Malware Analysis Report

2024-12-07 02:05

Sample ID: 241110-3mb9mazrhq
Target: 6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2
SHA256: 6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2
Tags: bootkit, discovery, persistence
Score: 6/10

Analysis Overview

Score: 6/10

SHA256: 6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2

Threat Level: Shows suspicious behavior

The file 6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2 was classified as showing suspicious behavior.

Malicious Activity Summary

Tags: bootkit, discovery, persistence

Checks for any installed AV software in registry

Writes to the Master Boot Record (MBR)

Loads dropped DLL

Executes dropped EXE

System Location Discovery: System Language Discovery

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Modifies system certificate store

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious use of SetWindowsHookEx

Checks processor information in registry

Suspicious behavior: EnumeratesProcesses

Uses Task Scheduler COM API

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-11-10 23:37

Signatures

N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-10 23:37

Reported

2024-11-10 23:40

Platform

win10v2004-20241007-en

Max time kernel

93s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe"

Signatures

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Avast Software\Avast C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus_ui.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus_ui.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA718CvQxznESUHC+dzeYPpwQAAAACAAAAAAAQZgAAAAEAACAAAAA7kh7s2ZbbXNVUwbHtYLr6PrzbY2vS7evkhDRZsqZbaAAAAAAOgAAAAAIAACAAAAB+4HI0G2HINfY5LtDMukNg5v/RXas/48rdBr6Y9hq09TAAAAD3S211YJTn4AKidtmjuiUZ/lPAJKtVoeVKI0aiTrVln8POD0Db/0R0GYY+hjrYJ3xAAAAA9VKF7SJanYSlK6/XJT9UVEAGMkUM/82QUVIdMpObgXz1hATcKYVxcXHD2ASE5rmBPrQx6WA0DLjyFwibPD0T0Q==" C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "6b545c89-9771-416a-b7ee-96cd7d659aa9" C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "6b545c89-9771-416a-b7ee-96cd7d659aa9" C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "6b545c89-9771-416a-b7ee-96cd7d659aa9" C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus_ui.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus_ui.exe N/A

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe

"C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe"

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\icarus-info.xml /install /sssid:1908

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus_ui.exe

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus_ui.exe /sssid:1908 /er_master:master_ep_1150c9a0-16b4-4e0c-a840-0097592589c3 /er_ui:ui_ep_bf6b46af-a490-44d2-b4fd-1a63d82ff02a

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus.exe /sssid:1908 /er_master:master_ep_1150c9a0-16b4-4e0c-a840-0097592589c3 /er_ui:ui_ep_bf6b46af-a490-44d2-b4fd-1a63d82ff02a /er_slave:norton-tu_slave_ep_125f6c76-85d7-448d-8e1e-baeb03e0fd50 /slave:norton-tu

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
GB 2.23.221.82:443 honzik.avcdn.net tcp
US 8.8.8.8:53 branding.norton.com udp
GB 23.223.127.228:443 branding.norton.com tcp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 223.223.117.34.in-addr.arpa udp
US 8.8.8.8:53 82.221.23.2.in-addr.arpa udp
US 8.8.8.8:53 228.127.223.23.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 0.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
US 8.8.8.8:53 honzik.avcdn.net udp
GB 2.23.221.82:443 honzik.avcdn.net tcp
GB 2.23.221.82:443 honzik.avcdn.net tcp
US 8.8.8.8:53 28.176.160.34.in-addr.arpa udp
US 8.8.8.8:53 branding.norton.com udp
GB 23.223.127.228:443 branding.norton.com tcp
US 8.8.8.8:53 branding.norton.com udp
GB 23.223.127.228:443 branding.norton.com tcp
US 8.8.8.8:53 branding.norton.com udp
GB 23.223.127.228:443 branding.norton.com tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 43.229.111.52.in-addr.arpa udp

Files

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus.exe

C:\ProgramData\Norton\Icarus\Logs\sfx.log

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\policy.def

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\icarus-info.xml

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\icarus_ui.exe

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\product-info.xml

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\skup.edat

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\gpud.edat

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\gpid.edat

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\common\bug_report.exe

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\dump_process.exe

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\setupui.cont

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\product-def.xml

C:\ProgramData\Norton\Icarus\Logs\sui.log

C:\ProgramData\Norton\Icarus\Logs\report.log

C:\ProgramData\Norton\Icarus\Logs\icarus.log

C:\ProgramData\Norton\Icarus\settings\proxy.ini

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\config.def

C:\Windows\Temp\asw-a2d499a8-6774-41d3-81a5-54c4b065a12f\norton-tu\icarus_product.dll

Analysis: behavioral1

Detonation Overview

Submitted

2024-11-10 23:37

Reported

2024-11-10 23:40

Platform

win7-20241010-en

Max time kernel

20s

Max time network

25s

Command Line

"C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe"

Signatures

Checks for any installed AV software in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Avast Software\Avast C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A

Writes to the Master Boot Record (MBR)

Tags: bootkit, persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A

System Location Discovery: System Language Discovery

Tags: discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A

Checks processor information in registry

Description Indicator Process Target
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe N/A
Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe N/A

Modifies registry class

Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "b8439b0c-a87b-460d-a0cb-9c146448e882" C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "b8439b0c-a87b-460d-a0cb-9c146448e882" C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "65F115A51CCCDBF623206AEDE3B3D8A4" C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAj3HBL64GRUKWJvM/EeqamwQAAAACAAAAAAAQZgAAAAEAACAAAADUGKeeEAnktumYvkdqkPJ67bopa+KOvEI9o28KBvgpSwAAAAAOgAAAAAIAACAAAAASsRRSUKcnm45mMDmPvOJNsuprxlTxOLMoF+vKM/rOVTAAAAAWN3jswc2cs1ST+xKVW0+qd24KtwLVqVWCpq8Lnw/6+p0hAF9Xjp3yMOdHa09s801AAAAA81R+Za9RoC9qUx3aJ0ngoKhD+dkiSQIN2vZUnbyXCyHn8IUH/GGuV8D6IpBLEJ0Z4NSIIGkIk1ngjG/AJnhbLQ==" C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "b8439b0c-a87b-460d-a0cb-9c146448e882" C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A

Modifies system certificate store

Tags: evasion, spyware, trojan
Description Indicator Process Target
Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = <certificate blob omitted> C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2116 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe
PID 2116 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe
PID 2116 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe
PID 2116 wrote to memory of 2880 N/A C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe
PID 2880 wrote to memory of 816 N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe
PID 2880 wrote to memory of 816 N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe
PID 2880 wrote to memory of 816 N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe
PID 2880 wrote to memory of 2820 N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe
PID 2880 wrote to memory of 2820 N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe
PID 2880 wrote to memory of 2820 N/A C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe

Uses Task Scheduler COM API

Tags: persistence

Processes

C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe

"C:\Users\Admin\AppData\Local\Temp\6d93d6a5b0c66d7d1aed0812069a56a2c06f750c63bdcf637a9b0d3fcabaf0e2.exe"

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\icarus-info.xml /install /sssid:2116

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe /sssid:2116 /er_master:master_ep_44ae9d3a-1b97-4f91-b2c5-f5c9ac16cc00 /er_ui:ui_ep_e2f62b7e-4730-4f55-b5f5-271c0658ec15

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus.exe /sssid:2116 /er_master:master_ep_44ae9d3a-1b97-4f91-b2c5-f5c9ac16cc00 /er_ui:ui_ep_e2f62b7e-4730-4f55-b5f5-271c0658ec15 /er_slave:norton-tu_slave_ep_e132d0eb-baa4-46f3-bdc7-52551e530b6f /slave:norton-tu

Network

Country Destination Domain Proto
US 8.8.8.8:53 analytics.avcdn.net udp
US 34.117.223.223:443 analytics.avcdn.net tcp
US 8.8.8.8:53 honzik.avcdn.net udp
GB 2.23.221.82:443 honzik.avcdn.net tcp
US 8.8.8.8:53 branding.norton.com udp
GB 23.223.127.228:443 branding.norton.com tcp
US 8.8.8.8:53 shepherd.avcdn.net udp
US 34.160.176.28:443 shepherd.avcdn.net tcp

Files

\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus.exe

C:\ProgramData\Norton\Icarus\Logs\sfx.log

C:\ProgramData\Norton\{086A63F0-6B13-4F29-9695-134E7A01E963}\LC.INI

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\policy.def

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\icarus-info.xml

C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\icarus_ui.exe

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\skup.edat

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\gpud.edat

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\product-info.xml

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\gpid.edat

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\bug_report.exe

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\dump_process.exe

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\common\setupui.cont

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\product-def.xml

memory/816-113-0x000007FFFFF70000-0x000007FFFFF80000-memory.dmp

C:\ProgramData\Norton\Icarus\Logs\sui.log

C:\ProgramData\Norton\Icarus\Logs\report.log

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\config.def

C:\Windows\Temp\asw-a8a49445-1c66-438a-8de4-87cbb61a5eef\norton-tu\icarus_product.dll

C:\ProgramData\Norton\Icarus\Logs\icarus.log

C:\ProgramData\Norton\Icarus\settings\proxy.ini
