Analysis

  • max time kernel
    92s
  • max time network
    129s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    06/04/2024, 21:34

General

  • Target

    2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe

  • Size

    1.5MB

  • MD5

    48f534500fd5c4612fda882bd9280efa

  • SHA1

    1d013dc16296ce45b19758b91f99ebe06e16767e

  • SHA256

    eb2eb7f54a3a69f88bd30aedd9c3c76d3cf314878a8d5b1795d394c1ecd59520

  • SHA512

    2232c88fc724c502c59ee7021a1c827e41568794ebf428cb33cc606087eae3d8367e520d3ce17e67b23ed6ac35e701421d0fb52b65dde67d791fcba8b3c0326b

  • SSDEEP

    24576:qZ7T2RItIgooooEwI/uAnlDUFm3eukrWeh0lhSMXlsgRl24e4mH4Ryg:qZ7CRIPooooEwITlDUo3ercRlfe4cCyg

Score
7/10

Malware Config

Signatures

  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 1 IoCs
  • Checks for any installed AV software in registry 1 TTPs 1 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 10 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 6 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
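The "Checks processor information in registry" signature fires because the dropped installer components read HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor. The script below is an added example, not tria.ge code and not code from this sample: it reproduces the heuristics a sample typically applies to that data (logical-processor count, hypervisor brand strings, implausible clock) so an analyst can see what a given sandbox image would reveal. The registry key and value names are the real ones; the two snapshots are constructed, the marker list is an illustrative assumption, and the live read only works on Windows.

```python
r"""Sandbox heuristics derived from CentralProcessor registry data.

Added example, not tria.ge code. Key and value names are the real ones under
HKLM\HARDWARE\DESCRIPTION\System\CentralProcessor\<N>; the two snapshots below
are constructed. snapshot_cpu_keys() reads the live hive with winreg on Windows;
sandbox_indicators() is pure and runs anywhere.
"""
import sys

CPU_KEY = r"HARDWARE\DESCRIPTION\System\CentralProcessor"
VALUE_NAMES = ("ProcessorNameString", "VendorIdentifier", "Identifier", "~MHz")
# Brand-string fragments typical of hypervisor-emulated CPUs (assumption:
# illustrative list, not exhaustive).
VIRTUAL_BRAND_MARKERS = ("qemu", "virtual cpu", "kvm", "bochs", "xen")


def snapshot_cpu_keys() -> dict[str, dict]:
    """Return {subkey_name: {value_name: value}} for every CentralProcessor\\N key."""
    if sys.platform != "win32":
        raise RuntimeError("live registry read requires Windows")
    import winreg  # Windows-only module, imported lazily
    snapshot: dict[str, dict] = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, CPU_KEY) as root:
        subkey_count = winreg.QueryInfoKey(root)[0]
        for i in range(subkey_count):
            name = winreg.EnumKey(root, i)
            with winreg.OpenKey(root, name) as sub:
                values = {}
                for value_name in VALUE_NAMES:
                    try:
                        values[value_name] = winreg.QueryValueEx(sub, value_name)[0]
                    except FileNotFoundError:
                        pass  # value absent on this build; skip it
                snapshot[name] = values
    return snapshot


def sandbox_indicators(snapshot: dict[str, dict], min_cores: int = 2) -> list[str]:
    """List the reasons a sample applying these checks would decide it is sandboxed."""
    reasons: list[str] = []
    cores = len(snapshot)  # one subkey per logical processor
    if cores < min_cores:
        reasons.append(f"only {cores} logical processor(s) enumerated")
    cpu0 = snapshot.get("0", {})
    brand = str(cpu0.get("ProcessorNameString", "")).lower()
    for marker in VIRTUAL_BRAND_MARKERS:
        if marker in brand:
            reasons.append(f"processor brand string mentions '{marker}'")
            break
    mhz = cpu0.get("~MHz")
    if isinstance(mhz, int) and mhz < 1000:
        reasons.append(f"implausibly low reported clock: {mhz} MHz")
    return reasons


# Constructed snapshots: an 8-core desktop and a single-vCPU QEMU guest.
SAMPLE_BARE_METAL = {
    str(i): {"ProcessorNameString": "Intel(R) Core(TM) i7-9700 CPU @ 3.00GHz",
             "VendorIdentifier": "GenuineIntel",
             "Identifier": "Intel64 Family 6 Model 158 Stepping 13", "~MHz": 3000}
    for i in range(8)
}
SAMPLE_SANDBOX = {
    "0": {"ProcessorNameString": "QEMU Virtual CPU version 2.5+",
          "VendorIdentifier": "GenuineIntel",
          "Identifier": "Intel64 Family 6 Model 6 Stepping 3", "~MHz": 2400},
}

if __name__ == "__main__":
    for label, snap in (("bare metal", SAMPLE_BARE_METAL), ("sandbox", SAMPLE_SANDBOX)):
        print(f"{label}: {sandbox_indicators(snap) or ['no indicators']}")
```

Run sandbox_indicators(snapshot_cpu_keys()) on the analysis VM itself: any reason it returns is a check the sample could use to bail out before showing its real behaviour, and the fix is on the image (more vCPUs, a non-emulated brand string), not in the detonation.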
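The Task Scheduler COM API (RegisterTaskDefinition) persists the same XML task definition that schtasks /query /xml exports and that is stored per task under C:\Windows\System32\Tasks, so the quickest way to see what a sample scheduled is to triage those definitions. The script below is an added example, not tria.ge code and not recovered from this sample: it parses a task definition, lists triggers and Exec actions, and flags boot/logon triggers, binaries under user-writable directories and HighestAvailable run level. The namespace and element names are the real Task Scheduler schema; the sample task XML and the suspect-directory list are constructed assumptions.

```python
r"""Triage Task Scheduler task definitions.

Added example, not tria.ge code. The XML below is constructed to resemble a
typical persistence entry; real task files under C:\Windows\System32\Tasks are
UTF-16 encoded and carry an XML declaration, which scan_tasks_dir() handles.
"""
import os
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
PERSISTENCE_TRIGGERS = ("BootTrigger", "LogonTrigger")
# Directories a normal user can write to (assumption: illustrative list).
SUSPECT_DIRS = ("\\appdata\\", "\\temp\\", "\\programdata\\", "\\public\\")


def triage_task_xml(xml_text: str) -> dict:
    """Extract triggers, Exec actions and run level, and list review findings."""
    root = ET.fromstring(xml_text)
    triggers_el = root.find("t:Triggers", NS)
    triggers = [] if triggers_el is None else [c.tag.split("}")[-1] for c in triggers_el]
    actions = []
    for ex in root.findall("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip()
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    run_level = root.findtext("t:Principals/t:Principal/t:RunLevel", default="", namespaces=NS)

    findings = []
    for trig in triggers:
        if trig in PERSISTENCE_TRIGGERS:
            findings.append(f"runs at {trig.replace('Trigger', '').lower()}")
    for cmd, _ in actions:
        if any(d in cmd.lower() for d in SUSPECT_DIRS):
            findings.append(f"executes from user-writable path: {cmd}")
    if run_level == "HighestAvailable":
        findings.append("requests highest available privileges")
    return {"triggers": triggers, "actions": actions, "run_level": run_level, "findings": findings}


def scan_tasks_dir(path: str) -> dict[str, dict]:
    """Triage every task file in a Tasks directory (e.g. an exported copy)."""
    results = {}
    for entry in os.scandir(path):
        if not entry.is_file():
            continue
        with open(entry.path, "rb") as fh:
            raw = fh.read()
        # Task files are normally UTF-16 with a BOM; fall back to UTF-8 otherwise.
        if raw.startswith((b"\xff\xfe", b"\xfe\xff")):
            text = raw.decode("utf-16")
        else:
            text = raw.decode("utf-8", "replace")
        results[entry.name] = triage_task_xml(text)
    return results


# Constructed task definition: logon + boot triggers, elevated, binary in %TEMP%.
SAMPLE_TASK_XML = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <LogonTrigger><Enabled>true</Enabled></LogonTrigger>
    <BootTrigger><Enabled>true</Enabled></BootTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author"><RunLevel>HighestAvailable</RunLevel></Principal>
  </Principals>
  <Actions Context="Author">
    <Exec>
      <Command>C:\Users\Admin\AppData\Local\Temp\updater.exe</Command>
      <Arguments>/silent</Arguments>
    </Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for line in triage_task_xml(SAMPLE_TASK_XML)["findings"]:
        print(line)
```

A task whose only trigger is a CalendarTrigger and whose Command sits under Program Files produces no findings here; that is the expected shape of a legitimate updater task, and the list of findings is meant to rank tasks for review, not to convict them.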

Processes

  • C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe
    "C:\Users\Admin\AppData\Local\Temp\2024-04-06_48f534500fd5c4612fda882bd9280efa_magniber.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Modifies registry class
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:2436
    • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe
      C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\icarus-info.xml /install /sssid:2436
      2⤵
      • Executes dropped EXE
      • Writes to the Master Boot Record (MBR)
      • Checks processor information in registry
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2444
      • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe
        C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe /sssid:2436 /er_master:master_ep_a47df9cf-8a89-4c27-8dbe-5d32f34d411a /er_ui:ui_ep_a6f67036-5b86-45fd-be46-76b2648e50d8
        3⤵
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of FindShellTrayWindow
        • Suspicious use of SetWindowsHookEx
        PID:1816
      • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe
        C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus.exe /sssid:2436 /er_master:master_ep_a47df9cf-8a89-4c27-8dbe-5d32f34d411a /er_ui:ui_ep_a6f67036-5b86-45fd-be46-76b2648e50d8 /er_slave:avg-du_slave_ep_d524bf76-b600-450f-ba1a-c338c3491828 /slave:avg-du
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Checks for any installed AV software in registry
        • Writes to the Master Boot Record (MBR)
        • Checks processor information in registry
        • Modifies registry class
        • Suspicious use of AdjustPrivilegeToken
        PID:4240
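Three processes in the tree above carry the "Writes to the Master Boot Record (MBR)" signature, and all three are dropped installer components under C:\Windows\Temp\asw-...; the dropped paths listed under Downloads (C:\ProgramData\AVG\Icarus\Logs, avg-du) are consistent with the AVG/Avast Icarus installer framework rather than with the Magniber family the file name suggests. Before treating the signature as bootkit persistence, confirm whether the boot sector actually changed. The script below is an added example, not tria.ge code: it parses a 512-byte MBR dump (boot code, disk signature, partition table, 0x55AA signature) and diffs it against a known-good copy. The two MBRs it works on are constructed in the block; read_mbr() is what you would point at a disk image, or at \\.\PhysicalDrive0 on the VM itself (administrator required).

```python
"""Parse and baseline-compare a 512-byte MBR dump.

Added example, not tria.ge code. Checks that a dumped boot sector still carries
its 0x55AA signature, parses the partition table, and reports which part of the
sector (boot code, disk signature, partition table) differs from a baseline.
The sample MBRs below are constructed, not taken from the report.
"""
import hashlib
import struct

MBR_SIZE = 512
BOOT_CODE_LEN = 440      # bytes 0..439 hold the boot code
DISK_SIG_OFF = 440       # 4-byte disk signature, then 2 reserved bytes
PART_TABLE_OFF = 446     # four 16-byte partition entries
PART_ENTRY = "<B3xB3xII"  # status, CHS start, type, CHS end, LBA start, sector count
BOOT_SIG = b"\x55\xaa"   # bytes 510..511


def read_mbr(path: str) -> bytes:
    """Read the first sector of a disk image or raw device (\\\\.\\PhysicalDrive0 on Windows)."""
    with open(path, "rb") as fh:
        return fh.read(MBR_SIZE)


def parse_mbr(data: bytes) -> dict:
    if len(data) != MBR_SIZE:
        raise ValueError(f"expected {MBR_SIZE} bytes, got {len(data)}")
    partitions = []
    for i in range(4):
        status, ptype, lba_start, sectors = struct.unpack_from(PART_ENTRY, data, PART_TABLE_OFF + 16 * i)
        if ptype == 0:
            continue  # empty slot
        partitions.append({"index": i, "bootable": status == 0x80, "type": ptype,
                           "lba_start": lba_start, "sectors": sectors})
    return {
        "signature_ok": data[510:512] == BOOT_SIG,
        "disk_signature": struct.unpack_from("<I", data, DISK_SIG_OFF)[0],
        "boot_code_sha256": hashlib.sha256(data[:BOOT_CODE_LEN]).hexdigest(),
        "partitions": partitions,
    }


def compare_mbr(baseline: bytes, current: bytes) -> list[str]:
    """Return findings for the current sector relative to the baseline; empty means unchanged."""
    base, cur = parse_mbr(baseline), parse_mbr(current)
    findings = []
    if not cur["signature_ok"]:
        findings.append("boot signature 0x55AA missing: sector overwritten or truncated")
    if base["boot_code_sha256"] != cur["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) changed")
    if base["disk_signature"] != cur["disk_signature"]:
        findings.append("disk signature changed")
    if base["partitions"] != cur["partitions"]:
        findings.append("partition table changed")
    return findings


def build_sample_mbr(boot_code: bytes, part_type: int = 0x07) -> bytes:
    """Construct a minimal MBR for the demo: one active partition at LBA 2048."""
    sector = bytearray(MBR_SIZE)
    sector[:len(boot_code)] = boot_code
    struct.pack_into("<I", sector, DISK_SIG_OFF, 0xDEADBEEF)
    struct.pack_into(PART_ENTRY, sector, PART_TABLE_OFF, 0x80, part_type, 2048, 1_000_000)
    sector[510:512] = BOOT_SIG
    return bytes(sector)


# Constructed clean sector: a typical prologue (xor ax,ax / mov ss,ax / mov sp,7C00h) padded with NOPs.
CLEAN_MBR = build_sample_mbr(b"\x33\xc0\x8e\xd0\xbc\x00\x7c" + b"\x90" * 100)


def demo() -> dict:
    """Exercise the comparison against an unchanged, a patched and a wiped sector."""
    tampered = bytearray(CLEAN_MBR)
    tampered[:64] = b"\xeb\x3e" + b"\xcc" * 62   # boot code replaced, as a bootkit would do
    return {
        "unchanged": compare_mbr(CLEAN_MBR, CLEAN_MBR),
        "boot_code_patched": compare_mbr(CLEAN_MBR, bytes(tampered)),
        "signature_wiped": compare_mbr(CLEAN_MBR, CLEAN_MBR[:510] + b"\x00\x00"),
    }


if __name__ == "__main__":
    for case, findings in demo().items():
        print(f"{case}: {findings or ['no change']}")
```

Take the baseline from the clean snapshot the sandbox reverts to and the current sector from the post-detonation disk; an empty findings list with the signature still firing means the sample opened the raw disk (which installers do to query geometry or the boot sector) without changing it, while a changed boot code hash is the result worth escalating.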

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AVG\Icarus\Logs\icarus.log

    Filesize

    45KB

    MD5

    4e2fdfa22d641b0c6079c3734c23183f

    SHA1

    1455d9436e5fa59941ff9f92ed2d1914ecd97bc8

    SHA256

    b5be687252eefa9ecf291a77e0b97a6100b9d1213f30f9b6da1239addf341551

    SHA512

    3ba3938c8360e48609eec1cdfe218c2b59a0572f7a6ce37df8094183ac726eddd962ecb080b1d73e8cecc87344b7cc097a5e99c78090ce838cc004fe3daaf0e2

  • C:\ProgramData\AVG\Icarus\Logs\sfx.log

    Filesize

    11KB

    MD5

    8228287e11ad46b8543fc4173749b42e

    SHA1

    3f46587c64d9843292c91d9c1780833c888c91c9

    SHA256

    4a6a68cca68be7d31f7afb8d309f784c3c0d24cf6ea7a343c6ff5a258a5ca014

    SHA512

    7ca072598547b0a357ceb11cf19a0d30388a965a7ee1319e83a2c64da51963b6d45a691d5a810fb4948a4591a1e5087abc5469b0554092bb145c2a6c77ef91dc

  • C:\ProgramData\AVG\Icarus\Logs\sui.log

    Filesize

    13KB

    MD5

    9d5a05c0bef902f8e8c70945535bfa5f

    SHA1

    27d4ea73de38a2686de5e89ae7d55c41ffbb9ce3

    SHA256

    06e60152d0eed543b7a6ffef31123074af3edb5d2fb3b607009e0f7fcd599297

    SHA512

    54bbcf88257b0923f6b1a6aa6df9be23ece8f5d640ab8645ef42de049a1d22632eab1fc54fa481d28829b73c73f61d18249a32b1f6251fd13d9fe1470b9fcd5a

  • C:\ProgramData\AVG\Icarus\settings\proxy.ini

    Filesize

    214B

    MD5

    d6de6577f75a4499fe64be2006979ae5

    SHA1

    0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69

    SHA256

    87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9

    SHA512

    cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

  • C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

    Filesize

    64B

    MD5

    22417b5d5eb168147f2c237d658a7163

    SHA1

    6ae67daf07c0a187f397923ecba497e5ab01ed58

    SHA256

    f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1

    SHA512

    392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

  • C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

    Filesize

    72B

    MD5

    b65f7a67ff22c0083f4215e1040149c5

    SHA1

    47f1cbaab2be8ade7fea575a1862b2a0f9237603

    SHA256

    88973e9e1628a1f44da72a982d742443b89b24dbb6876e3164fc2b0631397b32

    SHA512

    2543b8cdd63de7a0b206a422a3e1c0c4f4b4247cff25dce7dc622ead842c2d0e7ba7a0ac99869e0a0a7081a50ce9d1e56131e5d1c4cd5cd64861ad21d486b6b6

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\config.def

    Filesize

    598B

    MD5

    034b36267199768b675b84210a88ec58

    SHA1

    fb619e2a77013960d4a84b822b1225ec442b2020

    SHA256

    ae4c6c353cf7442bb86d0b219b0cee4ee52458586b1e8de12e21851c86d22c48

    SHA512

    8c2ecb10c04279c23498e6c9efe5518355383142f135d46813864c588efab09a181459f902f778bfb80f03c8832193828bde0e9ac8048d97d4b067a8c4410a5a

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\icarus_product.dll

    Filesize

    1.9MB

    MD5

    d6a017483a5af86c762372d765eb36ba

    SHA1

    3644193fcf645113448eb8b0ddcd1f5d68763ba1

    SHA256

    563581e1a1f32a392ed60af488d1fd194d5eabe3db21042ac7e0f4f85a231ccf

    SHA512

    42d65eae3636d3871ace9ea273546ed3472fe007f0180f1335d28bad6b9ea0a7c345713fe08b5ab6cd9cd0bc925b7c7d1bbf5ea5d64d54f7f24faa05a43b0235

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\avg-du\product-def.xml

    Filesize

    235KB

    MD5

    548a0818747231ebc5053a6c7dafbf2b

    SHA1

    179133d1777cddaf1d72b76bcedbcd9db6d9499a

    SHA256

    b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4

    SHA512

    71380216999acff3a83da62fa8c6f08414d2460a387b9dab8e88b648c5518b26a9a40a15941b7e065ec2205dd8c51c1303c0841126ff15e16aad6274c8dbd1d3

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\bug_report.exe

    Filesize

    4.8MB

    MD5

    1d1ae7dd9eca36d6e070f19f6080b62b

    SHA1

    6ccd71808890b3674a4627949bf95b6c3a2dc06b

    SHA256

    07720d52b091b20507180e9485539bf6971d834e8e52a686a7f1dcd059f07b3f

    SHA512

    e2aca0953cf44f3f017f450d08ae252a0c25c69570bec7c8ba6494a060e81f70535aa4b814b491d3f5c02bc98cb588f3848bb4b16fab118073339d76a3ff49b0

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\dump_process.exe

    Filesize

    3.4MB

    MD5

    26209014834bea1bf6b25ccaeb17cf4e

    SHA1

    8e9278463abc3070334cfaccb6a385d1fb399ada

    SHA256

    e767d9460894a4e5a882aa99c073637fc45cb1db369704c2895db9a725652018

    SHA512

    580bceeba9a4a2890b0a58f60f95e95a115c27d18f07158fca15c29c02456c7b8e83df9529fca45846df787a153f75741a9e13b93a28ec5da75c684660786659

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus.exe

    Filesize

    7.4MB

    MD5

    d2b966df5b0e2736b07c3ed7701648d3

    SHA1

    6b7af201fd696a692f6fe1275e4904228ff323d5

    SHA256

    e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829

    SHA512

    bc5ae0f083c296e9472d23773ffd1fad404336f5e621b2868e41fe25352708ad80c03a3805823fb058c81ee1cb22e7a4b7b7f092ac5a334d7aca90f78944899d

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\icarus_ui.exe

    Filesize

    11.2MB

    MD5

    3f25bb38aaee8c47848817edc7dd5793

    SHA1

    70b71c474f8f49d31624cbcbf4343fe9c6afb318

    SHA256

    6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268

    SHA512

    f70eaea41684226ed3484eddf0998d1938635018d997e97ea45aa63a5ec762b8fb9ff3093b1f9d9dd1987835596bdc447d60ebc86de08ed8ee16f3bb19d5f1fe

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\product-info.xml

    Filesize

    6KB

    MD5

    4cd56abe1d9846b864765770dc7e856b

    SHA1

    28827dc46f887b66003bd9b1953dfc355ec742e2

    SHA256

    e115b4da472bbc0b0042337f9ef5cb2da075b8e3dacdd7ef8393fe570d5fb0a4

    SHA512

    3b4c349611809d1df34b52c438074c719a5775c7484acda5489ce5da95ef5272d8ab210f8552391cbdc3042a291011815e5c1b555f0405bcc2152733eb84dd62

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\common\setupui.cont

    Filesize

    183KB

    MD5

    17d7bd78b7192a5115a3c32639ffe2e0

    SHA1

    e57c42de150ea99d87375de4d1dac305abb2868a

    SHA256

    2690af4dca3322a0d0f99582370c9bea85263f0b2ee1b4c38e293b06acdd0f66

    SHA512

    88626d9ddd3610d1a369017773d9811cc707c02f7c039237da1a189d24d796977d6c1a596adcc77e38d4a073a472f6040598fff54b78adffab3a04fc520b4b66

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\ecoo.edat

    Filesize

    21B

    MD5

    fac1bb5616a3b11b7a4e82bb17735ebd

    SHA1

    b3384971ec069823d20183070558eb03b7df35fb

    SHA256

    e90c4482daa3ce10324b0ef7f4c95a4f70803c0746b5b87c53078e9204962a2d

    SHA512

    f4f48a9b45d8274646c0699255f2f0bb5e8c37cf90a0a4c6f8809965acc73142ee21035e09fd77349bd988a565bdef2d86e849867a2e632035e1c39c3196ee5d

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\eref.edat

    Filesize

    49B

    MD5

    e5913d9f76897190e98996018ca4d7c4

    SHA1

    a4c89df4e0d012df0cff9655d217218d019692aa

    SHA256

    84b1788f47ec1643168352f836f608ba5f5e3b3cc6f316fbd359dc5efe9bcb2c

    SHA512

    8173020f7ba6e4d3c7fcea79df705890b511039f6118750e53b3243debffbb47c131f3f03f3a7329c28168b946b1e8aa15f38012a0f30f5872389eb1d53865a9

  • C:\Windows\Temp\asw-d11ed4af-47d3-4209-b4bb-17bb0f6703e9\icarus-info.xml

    Filesize

    1KB

    MD5

    0e0e6fd998c0349cf1cc1820e89f7627

    SHA1

    dccf449325cf8964af8941966307daf92ecb441a

    SHA256

    bbf7fab6a579b128d20fa2a54bf58b9aa358470195e96cf24444bb775996fb85

    SHA512

    e135922d13c2a15be3a8dc041300b787e576455c099e30a755725e18b69f408bd6874a36a8fff8cd8e0f9b87d76c103751a61b7814a2400e613a7a1c716133f6