c81517a4a23b108fd97d7537398f574f58089f5d8528bd6619bbb7601727ee7d

Analysis

max time kernel
117s
max time network
218s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
10/04/2024, 13:50

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
Size

1.5MB
MD5

cd640527d9adfe5eab2c68274bfd4d5a
SHA1

5d8595f6bedb7d02813f08e792713073c2f5e5f4
SHA256

c81517a4a23b108fd97d7537398f574f58089f5d8528bd6619bbb7601727ee7d
SHA512

34d097f0c946d60d8f2708e54bf641428adec12ed353161d870202aa7ff6c56c91421492c3c94b8dabb01f075f5f0b89634f37c815e9311a7e6309a4d35c2235
SSDEEP

24576:79WdZnnSCKTLSSooooEph/Sv/WgdXXPWhRLdXh0lhSMXlqNZd4e4Cs+aK6LFh:79WdZ0LdooooEph10XPWhL2cWe4R+aKE

Score

7^/10

bootkit persistence

Malware Config

Signatures

Executes dropped EXE 3 IoCs

pid	Process
3720	icarus.exe
4924	icarus_ui.exe
2324	icarus.exe

Loads dropped DLL 1 IoCs

pid	Process
2324	icarus.exe

Checks for any installed AV software in registry 1 TTPs 1 IoCs

Security Software Discovery

T1518.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast	icarus.exe

Writes to the Master Boot Record (MBR) 1 TTPs 3 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe
File opened for modification	\??\PhysicalDrive0	icarus.exe

Checks processor information in registry 2 TTPs 7 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus_ui.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	icarus.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	icarus.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	icarus_ui.exe

Modifies registry class 10 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAT/wNuITuE0eUebt8AudiFwQAAAACAAAAAAAQZgAAAAEAACAAAADjIyxAo1YplDpoZTi7bCdj4tAPDBg3ONFgLt5jC8IgKgAAAAAOgAAAAAIAACAAAABDYZ3k700GF4zlcj2bZpvQCgEwLecosrFlQT7Er2jk/1AAAAACGIbcPKsmLM1jBjvtbJsR/uZZILxWCzpoo3kzkuoJ3pMEnuZ4wq6zTnhPeHi27ri5mnPfXrHW15PUNHp6lqNs5v+ZIZvSTottNdicelylnkAAAADgxOfDDpk0pBw4zLEQZF44M1aXhFEDWxDr0RGJhixRePZoG9kr8chrvCSw/DJ7NulIgWoNWJxPCQKnJZ/HfsUP"	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "2b62538b-3448-433d-9749-adfcaebf8fe4"	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"	icarus.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "2b62538b-3448-433d-9749-adfcaebf8fe4"	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "2b62538b-3448-433d-9749-adfcaebf8fe4"	icarus.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2"	icarus.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4924	icarus_ui.exe
4924	icarus_ui.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	3720	icarus.exe
Token: SeDebugPrivilege	4924	icarus_ui.exe
Token: SeDebugPrivilege	2324	icarus.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
3276	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
4924	icarus_ui.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4924	icarus_ui.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 3276 wrote to memory of 3720	3276	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe	88
PID 3276 wrote to memory of 3720	3276	2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe	88
PID 3720 wrote to memory of 4924	3720	icarus.exe	92
PID 3720 wrote to memory of 4924	3720	icarus.exe	92
PID 3720 wrote to memory of 2324	3720	icarus.exe	94
PID 3720 wrote to memory of 2324	3720	icarus.exe	94

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-04-10_cd640527d9adfe5eab2c68274bfd4d5a_magniber.exe"
1⤵
- Writes to the Master Boot Record (MBR)
- Modifies registry class
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:3276
- C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\icarus.exe
  C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\icarus-info.xml /install /sssid:3276
  2⤵
  - Executes dropped EXE
  - Writes to the Master Boot Record (MBR)
  - Checks processor information in registry
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3720
- - C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\icarus_ui.exe
    C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\icarus_ui.exe /sssid:3276 /er_master:master_ep_fd16d2f0-e81e-4501-a7a2-87e655af6515 /er_ui:ui_ep_08cd6fa5-e084-4013-b555-a3bf79cc3121
    3⤵
    - Executes dropped EXE
    - Checks processor information in registry
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    PID:4924
- - C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\avg-du\icarus.exe
    C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\avg-du\icarus.exe /sssid:3276 /er_master:master_ep_fd16d2f0-e81e-4501-a7a2-87e655af6515 /er_ui:ui_ep_08cd6fa5-e084-4013-b555-a3bf79cc3121 /er_slave:avg-du_slave_ep_88bb4a3b-7a2b-4284-9f8e-180639cd32b7 /slave:avg-du
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Checks for any installed AV software in registry
    - Writes to the Master Boot Record (MBR)
    - Checks processor information in registry
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    PID:2324

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

Software Discovery

T1518

Security Software Discovery

T1518.001

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\AVG\Icarus\Logs\icarus.log

Filesize
43KB

MD5
3acd230ec8dfd123979ff28b122992d6

SHA1
f21c82aade59cd59f3e46b727d5342de6a6034ff

SHA256
494436594a466017741a3427b8e8900ead0c2134cafead96bea5116c22691578

SHA512
daa62b08ddd19fec8e7f188f6b663c485ac900208c84441aa88bdb6f800771b232c2a8a1ef60a96ab79aa094e58be1400429d85cdec480a7a837e59f9af20373

Download Submit
C:\ProgramData\AVG\Icarus\Logs\sfx.log

Filesize
11KB

MD5
540ce65a197203bbda4c91cc1f7754a3

SHA1
7b877d49abc76c0c3e1ea2d626e0ea44e75819c4

SHA256
07bd195ffdb28d40e2ee2c1a43192fdf8f77ca8c27a7c7030e48fe96edc5505d

SHA512
bf5303b13392ca696b9fa3966f9c423c8fcc6ccba8fed180e088382a75297e61fa2f87043668423f2753b93285527fcbbb5fdbcad8d863c013e2cadb67b98201

Download Submit
C:\ProgramData\AVG\Icarus\Logs\sui.log

Filesize
10KB

MD5
c06bf9f5cfa950aa3e924a4322b25b01

SHA1
78b38b830f03a62c5073d85bf033ca8e4214b918

SHA256
9fdaf34125d30c5442c8a006d8d6cb62af3cdb07f590dde16e98e157f9cdd38a

SHA512
564070e91ee842412d5ed9cd2b38d4267f8f3cacc8210c0ff473f1643c31b98a106b8a7ac0a3946fc7e3f7c7d3f15c7318a97e2ca15a3196b7a4008e78e82424

Download Submit
C:\ProgramData\AVG\Icarus\settings\proxy.ini

Filesize
214B

MD5
d6de6577f75a4499fe64be2006979ae5

SHA1
0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69

SHA256
87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9

SHA512
cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

Download Submit
C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

Filesize
64B

MD5
22417b5d5eb168147f2c237d658a7163

SHA1
6ae67daf07c0a187f397923ecba497e5ab01ed58

SHA256
f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1

SHA512
392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

Filesize
72B

MD5
6fb2d0281337f1915f702c983e719bb2

SHA1
e012d220b73de7f851897b80d3bd8e3f6d8230f9

SHA256
6f3c4b62d018d74a614bf3843d8aa6d47df9294e4e62e4e5a713404c569ad091

SHA512
48662a66aac608094f3c55b715fb50c3ba91a4bf8119153a9cb1995f618a2ef3d9c3785a31e54f5e38a2e84776046242ba52bb818f236dfe9d6c9146fee30519

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\avg-du\config.def

Filesize
598B

MD5
034b36267199768b675b84210a88ec58

SHA1
fb619e2a77013960d4a84b822b1225ec442b2020

SHA256
ae4c6c353cf7442bb86d0b219b0cee4ee52458586b1e8de12e21851c86d22c48

SHA512
8c2ecb10c04279c23498e6c9efe5518355383142f135d46813864c588efab09a181459f902f778bfb80f03c8832193828bde0e9ac8048d97d4b067a8c4410a5a

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\avg-du\icarus_product.dll

Filesize
1.9MB

MD5
d6a017483a5af86c762372d765eb36ba

SHA1
3644193fcf645113448eb8b0ddcd1f5d68763ba1

SHA256
563581e1a1f32a392ed60af488d1fd194d5eabe3db21042ac7e0f4f85a231ccf

SHA512
42d65eae3636d3871ace9ea273546ed3472fe007f0180f1335d28bad6b9ea0a7c345713fe08b5ab6cd9cd0bc925b7c7d1bbf5ea5d64d54f7f24faa05a43b0235

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\avg-du\product-def.xml

Filesize
235KB

MD5
548a0818747231ebc5053a6c7dafbf2b

SHA1
179133d1777cddaf1d72b76bcedbcd9db6d9499a

SHA256
b83c924d75587032d3d1cc3149096feca0b55fdf4400cf6d8cbf0b911885ebc4

SHA512
71380216999acff3a83da62fa8c6f08414d2460a387b9dab8e88b648c5518b26a9a40a15941b7e065ec2205dd8c51c1303c0841126ff15e16aad6274c8dbd1d3

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\avg-du\setupui.cont

Filesize
183KB

MD5
17d7bd78b7192a5115a3c32639ffe2e0

SHA1
e57c42de150ea99d87375de4d1dac305abb2868a

SHA256
2690af4dca3322a0d0f99582370c9bea85263f0b2ee1b4c38e293b06acdd0f66

SHA512
88626d9ddd3610d1a369017773d9811cc707c02f7c039237da1a189d24d796977d6c1a596adcc77e38d4a073a472f6040598fff54b78adffab3a04fc520b4b66

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\bug_report.exe

Filesize
4.8MB

MD5
1d1ae7dd9eca36d6e070f19f6080b62b

SHA1
6ccd71808890b3674a4627949bf95b6c3a2dc06b

SHA256
07720d52b091b20507180e9485539bf6971d834e8e52a686a7f1dcd059f07b3f

SHA512
e2aca0953cf44f3f017f450d08ae252a0c25c69570bec7c8ba6494a060e81f70535aa4b814b491d3f5c02bc98cb588f3848bb4b16fab118073339d76a3ff49b0

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\dump_process.exe

Filesize
3.4MB

MD5
26209014834bea1bf6b25ccaeb17cf4e

SHA1
8e9278463abc3070334cfaccb6a385d1fb399ada

SHA256
e767d9460894a4e5a882aa99c073637fc45cb1db369704c2895db9a725652018

SHA512
580bceeba9a4a2890b0a58f60f95e95a115c27d18f07158fca15c29c02456c7b8e83df9529fca45846df787a153f75741a9e13b93a28ec5da75c684660786659

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\icarus.exe

Filesize
7.4MB

MD5
d2b966df5b0e2736b07c3ed7701648d3

SHA1
6b7af201fd696a692f6fe1275e4904228ff323d5

SHA256
e463deb55e082cf53a47737c851daacdb0c2aa9cf939854ffb874c5a383c2829

SHA512
bc5ae0f083c296e9472d23773ffd1fad404336f5e621b2868e41fe25352708ad80c03a3805823fb058c81ee1cb22e7a4b7b7f092ac5a334d7aca90f78944899d

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\icarus_ui.exe

Filesize
11.2MB

MD5
3f25bb38aaee8c47848817edc7dd5793

SHA1
70b71c474f8f49d31624cbcbf4343fe9c6afb318

SHA256
6d8da46af1e03c29f48d97a6a39870264158ef2c87edaed7b1b8a62cef742268

SHA512
f70eaea41684226ed3484eddf0998d1938635018d997e97ea45aa63a5ec762b8fb9ff3093b1f9d9dd1987835596bdc447d60ebc86de08ed8ee16f3bb19d5f1fe

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\common\product-info.xml

Filesize
6KB

MD5
4cd56abe1d9846b864765770dc7e856b

SHA1
28827dc46f887b66003bd9b1953dfc355ec742e2

SHA256
e115b4da472bbc0b0042337f9ef5cb2da075b8e3dacdd7ef8393fe570d5fb0a4

SHA512
3b4c349611809d1df34b52c438074c719a5775c7484acda5489ce5da95ef5272d8ab210f8552391cbdc3042a291011815e5c1b555f0405bcc2152733eb84dd62

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\ecoo.edat

Filesize
33B

MD5
9708cf98edabe5ec4fb09890a8bed194

SHA1
6baeccaeb01aeabd53e842998a6091360f560230

SHA256
4924b197cf99c637900c9dc102ff2a8ba79113c5070f60ad069c15f16e9dd38b

SHA512
bc5c137e8b4d21d10fb4bd1943018b5f5baddeae2414e108ddf64900af76d4b264e7fa545c55f2099fc8fce6685f1e71d94c21048d230adf17f9c06cac7c639c

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\eref.edat

Filesize
51B

MD5
61f585724ae31a666b56f26cfbf525bc

SHA1
93dc3356ff02a9c9351da9b651e3f3d95b9a2cab

SHA256
483a306ecd282a1048f21074a056641ebd5a119dd7594804cfa8cbbe04fa7a82

SHA512
c015a6454dd9824d730e3516b5957445595e7af6a5f3b5baf11e47e2be0b0c9c2d302350a4dabd6a922b3e41f6d2e8c7f80896b839825b9051afdf5fa57dcc6e

Download Submit
C:\Windows\Temp\asw-be6e393c-747e-42e8-92db-1779c5f40748\icarus-info.xml

Filesize
1KB

MD5
058c5f38729f060c049d9f8062866e41

SHA1
4236ad6c58df8fe5de9bc0f75642ad65f3b65013

SHA256
646fc3ba2166508f7921ecaf8339679e27256c436fff0070a36f7bca3856d329

SHA512
312511e479da5d52515b2e4e5492a742f8e9b0f882b2ca25726d578247c1730f851986195828d54ee70749d022b1bf3fb8774b88dee302a0bc9c8683f97772f8

Download Submit