Analysis

  • max time kernel
    94s
  • max time network
    148s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-11-2024 21:51

General

  • Target

    avg_antivirus_free_setup.exe

  • Size

    247KB

  • MD5

    18854664af657aa0a6d62196c321acf0

  • SHA1

    86c944fbadfc4481533fa6b948cb2879f9411a2c

  • SHA256

    979437ed2a4c9a008e48df0aa7f8c0470de20adcb4f83aaaf17903e1e4d55605

  • SHA512

    5ddbd2e06c33e6464bcc407b63da8e9173c44f4cb91a6870b5a3bbffec6edf647649c71a35d51a1c773c4acc6753d26ac87fe90f27d5b5210b873090a07bdc62

  • SSDEEP

    6144:PtgJcB7RG80fGwvDBn9Egw7Qj3EVfQ57:PtgJORaGiDB9y1fW7
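
Before acting on a report like this one, recompute the digests of the file you actually hold and compare them with the values listed above; a sample fetched from a different mirror or re-packed by a download portal will not match. The script below is an added example, not code from the report or from AVG. It assumes only the digest values copied from this page; the zero-length input it checks is constructed and stands in for C:\ProgramData\AVG\Icarus\Logs\report.log further down, whose listed MD5, SHA-1, SHA-256 and SHA-512 are exactly the digests of empty input.

```python
"""Recompute and check the digests a sandbox report lists for an artifact.

Added example; not code from the report or from AVG. It assumes only the
digest values copied from the report. The empty input used in the checks is
constructed: it reproduces report.log, whose listed digests are those of a
zero-length file.
"""
import hashlib
from typing import Dict, Iterable

ALGORITHMS = ("md5", "sha1", "sha256", "sha512")

# Values listed on the report for C:\ProgramData\AVG\Icarus\Logs\report.log.
REPORT_LOG_DIGESTS: Dict[str, str] = {
    "md5": "d41d8cd98f00b204e9800998ecf8427e",
    "sha1": "da39a3ee5e6b4b0d3255bfef95601890afd80709",
    "sha256": "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855",
    "sha512": (
        "cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce"
        "47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e"
    ),
}

# Values listed on the report for the submitted target.
TARGET_DIGESTS: Dict[str, str] = {
    "md5": "18854664af657aa0a6d62196c321acf0",
    "sha1": "86c944fbadfc4481533fa6b948cb2879f9411a2c",
    "sha256": "979437ed2a4c9a008e48df0aa7f8c0470de20adcb4f83aaaf17903e1e4d55605",
    "sha512": (
        "5ddbd2e06c33e6464bcc407b63da8e9173c44f4cb91a6870b5a3bbffec6edf64"
        "7649c71a35d51a1c773c4acc6753d26ac87fe90f27d5b5210b873090a07bdc62"
    ),
}


def digest_chunks(chunks: Iterable[bytes]) -> Dict[str, str]:
    """Hash a byte stream once, feeding every algorithm the report lists."""
    hashers = {name: hashlib.new(name) for name in ALGORITHMS}
    for chunk in chunks:
        for h in hashers.values():
            h.update(chunk)
    return {name: h.hexdigest() for name, h in hashers.items()}


def digest_bytes(data: bytes) -> Dict[str, str]:
    return digest_chunks([data])


def digest_file(path: str, chunk_size: int = 1 << 20) -> Dict[str, str]:
    """Stream the file so a multi-megabyte dropper is not read into memory whole."""
    with open(path, "rb") as fh:
        return digest_chunks(iter(lambda: fh.read(chunk_size), b""))


def compare(actual: Dict[str, str], expected: Dict[str, str]) -> Dict[str, bool]:
    """Per-algorithm match map; hex is compared case-insensitively."""
    return {
        name: actual.get(name, "").lower() == value.lower()
        for name, value in expected.items()
    }


def verify(actual: Dict[str, str], expected: Dict[str, str]) -> bool:
    """True only when every listed digest matches and SHA-256 is among them.

    MD5 and SHA-1 are collision-prone, so a listing that offers only those
    is not accepted as proof that two files are the same.
    """
    if "sha256" not in expected:
        return False
    return all(compare(actual, expected).values())


if __name__ == "__main__":
    import sys
    for path in sys.argv[1:]:
        result = compare(digest_file(path), TARGET_DIGESTS)
        print(path, "matches report" if all(result.values()) else result)
```

Run it as `python check_digests.py avg_antivirus_free_setup.exe` against the copy you have; any algorithm reported as False means you are not looking at the file this report describes. The ssdeep value cannot be checked with hashlib; it needs the ssdeep library or CLI.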

Malware Config

Signatures

  • Downloads MZ/PE file
  • Writes to the Master Boot Record (MBR) 1 TTPs 5 IoCs

    Bootkits write to the MBR to gain persistence at a level below the operating system. Opening the raw disk (\\.\PhysicalDrive0) with write access can be enough to trigger this signature, and anti-rootkit components of security products do that legitimately to inspect the boot sector, so for an installer like this one confirm an actual change by comparing sector 0 before and after the run rather than treating the signature alone as evidence of a bootkit.

  • Executes dropped EXE 5 IoCs
  • Loads dropped DLL 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of the victim host in order to infer its geographical location.

  • Checks processor information in registry 2 TTPs 9 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Modifies registry class 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 28 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 11 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
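
Of the signatures above, "Writes to the Master Boot Record (MBR)" is the one worth settling with evidence rather than a label. The following is an added example, not code from the report or from AVG: it parses a 512-byte sector 0, separates the bootstrap code, disk signature and partition table, and diffs a post-install capture against a baseline so a hooked bootstrap stub is reported differently from a repartition. The two sectors embedded in it are constructed for the example; on a real host take the baseline with `read_sector0(r"\\.\PhysicalDrive0")` as administrator before running the installer and read the sector again afterwards.

```python
"""Parse sector 0 and diff it against a baseline, so a run that trips the
"Writes to the MBR" signature can be checked for an actual change.

Added example; not code from the report or from AVG. The two 512-byte
sectors below are constructed for the example. On a real host read the
baseline before running the installer and the current sector after it:
open(r"\\.\PhysicalDrive0", "rb") as administrator on Windows, or the
block device (e.g. /dev/sda) as root on Linux.
"""
import hashlib
import struct
from dataclasses import dataclass
from typing import List, Tuple

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"


@dataclass(frozen=True)
class Partition:
    bootable: bool
    type_id: int
    lba_start: int
    sector_count: int


@dataclass(frozen=True)
class Mbr:
    code_sha256: str                   # bytes 0..439: bootstrap code
    disk_signature: int                # bytes 440..443
    partitions: Tuple[Partition, ...]  # four 16-byte entries from offset 446
    signature_ok: bool                 # 0x55AA at offset 510


def parse_mbr(sector: bytes) -> Mbr:
    if len(sector) != SECTOR_SIZE:
        raise ValueError(f"expected {SECTOR_SIZE} bytes, got {len(sector)}")
    entries = []
    for i in range(4):
        # status(1) CHS-start(3) type(1) CHS-end(3) LBA-start(4) count(4)
        status, ptype, lba, count = struct.unpack_from(
            "<B3xB3xII", sector, 446 + 16 * i)
        if ptype != 0:                 # type 0x00 marks an unused entry
            entries.append(Partition(status == 0x80, ptype, lba, count))
    return Mbr(
        code_sha256=hashlib.sha256(sector[:440]).hexdigest(),
        disk_signature=struct.unpack_from("<I", sector, 440)[0],
        partitions=tuple(entries),
        signature_ok=sector[510:512] == BOOT_SIGNATURE,
    )


def diff_mbr(baseline: Mbr, current: Mbr) -> List[str]:
    """What changed between two captures; an empty list means no change."""
    findings = []
    if not current.signature_ok:
        findings.append("boot signature 0x55AA missing")
    if current.code_sha256 != baseline.code_sha256:
        findings.append("bootstrap code changed")
    if current.disk_signature != baseline.disk_signature:
        findings.append("disk signature changed")
    if current.partitions != baseline.partitions:
        findings.append("partition table changed")
    return findings


def read_sector0(device: str) -> bytes:
    """Raw read of the first sector of a disk; needs administrator/root."""
    with open(device, "rb") as fh:
        return fh.read(SECTOR_SIZE)


def build_sample_mbr(code_stub: bytes) -> bytes:
    """Constructed sector: a code stub, one active NTFS partition, valid 0x55AA."""
    sector = bytearray(SECTOR_SIZE)
    sector[:len(code_stub)] = code_stub
    struct.pack_into("<I", sector, 440, 0x1234ABCD)            # disk signature
    struct.pack_into("<B3xB3xII", sector, 446, 0x80, 0x07, 2048, 204800)
    sector[510:512] = BOOT_SIGNATURE
    return bytes(sector)


# Constructed baseline: a few bytes shaped like a conventional x86 stub.
BASELINE_SECTOR = build_sample_mbr(b"\xfa\x33\xc0\x8e\xd0\xbc\x00\x7c\xfb")
# Constructed "after" sector: the first instruction replaced by a short jump,
# the shape a bootkit leaves when it hooks the bootstrap code while keeping
# the partition table intact.
TAMPERED_SECTOR = b"\xeb\x4e" + BASELINE_SECTOR[2:]

if __name__ == "__main__":
    base = parse_mbr(BASELINE_SECTOR)
    print("baseline partitions:", base.partitions)
    print("after tampering:", diff_mbr(base, parse_mbr(TAMPERED_SECTOR)))
```

Keep the baseline capture off the host under test; a bootkit that has already installed will happily serve an unmodified-looking sector 0 to later reads from inside the running OS, so the "after" read is most trustworthy taken from a disk image or from the sandbox's own disk snapshot.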

Processes

  • C:\Users\Admin\AppData\Local\Temp\avg_antivirus_free_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\avg_antivirus_free_setup.exe"
    1⤵
    • Writes to the Master Boot Record (MBR)
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2344
    • C:\Windows\Temp\asw.7ec29f343b974334\avg_antivirus_free_online_setup.exe
      "C:\Windows\Temp\asw.7ec29f343b974334\avg_antivirus_free_online_setup.exe" /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /ga_clientid:2bcd41ef-5f57-43e3-859b-424325aff52d /edat_dir:C:\Windows\Temp\asw.7ec29f343b974334 /geo:GB
      2⤵
      • Writes to the Master Boot Record (MBR)
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Modifies registry class
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:4020
      • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\icarus.exe
        C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\icarus-info.xml /install /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.7ec29f343b974334 /geo:GB /track-guid:2bcd41ef-5f57-43e3-859b-424325aff52d /sssid:4020
        3⤵
        • Writes to the Master Boot Record (MBR)
        • Executes dropped EXE
        • Checks processor information in registry
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:3260
        • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\icarus_ui.exe
          C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\icarus_ui.exe /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.7ec29f343b974334 /geo:GB /track-guid:2bcd41ef-5f57-43e3-859b-424325aff52d /sssid:4020 /er_master:master_ep_cd72cec4-86ae-4043-8ae0-dc54a8881369 /er_ui:ui_ep_eb5831b2-cd24-4eeb-9bde-fc61d72332ef
          4⤵
          • Executes dropped EXE
          • Checks processor information in registry
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          • Suspicious use of FindShellTrayWindow
          • Suspicious use of SetWindowsHookEx
          PID:4544
        • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av\icarus.exe
          C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av\icarus.exe /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.7ec29f343b974334 /geo:GB /track-guid:2bcd41ef-5f57-43e3-859b-424325aff52d /sssid:4020 /er_master:master_ep_cd72cec4-86ae-4043-8ae0-dc54a8881369 /er_ui:ui_ep_eb5831b2-cd24-4eeb-9bde-fc61d72332ef /er_slave:avg-av_slave_ep_997c4976-6a95-42df-b1d8-5a7d236b9215 /slave:avg-av
          4⤵
          • Writes to the Master Boot Record (MBR)
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4360
        • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av-vps\icarus.exe
          C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av-vps\icarus.exe /cookie:mmm_bav_998_999_000_m:dlid_FREEGSR-FAD /edat_dir:C:\Windows\Temp\asw.7ec29f343b974334 /geo:GB /track-guid:2bcd41ef-5f57-43e3-859b-424325aff52d /sssid:4020 /er_master:master_ep_cd72cec4-86ae-4043-8ae0-dc54a8881369 /er_ui:ui_ep_eb5831b2-cd24-4eeb-9bde-fc61d72332ef /er_slave:avg-av-vps_slave_ep_bb4bb815-3f54-4ca1-a3e4-435c613d90ce /slave:avg-av-vps
          4⤵
          • Writes to the Master Boot Record (MBR)
          • Executes dropped EXE
          • Loads dropped DLL
          • Checks processor information in registry
          • Suspicious use of AdjustPrivilegeToken
          PID:4844

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\ProgramData\AVG\Icarus\Logs\icarus.log

    Filesize

    59KB

    MD5

    f78c8aa93f477a496d1fc08b79c89dd7

    SHA1

    d9f63a5538612efd29d1295d66c54e7267071647

    SHA256

    6099d5ec204a3efebb7421a7b8b1c7cccabbeb9cc204a76897e2e7bd9ae6bcb9

    SHA512

    0b15888a2c8d85f2beedd61841d2ffc279003c207812e817cf58688bd53b639864fb24b3f7b399ec4ee537ae0d542c93d9dd69a493a762724b5902dfc64851f0

  • C:\ProgramData\AVG\Icarus\Logs\icarus.log

    Filesize

    80KB

    MD5

    2cb0df02843dd19c898f263138355eb6

    SHA1

    59ccfaab9b77d63beea2ed26e0c652eb839ac9e3

    SHA256

    79e5c91fe5451779d2b1d4b3b3237fdfe2e0ab311a32bce3487f7f57b303397f

    SHA512

    a1aa3a8134977beabb5bb5531c0a7b4f0a5ce1e143e2bd45b530e8a23f3daeaa5c50e226b00dc786551aff3a6bdb48badba5e584122abfbee4b2650dc68c11d9

  • C:\ProgramData\AVG\Icarus\Logs\icarus.log

    Filesize

    97KB

    MD5

    17e6a571d5e95a47bab03113cc136282

    SHA1

    63ace74fbdae760f44684fa2b55a48a2b7fad706

    SHA256

    3cf7213d96bbafc510aa8863bb25d44b548ee8b352bb357f5308b5e93d4ac88d

    SHA512

    9e3f85c3ce0797a19359d28b4f3203ee4f515884d238c03dab7c137cee3f05ff740e0a7ac9b85cc65fbe074094dae339ba4b996fd64c22cd481e79cfac384334

  • C:\ProgramData\AVG\Icarus\Logs\report.log

    Filesize

    0B (the digests below are those of a zero-length file)

    MD5

    d41d8cd98f00b204e9800998ecf8427e

    SHA1

    da39a3ee5e6b4b0d3255bfef95601890afd80709

    SHA256

    e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

    SHA512

    cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

  • C:\ProgramData\AVG\Icarus\Logs\sfx.log

    Filesize

    13KB

    MD5

    ef2d02b778150f1b822f35d9cd18290d

    SHA1

    b70cf735b05c013aa5e7766327365a4d9fef85cc

    SHA256

    0c3a794eb9fe57212d0fb5793d666ae444b98f4fadea76c407b8c14fd260bf99

    SHA512

    8f76619692fb70597fc18205517b730f9e2ca6a1a4b48ad590366b6158300d2372c96048a25ddbdbdcdfa9821757ef5fcb1268754f913d3bb353d4e3a28a3f4c

  • C:\ProgramData\AVG\Icarus\Logs\sui.log

    Filesize

    13KB

    MD5

    af40954d4102fa7c67c9ebb2a885522f

    SHA1

    16f6b8b7c1ca820a81ab227429655c4e177778b6

    SHA256

    749569751036dd2348ab7daa62c1e93f226c9fb1cb7ad8691638e76641ff3797

    SHA512

    a63acebed6c7eaf26c9f805562f3d9dade2915a02f4d69287068d0059f4918954719754171ce8d3ce937eeb45817f77299464cd62917520c2faa6dbab0a189f0

  • C:\ProgramData\AVG\Icarus\settings\temporary_proxy.ini

    Filesize

    278B

    MD5

    b8853a8e6228549b5d3ad97752d173d4

    SHA1

    cd471a5d57e0946c19a694a6be8a3959cef30341

    SHA256

    8e511706c04e382e58153c274138e99a298e87e29e12548d39b7f3d3442878b9

    SHA512

    cf4edd9ee238c1e621501f91a4c3338ec0cb07ca2c2df00aa7c44d3db7c4f3798bc4137c11c15379d0c71fab1c5c61f19be32ba3fc39dc242313d0947461a787

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av-vps\config.def

    Filesize

    549B

    MD5

    3e9c87ef79aec6ef3af203b32b003198

    SHA1

    82d9dbecbb20ff8160439d9f7d8b87466bcdfbef

    SHA256

    e3e8cbe0a09239f7c977bfc7d283c32e1a8dacd5fadc2f6643724e4e68cb8489

    SHA512

    88e65718a1d7b538c14822cbfe1eea21dd8c102c9b3c0c4b6dff719ec0f74e3c5c5b83b630f4c8506049b1e793ec2a1f4aed279bc44f904ca8355a0e1c4bfdc5

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av-vps\dump_process.exe

    Filesize

    3.4MB

    MD5

    5190cf05ae2e298cb94e85dc83f2e161

    SHA1

    6701689a71f7de48fc9bc990774d8d9fcee8bd4a

    SHA256

    e80d3f009fb029dbc537e9967bb00d8362d3e1ad6378cce6beeabf231cf86c0a

    SHA512

    63eb01823e15a7ec1e4fbf8eda944264db9c14fde404889312f0189a7559a3ea2ea93d216b78492ab2194923a056bea3f083d72c1650576823ef98091f2ef568

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av-vps\icarus_product.dll

    Filesize

    858KB

    MD5

    264df24da7afca448f922f625c1b8ced

    SHA1

    7cf8f98892aaa7a57920f7ff4fffe8b344e63f5e

    SHA256

    305a51e4f4c05a8e0332d039c7e5f36c0d9b75097754aa67f43153716c0d728b

    SHA512

    d73359b290ac3ed119fd208c58e983d74bc4d96fcb03b53d4f4c63330428e8f07e11931409655aa3070bae44accf1a4d9255b41b5db3b99219f27ddf5e61b929

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av-vps\product-def.xml

    Filesize

    59KB

    MD5

    02274717be3aa811396eef534c8293d7

    SHA1

    9faabeea2420bda93321dcd6e8a1b5304122d14c

    SHA256

    6aa0696f26308dc8a2b0017aefad751d2f8739dfd3e986426c456397d9077311

    SHA512

    f7b6ca8fc31140da32d534a6856e6137b34f14bbebf95b0da191f226363ed638769a8d44039888f5141441cb2d3533351f5dbfe8046e861ae5adeb00b5b4ade6

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av-vps\product-info.xml

    Filesize

    5KB

    MD5

    0dba1262a0b060555de8bec96d15745d

    SHA1

    05fad81ab461e3bb71d079b1d9499beef0f295f3

    SHA256

    4add8f24854b04409d9a1d422669354114edf068ad1255c307ca00c3102d87f2

    SHA512

    ca539f68272a1053acdce7ec785bebd622a681c4f1b7fefb0c1025ac1100dfcf7de454554f8e3ee83a1f8e90423eb60353c4129f1de9bf9b2b811084453b4504

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av\config.def

    Filesize

    709B

    MD5

    7f4e744fd9e79159cace879a9e6e04df

    SHA1

    2735b64ff03d0b5086865b59ecf795bd60ee072a

    SHA256

    26bd6950866b9668b3fff122f24ab483ed1932d4cc3ad9424aa32d5a9d99b264

    SHA512

    6ee3e9d7359ac9a971b4adf26fa2416b6622bfc992c382881c486f3d52a45d53a698412bc019e930fd3e07aff0fb2d4fb7227cc24f96f8ce457d851366c37644

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av\config.def.edat

    Filesize

    20KB

    MD5

    0ebc6555ec72edd10d3af993d6c2c646

    SHA1

    7177762bd74eb4eb0b9954cd7e576a28f2b90ab8

    SHA256

    6cb1bbff5f93c6b7fdcae067ce6e49c8cbc6cee7343aac6e0915b2a101933e35

    SHA512

    f4f12da80499353766c82b72feb39f777f2e63e5b0de770ef930cf35a26e1b2119aad8720176d955f288afcc48d221e7062919ab89b1fd1ee8d528029a69ec12

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av\edition.edat

    Filesize

    2B

    MD5

    9bf31c7ff062936a96d3c8bd1f8f2ff3

    SHA1

    f1abd670358e036c31296e66b3b66c382ac00812

    SHA256

    e629fa6598d732768f7c726b4b621285f9c3b85303900aa912017db7617d8bdb

    SHA512

    9a6398cffc55ade35b39f1e41cf46c7c491744961853ff9571d09abb55a78976f72c34cd7a8787674efa1c226eaa2494dbd0a133169c9e4e2369a7d2d02de31a

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\avg-av\icarus_product.dll

    Filesize

    6.7MB

    MD5

    7ff07f1d86a7b8c1d28b5de1760f9a71

    SHA1

    affc73ee9828bb2151a6c88b84098f9b8c0df1b5

    SHA256

    3024ac600d3b29893cc17f7615af081654930b55c356fdd9fbb51b2b17acd105

    SHA512

    cdba8696cda67582d769db58a28ac87d30fe9bc869f7a0f718d9149b6edd42622d5fa83e5b1f5c37e0433a244a3b020c9d90b8708927926c2480a7ed5bcc894a

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\bug_report.exe

    Filesize

    5.6MB

    MD5

    d51365da191d9548b76fae6cde050af2

    SHA1

    8445144dce25fe03dce30e0ec8099e2b926c2a43

    SHA256

    8c273c61324efbc3a773588dbbba308a6b148ea77cdc3703104dc4808655fc21

    SHA512

    4ee64c1c174971b7f7ea53cde92f2007bed50799140e164b93b03b86885226a0bc813686c4003b0f6b7e2c1f8b60db4fc66b96baff4bab860412c100bd7a4502

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\icarus.exe

    Filesize

    7.8MB

    MD5

    4e824521a083138869fa6246cb33ccde

    SHA1

    7228689c5088a6d4faf4f7dc5fdf4389c56f76cd

    SHA256

    6a16511aab82faa51440197bddd11c1cce52ddd20160a630ee191eb9f626ce6c

    SHA512

    a7af2652d1a5c810845f3e0f6115477fb5e47cf1db645a7d8567c100277d213103fe6418a52a71aa8c83ba5a47d2f81a98b429456293f58ef9aa730811b29c5f

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\icarus_mod.dll

    Filesize

    15KB

    MD5

    b58aa1772b0da86313ea07903be02002

    SHA1

    2e3cf5b6c6b575633b687de9463e247460d9c833

    SHA256

    801ff2ea4307cd3a1f6a6f3744f7510c3de7e9ddac1db863859ee7d3207d46ff

    SHA512

    075ab7db5632dd2ca6a63cd7d7e7df905c1348269b3f0e8e3bd2efff1663950b4c50f22ea8f1ab5286f55ba0d3eb1d234a631425c4578b27797f15ac88a6172d

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\icarus_ui.exe

    Filesize

    11.8MB

    MD5

    630f299a07c056d3ccfd8b6499304af4

    SHA1

    bb06310b3cfbe95069e37d389655b4616369c3e4

    SHA256

    5a717caa148a79724d65f72b437b7d169fef26cfa676ac8bf7fb59354cf489a0

    SHA512

    e68d70727e51008a3b7438b65e921be69e17eadc0b3e86b7010d4900ca50988d4a1e20ca869efcc5d3802bc22364aa7714d7a18592c736f18ea6bac822ae4035

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\product-def.xml

    Filesize

    1.3MB

    MD5

    0cbe03f2a4315fd99a2d7c1b3434e392

    SHA1

    542cdee4a6013afc88710b73bdb9f7bc73890bfb

    SHA256

    5ddc8de2bfd97b3e5ef529b3f340145bad10c122b6f00669d09e6ed6a8f22b43

    SHA512

    e72836cb99da8c0d14f5da9db02e0a855e231adebbd0255d56c1b05216e0058c443e2795e87868e85e18335231232ec75888f3722560e4835c14000edb73d5e2

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\product-info.xml

    Filesize

    9KB

    MD5

    d7e8b97d50765365e6793fade40742dc

    SHA1

    78229d4731a07f3efe18c6eb9bc36de380a98b5e

    SHA256

    d8780ee84985530a785f07c6f959de5d0835d7ee4db536bef5acef1379602e75

    SHA512

    d311d33f3b412132bf20e0f7773d32efbc4e71f5c19fa176cb6c994390dc5ce32ccaad2eb9081cb7bbcbf23cd0ddc916951781f83af68ba3c9084667a68b7e87

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\common\setupui.cont

    Filesize

    382KB

    MD5

    b790cb82fe208a019358579c9c610021

    SHA1

    98810354ed887fe4d5d83d379bf0776e51d71d4b

    SHA256

    175b34fdca1a4b61c1c95d4f27f2ca408eaf7607a7acbe51edd6484f01df2ba1

    SHA512

    2d58422aa465fdf2f5846516aa393bd1c47f6b46d6e37999de466fd48f8b4607bd0942d8a136ab48a6f19301df5b3a1374b73c6f516cc597c5637cfbf6410169

  • C:\Windows\Temp\asw-cea8b978-ac66-4ace-adeb-8cfaf5d72daf\icarus-info.xml

    Filesize

    1KB

    MD5

    cad050feb021e7ec84a243cffebee93e

    SHA1

    d7fd56080b5f6528f75d54adb289c94789f8bcc8

    SHA256

    ada81f215134896f29f9af4cb0fb7fb2abc1ba26e7c9e22219476b1f7da5e7db

    SHA512

    7e47393d056c47d0d39e247616e3e6d960842d31a96e181ed9cb616b3e72a9ee5075cbbdc62b4fece66f6dad43df865e9f423f21852f81641b58c0c3b9d767c5

  • C:\Windows\Temp\asw.7ec29f343b974334\avg_antivirus_free_online_setup.exe

    Filesize

    1.6MB

    MD5

    f09798c668ab48b3c69278290e971cfc

    SHA1

    28a88f8c2a11eee6200198d4c1ff85ebe7ee5be8

    SHA256

    1e628a18b0e339dc6f72441cd3fbe0f43248ad63ba2b8f8c648a2d450e5ba529

    SHA512

    8f42cad525d25f1df2a66be6f663c4a0a5a9fd001a54918eed1df9cff26518082a046bec9f46331338f306c3c0e4ed6f5a555ae6b4e5ad5bf70c6b03b7ceaf58

  • C:\Windows\Temp\asw.7ec29f343b974334\ecoo.edat

    Filesize

    38B

    MD5

    aaa8f0ca4acc800e63ec0cc3f9598380

    SHA1

    ba82445e4b1eae5bed00d6e5a78411b05700d88d

    SHA256

    9fa614083ebc934b52510cc41eb3246e1b0d199329ab1fd3aea08a5bce62bcdf

    SHA512

    cffec5401f95e8ddfd9edf6c2ea072114d3be913fd48f874938524046f08dea246823ce042fb9d452692c90c50a215c3dcaa19c02270d93534b6ff2da0d88dc0