Analysis

  • max time kernel
    137s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    31/10/2024, 16:59

General

  • Target

    12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4.exe

  • Size

    219KB

  • MD5

    b20a6cc6bb92aac556cb1c3f383628d9

  • SHA1

    a37727da979560c8c6fb9cd09f3fc33d78643b84

  • SHA256

    12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4

  • SHA512

    18a2c0b7b533dd6ced92bc8317e62326ff0d31a725705068c37739ffac69b808d695035aad43384af4ad662e4c994d291a63c842df3983426bd224b42f85c0b2

  • SSDEEP

    3072:J2RaiKg4xmUh1WXHqw/l+qmOELhakVsm3mxB32tLEv8zfdn5f2dZLCoKOhhWK0Ks:J0KgGwHqwOOELha+sm2D2+UhngNQK4dD

Signatures

  • Downloads MZ/PE file
  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system.

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

Processes

  • C:\Users\Admin\AppData\Local\Temp\12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4.exe
    "C:\Users\Admin\AppData\Local\Temp\12118d48fffbcd5000dcb74258b9200b166b17d56c03c856dad22604c5071bf4.exe"
    1⤵
    • Loads dropped DLL
    • Writes to the Master Boot Record (MBR)
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2616
    • C:\Windows\Temp\asw.95d094aa5ed81b06\avg_antivirus_free_online_setup.exe
      "C:\Windows\Temp\asw.95d094aa5ed81b06\avg_antivirus_free_online_setup.exe" /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /ga_clientid:4b269ae0-64e2-480b-a783-6c313afc2870 /edat_dir:C:\Windows\Temp\asw.95d094aa5ed81b06
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Writes to the Master Boot Record (MBR)
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4004
      • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\icarus.exe
        C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\icarus-info.xml /install /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.95d094aa5ed81b06 /track-guid:4b269ae0-64e2-480b-a783-6c313afc2870 /sssid:4004
        3⤵
        • Executes dropped EXE
        • Writes to the Master Boot Record (MBR)
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4796
        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\icarus_ui.exe
          C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\icarus_ui.exe /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.95d094aa5ed81b06 /track-guid:4b269ae0-64e2-480b-a783-6c313afc2870 /sssid:4004 /er_master:master_ep_0cfd89bd-45a9-44f2-8b8d-9607bb8ce8c9 /er_ui:ui_ep_eaf31416-53c0-402c-aca3-9b881d76e486
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:4596
        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av\icarus.exe
          C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av\icarus.exe /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.95d094aa5ed81b06 /track-guid:4b269ae0-64e2-480b-a783-6c313afc2870 /sssid:4004 /er_master:master_ep_0cfd89bd-45a9-44f2-8b8d-9607bb8ce8c9 /er_ui:ui_ep_eaf31416-53c0-402c-aca3-9b881d76e486 /er_slave:avg-av_slave_ep_7f846ea3-4577-487a-aeb1-832cb1cc27f9 /slave:avg-av
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:1604
        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av-vps\icarus.exe
          C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av-vps\icarus.exe /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.95d094aa5ed81b06 /track-guid:4b269ae0-64e2-480b-a783-6c313afc2870 /sssid:4004 /er_master:master_ep_0cfd89bd-45a9-44f2-8b8d-9607bb8ce8c9 /er_ui:ui_ep_eaf31416-53c0-402c-aca3-9b881d76e486 /er_slave:avg-av-vps_slave_ep_0ed8bdcb-9413-4d8d-85ca-5ae09e6c1bc2 /slave:avg-av-vps
          4⤵
          • Executes dropped EXE
          • Loads dropped DLL
          • Writes to the Master Boot Record (MBR)
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:5080

        MITRE ATT&CK Enterprise v15

        Downloads

        • C:\ProgramData\AVG\Icarus\Logs\icarus.log

          Filesize

          89KB

          MD5

          b9bef55526ebe3370543767bf1f50b96

          SHA1

          07a38f22281bd9e85880a42bce93772c8142a954

          SHA256

          413cfeeeab83854d1579548beccc40fb3b29150c7514f8771ea551b7a65abb9e

          SHA512

          adfb99b38027798253b2c14842ea9fcc502c5f0fb42d7d22e1049da33ccf561598be4edcac782094a9258ef17c2458cefd50bd8128797d264e1555782dbd28a6

        • C:\ProgramData\AVG\Icarus\Logs\icarus.log

          Filesize

          167KB

          MD5

          49fc3e797d559f71eba3007ce5632923

          SHA1

          69180a9329628777e821ae4b3cc8ba91256fa1ad

          SHA256

          edb5a333f3afeecf7ddda9ea5107f4b3203b3f7a07c29cd197cdbfb772f219c8

          SHA512

          e3f5aa99e8ef9bf372636e596979b48d226a77ace6b07613588cce1eb9b31995717ac94859a3eb91046cccf79f178780d1cdb7a93ab6c7d1841dcd7c2a57a68e

        • C:\ProgramData\AVG\Icarus\Logs\icarus.log

          Filesize

          105KB

          MD5

          48989f88052bfe3df9296b10a7a666c2

          SHA1

          a880ab47a63a86efd2692a6b8e4048f2dac69af6

          SHA256

          4be493694c0b2208fcb1c5479cde7f6db23efd9c78e48ed09abc789564d11aaa

          SHA512

          ba5f41293e5eefd434ed572725107f8d0e904b0cfa3719e57ad92036823a9a8f822ed75deebee755dec3257d4091d82643ffee84c34e46c5953673c300333546

        • C:\ProgramData\AVG\Icarus\Logs\sfx.log

          Filesize

          13KB

          MD5

          45ff25379aadc7543a4286cedf1d86f4

          SHA1

          84432d2159706a706d5b6c40b8be3ab8042d33f3

          SHA256

          c88cc18ea863e585473dcef8dc43ffb671672c91558139979676f653b63b1161

          SHA512

          8db319a34eb2d18d13c2ea5fb72641c1f84c9f8531a2e7f541c3d77fc1b14d50d909aec9cd2852359951f90807bcd7fc10ea393633a93d8a1d51d874f777616f

        • C:\ProgramData\AVG\Icarus\Logs\sui.log

          Filesize

          37KB

          MD5

          814c18983908cc1fa8e970d0263a0881

          SHA1

          9da4a5a1571cbb7c96caad867e9198946ff9b1c0

          SHA256

          9f592fe5c3338a15d0bc0106be422b3651087369ff05e39b592b41090509badb

          SHA512

          67ae9b6c7489d344b2ffb2effb49cc5c3a807012eb281703225e5c757e256ca74f0adbd30a85b2bd77a38c3a6f07b9d39a835cc8596644f5c57ac197680be518

        • C:\ProgramData\AVG\Icarus\settings\temporary_proxy.ini

          Filesize

          278B

          MD5

          b8853a8e6228549b5d3ad97752d173d4

          SHA1

          cd471a5d57e0946c19a694a6be8a3959cef30341

          SHA256

          8e511706c04e382e58153c274138e99a298e87e29e12548d39b7f3d3442878b9

          SHA512

          cf4edd9ee238c1e621501f91a4c3338ec0cb07ca2c2df00aa7c44d3db7c4f3798bc4137c11c15379d0c71fab1c5c61f19be32ba3fc39dc242313d0947461a787

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av-vps\config.def

          Filesize

          549B

          MD5

          3e9c87ef79aec6ef3af203b32b003198

          SHA1

          82d9dbecbb20ff8160439d9f7d8b87466bcdfbef

          SHA256

          e3e8cbe0a09239f7c977bfc7d283c32e1a8dacd5fadc2f6643724e4e68cb8489

          SHA512

          88e65718a1d7b538c14822cbfe1eea21dd8c102c9b3c0c4b6dff719ec0f74e3c5c5b83b630f4c8506049b1e793ec2a1f4aed279bc44f904ca8355a0e1c4bfdc5

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av-vps\icarus_product.dll

          Filesize

          858KB

          MD5

          264df24da7afca448f922f625c1b8ced

          SHA1

          7cf8f98892aaa7a57920f7ff4fffe8b344e63f5e

          SHA256

          305a51e4f4c05a8e0332d039c7e5f36c0d9b75097754aa67f43153716c0d728b

          SHA512

          d73359b290ac3ed119fd208c58e983d74bc4d96fcb03b53d4f4c63330428e8f07e11931409655aa3070bae44accf1a4d9255b41b5db3b99219f27ddf5e61b929

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av-vps\product-def.xml

          Filesize

          59KB

          MD5

          c098fcd02daf5d7df8745c0b76bc366d

          SHA1

          f9a6badd0c60336ee266825586589c7dfb99a1ac

          SHA256

          b92fa68a147f97031a38d1b5f600751a9ef90a75de5b2b1a3890eee9418f260b

          SHA512

          a65e3e28c986903f0b2c7d31f8538f673498fc05b9a20dd97236d3faddbd92209f37bbf618b9070832c1e9150522f30ecfdf7ce13149fd678541d9c0a2147d3b

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av-vps\product-info.xml

          Filesize

          5KB

          MD5

          f72e34a1663ca928afca6a0f98a331de

          SHA1

          4246e1d21471c72b0cd07a4047fc08c48a75670a

          SHA256

          57b8d37ae14fe34c0f78a9b37d965af08926fdf650f21996b8ae1c15224ae824

          SHA512

          ae1ece937d718940a16d46cebe1490d0bd9658acc55076ccc80a543f6f646f51f9fc8745cfc079a956400239949cad6c9e8029ae907d5a1768f75d2c714740ed

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av\config.def

          Filesize

          709B

          MD5

          7f4e744fd9e79159cace879a9e6e04df

          SHA1

          2735b64ff03d0b5086865b59ecf795bd60ee072a

          SHA256

          26bd6950866b9668b3fff122f24ab483ed1932d4cc3ad9424aa32d5a9d99b264

          SHA512

          6ee3e9d7359ac9a971b4adf26fa2416b6622bfc992c382881c486f3d52a45d53a698412bc019e930fd3e07aff0fb2d4fb7227cc24f96f8ce457d851366c37644

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av\config.def.edat

          Filesize

          20KB

          MD5

          0ebc6555ec72edd10d3af993d6c2c646

          SHA1

          7177762bd74eb4eb0b9954cd7e576a28f2b90ab8

          SHA256

          6cb1bbff5f93c6b7fdcae067ce6e49c8cbc6cee7343aac6e0915b2a101933e35

          SHA512

          f4f12da80499353766c82b72feb39f777f2e63e5b0de770ef930cf35a26e1b2119aad8720176d955f288afcc48d221e7062919ab89b1fd1ee8d528029a69ec12

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av\edition.edat

          Filesize

          2B

          MD5

          9bf31c7ff062936a96d3c8bd1f8f2ff3

          SHA1

          f1abd670358e036c31296e66b3b66c382ac00812

          SHA256

          e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

          SHA512

          9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av\icarus_product.dll

          Filesize

          6.7MB

          MD5

          7ff07f1d86a7b8c1d28b5de1760f9a71

          SHA1

          affc73ee9828bb2151a6c88b84098f9b8c0df1b5

          SHA256

          3024ac600d3b29893cc17f7615af081654930b55c356fdd9fbb51b2b17acd105

          SHA512

          cdba8696cda67582d769db58a28ac87d30fe9bc869f7a0f718d9149b6edd42622d5fa83e5b1f5c37e0433a244a3b020c9d90b8708927926c2480a7ed5bcc894a

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\bug_report.exe

          Filesize

          5.6MB

          MD5

          d51365da191d9548b76fae6cde050af2

          SHA1

          8445144dce25fe03dce30e0ec8099e2b926c2a43

          SHA256

          8c273c61324efbc3a773588dbbba308a6b148ea77cdc3703104dc4808655fc21

          SHA512

          4ee64c1c174971b7f7ea53cde92f2007bed50799140e164b93b03b86885226a0bc813686c4003b0f6b7e2c1f8b60db4fc66b96baff4bab860412c100bd7a4502

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\dump_process.exe

          Filesize

          3.4MB

          MD5

          5190cf05ae2e298cb94e85dc83f2e161

          SHA1

          6701689a71f7de48fc9bc990774d8d9fcee8bd4a

          SHA256

          e80d3f009fb029dbc537e9967bb00d8362d3e1ad6378cce6beeabf231cf86c0a

          SHA512

          63eb01823e15a7ec1e4fbf8eda944264db9c14fde404889312f0189a7559a3ea2ea93d216b78492ab2194923a056bea3f083d72c1650576823ef98091f2ef568

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\icarus.exe

          Filesize

          7.8MB

          MD5

          4e824521a083138869fa6246cb33ccde

          SHA1

          7228689c5088a6d4faf4f7dc5fdf4389c56f76cd

          SHA256

          6a16511aab82faa51440197bddd11c1cce52ddd20160a630ee191eb9f626ce6c

          SHA512

          a7af2652d1a5c810845f3e0f6115477fb5e47cf1db645a7d8567c100277d213103fe6418a52a71aa8c83ba5a47d2f81a98b429456293f58ef9aa730811b29c5f

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\icarus_mod.dll

          Filesize

          15KB

          MD5

          b58aa1772b0da86313ea07903be02002

          SHA1

          2e3cf5b6c6b575633b687de9463e247460d9c833

          SHA256

          801ff2ea4307cd3a1f6a6f3744f7510c3de7e9ddac1db863859ee7d3207d46ff

          SHA512

          075ab7db5632dd2ca6a63cd7d7e7df905c1348269b3f0e8e3bd2efff1663950b4c50f22ea8f1ab5286f55ba0d3eb1d234a631425c4578b27797f15ac88a6172d

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\icarus_ui.exe

          Filesize

          11.8MB

          MD5

          630f299a07c056d3ccfd8b6499304af4

          SHA1

          bb06310b3cfbe95069e37d389655b4616369c3e4

          SHA256

          5a717caa148a79724d65f72b437b7d169fef26cfa676ac8bf7fb59354cf489a0

          SHA512

          e68d70727e51008a3b7438b65e921be69e17eadc0b3e86b7010d4900ca50988d4a1e20ca869efcc5d3802bc22364aa7714d7a18592c736f18ea6bac822ae4035

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\product-def.xml

          Filesize

          1.3MB

          MD5

          0cbe03f2a4315fd99a2d7c1b3434e392

          SHA1

          542cdee4a6013afc88710b73bdb9f7bc73890bfb

          SHA256

          5ddc8de2bfd97b3e5ef529b3f340145bad10c122b6f00669d09e6ed6a8f22b43

          SHA512

          e72836cb99da8c0d14f5da9db02e0a855e231adebbd0255d56c1b05216e0058c443e2795e87868e85e18335231232ec75888f3722560e4835c14000edb73d5e2

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\product-info.xml

          Filesize

          9KB

          MD5

          d7e8b97d50765365e6793fade40742dc

          SHA1

          78229d4731a07f3efe18c6eb9bc36de380a98b5e

          SHA256

          d8780ee84985530a785f07c6f959de5d0835d7ee4db536bef5acef1379602e75

          SHA512

          d311d33f3b412132bf20e0f7773d32efbc4e71f5c19fa176cb6c994390dc5ce32ccaad2eb9081cb7bbcbf23cd0ddc916951781f83af68ba3c9084667a68b7e87

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\common\setupui.cont

          Filesize

          382KB

          MD5

          b790cb82fe208a019358579c9c610021

          SHA1

          98810354ed887fe4d5d83d379bf0776e51d71d4b

          SHA256

          175b34fdca1a4b61c1c95d4f27f2ca408eaf7607a7acbe51edd6484f01df2ba1

          SHA512

          2d58422aa465fdf2f5846516aa393bd1c47f6b46d6e37999de466fd48f8b4607bd0942d8a136ab48a6f19301df5b3a1374b73c6f516cc597c5637cfbf6410169

        • C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\icarus-info.xml

          Filesize

          1KB

          MD5

          4fccca72fe56d3138ff0a6758553abd9

          SHA1

          96375d9ac1f8dc8561f3b2fd61e725c957e353c0

          SHA256

          c27ac776700d4bc03704b53f938bb16a6a9150cf9e7fea6c23ae888022e970d0

          SHA512

          07835594c7956a9fe6d7aa5145725c2b0ff1d98b5299a79200f089a8ccb71768c029bcb89114fe076dd5e3cdb32a302dd527f54d8d57c43b4ac2c49c1aa78cc4

        • C:\Windows\Temp\asw.95d094aa5ed81b06\avg_antivirus_free_online_setup.exe

          Filesize

          1.6MB

          MD5

          f09798c668ab48b3c69278290e971cfc

          SHA1

          28a88f8c2a11eee6200198d4c1ff85ebe7ee5be8

          SHA256

          1e628a18b0e339dc6f72441cd3fbe0f43248ad63ba2b8f8c648a2d450e5ba529

          SHA512

          8f42cad525d25f1df2a66be6f663c4a0a5a9fd001a54918eed1df9cff26518082a046bec9f46331338f306c3c0e4ed6f5a555ae6b4e5ad5bf70c6b03b7ceaf58
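The hash blocks in the General section and the per-file entries in the Downloads list above are only useful if they can be checked against files recovered from a host or a sandbox VM. The script below is an added example, not tooling that belongs to the sandbox or to the report: it parses entries written in the same path/label/value layout the Downloads section uses, hashes a file in one pass, and reports which of the recorded digests disagree. The embedded sample is constructed from two entries copied from this report (edition.edat, and a partial icarus-info.xml entry to show that missing algorithms are skipped rather than failed); the rule in the usage block of matching a file to a record by its final path component is an assumption of this example. SSDEEP is left out because it needs a separate library.

```python
"""Parse a sandbox report's dropped-file list and verify files against it.

Added example for this page, not part of the sandbox's own tooling. The parser
follows the "Downloads" layout above: a bullet line carrying the path, then
label/value pairs (Filesize, MD5, SHA1, SHA256, SHA512) with each value on the
next non-empty line after its label.
"""
import hashlib
import io
import sys

ALGS = ("md5", "sha1", "sha256", "sha512")
HEX_LEN = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}
LABELS = {"Filesize": "filesize", "MD5": "md5", "SHA1": "sha1",
          "SHA256": "sha256", "SHA512": "sha512"}

# Constructed sample: one complete entry and one partial entry, with the hash
# values copied from the report's Downloads section.
SAMPLE_REPORT = r"""
• C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\avg-av\edition.edat
  Filesize
  2B
  MD5
  9bf31c7ff062936a96d3c8bd1f8f2ff3
  SHA1
  f1abd670358e036c31296e66b3b66c382ac00812
  SHA256
  e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb
  SHA512
  9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a
• C:\Windows\Temp\asw-af44b925-9c7e-4b72-b22f-eaa4627ffc69\icarus-info.xml
  MD5
  4fccca72fe56d3138ff0a6758553abd9
  SHA256
  c27ac776700d4bc03704b53f938bb16a6a9150cf9e7fea6c23ae888022e970d0
"""


def parse_downloads(text):
    """Return one dict per bullet entry: {'path': ..., 'filesize': ..., 'md5': ...}."""
    records, current, pending = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue                      # the report separates fields with blank lines
        if line.startswith("•"):
            current = {"path": line[1:].strip()}
            records.append(current)
            pending = None
        elif line in LABELS:
            pending = LABELS[line]        # the next non-empty line is this field's value
        elif pending and current is not None:
            if pending in HEX_LEN:        # hash values must be well-formed hex of the right length
                value = line.lower()
                if len(value) != HEX_LEN[pending] or any(c not in "0123456789abcdef" for c in value):
                    raise ValueError(f"{current['path']}: malformed {pending} value {line!r}")
                current[pending] = value
            else:
                current[pending] = line
            pending = None
    return records


def hash_stream(fh, chunk=1 << 20):
    """Compute all four digests in a single pass so large droppers are read once."""
    digests = {alg: hashlib.new(alg) for alg in ALGS}
    for block in iter(lambda: fh.read(chunk), b""):
        for d in digests.values():
            d.update(block)
    return {alg: d.hexdigest() for alg, d in digests.items()}


def hash_bytes(data):
    return hash_stream(io.BytesIO(data))


def hash_file(path):
    with open(path, "rb") as fh:
        return hash_stream(fh)


def verify(actual, record):
    """Map each algorithm the record lists to (expected, actual) where they differ.

    An empty dict means every hash the report recorded matches; an algorithm the
    record does not carry is skipped rather than counted as a failure.
    """
    return {alg: (record[alg], actual[alg])
            for alg in ALGS if alg in record and record[alg] != actual[alg]}


if __name__ == "__main__":
    # Usage: python verify_dropped.py <report.txt> <file-on-disk> ...
    # Files are matched to records by final path component (an assumption here).
    with open(sys.argv[1], encoding="utf-8") as fh:
        by_name = {r["path"].rsplit("\\", 1)[-1].lower(): r
                   for r in parse_downloads(fh.read())}
    for path in sys.argv[2:]:
        record = by_name.get(path.replace("\\", "/").rsplit("/", 1)[-1].lower())
        if record is None:
            print(f"{path}: not listed in report")
            continue
        mismatches = verify(hash_file(path), record)
        print(f"{path}: {'OK' if not mismatches else 'MISMATCH ' + str(mismatches)}")
```

Point it at the report text saved from this page and at the files pulled out of the sandbox VM (or a suspect host) under the listed C:\Windows\Temp and C:\ProgramData\AVG paths; a match on all four digests confirms the artefact is the one the sandbox saw, while a single mismatching algorithm on an otherwise matching file is a sign the report was transcribed incorrectly rather than that the file differs.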