Analysis Overview
SHA256
24cdc7f0c20c323f251648e4144711d0348fa2458e94fa1784808a42376b889a
Threat Level: Shows suspicious behavior
The file 2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber was found to show suspicious behavior.
Malicious Activity Summary
Writes to the Master Boot Record (MBR)
Checks for any installed AV software in registry
Executes dropped EXE
Loads dropped DLL
Suspicious behavior: EnumeratesProcesses
Checks processor information in registry
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-12 17:46
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-12 17:46
Reported
2024-06-12 17:49
Platform
win7-20240221-en
Max time kernel
127s
Max time network
120s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "15" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "68" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "94" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "36" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "78" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "10" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "26" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "31" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "42" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "84" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "89" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "5" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "47" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "52" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "63" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "73" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe"
C:\Windows\Temp\asw.2883a0727b486b71\instup.exe
"C:\Windows\Temp\asw.2883a0727b486b71\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.2883a0727b486b71 /prod:ais /wait /stub_context:2cd70376-6542-42f7-970e-b87b5e2dd61b:15154656
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | analytics.avcdn.net | udp |
| US | 8.8.8.8:53 | v7event.stats.avcdn.net | udp |
| US | 34.117.223.223:443 | v7event.stats.avcdn.net | tcp |
| US | 34.117.223.223:443 | v7event.stats.avcdn.net | tcp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 34.160.176.28:443 | shepherd.avcdn.net | tcp |
Files
C:\Windows\Temp\asw.2883a0727b486b71\servers.def
\Windows\Temp\asw.2883a0727b486b71\Instup.exe
C:\Windows\Temp\asw.2883a0727b486b71\Instup.dll
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Clear.log
C:\Windows\Temp\asw.2883a0727b486b71\config.def
C:\Windows\Temp\asw.2883a0727b486b71\prod-pgm.vpx
C:\Windows\Temp\asw.2883a0727b486b71\part-prg_ais-18050d08.vpx
C:\Windows\Temp\asw.2883a0727b486b71\part-setup_ais-18050d08.vpx
C:\Windows\Temp\asw.2883a0727b486b71\prod-vps.vpx
C:\Windows\Temp\asw.2883a0727b486b71\part-jrog2-137e.vpx
C:\Windows\Temp\asw.2883a0727b486b71\part-vps_windows-24052800.vpx
C:\Windows\Temp\asw.2883a0727b486b71\asw436fd68c0da8f701.ini
C:\Windows\Temp\asw.2883a0727b486b71\config.def
C:\Windows\Temp\asw.2883a0727b486b71\config.ini
C:\Windows\Temp\asw.2883a0727b486b71\HTMLayout.dll
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-12 17:46
Reported
2024-06-12 17:49
Platform
win10v2004-20240611-en
Max time kernel
93s
Max time network
124s
Command Line
Signatures
Checks for any installed AV software in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
Writes to the Master Boot Record (MBR)
| Description | Indicator | Process | Target |
| File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "31" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "36" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "52" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "68" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "89" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "94" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "15" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "5" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "73" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "42" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "47" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "10" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "63" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "78" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "84" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "26" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| Token: 32 | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
| N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 1140 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe |
| PID 1140 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe |
| PID 1140 wrote to memory of 612 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe
"C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe"
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe
"C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.7eb4ba69c5d3de1a /prod:ais /wait /stub_context:88926bc8-37e0-466d-a7b1-2152966f049f:15154656
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | v7event.stats.avcdn.net | udp |
| US | 8.8.8.8:53 | analytics.avcdn.net | udp |
| US | 34.117.223.223:443 | analytics.avcdn.net | tcp |
| US | 34.117.223.223:443 | analytics.avcdn.net | tcp |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 204.79.197.237:443 | g.bing.com | tcp |
| NL | 23.62.61.75:443 | www.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 68.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 223.223.117.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 237.197.79.204.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 205.47.74.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 75.61.62.23.in-addr.arpa | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 8.8.8.8:53 | shepherd.avcdn.net | udp |
| US | 34.160.176.28:443 | shepherd.avcdn.net | tcp |
| US | 8.8.8.8:53 | 28.176.160.34.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 56.126.166.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 100.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 30.243.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.58.20.217.in-addr.arpa | udp |
Files
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\servers.def
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\Instup.exe
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\Instup.dll
C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Clear.log
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\config.def
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\prod-pgm.vpx
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-prg_ais-18050d08.vpx
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-setup_ais-18050d08.vpx
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\prod-vps.vpx
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-jrog2-137e.vpx
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-vps_windows-24052800.vpx
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\config.ini
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\HTMLayout.dll
C:\Windows\Temp\asw.7eb4ba69c5d3de1a\config.def