Analysis
max time kernel: 118s
max time network: 119s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 16-06-2024 16:43
Static task: static1
Behavioral task: behavioral1
  Sample: 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  Resource: win7-20240611-en
Behavioral task: behavioral2
  Sample: 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  Resource: win10v2004-20240226-en
General
Target: 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
Size: 1.5MB
MD5: f5f76a42c4a1de9a5125d46a065dd3a3
SHA1: 645ebb0adb846d0108819827a1cb2f74f1c366f7
SHA256: 0b0b1c81aa571bc75d537588798c410d9ba11c8fd2b3669f6445d084d575d2b9
SHA512: 3023405384ae867e713dfd52d8007ea6f16118b7ac95f0f82b33eb781da41cc6db9abfdd96f9e77b6ae802d4fdb29ff916bc5749cc9472b0ced87a9e4d49c805
SSDEEP: 49152:oWUMv5De9/yG9/ooooERQr0tb6H8RlOuQhRe4hvR:oWUMqyGB0Z6H8Rl4y0
Signatures
Checks for any installed AV software in registry (1 TTPs, 1 IoCs)
Processes: icarus.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avast Software\Avast | icarus.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe, icarus.exe, icarus.exe
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  File opened for modification | \??\PhysicalDrive0 | icarus.exe
  File opened for modification | \??\PhysicalDrive0 | icarus.exe
Executes dropped EXE (3 IoCs)
Processes: icarus.exe, icarus_ui.exe, icarus.exe
  pid | process
  2792 | icarus.exe
  2500 | icarus_ui.exe
  1200 | icarus.exe
Loads dropped DLL (6 IoCs)
Processes: 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe, icarus.exe, icarus.exe
  pid | process
  2136 | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  2792 | icarus.exe
  2792 | icarus.exe
  2792 | icarus.exe
  2792 | icarus.exe
  1200 | icarus.exe
Checks processor information in registry (2 TTPs, 7 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes: icarus.exe, icarus.exe, icarus_ui.exe
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | icarus.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | icarus.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | icarus.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | icarus.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | icarus_ui.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | icarus_ui.exe
  Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | icarus.exe
Modifies registry class (10 IoCs)
Processes: icarus.exe, icarus.exe, 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | icarus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "96c0dcf9-92b2-4228-a5e8-6e7164b7fe98" | icarus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" | icarus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" | icarus.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "96c0dcf9-92b2-4228-a5e8-6e7164b7fe98" | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | icarus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "96c0dcf9-92b2-4228-a5e8-6e7164b7fe98" | icarus.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "4DEC930631D6A523D3820D3CE1249367" | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAXbzwj9XFyEmkcJ2mGkMFiQQAAAACAAAAAAAQZgAAAAEAACAAAAA737ztBx8DWUzdTE62Ia0oMQIJlUi3j8mSnYKooR7F5QAAAAAOgAAAAAIAACAAAAAdE0CNX0bYNhe2VTHTzSzW5iK9OtIy3dblvEyqR354dDAAAAA4C/jE/GRotcQsV1mJyCmZDwg8Yj1MPZ2hJ+5nIep1zEOU91pSHxhHOWbk/VWgUvVAAAAAFB66zaEx8QrmtS9vWQxgPXmKxp3qPxGfUAN+cLB7LM6DupO0Riqcq5ykduUq591jy4Nk7ncnc3hXvr43QAx0CQ==" | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
Suspicious behavior: EnumeratesProcesses (1 IoCs)
Processes: icarus_ui.exe
  pid | process
  2500 | icarus_ui.exe
Suspicious use of AdjustPrivilegeToken (19 IoCs)
Processes: icarus.exe, icarus_ui.exe, icarus.exe
  description | pid | process
  Token: SeRestorePrivilege | 2792 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 2792 | icarus.exe
  Token: SeRestorePrivilege | 2792 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 2792 | icarus.exe
  Token: SeRestorePrivilege | 2792 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 2792 | icarus.exe
  Token: SeRestorePrivilege | 2792 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 2792 | icarus.exe
  Token: SeDebugPrivilege | 2792 | icarus.exe
  Token: SeDebugPrivilege | 2500 | icarus_ui.exe
  Token: SeRestorePrivilege | 1200 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 1200 | icarus.exe
  Token: SeRestorePrivilege | 1200 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 1200 | icarus.exe
  Token: SeRestorePrivilege | 1200 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 1200 | icarus.exe
  Token: SeRestorePrivilege | 1200 | icarus.exe
  Token: SeTakeOwnershipPrivilege | 1200 | icarus.exe
  Token: SeDebugPrivilege | 1200 | icarus.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
Processes: 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe, icarus_ui.exe
  pid | process
  2136 | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe
  2500 | icarus_ui.exe
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes: icarus_ui.exe
  pid | process
  2500 | icarus_ui.exe
Suspicious use of WriteProcessMemory (10 IoCs)
Processes: 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe, icarus.exe
  description | pid | process | target process
  PID 2136 wrote to memory of 2792 | 2136 | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe | icarus.exe
  PID 2136 wrote to memory of 2792 | 2136 | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe | icarus.exe
  PID 2136 wrote to memory of 2792 | 2136 | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe | icarus.exe
  PID 2136 wrote to memory of 2792 | 2136 | 2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe | icarus.exe
  PID 2792 wrote to memory of 2500 | 2792 | icarus.exe | icarus_ui.exe
  PID 2792 wrote to memory of 2500 | 2792 | icarus.exe | icarus_ui.exe
  PID 2792 wrote to memory of 2500 | 2792 | icarus.exe | icarus_ui.exe
  PID 2792 wrote to memory of 1200 | 2792 | icarus.exe | icarus.exe
  PID 2792 wrote to memory of 1200 | 2792 | icarus.exe | icarus.exe
  PID 2792 wrote to memory of 1200 | 2792 | icarus.exe | icarus.exe
Uses Task Scheduler COM API (1 TTPs)
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
Process tree (indentation shows parent/child depth; the command line follows each image path):
1. "C:\Users\Admin\AppData\Local\Temp\2024-06-16_f5f76a42c4a1de9a5125d46a065dd3a3_magniber.exe" (PID 2136)
   - Writes to the Master Boot Record (MBR)
   - Loads dropped DLL
   - Modifies registry class
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Temp\asw-560490c1-1316-4e94-b4b5-e2328e6c423c\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-560490c1-1316-4e94-b4b5-e2328e6c423c\icarus-info.xml /install /sssid:2136 (PID 2792)
      - Writes to the Master Boot Record (MBR)
      - Executes dropped EXE
      - Loads dropped DLL
      - Checks processor information in registry
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Windows\Temp\asw-560490c1-1316-4e94-b4b5-e2328e6c423c\common\icarus_ui.exe /sssid:2136 /er_master:master_ep_ca3619dc-b6e9-4e4e-9dd8-a521e1a509ce /er_ui:ui_ep_aba6db0a-f234-4fd1-833a-abb6b8fde9a4 (PID 2500)
         - Executes dropped EXE
         - Checks processor information in registry
         - Suspicious behavior: EnumeratesProcesses
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of FindShellTrayWindow
         - Suspicious use of SetWindowsHookEx
      3. C:\Windows\Temp\asw-560490c1-1316-4e94-b4b5-e2328e6c423c\avg-tu\icarus.exe /sssid:2136 /er_master:master_ep_ca3619dc-b6e9-4e4e-9dd8-a521e1a509ce /er_ui:ui_ep_aba6db0a-f234-4fd1-833a-abb6b8fde9a4 /er_slave:avg-tu_slave_ep_43e0c415-4ed5-483e-8ade-a7105453af9b /slave:avg-tu (PID 1200)
         - Checks for any installed AV software in registry
         - Writes to the Master Boot Record (MBR)
         - Executes dropped EXE
         - Loads dropped DLL
         - Checks processor information in registry
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads