgwAAAAAOgAAAAAIAACAAAABkcgbYUoHiWMWyWv6WQ9sfdqcllgmby8PThnFoW/QWXlAAAABoBNMnRhhIYweleGdQcQ2A4Ff9/rns9tC+jM8IQAn6T5OAc2yoL7OKgJ1m0YuoXSRBulI14+6PnUx6dNXddOHtunB80LsCfmc3jxrz8RNS6UAAAACsTdwUwXIwVL7PtQtKELj+PkPHbLT/2novNjvwvk9LIEKlmFEevyTVRX+Y9W01LB+sh2ctkiSg3b1/FgvMdhwh" (2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F (icarus.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" (icarus.exe)

Suspicious behavior: EnumeratesProcesses (2 IoCs)
- pid 1816, icarus_ui.exe
- pid 1816, icarus_ui.exe

Suspicious use of AdjustPrivilegeToken (3 IoCs)
- Token: SeDebugPrivilege (pid 2444, icarus.exe)
- Token: SeDebugPrivilege (pid 1816, icarus_ui.exe)
- Token: SeDebugPrivilege (pid 4240, icarus.exe)

Suspicious use of FindShellTrayWindow (2 IoCs)
- pid 2436, 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
- pid 1816, icarus_ui.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- pid 1816, icarus_ui.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 2436 wrote to memory of 2444 (pid 2436, 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe, procid_target 94)
- PID 2436 wrote to memory of 2444 (pid 2436, 2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe, procid_target 94)
- PID 2444 wrote to memory of 1816 (pid 2444, icarus.exe, procid_target 95)
- PID 2444 wrote to memory of 1816 (pid 2444, icarus.exe, procid_target 95)
- PID 2444 wrote to memory of 4240 (pid 2444, icarus.exe, procid_target 97)
- PID 2444 wrote to memory of 4240 (pid 2444, icarus.exe, procid_target 97)

Uses Task Scheduler COM API (1 TTP)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes

C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"
  PID: 2436
  - Writes to the Master Boot Record (MBR)
  - Modifies registry class
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory

  C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe (child of PID 2436)
    Command line: C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\icarus-info.xml /install /sssid:2436
    PID: 2444
    - Executes dropped EXE
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe (child of PID 2444)
      Command line: C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe /sssid:2436 /er_master:master_ep_a47df9cf-8a89-4c27-8dbe-5d32f34d411a /er_ui:ui_ep_a6f67036-5b86-45fd-be46-76b2648e50d8
      PID: 1816
      - Executes dropped EXE
      - Checks processor information in registry
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of FindShellTrayWindow
      - Suspicious use of SetWindowsHookEx

    C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe (child of PID 2444)
      Command line: C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe /sssid:2436 /er_master:master_ep_a47df9cf-8a89-4c27-8dbe-5d32f34d411a /er_ui:ui_ep_a6f67036-5b86-45fd-be46-76b2648e50d8 /er_slave:avg-du_slave_ep_d524bf76-b600-450f-ba1a-c338c3491828 /slave:avg-du
      PID: 4240
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks for any installed AV software in registry
      - Writes to the Master Boot Record (MBR)
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 45KB
MD5: 4e2fdfa22d641b0c6079c3734c23183f
SHA1: 1455d9436e5fa59941ff9f92ed2d1914ecd97bc8
SHA256: b5be687252eefa9ecf291a77e0b97a6100b9d1213f30f9b6da1239addf341551
SHA512: 3ba3938c8360e48609eec1cdfe218c2b59a0572f7a6ce37df8094183ac726eddd962ecb080b1d73e8cecc87344b7cc097a5e99c78090ce838cc004fe3daaf0e2

Filesize: 11KB
MD5: 8228287e11ad46b8543fc4173749b42e
SHA1: 3f46587c64d9843292c91d9c1780833c888c91c9
SHA256: 4a6a68cca68be7d31f7afb8d309f784c3c0d24cf6ea7a343c6ff5a258a5ca014
SHA512: 7ca072598547b0a357ceb11cf19a0d30388a965a7ee1319e83a2c64da51963b6d45a691d5a810fb4948a4591a1e5087abc5469b0554092bb145c2a6c77ef91dc

Filesize: 13KB
MD5: 9d5a05c0bef902f8e8c70945535bfa5f
SHA1: 27d4ea73de38a2686de5e89ae7d55c41ffbb9ce3
SHA256: 06e60152d0eed543b7a6ffef31123074af3edb5d2fb3b607009e0f7fcd599297
SHA512: 54bbcf88257b0923f6b1a6aa6df9be23ece8f5d640ab8645ef42de049a1d22632eab1fc54fa481d28829b73c73f61d18249a32b1f6251fd13d9fe1470b9fcd5a

Filesize: 214B
MD5: d6de6577f75a4499fe64be2006979ae5
SHA1: 0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69
SHA256: 87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9
SHA512: cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

Filesize: 64B
MD5: 22417b5d5eb168147f2c237d658a7163
SHA1: 6ae67daf07c0a187f397923ecba497e5ab01ed58
SHA256: f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1
SHA512: 392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

Filesize: 72B
MD5: b65f7a67ff22c0083f4215e1040149c5
SHA1: 47f1cbaab2be8ade7fea575a1862b2a0f9237603
SHA256: 88973e9e1628a1f44da72a982d742443b89b24dbb6876e3164fc2b0631397b32
SHA512: 2543b8cdd63de7a0b206a422a3e1c0c4f4b4247cff25dce7dc622ead842c2d0e7ba7a0ac99869e0a0a7081a50ce9d1e56131e5d1c4cd5cd64861ad21d486b6b6

Filesize: 598B
MD5: 034b36267199768b675b84210a88ec58
SHA1: fb619e2a77013960d4a84b822b1225ec442b2020
SHA256: ae4c6c353cf7442bb86d0b219b0cee4ee52458586b1e8de12e21851c86d22c48
SHA512: 8c2ecb10c04279c23498e6c9efe5518355383142f135d46813864c588efab09a181459f902f778bfb80f03c8832193828bde0e9ac8048d97d4b067a8c4410a5a

Filesize: 1.9MB
MD5: d6a017483a5af86c762372d765eb36ba
SHA1: 3644193fcf645113448eb8b0ddcd1f5d68763ba1
SHA256: 563581e1a1f32a392ed60af488d1fd194d5eabe3db21042ac7e0f4f85a231ccf
SHA512: 42d65eae3636d3871ace9ea273546ed3472fe007f0180f1335d28bad6b9ea0a7c345713fe08b5ab6cd9cd0bc925b7c7d1bbf5ea5d64d54f7f24faa05a43b0235

Filesize: 235KB
MD5: 548a0818747231ebc5053a6c7dafbf2b
SHA1: 179133d1777cddaf1d72b76bcedbcd9db6d9499a
SHA256: b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4
SHA512: 71380216999acff3a83da62fa8c6f08414d2460a387b9dab8e88b648c5518b26a9a40a15941b7e065ec2205dd8c51c1303c0841126ff15e16aad6274c8dbd1d3

Filesize: 4.8MB
MD5: 1d1ae7dd9eca36d6e070f19f6080b62b
SHA1: 6ccd71808890b3674a4627949bf95b6c3a2dc06b
SHA256: 07720d52b091b20507180e9485539bf6971d834e8e52a686a7f1dcd059f07b3f
SHA512: e2aca0953cf44f3f017f450d08ae252a0c25c69570bec7c8ba6494a060e81f70535aa4b814b491d3f5c02bc98cb588f3848bb4b16fab118073339d76a3ff49b0

Filesize: 3.4MB
MD5: 26209014834bea1bf6b25ccaeb17cf4e
SHA1: 8e9278463abc3070334cfaccb6a385d1fb399ada
SHA256: e767d9460894a4e5a882aa99c073637fc45cb1db369704c2895db9a725652018
SHA512: 580bceeba9a4a2890b0a58f60f95e95a115c27d18f07158fca15c29c02456c7b8e83df9529fca45846df787a153f75741a9e13b93a28ec5da75c684660786659

Filesize: 7.4MB
MD5: d2b966df5b0e2736b07c3ed7701648d3
SHA1: 6b7af201fd696a692f6fe1275e4904228ff323d5
SHA256: e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829
SHA512: bc5ae0f083c296e9472d23773ffd1fad404336f5e621b2868e41fe25352708ad80c03a3805823fb058c81ee1cb22e7a4b7b7f092ac5a334d7aca90f78944899d

Filesize: 11.2MB
MD5: 3f25bb38aaee8c47848817edc7dd5793
SHA1: 70b71c474f8f49d31624cbcbf4343fe9c6afb318
SHA256: 6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268
SHA512: f70eaea41684226ed3484eddf0998d1938635018d997e97ea45aa63a5ec762b8fb9ff3093b1f9d9dd1987835596bdc447d60ebc86de08ed8ee16f3bb19d5f1fe

Filesize: 6KB
MD5: 4cd56abe1d9846b864765770dc7e856b
SHA1: 28827dc46f887b66003bd9b1953dfc355ec742e2
SHA256: e115b4da472bbc0b0042337f9ef5cb2da075b8e3dacdd7ef8393fe570d5fb0a4
SHA512: 3b4c349611809d1df34b52c438074c719a5775c7484acda5489ce5da95ef5272d8ab210f8552391cbdc3042a291011815e5c1b555f0405bcc2152733eb84dd62

Filesize: 183KB
MD5: 17d7bd78b7192a5115a3c32639ffe2e0
SHA1: e57c42de150ea99d87375de4d1dac305abb2868a
SHA256: 2690af4dca3322a0d0f99582370c9bea85263f0b2ee1b4c38e293b06acdd0f66
SHA512: 88626d9ddd3610d1a369017773d9811cc707c02f7c039237da1a189d24d796977d6c1a596adcc77e38d4a073a472f6040598fff54b78adffab3a04fc520b4b66

Filesize: 21B
MD5: fac1bb5616a3b11b7a4e82bb17735ebd
SHA1: b3384971ec069823d20183070558eb03b7df35fb
SHA256: e90c4482daa3ce10324b0ef7f4c95a4f70803c0746b5b87c53078e9204962a2d
SHA512: f4f48a9b45d8274646c0699255f2f0bb5e8c37cf90a0a4c6f8809965acc73142ee21035e09fd77349bd988a565bdef2d86e849867a2e632035e1c39c3196ee5d

Filesize: 49B
MD5: e5913d9f76897190e98996018ca4d7c4
SHA1: a4c89df4e0d012df0cff9655d217218d019692aa
SHA256: 84b1788f47ec1643168352f836f608ba5f5e3b3cc6f316fbd359dc5efe9bcb2c
SHA512: 8173020f7ba6e4d3c7fcea79df705890b511039f6118750e53b3243debffbb47c131f3f03f3a7329c28168b946b1e8aa15f38012a0f30f5872389eb1d53865a9

Filesize: 1KB
MD5: 0e0e6fd998c0349cf1cc1820e89f7627
SHA1: dccf449325cf8964af8941966307daf92ecb441a
SHA256: bbf7fab6a579b128d20fa2a54bf58b9aa358470195e96cf24444bb775996fb85
SHA512: e135922d13c2a15be3a8dc041300b787e576455c099e30a755725e18b69f408bd6874a36a8fff8cd8e0f9b87d76c103751a61b7814a2400e613a7a1c716133f6