| File name: | avast_cleanup_online_setup.exe |
| Full analysis: | https://app.any.run/tasks/cccae5ee-422f-44c8-9430-3246a67ff242 |
| Verdict: | Malicious activity |
| Analysis date: | June 09, 2024, 20:44:22 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | |
| MIME: | application/x-dosexec |
| File info: | PE32 executable (GUI) Intel 80386, for MS Windows |
| MD5: | C16610645E37402B49D478EA1015471B |
| SHA1: | E8F47463C587992B44BC73EA9A798DD118109D6F |
| SHA256: | 13CE949A162816C81E54C6E3E4AF2E22BD73706318C2E7E9ADB230DA6CB67668 |
| SSDEEP: | 49152:2SYjq9+4pc2UOmL/+BBJ/EHQnwsSXLA1xqKm9XUeVCf2D0u:2SYjXic2U5L/+BBJ/EHQnWbA1xqKmS |
MALICIOUS
Drops the executable file immediately after the start
- avast_cleanup_online_setup.exe (PID: 6480)
- icarus.exe (PID: 6804)
- icarus.exe (PID: 7020)
Creates a writable file in the system directory
- icarus.exe (PID: 7020)
SUSPICIOUS
Executable content was dropped or overwritten
- avast_cleanup_online_setup.exe (PID: 6480)
- icarus.exe (PID: 6804)
- icarus.exe (PID: 7020)
Starts itself from another location
- icarus.exe (PID: 6804)
Process drops legitimate windows executable
- icarus.exe (PID: 7020)
The process drops C-runtime libraries
- icarus.exe (PID: 7020)
The process creates files with name similar to system file names
- icarus.exe (PID: 7020)
The process verifies whether the antivirus software is installed
- icarus.exe (PID: 7020)
INFO
Reads the machine GUID from the registry
- avast_cleanup_online_setup.exe (PID: 6480)
- icarus.exe (PID: 6804)
- icarus.exe (PID: 7020)
- icarus_ui.exe (PID: 6852)
Reads the computer name
- avast_cleanup_online_setup.exe (PID: 6480)
- icarus_ui.exe (PID: 6852)
- icarus.exe (PID: 7020)
- icarus.exe (PID: 6804)
Checks supported languages
- avast_cleanup_online_setup.exe (PID: 6480)
- icarus_ui.exe (PID: 6852)
- icarus.exe (PID: 7020)
- icarus.exe (PID: 6804)
Creates files in the program directory
- avast_cleanup_online_setup.exe (PID: 6480)
- icarus.exe (PID: 6804)
- icarus_ui.exe (PID: 6852)
- icarus.exe (PID: 7020)
Create files in a temporary directory
- avast_cleanup_online_setup.exe (PID: 6480)
- icarus.exe (PID: 6804)
- icarus.exe (PID: 7020)
Checks proxy server information
- avast_cleanup_online_setup.exe (PID: 6480)
Reads the software policy settings
- avast_cleanup_online_setup.exe (PID: 6480)
Reads CPU info
- icarus.exe (PID: 6804)
- icarus_ui.exe (PID: 6852)
- icarus.exe (PID: 7020)
Dropped object may contain TOR URL's
- icarus.exe (PID: 7020)
Find more information about signature artifacts and mapping to MITRE ATT&CK™ MATRIX at the full report
TRiD
| .exe | | | Win64 Executable (generic) (76.4) |
|---|---|---|
| .exe | | | Win32 Executable (generic) (12.4) |
| .exe | | | Generic Win/DOS Executable (5.5) |
| .exe | | | DOS Executable Generic (5.5) |
EXIF
EXE
| MachineType: | Intel 386 or later, and compatibles |
|---|---|
| TimeStamp: | 2024:03:05 07:08:45+00:00 |
| ImageFileCharacteristics: | Executable, 32-bit, Removable run from swap, Net run from swap |
| PEType: | PE32 |
| LinkerVersion: | 14.38 |
| CodeSize: | 1030656 |
| InitializedDataSize: | 510976 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x52810 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 24.2.7007.0 |
| ProductVersionNumber: | 23.4.15807.16040 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | Avast Software |
| FileDescription: | Avast Self-Extract Package |
| FileVersion: | 24.2.7007.0 |
| InternalName: | icarus_sfx |
| LegalCopyright: | Copyright © 2024 Avast Software |
| MainProductId: | avast-tu |
| OriginalFileName: | icarus_sfx.exe |
| ProductId: | avast-icarus |
| ProductName: | Avast Installer |
| ProductVersion: | 23.4.15807.16040 |
Total processes
121
Monitored processes
5
Malicious processes
3
Suspicious processes
0
Behavior graph
Click at the process to see the details
Process information
PID | CMD | Path | Indicators | Parent process | |||||||||||
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
| 6432 | "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe" | C:\Users\admin\Desktop\avast_cleanup_online_setup.exe | — | explorer.exe | |||||||||||
User: admin Company: Avast Software Integrity Level: MEDIUM Description: Avast Self-Extract Package Exit code: 3221226540 Version: 24.2.7007.0 Modules
| |||||||||||||||
| 6480 | "C:\Users\admin\Desktop\avast_cleanup_online_setup.exe" | C:\Users\admin\Desktop\avast_cleanup_online_setup.exe | explorer.exe | ||||||||||||
User: admin Company: Avast Software Integrity Level: HIGH Description: Avast Self-Extract Package Version: 24.2.7007.0 Modules
| |||||||||||||||
| 6804 | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus.exe /icarus-info-path:C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\icarus-info.xml /install /sssid:6480 | C:\Windows\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus.exe | avast_cleanup_online_setup.exe | ||||||||||||
User: admin Company: Avast Software Integrity Level: HIGH Description: Avast Installer Version: 24.2.7007.0 Modules
| |||||||||||||||
| 6852 | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus_ui.exe /sssid:6480 /er_master:master_ep_116959b4-3f16-4701-b9ae-c3061bceecfa /er_ui:ui_ep_7c1652ee-bd78-4ccf-aa77-403ab48ef0a2 | C:\Windows\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus_ui.exe | — | icarus.exe | |||||||||||
User: admin Company: Avast Software Integrity Level: HIGH Description: Avast UI Version: 24.2.7007.0 Modules
| |||||||||||||||
| 7020 | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\avast-tu\icarus.exe /sssid:6480 /er_master:master_ep_116959b4-3f16-4701-b9ae-c3061bceecfa /er_ui:ui_ep_7c1652ee-bd78-4ccf-aa77-403ab48ef0a2 /er_slave:avast-tu_slave_ep_8814d526-2e98-460c-a316-db64db823c26 /slave:avast-tu | C:\Windows\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\avast-tu\icarus.exe | icarus.exe | ||||||||||||
User: admin Company: Avast Software Integrity Level: HIGH Description: Avast Installer Version: 24.2.7007.0 Modules
| |||||||||||||||
Total events
5 359
Read events
5 334
Write events
24
Delete events
1
Modification events
| (PID) Process: | (6480) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 5FD38555-4B16-40AE-9A09-E2C969CB74AF |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (6480) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 7CCD586D-2ABC-42FF-A23B-3731F4F183D9 |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (6480) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 8C5CFDF4-AB05-4EB0-8EF6-7B4620DC2CF3 |
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0N29cCFdeU6bRZGXes+ZTAQAAAACAAAAAAAQZgAAAAEAACAAAADbr9u+dbcCPauZyyavv2uML6INvFKz6Tq5J6gPVMT36AAAAAAOgAAAAAIAACAAAAB8KHs6U4zy4osLgqY0V89EPWERYuK5WajeDmTPagrGU1AAAACpT+0BtWw5lunKGgmDs2qvMJlZQu8R0AP4XooanrpLusKgtvmMelf0q4SsIB3jDUvPbxv00dnsAPNirpCDkiEA3uXnFit7PpIyo/sqy/xjCUAAAADwU5OHhZiE1STTPA0u2Apbv7FxOTGyzFZzMk5tsWvrCW+TRaWai5I5VgfFoNok3dzxiiEHmHcjjxe5FXQX0jxn | |||
| (PID) Process: | (6480) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 5E1D6A55-0134-486E-A166-38C2E4919BB1 |
Value: AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAA0N29cCFdeU6bRZGXes+ZTAQAAAACAAAAAAAQZgAAAAEAACAAAADbr9u+dbcCPauZyyavv2uML6INvFKz6Tq5J6gPVMT36AAAAAAOgAAAAAIAACAAAAB8KHs6U4zy4osLgqY0V89EPWERYuK5WajeDmTPagrGU1AAAACpT+0BtWw5lunKGgmDs2qvMJlZQu8R0AP4XooanrpLusKgtvmMelf0q4SsIB3jDUvPbxv00dnsAPNirpCDkiEA3uXnFit7PpIyo/sqy/xjCUAAAADwU5OHhZiE1STTPA0u2Apbv7FxOTGyzFZzMk5tsWvrCW+TRaWai5I5VgfFoNok3dzxiiEHmHcjjxe5FXQX0jxn | |||
| (PID) Process: | (6480) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 144807F0-DE37-4C62-9C05-EB4CC64A7A2F |
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42 | |||
| (PID) Process: | (6480) avast_cleanup_online_setup.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 56C7A9DA-4B11-406A-8B1A-EFF157C294D6 |
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42 | |||
| (PID) Process: | (6804) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 144807F0-DE37-4C62-9C05-EB4CC64A7A2F |
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42 | |||
| (PID) Process: | (6804) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 56C7A9DA-4B11-406A-8B1A-EFF157C294D6 |
Value: 3a75e3d4-bed1-4c75-865b-3b9822451d42 | |||
| (PID) Process: | (6804) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\1D0EC6DE-4A80-4CC3-A335-E6E41C951198 |
| Operation: | write | Name: | 5FD38555-4B16-40AE-9A09-E2C969CB74AF |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
| (PID) Process: | (6804) icarus.exe | Key: | HKEY_LOCAL_MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F |
| Operation: | write | Name: | 7CCD586D-2ABC-42FF-A23B-3731F4F183D9 |
Value: F6D4F52220BB5A3D7246A004278BB23F | |||
Executable files
83
Suspicious files
71
Text files
22
Unknown types
0
Dropped files
PID | Process | Filename | Type | |
|---|---|---|---|---|
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\fecc1d20-7e61-48c2-a50c-ab505c706e7a | binary | |
MD5:E98A6FFDC8FCA4D3CF0E3EE8AEF10D67 | SHA256:8108ADF3E6E394C42E0D419B2072B39EA62C907A32C4E84319399D89AF4C09CC | |||
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\dump_process.exe | executable | |
MD5:1C04C437444D3CF6EB95AC4BD61A96A9 | SHA256:473FB60161CE8ACA028DFE95745B614CF32C4B74928D9A17F53F3A34D897AE6F | |||
| 6480 | avast_cleanup_online_setup.exe | C:\ProgramData\Avast Software\Icarus\Logs\sfx.log | text | |
MD5:ECAA88F7FA0BF610A5A26CF545DCD3AA | SHA256:F1945CD6C19E56B3C1C78943EF5EC18116907A4CA1EFC40A57D48AB1DB7ADFC5 | |||
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\157d0ea2-0d1e-4750-869a-0371ce63b3b5 | binary | |
MD5:6265D6F250DD097BFE6950F44E7DB05D | SHA256:E2A82BAD092C2AA69BC4B65528357D8E22C00AF644837CE92B1F474C264F480B | |||
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\ecoo.edat | text | |
MD5:8665B427A5D7E79975307738D5200A8E | SHA256:A1CD56D90A8BC3B2A11C93E88DB32468CAA3607FEACE07563F890D4E9E10E040 | |||
| 6804 | icarus.exe | C:\ProgramData\Avast Software\Icarus\Logs\report.log | — | |
MD5:— | SHA256:— | |||
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\a4bf9c9a-7e62-4da0-99cf-72bdb04bb6d2 | binary | |
MD5:02806F3C99B2CAB6D8DEFE7A2745B933 | SHA256:F57F33041244E4DE5AF5ED2F0855622DF7A37C1ED7319A51E6B8B65C1075F845 | |||
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\icarus_ui.exe | executable | |
MD5:59FA7564E52436739CBE6AFDB3D01EB7 | SHA256:AB57748F6C1079E61DE1397CC853BAA1EBC5D6DD6731227AD26D6A073DD523D8 | |||
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\e1ac603a-b96b-4912-b2c0-b066e6920781 | compressed | |
MD5:57EAB53E4880E5EC19C4442CA7FDB56F | SHA256:6F7FC3D20D1B2A9A9A62004B0CD34024B64C42BDE54CB10E5F236CA29C14EA87 | |||
| 6480 | avast_cleanup_online_setup.exe | C:\WINDOWS\Temp\asw-91f53179-ad14-4128-a090-2765197baef0\common\product-def.xml | xml | |
MD5:F688B8E5ED2716F3AA67E4E65EB3D02D | SHA256:A1A09BAD86329D618E67E323D367B24C244CF693CCBB6214918E229E18C58F99 | |||
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
HTTP(S) requests
168
TCP/UDP connections
40
DNS requests
46
Threats
10
HTTP requests
PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
528 | svchost.exe | GET | 200 | 23.216.155.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.216.155.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
4856 | RUXIMICS.exe | GET | 200 | 23.216.155.114:80 | http://crl.microsoft.com/pki/crl/products/MicRooCerAut2011_2011_03_22.crl | unknown | — | — | unknown |
— | — | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/defs/avast-tu/release.xml.lzma | unknown | — | 1.91 Kb | unknown |
4856 | RUXIMICS.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
528 | svchost.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
5140 | MoUsoCoreWorker.exe | GET | 200 | 23.37.9.217:80 | http://www.microsoft.com/pkiops/crl/MicSecSerCA2011_2011-10-18.crl | unknown | — | — | unknown |
— | — | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/universe/fa0c/81ba/c68e/fa0c81bac68ef3134599ff8cc558fcf540b050808cab02f74d1aa1605dfd4207.lzma | unknown | — | — | unknown |
— | — | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/universe/473f/b601/61ce/473fb60161ce8aca028dfe95745b614cf32c4b74928d9a17f53f3a34d897ae6f.lzma | unknown | — | 946 Kb | unknown |
— | — | GET | 200 | 23.61.132.66:443 | https://honzik.avcdn.net/universe/a1a0/9bad/8632/a1a09bad86329d618e67e323d367b24c244cf693ccbb6214918e229e18c58f99.lzma | unknown | — | — | unknown |
Download PCAP, analyze network streams, HTTP content and a lot more at the full report
Connections
PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
528 | svchost.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
4856 | RUXIMICS.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
5140 | MoUsoCoreWorker.exe | 40.127.240.158:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | IE | unknown |
528 | svchost.exe | 23.216.155.114:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown |
5140 | MoUsoCoreWorker.exe | 23.216.155.114:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown |
— | — | 239.255.255.250:1900 | — | — | — | unknown |
4856 | RUXIMICS.exe | 23.216.155.114:80 | crl.microsoft.com | Akamai International B.V. | IE | unknown |
528 | svchost.exe | 23.37.9.217:80 | www.microsoft.com | AKAMAI-AS | PH | unknown |
4856 | RUXIMICS.exe | 23.37.9.217:80 | www.microsoft.com | AKAMAI-AS | PH | unknown |
DNS requests
Domain | IP | Reputation |
|---|---|---|
crl.microsoft.com |
| whitelisted |
www.microsoft.com |
| whitelisted |
analytics.avcdn.net |
| unknown |
honzik.avcdn.net |
| unknown |
settings-win.data.microsoft.com |
| whitelisted |
shepherd.avcdn.net |
| whitelisted |
self.events.data.microsoft.com |
| whitelisted |
Threats
PID | Process | Class | Message |
|---|---|---|---|
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |
— | — | A Network Trojan was detected | ET HUNTING Suspicious POST With Reference to WINDOWS Folder Possible Malware Infection |