Malware Analysis Report

2024-09-23 11:49

Sample ID 240614-tgryfsxelb
Target 2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber
SHA256 79b1c84f3b20e6fd49efbb5e3b815f0ca418bf5828c02061bb83e10e0626d298
Tags bootkit, persistence
Score 6/10


Analysis Overview

Score 6/10

SHA256 79b1c84f3b20e6fd49efbb5e3b815f0ca418bf5828c02061bb83e10e0626d298

Threat Level: Shows suspicious behavior

The file 2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber was found to show suspicious behavior.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Executes dropped EXE

Suspicious use of WriteProcessMemory

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Modifies registry class

Suspicious use of FindShellTrayWindow

Uses Task Scheduler COM API

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-06-14 16:02

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 16:02

Reported

2024-06-14 16:04

Platform

win7-20231129-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "756170d9-0634-4845-928e-fc3e93bdefbf" C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAfse5j2U+g0WNCH4zS1AZEwQAAAACAAAAAAAQZgAAAAEAACAAAABKpGauwjOOALy+mB2Pe/hhCozkiV1Iiq7XVNPAJ58rtgAAAAAOgAAAAAIAACAAAADpyHqd/WkQVAHpcWspcsP6LTrc8LLEjyy3fFMein8ehGAAAAAC9CktD3rPl2OUFLBoPBRf2CnSbVZlqWd3gZxMJHXHdtLDGAXKe0PJp3hmAgQeePhwlpHajPuOTVvH3J5CX0T9TMNzMikUYWyQZyha+inLizp3+RnjolEvZqj/gCq6r09AAAAAnq+PHHypO3TaLTsi4kUDXE01Io1N43B3aDTRJhbwpCXefs7FiSoCFqqW+hh/Gwcg7huLLnsV7FPfjlww77puKw==" C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "756170d9-0634-4845-928e-fc3e93bdefbf" C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1368 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe
PID 1368 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe
PID 1368 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe
PID 1368 wrote to memory of 2476 N/A C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe
PID 2476 wrote to memory of 2792 N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe
PID 2476 wrote to memory of 2792 N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe
PID 2476 wrote to memory of 2792 N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe
PID 2476 wrote to memory of 1872 N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe
PID 2476 wrote to memory of 1872 N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe
PID 2476 wrote to memory of 1872 N/A C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe"

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\icarus-info.xml /install /sssid:1368

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe /sssid:1368 /er_master:master_ep_eddd2680-dd39-47b8-962e-6c47d9fd7f00 /er_ui:ui_ep_1bf327ac-f038-4d1b-a90a-47da8579e58e

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus.exe /sssid:1368 /er_master:master_ep_eddd2680-dd39-47b8-962e-6c47d9fd7f00 /er_ui:ui_ep_1bf327ac-f038-4d1b-a90a-47da8579e58e /er_slave:avg-vpn_slave_ep_2f8d2658-fc81-49c3-ab04-51b6dd074e94 /slave:avg-vpn

Network


Files

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus.exe

C:\ProgramData\AVG\Icarus\Logs\sfx.log

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\icarus-info.xml

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\icarus_ui.exe

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\setupui.cont

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\product-info.xml

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\ecoo.edat

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\dump_process.exe

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\common\bug_report.exe

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\product-def.xml

C:\ProgramData\AVG\Icarus\Logs\sui.log

C:\ProgramData\AVG\Icarus\Logs\report.log

C:\ProgramData\AVG\Icarus\Logs\icarus.log

C:\ProgramData\AVG\Icarus\settings\proxy.ini

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\config.def

C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

C:\Windows\Temp\asw-07f64d5c-f8f5-4b8d-9432-0f20d5aef7ab\avg-vpn\icarus_product.dll

memory/2792-147-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 16:02

Reported

2024-06-14 16:04

Platform

win10v2004-20240611-en

Max time kernel

92s

Max time network

94s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus_ui.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus_ui.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "96611d8d-0121-4bdc-baa3-ce55cb259631" C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA9LwN9XjrHkeaFpKmtNrmHwQAAAACAAAAAAAQZgAAAAEAACAAAADw7qC/Q+QnhaTT+Q+XHBz7l1YoeI+/UFF1mb50IPdefQAAAAAOgAAAAAIAACAAAABzyXkrnkalqwTwNmOJ9Cv0BYbh7QOj9nhP7HdnNvr8gjAAAAAYDje9Em6nWNlommnPTmEboa8eclk5lgwGW43H4xxfQ/NpsnGAvMi0PflGKjhagH9AAAAA7LUFmRoftNljayowARPQpZKGpmnK7LErl43NjDP/GNXQhZ83NgCXDYP5vqnIeL8wnzXVwuHI6qYXzNgkx8W66g==" C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "96611d8d-0121-4bdc-baa3-ce55cb259631" C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus_ui.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus_ui.exe N/A

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-14_01c5ef469f65d6c81979672eb5d17849_magniber.exe"

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\icarus-info.xml /install /sssid:4356

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus_ui.exe

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus_ui.exe /sssid:4356 /er_master:master_ep_ef61480f-aad2-4103-9bcc-eb0d86734c0c /er_ui:ui_ep_37416e16-2007-404f-84b0-ac3d2b27085b

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus.exe /sssid:4356 /er_master:master_ep_ef61480f-aad2-4103-9bcc-eb0d86734c0c /er_ui:ui_ep_37416e16-2007-404f-84b0-ac3d2b27085b /er_slave:avg-vpn_slave_ep_3e5c7cb4-21e2-45da-b6a2-661dccd2a742 /slave:avg-vpn

Network


Files

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus.exe

C:\ProgramData\AVG\Icarus\Logs\sfx.log

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\icarus-info.xml

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\icarus_ui.exe

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\setupui.cont

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\product-info.xml

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\ecoo.edat

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\dump_process.exe

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\common\bug_report.exe

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\product-def.xml

C:\ProgramData\AVG\Icarus\Logs\sui.log

C:\ProgramData\AVG\Icarus\Logs\report.log

C:\ProgramData\AVG\Icarus\Logs\icarus.log

C:\ProgramData\AVG\Icarus\settings\proxy.ini

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\config.def

C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

C:\Windows\Temp\asw-ff5e1a11-79c8-4c5e-8bbd-ddd07b398621\avg-vpn\icarus_product.dll