Malware Analysis Report

2024-09-23 12:07

Sample ID 240612-wck1fsteja
Target 2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber
SHA256 24cdc7f0c20c323f251648e4144711d0348fa2458e94fa1784808a42376b889a
Tags: bootkit, persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256 24cdc7f0c20c323f251648e4144711d0348fa2458e94fa1784808a42376b889a

Threat Level: Shows suspicious behavior

The file 2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Checks for any installed AV software in registry

Executes dropped EXE

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Checks processor information in registry

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported: 2024-06-12 17:46

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted: 2024-06-12 17:46
Reported: 2024-06-12 17:49
Platform: win7-20240221-en
Max time kernel: 127s
Max time network: 120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe"

Signatures

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\CurrentPatchLevel | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "15" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "68" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "94" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "36" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "78" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "10" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "26" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "31" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "42" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "84" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "89" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "5" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "47" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "52" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "63" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "73" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
Token: 32 | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.2883a0727b486b71\instup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe"

C:\Windows\Temp\asw.2883a0727b486b71\instup.exe

"C:\Windows\Temp\asw.2883a0727b486b71\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.2883a0727b486b71 /prod:ais /wait /stub_context:2cd70376-6542-42f7-970e-b87b5e2dd61b:15154656

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.avcdn.net udp
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 34.117.223.223:443 v7event.stats.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp

Files

C:\Windows\Temp\asw.2883a0727b486b71\servers.def

MD5 2b62fb1ecd174c7e951f2b8af502c1c0
SHA1 90744a9355dd5b74d2ecc7ee34fccbeca1c18f1b
SHA256 1fc616dd97e72451eda1324979f65df6af823aaaee1c83e5c2c3f3308cd26a67
SHA512 0f14fbab88469ed19cde8d54ad74276ae4b03a783bf99def2d0f4d655a6ff86a35aa7ce4e8a7dcb936c70789efc4714b9bf1b317e485a6a44f150be6792cd7a0

\Windows\Temp\asw.2883a0727b486b71\Instup.exe

MD5 ff5e2157cdb884d405019eff5f319120
SHA1 d5a97c8e24e8f83741724c5003753a7ada407c33
SHA256 711e8d499fc490cbbe571485d249e483c3bec7084ca298a7158d81641b2b0863
SHA512 98129fc9276ac642d0e34b47c33674c6ab9d49784067e8f7a7993f7be89629f85e9c92ae5a878db7f810b5c5750e1497ef39b0f1499c8fc939648b551226dfc7

C:\Windows\Temp\asw.2883a0727b486b71\Instup.dll

MD5 624fb0914c589de09dbfc0f99d643256
SHA1 5b24cd12f5705caa695a647c81adc21582ded878
SHA256 5dd4950ef312869c5c3056397d53bdc633ad7ff793e288a21771879ab562952c
SHA512 f0856f9f441ddcb965ac4f9f07ef0ab009fe265719c1f3edc332b6f8dfeaa6c3eac9caed0b52a9a433ccf0cc04e6179fe23a9d14cd4445be9fcf0ba23377ac42

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Clear.log

MD5 4cd8e295b277f2f9ca2e71be7150ba49
SHA1 b37bf6afe4495bb97a402bd1c475ec98a63458dd
SHA256 01fe30239aa3b52f36e198fcdd96faa98fa61970bde10dbb9e564f06fb0f1bcc
SHA512 5f7ece4ee825cd803cc14b575dbf9b7185c913385a67d36ef4f437b59d220c3b3d7827810118bb98da621a0fe8ca249934741cba927dcee1b539531cb78c03c4

C:\Windows\Temp\asw.2883a0727b486b71\config.def

MD5 b86dd14aadb9e34d004ad39a4693ced0
SHA1 1cb7775cee3e4106b2ddba89a0ccdc9dd547c521
SHA256 b64d1d23aef5cdeeb2279216a00c931b201bce90407c9cbff3a7ef2742873878
SHA512 03cb9215521da45e1df7b926fad7b0afd5ee001944c475a90c8646d7621d0d062267a682e102d81da0b5204ed215ec6ba4c7646d9340d71b0cb77ca12ddef0c1

C:\Windows\Temp\asw.2883a0727b486b71\prod-pgm.vpx

MD5 6d08ac0131cac7a2f9f2ea5d9d0b0cc6
SHA1 25983c1419089c6a7570963dda2d06e022b3b36d
SHA256 846f9f2f624c8a1f001a4bd7c7ca3158c8c79cb11fa6d474cfdf8e48d0238a3f
SHA512 753890f34fc1a925177a594c8bc5e19dc509fb8b32c1eef429496c5d19421200bdd75879c529981823340718bee82dafdf3f262a9ecf65de9ef03d12a1684b2c

C:\Windows\Temp\asw.2883a0727b486b71\part-prg_ais-18050d08.vpx

MD5 d264bf74d7ffcbad341d9fcefa4893bb
SHA1 c7e9a0972524fa573825865c46eb6728d3e219e0
SHA256 4b01a68078d7e1af1c0197baddbbb1ef4d3cbf13f71e8b9df766f88b4e6d8025
SHA512 afbfdf6fdeb5dc427340de691726e79cb5bcc41bd488c557c684efe3f26d83a17f1118cc50bd64541a9a839d3dd4329a72a9423e65d3e9cdcfbd14003f1e0dc3

C:\Windows\Temp\asw.2883a0727b486b71\part-setup_ais-18050d08.vpx

MD5 0344288a18997069003d84c226a168f9
SHA1 0fe47920601834e620737ad321fbb24d38c7ee94
SHA256 675bd92f752a51bd7d9797895252b3130095a06d7d5db8f221ab6251735ead8d
SHA512 b1680ef42d7e2e56fbb124c91da27f15e6c946450c7d03d95b937c3cde80dbc2260e11926578075df255058c2307058429fd2f7307fc0a105c775a9b8aa82429

C:\Windows\Temp\asw.2883a0727b486b71\prod-vps.vpx

MD5 b516373c4f4f0bd98bbbcd71b4022e4d
SHA1 fb2ccdcbec8ddcd91f35fd762dd86a5b2cb8e062
SHA256 52e06087d9c0968150bc5d3b06895e3ab9b69aebea20e0328434b703aa242099
SHA512 b1ef7ffd12b104a3caf8676c95285693c2af057537df0e87a292cea51bddf34be3ff00adae1337ecede93a8de9bb9ee71c464920f9f54c7bf3236d74aae98469

C:\Windows\Temp\asw.2883a0727b486b71\part-jrog2-137e.vpx

MD5 5246545bb7faf8b82921c4317839dfac
SHA1 198aaf355de19f24fdc0a677325eac2bc72d016e
SHA256 354de0df08232274092f9041151a1ef7c809221aa07683b5be22c5a1bb5ad41f
SHA512 6fa0a3950de735da1217f7bf224a16cf1e7816e8e00eed205be31ac600d530a839cea29e8d2a8f1db19f72d4e627ad694ae5afc3fb831a004a84e568333f08e4

C:\Windows\Temp\asw.2883a0727b486b71\part-vps_windows-24052800.vpx

MD5 93a7ccb20993b55cce86867cd309c984
SHA1 b6fb34ef95c8fc76b4ab5d7798f774ce18fa7bcd
SHA256 d32d1058daa6dd510801d18a43e06daef33d3f6f957fb9677eb6cd1471a99c11
SHA512 255fface6307e49c4878189010fbcccc5b824206c0d78bcf18d48cf84bb453f909c3c3685c29daab749e10f1aea9afd61b462a506a9ed7f1628c464a5dd7af4d

C:\Windows\Temp\asw.2883a0727b486b71\asw436fd68c0da8f701.ini

MD5 ca2254dec12e5c85c312c81f4c1dc51b
SHA1 5694943a6247191d509981fc318dba0ade38baf1
SHA256 5edf19b89999d7b845336ff9127f1669f2effdf98148d186023d556049474de7
SHA512 99ee411cce9cfdc4320169376ae60148c8c5c9d8849e20e70f9a0fefa7cf7a301d5046cd3e9471d57a41ab12140d43e2cc2ac8055ccbcaa795920507c1e85dd0

C:\Windows\Temp\asw.2883a0727b486b71\config.def

MD5 e9402726825b0fb645708ca5e929f518
SHA1 308c616ee174d7c1f0602375f4db32e829ce5760
SHA256 281c89160557a3bf7eaa7761479938a6924aed9bc90b279d2f2ee1aa1d5b4cee
SHA512 f7df5255c2e2a0e17266c71c2cf2878883645e755bf5cf7eb779c55eb42a70a29fa2142fe4e5f6a32247575f0502bb47695a35cb35312b7d8fb4d5763a2eef60

C:\Windows\Temp\asw.2883a0727b486b71\config.ini

MD5 ab95959523a5abc20413b542ceade8d3
SHA1 532adb9a5e0c9cc3df216789ba7348d0778d1f51
SHA256 3c4fe9205af3ea71f3423c653dcca3ebc4def290f4f2ac5711c97c3a9d6b8547
SHA512 5e4d4b2ba76e1fbd6faa7a768989e62e8273f02f0b4ebb94f418ae2a8fbb353e8bdd475bea468450373bd09bf28bf8d8d2f7827afbfb52580f01a7d3cf8c4399

C:\Windows\Temp\asw.2883a0727b486b71\HTMLayout.dll

MD5 94e0a71ece8c5f96c066efd19b146ee3
SHA1 ff4072b7d6a19655cd4f37b13a62a2940b1b4f03
SHA256 4682931b759eed08e06e0b4925c68e902c2731a564716b85b2b3a0d32b049e31
SHA512 072088e6a03daf3174272b182f4e60f3929b2075f04321e359948a3bd917c7bceff28e34b1858da5de6376771fc630004f2256f533c89199fd621992e3c498b4

Analysis: behavioral2

Detonation Overview

Submitted: 2024-06-12 17:46
Reported: 2024-06-12 17:49
Platform: win10v2004-20240611-en
Max time kernel: 93s
Max time network: 124s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe"

Signatures

Checks for any installed AV software in registry

Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\AVAST Software\Avast | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Software\Avira\Antivirus | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description | Indicator | Process | Target
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Signature | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Update Revision | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "31" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "36" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "52" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "68" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "89" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "94" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "15" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "21" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "100" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "5" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "73" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "42" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "47" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "10" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "57" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "63" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "78" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "84" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "0" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Classes\AvgPersistentStorage\SfxInstProgress = "26" | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: 32 | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
Token: 32 | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A
N/A | N/A | C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-12_30f437644f78ba8e9e222851c182a6ef_magniber.exe"

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe

"C:\Windows\Temp\asw.7eb4ba69c5d3de1a\instup.exe" /sfx:clear /sfxstorage:C:\Windows\Temp\asw.7eb4ba69c5d3de1a /prod:ais /wait /stub_context:88926bc8-37e0-466d-a7b1-2152966f049f:15154656

Network

Country Destination Domain Proto
US 8.8.8.8:53 v7event.stats.avcdn.net udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.75:443 www.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 68.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 205.47.74.20.in-addr.arpa udp
US 8.8.8.8:53 75.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 100.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 30.243.111.52.in-addr.arpa udp
US 8.8.8.8:53 99.58.20.217.in-addr.arpa udp

Files

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\servers.def

MD5 2b62fb1ecd174c7e951f2b8af502c1c0
SHA1 90744a9355dd5b74d2ecc7ee34fccbeca1c18f1b
SHA256 1fc616dd97e72451eda1324979f65df6af823aaaee1c83e5c2c3f3308cd26a67
SHA512 0f14fbab88469ed19cde8d54ad74276ae4b03a783bf99def2d0f4d655a6ff86a35aa7ce4e8a7dcb936c70789efc4714b9bf1b317e485a6a44f150be6792cd7a0

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\Instup.exe

MD5 ff5e2157cdb884d405019eff5f319120
SHA1 d5a97c8e24e8f83741724c5003753a7ada407c33
SHA256 711e8d499fc490cbbe571485d249e483c3bec7084ca298a7158d81641b2b0863
SHA512 98129fc9276ac642d0e34b47c33674c6ab9d49784067e8f7a7993f7be89629f85e9c92ae5a878db7f810b5c5750e1497ef39b0f1499c8fc939648b551226dfc7

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\Instup.dll

MD5 624fb0914c589de09dbfc0f99d643256
SHA1 5b24cd12f5705caa695a647c81adc21582ded878
SHA256 5dd4950ef312869c5c3056397d53bdc633ad7ff793e288a21771879ab562952c
SHA512 f0856f9f441ddcb965ac4f9f07ef0ab009fe265719c1f3edc332b6f8dfeaa6c3eac9caed0b52a9a433ccf0cc04e6179fe23a9d14cd4445be9fcf0ba23377ac42

C:\ProgramData\AVG\Persistent Data\Antivirus\Logs\Clear.log

MD5 9754be352f3485735dfcc82f9c91fd38
SHA1 79dfc135cd8a185d3699aa9a5cc759021b4995f8
SHA256 43455e0deffe1af858bdf53577056b3b75153abcde0d24be4ac5bbca75794b2a
SHA512 4bf718dac12143d1f24995f0de47854ef0fc38ec5941aaa9789d5c7d28a6bbd98225aeeeedf7ec7a5ec0dbddf3ff262325631da1087e0fe618bbd790893b4654

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\config.def

MD5 b86dd14aadb9e34d004ad39a4693ced0
SHA1 1cb7775cee3e4106b2ddba89a0ccdc9dd547c521
SHA256 b64d1d23aef5cdeeb2279216a00c931b201bce90407c9cbff3a7ef2742873878
SHA512 03cb9215521da45e1df7b926fad7b0afd5ee001944c475a90c8646d7621d0d062267a682e102d81da0b5204ed215ec6ba4c7646d9340d71b0cb77ca12ddef0c1

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\prod-pgm.vpx

MD5 6d08ac0131cac7a2f9f2ea5d9d0b0cc6
SHA1 25983c1419089c6a7570963dda2d06e022b3b36d
SHA256 846f9f2f624c8a1f001a4bd7c7ca3158c8c79cb11fa6d474cfdf8e48d0238a3f
SHA512 753890f34fc1a925177a594c8bc5e19dc509fb8b32c1eef429496c5d19421200bdd75879c529981823340718bee82dafdf3f262a9ecf65de9ef03d12a1684b2c

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-prg_ais-18050d08.vpx

MD5 d264bf74d7ffcbad341d9fcefa4893bb
SHA1 c7e9a0972524fa573825865c46eb6728d3e219e0
SHA256 4b01a68078d7e1af1c0197baddbbb1ef4d3cbf13f71e8b9df766f88b4e6d8025
SHA512 afbfdf6fdeb5dc427340de691726e79cb5bcc41bd488c557c684efe3f26d83a17f1118cc50bd64541a9a839d3dd4329a72a9423e65d3e9cdcfbd14003f1e0dc3

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-setup_ais-18050d08.vpx

MD5 0344288a18997069003d84c226a168f9
SHA1 0fe47920601834e620737ad321fbb24d38c7ee94
SHA256 675bd92f752a51bd7d9797895252b3130095a06d7d5db8f221ab6251735ead8d
SHA512 b1680ef42d7e2e56fbb124c91da27f15e6c946450c7d03d95b937c3cde80dbc2260e11926578075df255058c2307058429fd2f7307fc0a105c775a9b8aa82429

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\prod-vps.vpx

MD5 b516373c4f4f0bd98bbbcd71b4022e4d
SHA1 fb2ccdcbec8ddcd91f35fd762dd86a5b2cb8e062
SHA256 52e06087d9c0968150bc5d3b06895e3ab9b69aebea20e0328434b703aa242099
SHA512 b1ef7ffd12b104a3caf8676c95285693c2af057537df0e87a292cea51bddf34be3ff00adae1337ecede93a8de9bb9ee71c464920f9f54c7bf3236d74aae98469

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-jrog2-137e.vpx

MD5 5246545bb7faf8b82921c4317839dfac
SHA1 198aaf355de19f24fdc0a677325eac2bc72d016e
SHA256 354de0df08232274092f9041151a1ef7c809221aa07683b5be22c5a1bb5ad41f
SHA512 6fa0a3950de735da1217f7bf224a16cf1e7816e8e00eed205be31ac600d530a839cea29e8d2a8f1db19f72d4e627ad694ae5afc3fb831a004a84e568333f08e4

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\part-vps_windows-24052800.vpx

MD5 93a7ccb20993b55cce86867cd309c984
SHA1 b6fb34ef95c8fc76b4ab5d7798f774ce18fa7bcd
SHA256 d32d1058daa6dd510801d18a43e06daef33d3f6f957fb9677eb6cd1471a99c11
SHA512 255fface6307e49c4878189010fbcccc5b824206c0d78bcf18d48cf84bb453f909c3c3685c29daab749e10f1aea9afd61b462a506a9ed7f1628c464a5dd7af4d

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\config.ini

MD5 505d0a04faa909624d6278f4a34fb23c
SHA1 f7ebed06d3cf87b1ab61ee14762f2785f5ac8e30
SHA256 dadac1dbf6d491d2caa59cc1d0d3fbd76df94b7808565298f9e8bed30dddfc33
SHA512 ac2a2fba51c21ec07b5ef7fec4eef346b7ee69818f2afaef09404fd95dd591af9a5ea580b3183809c825e68dbd3571f6e81702417ee344ad23d63f44424a5213

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\HTMLayout.dll

MD5 94e0a71ece8c5f96c066efd19b146ee3
SHA1 ff4072b7d6a19655cd4f37b13a62a2940b1b4f03
SHA256 4682931b759eed08e06e0b4925c68e902c2731a564716b85b2b3a0d32b049e31
SHA512 072088e6a03daf3174272b182f4e60f3929b2075f04321e359948a3bd917c7bceff28e34b1858da5de6376771fc630004f2256f533c89199fd621992e3c498b4

C:\Windows\Temp\asw.7eb4ba69c5d3de1a\config.def

MD5 d55937f0c612c3644de6b0e1081c8657
SHA1 db70b3cbbf68d4fc58259e95a72a0c5883719076
SHA256 1239d155068a909a1395948ce25c9cec9954e912da29a4e5e5eb347c3005021c
SHA512 e0ae4e7ea82e32ac356f2888e69c06b95e2554e6694bbcd1952f53c7726ec3485eddbc41f31c856ea0719a6402462aa7cd242af2424bf04610335164c574bc91