6eaa56c2332e280de5a676eef48986cb8d5e180beb81862a956ed40a8d122dd6

Analysis

max time kernel
122s
max time network
124s
platform
windows7_x64
resource
win7-20240220-en
resource tags

arch:x64arch:x86image:win7-20240220-enlocale:en-usos:windows7-x64system
submitted
01/06/2024, 23:56

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe
Size

11.7MB
MD5

5cde5782362882a2257da3792b76cdd7
SHA1

f4235bcea87c3743bf1c80872bbd1d48d24c2ebd
SHA256

6eaa56c2332e280de5a676eef48986cb8d5e180beb81862a956ed40a8d122dd6
SHA512

386e409c176924fb9c8aa3777e4000af2aa6ab488bf50f9779fb9ffb0093629c39ae23837856c1a3faf14f2e2e31c5c7261ffd83e04d4416df1e668f06c6d38b
SSDEEP

196608:ilMdd5Bm8GTsLgQo110/eWzBytJ1XuiGit6zerqNHR1yiLjsyQu:iaLgQonVWEJ1+iGiyerqNHRIEl

Score

4^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1344	Adaware_PC_Cleaner_Installer.exe

Loads dropped DLL 1 IoCs

pid	Process
2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe

Modifies registry class 43 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\HELPDIR	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\FLAGS	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\0	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\HELPDIR\ = "C:\\ProgramData\\Adaware PC Cleaner\\Installation"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib	Adaware_PC_Cleaner_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Adaware_PC_Cleaner_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Programmable	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\TypeLib	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\Version = "1.0"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\TypeLib\ = "{9083194A-939D-43BF-84C8-263F30EB2E93}"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Version\ = "1.0"	Adaware_PC_Cleaner_Installer.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Elevation\Enabled = "1"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Elevation\IconReference = "@C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Adaware_PC_Cleaner_Installer.exe,-501"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\FLAGS\ = "0"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Elevation	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\Version = "1.0"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ = "IInstaller"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\ = "Installer Class"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\ = "GlamInstallerComLib"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}	Adaware_PC_Cleaner_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\LaunchPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ = "IInstaller"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\ProxyStubClsid32\ = "{00020424-0000-0000-C000-000000000046}"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\LocalServer32	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\LocalServer32\ = "\"C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Adaware_PC_Cleaner_Installer.exe\""	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\LocalServer32\ServerExecutable = "C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Adaware_PC_Cleaner_Installer.exe"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\0\win32	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\TypeLib\{9083194A-939D-43BF-84C8-263F30EB2E93}\1.0\0\win32\ = "C:\\ProgramData\\Adaware PC Cleaner\\Installation\\Adaware_PC_Cleaner_Installer.exe"	Adaware_PC_Cleaner_Installer.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib	Adaware_PC_Cleaner_Installer.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{683AC85E-50D6-4ABC-A3F4-78A481055B2D}\AccessPermission = 010014804c0000005c000000140000003000000002001c0001000000110014000400000001010000000000100010000002001c0001000000000014000b0000000101000000000001000000000102000000000005200000002002000001020000000000052000000020020000	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{037AED23-3513-46A8-B68F-6A7158E32B81}\Version	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\ = "{9083194A-939D-43BF-84C8-263F30EB2E93}"	Adaware_PC_Cleaner_Installer.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CF4D10FB-4B78-4EC6-A760-7702FDC44FB2}\TypeLib\ = "{9083194A-939D-43BF-84C8-263F30EB2E93}"	Adaware_PC_Cleaner_Installer.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2196 wrote to memory of 1344	2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe	29
PID 2196 wrote to memory of 1344	2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe	29
PID 2196 wrote to memory of 1344	2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe	29
PID 2196 wrote to memory of 1344	2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe	29
PID 2196 wrote to memory of 1344	2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe	29
PID 2196 wrote to memory of 1344	2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe	29
PID 2196 wrote to memory of 1344	2196	2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe	29

C:\Users\Admin\AppData\Local\Temp\2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-01_5cde5782362882a2257da3792b76cdd7_magniber_revil.exe"
1⤵
- Loads dropped DLL
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2196
- C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe
  "C:\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe" /RegServer
  2⤵
  - Executes dropped EXE
  - Modifies registry class
  PID:1344

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar238F.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\ProgramData\Adaware PC Cleaner\Installation\Adaware_PC_Cleaner_Installer.exe

Filesize
11.7MB

MD5
5cde5782362882a2257da3792b76cdd7

SHA1
f4235bcea87c3743bf1c80872bbd1d48d24c2ebd

SHA256
6eaa56c2332e280de5a676eef48986cb8d5e180beb81862a956ed40a8d122dd6

SHA512
386e409c176924fb9c8aa3777e4000af2aa6ab488bf50f9779fb9ffb0093629c39ae23837856c1a3faf14f2e2e31c5c7261ffd83e04d4416df1e668f06c6d38b

Download Submit