Malware Analysis Report

2025-01-03 09:07

Sample ID: 240620-njgbvavdjg
Target: 2024-06-20_455caecc79ff99c68305b7e013818c77_magniber
SHA256: 0d2b4798b8aa77c8c817d46e9cedc4654af7794ab8de3d40f621e0a08d17f76f
Tags: bootkit, persistence
Score: 6/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

Score: 6/10

SHA256: 0d2b4798b8aa77c8c817d46e9cedc4654af7794ab8de3d40f621e0a08d17f76f

Threat level: Shows suspicious behavior

The sample scores 6/10 on the sandbox's heuristic signatures; none of them is conclusive on its own. The "magniber" token is part of the submitted file name, not something the detonation observed. The dropped components (icarus.exe, icarus_ui.exe and the privax-vpn product directory), the C:\ProgramData\Privax\Icarus log path and the outbound connections to avcdn.net and avast.com hosts are consistent with the Avast Icarus installer framework setting up a VPN product. Treat the two highest-weight signatures as leads to verify rather than confirmed bootkit or trust-injection behaviour: the MBR signature records only that \??\PhysicalDrive0 was opened with write access, and the certificate key is created in the AuthRoot store that Windows itself populates through automatic root updates.

Malicious Activity Summary

bootkit persistence

Writes to the Master Boot Record (MBR)

Executes dropped EXE

Loads dropped DLL

Suspicious behavior: EnumeratesProcesses

Suspicious use of AdjustPrivilegeToken

Suspicious use of FindShellTrayWindow

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Uses Task Scheduler COM API

Checks processor information in registry

Modifies registry class

Modifies system certificate store

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-20 11:25

Signatures

N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 11:25

Reported

2024-06-20 11:27

Platform

win7-20240221-en

Max time kernel

121s

Max time network

122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe | N/A
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe | N/A

Note: this signature fires when a handle to \??\PhysicalDrive0 is requested with write access. The report records no sector-level write, so the indicator alone does not establish that boot code was altered; confirm by comparing sector 0 of the disk before and after detonation.
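The check a practitioner wants for this signature is a before/after comparison of the first sector, decoded so that a boot-code patch, a disk-signature change and a partition-table change are reported separately. The following script is an added example for this report, not part of the sandbox output; the MBR bytes produced by build_sample_mbr() are constructed for illustration and no bytes from the analysed sample are used.

```python
"""Diff sector 0 of a disk (or raw disk image) before and after a detonation."""
import hashlib
import struct

SECTOR_SIZE = 512
BOOT_SIGNATURE = b"\x55\xaa"
# status, CHS start, type, CHS end, LBA start, sector count
PARTITION_ENTRY = struct.Struct("<B3sB3sII")


def parse_mbr(sector: bytes) -> dict:
    """Decode a classic MBR into the parts a bootkit would touch."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("MBR must be exactly 512 bytes")
    if sector[510:512] != BOOT_SIGNATURE:
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for index in range(4):
        offset = 446 + 16 * index
        status, _, ptype, _, lba_start, count = PARTITION_ENTRY.unpack_from(sector, offset)
        if ptype == 0:
            continue  # empty slot
        partitions.append({
            "index": index,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba_start,
            "sectors": count,
        })
    return {
        # bytes 0-439 hold the boot code a bootkit replaces or hooks
        "boot_code_sha256": hashlib.sha256(sector[:440]).hexdigest(),
        "disk_signature": struct.unpack_from("<I", sector, 440)[0],
        "partitions": partitions,
    }


def diff_mbr(before: bytes, after: bytes) -> list:
    """Return human-readable differences between two MBR snapshots."""
    a, b = parse_mbr(before), parse_mbr(after)
    findings = []
    if a["boot_code_sha256"] != b["boot_code_sha256"]:
        findings.append("boot code (bytes 0-439) changed")
    if a["disk_signature"] != b["disk_signature"]:
        findings.append("disk signature changed")
    if a["partitions"] != b["partitions"]:
        findings.append("partition table changed")
    return findings


def read_sector0(path: str) -> bytes:
    """Read the first sector of a raw device or image file (a physical device path needs admin rights)."""
    with open(path, "rb") as handle:
        return handle.read(SECTOR_SIZE)


def build_sample_mbr(boot_code: bytes, disk_signature: int = 0x1234ABCD) -> bytes:
    """Constructed sample MBR: one bootable NTFS (0x07) partition at LBA 2048."""
    code = boot_code.ljust(440, b"\x00")[:440]
    entry = PARTITION_ENTRY.pack(0x80, b"\x00\x00\x00", 0x07, b"\x00\x00\x00", 2048, 204800)
    table = entry + b"\x00" * 48  # three empty slots
    return code + struct.pack("<I", disk_signature) + b"\x00\x00" + table + BOOT_SIGNATURE


if __name__ == "__main__":
    clean = build_sample_mbr(b"\xfa\x33\xc0")   # constructed stub, not real boot code
    hooked = build_sample_mbr(b"\xe9\x00\x00")  # constructed: a patched jump at byte 0
    print(diff_mbr(clean, clean))
    print(diff_mbr(clean, hooked))
```

In practice the two snapshots come from read_sector0() on the sandbox VM's disk image taken before submission and after the run; a non-empty result from diff_mbr() is what turns this signature from a heuristic into a finding.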

Checks processor information in registry

Description | Indicator | Process | Target
--- | --- | --- | ---
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
--- | --- | --- | ---
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "585c961e-5216-4629-90df-1fa3163aa0d8" | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\7CCD586D-2ABC-42FF-A23B-3731F4F183D9 = "66FC9A86B023D8FFC79948E2D373B0F2" | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\5E1D6A55-0134-486E-A166-38C2E4919BB1 = "AQAAANCMnd8BFdERjHoAwE/Cl+sBAAAAwu3JkhG/l0WFqQ1tXFoYBgQAAAACAAAAAAAQZgAAAAEAACAAAAAimBbtLQ3NQqbZG/gU77xVqW4ZrPvbsD2nmRDS3deUTgAAAAAOgAAAAAIAACAAAABeyuVND4DeaK6GOmonUwJa5F+QTG0sRaJ9BqwjizhNdGAAAAAs9LxOZxwUZW7c4UokzGDfYxHYquDqlg96TALUs6/rDbbDnF+Ok2H18YT5l7DrcaXJMxXUxc3uMwabB6x/rfrHhMQcTolqVqrU/iOuEsjdiG2J16oaJc7RR9yaobCLs7tAAAAAg8x6ZY9KAEUhW9uqXDqRBRa8FwEPasGag+n0QyE3CySsJjPgLHzOaEb1m8v9EaRTCeyR3/qL7e3CY475/EW2nQ==" | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe | N/A
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\C06AEB9D-8774-46E7-8160-8321BCD14D9F\56C7A9DA-4B11-406A-8B1A-EFF157C294D6 = "585c961e-5216-4629-90df-1fa3163aa0d8" | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe | N/A

Modifies system certificate store

evasion spyware trojan

Description | Indicator | Process | Target
--- | --- | --- | ---
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436 | C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe | N/A
Set value (data) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = (binary blob, not reproduced in this report) | C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe | N/A

Note: AuthRoot\Certificates is the store Windows populates when it fetches a root from the automatic root update service during chain building, which a TLS connection from the sandboxed process can trigger when the chain's root is not yet cached locally. The key name is the certificate's SHA-1 thumbprint. Before treating this as an injected root, recompute the thumbprint from the DER certificate inside the Blob rather than trusting the key name, and check it against the roots you already trust.
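The verification described above, as an added example for this report rather than anything from the sandbox output: it splits a SystemCertificates Blob value into its property records, recomputes the SHA-1 thumbprint from the embedded DER certificate, and compares it with the registry key name and with an allowlist of trusted thumbprints. The record layout assumed here is the serialized property form Windows uses for the Blob value (DWORD property id, DWORD reserved equal to 1, DWORD length, then data); the DER bytes are constructed filler, not a real certificate.

```python
"""Check a SystemCertificates registry Blob against the thumbprint it is stored under."""
import hashlib
import struct

CERT_SHA1_HASH_PROP_ID = 3   # cached SHA-1 thumbprint
CERT_CERT_PROP_ID = 32       # the DER-encoded certificate itself
RECORD_HEADER = struct.Struct("<III")  # property id, reserved (1), data length


def parse_cert_blob(blob: bytes) -> dict:
    """Split a Blob value into {property_id: data}, refusing malformed input."""
    props = {}
    offset = 0
    while offset < len(blob):
        if offset + RECORD_HEADER.size > len(blob):
            raise ValueError("truncated property record header")
        prop_id, reserved, length = RECORD_HEADER.unpack_from(blob, offset)
        offset += RECORD_HEADER.size
        if reserved != 1:
            raise ValueError(f"unexpected reserved value {reserved} at property {prop_id}")
        if offset + length > len(blob):
            raise ValueError(f"property {prop_id} runs past end of blob")
        props[prop_id] = blob[offset:offset + length]
        offset += length
    return props


def check_store_entry(key_name: str, blob: bytes, known_thumbprints=frozenset()) -> dict:
    """Recompute the thumbprint from the DER and compare it with the key name and an allowlist.

    The key name and the cached hash record are metadata that the writer controls;
    only SHA-1 over the DER bytes identifies the certificate that will be trusted.
    """
    props = parse_cert_blob(blob)
    der = props.get(CERT_CERT_PROP_ID)
    if der is None:
        raise ValueError("blob carries no certificate (property 32)")
    thumbprint = hashlib.sha1(der).hexdigest().upper()
    cached = props.get(CERT_SHA1_HASH_PROP_ID)
    return {
        "thumbprint": thumbprint,
        "key_name_matches": thumbprint == key_name.upper(),
        "cached_hash_matches": cached is None or cached == bytes.fromhex(thumbprint),
        "known_root": thumbprint in {t.upper() for t in known_thumbprints},
    }


def build_blob(der: bytes) -> bytes:
    """Serialize a constructed Blob with a cached hash record followed by the certificate record."""
    def record(prop_id: int, data: bytes) -> bytes:
        return RECORD_HEADER.pack(prop_id, 1, len(data)) + data
    return record(CERT_SHA1_HASH_PROP_ID, hashlib.sha1(der).digest()) + record(CERT_CERT_PROP_ID, der)


# Constructed filler standing in for a DER certificate (not a real certificate).
SAMPLE_DER = b"\x30\x82\x01\x00" + bytes(range(256))
# Key name taken from the report's AuthRoot entry.
REPORTED_KEY = "A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436"

if __name__ == "__main__":
    blob = build_blob(SAMPLE_DER)
    # Stored under its own thumbprint: key name and content agree.
    print(check_store_entry(hashlib.sha1(SAMPLE_DER).hexdigest(), blob))
    # Same blob stored under the reported key name: the name does not match the content.
    print(check_store_entry(REPORTED_KEY, blob))
```

On a live system the Blob bytes come from the registry value named in the table; pass your organisation's trusted root thumbprints as known_thumbprints, and treat key_name_matches being false, or known_root being false for an entry in AuthRoot, as the point at which the signature deserves escalation.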

Suspicious behavior: EnumeratesProcesses

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
--- | --- | --- | ---
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
--- | --- | --- | ---
PID 2160 wrote to memory of 1244 (4 records) | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe
PID 1244 wrote to memory of 2672 (3 records) | N/A | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe
PID 1244 wrote to memory of 1992 (3 records) | N/A | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe | C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe

Note: identical rows in the original listing are collapsed with a record count. Every write follows the parent-to-child chain of the process tree below (2160 to 1244, then 1244 to 2672 and 1992); the children are launched with /sssid:2160, the PID of the submitted sample, and no write into an unrelated process was recorded.

Uses Task Scheduler COM API

persistence

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe"

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe /icarus-info-path:C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\icarus-info.xml /install /sssid:2160

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe /sssid:2160 /er_master:master_ep_d1c415c9-2f22-4ab0-bafa-36c20606cc3c /er_ui:ui_ep_177aa07a-0932-40d1-be0d-05f22203ef98

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus.exe /sssid:2160 /er_master:master_ep_d1c415c9-2f22-4ab0-bafa-36c20606cc3c /er_ui:ui_ep_177aa07a-0932-40d1-be0d-05f22203ef98 /er_slave:privax-vpn_slave_ep_4cd64ba4-0588-437e-8e60-089198f55330 /slave:privax-vpn

Network

Country | Destination | Domain | Proto | Flows
--- | --- | --- | --- | ---
US | 8.8.8.8:53 | analytics.avcdn.net | udp | 4
US | 34.117.223.223:443 | analytics.avcdn.net | tcp | 5
US | 8.8.8.8:53 | honzik.avcdn.net | udp | 3
GB | 2.21.189.79:443 | honzik.avcdn.net | tcp | 3
US | 8.8.8.8:53 | shepherd.ff.avast.com | udp | 1
US | 34.160.176.28:443 | shepherd.ff.avast.com | tcp | 1

Note: identical rows in the original listing are collapsed into the Flows column. All recorded traffic is DNS to 8.8.8.8 and TLS (port 443) to avcdn.net and avast.com hosts; no other destination appears.

Files

\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus.exe

MD5 c48866efc173ea0ec9bf50997667832a
SHA1 8c12528e50f9050f55837dc64c394018cdfee028
SHA256 622e14f175b2a018786f29354ca8373bc0f6b2b5b2be06ebebdc5bed37d16b86
SHA512 cd8b1ed0d1a184a3fafc44785bfb470fa0dc84db4812e381cc0fcd8ce959a0c17188641c945c268bbe78c80fc716c59fbaaade22b3e3af57560d9364337b7d65

C:\ProgramData\Privax\Icarus\Logs\sfx.log

MD5 cc9e016cd7c996936864ee3efaf6026f
SHA1 4f00cbef9f1ef3a00f441f2b68f018a884f3a831
SHA256 8c9d1c227a20532b506f4fb6deee848278c9cba56d3b8e49ac121dfd6815149e
SHA512 36d2f3b278f6d9a4eb6393cd986e59ef8caec6fc9b46bcb48c9ceb68dd7380eeafa2363c0e75f4c2a37d538aea79ff4cdd06b5c7e98e62f97c0e71e259812ee8

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\icarus-info.xml

MD5 427404042c3c8f616e52ca47359d6c32
SHA1 efe4ddf9ae1313931f2030169dd1cebb45afa855
SHA256 dd8acebec1f6a0094f9410955988d66cd472914503c19b93144f2b14d7355643
SHA512 1dcd80b4764bb2ef896c7effeb616ce2be72ec05e90bfec571355baaba971c7c08ce9bff12a2d18c57789ed3b110e07846ed8d40990504efe5c459b97f0ef63f

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\icarus_ui.exe

MD5 a6d1dc0f66b7589ec7955533ea590f22
SHA1 59f175a71ba4623f77b9a0e60e1bcfb997e595b5
SHA256 19a3159e31fb6e46eec37ecee440dcc51ce3bf92a98593443f11099c83d4370a
SHA512 b743e403aab45183da20c50893af98f6206437cb90e478614de19cfe8ee44ec986acbb1504a8375c7d5c39fcabb5ef2f2be50ae3c0c36ebf72a02fa5d8126201

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\setupui.cont

MD5 99ddbdb14e14e5e46049412a31825ecd
SHA1 7df3a1c3b6aa9e9a8de102886ef882c7df843974
SHA256 d26ecdd36d4b0cb1162d180c675e3f5bd125142899cfa23246c8b50dd7313a1a
SHA512 353f511bfc3b7bb3a70b6e005b91131f21cfb60a5960191d4b14791ffe892c5925f4658cbeb141873f12aa25a418e118822dfb3b96fef1c41f48c813c2c0faa5

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\product-info.xml

MD5 cc0bee1c46961ec7fa9fd97f83d8859e
SHA1 73b29e5b9b5138f71ca0f35224de1ffb51546861
SHA256 1f87d953b36d47ad82354d72ade7f831ce3e850948c428f53e0d5f5f5a966a97
SHA512 0d8d7106ade53cc66f1202f46bd96ba8cc17148a90aa634692323bf65892c113173bf9813206352204af4d8cd9cc59f11994a6d3f6f4503f2aa6b731903c24e5

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\ecoo.edat

MD5 5832246a21ba0792a54f8b4ac451caf3
SHA1 6404694caa0a26ba8fb4061c13691ba3cec07801
SHA256 ce596aa7c218d9263e8ab78a069c07c144b6e40301b2b737184650db465162de
SHA512 2187ee742ea77e57d0123811f7c0a1f27275ecd33a9a456716f61f65ba38f9a746e46b7f14b934cc252274da510b173ba5cb7ff5dbc180c6cd03e6060307e437

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\dump_process.exe

MD5 c5822242c24400d1e9c8020864dd77d2
SHA1 feb315bbc33090cdac29608f2f608ecc983481dc
SHA256 8bd9cf28bd7d4c1f6fab7955f294fb69074d76666bf5b332bde5ca5c0d3019ad
SHA512 2dfd3b65f8b1e3e5aab4a169dbfea3659f7cacdf628fe4d6b45f97c7cdef076440c7900407b3772504ea1b40c090905a348757c54d83edff604d856ee43370d6

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\bug_report.exe

MD5 9317c087c4407638c1f2e9b0088ea301
SHA1 dcb654b51748dad9b71e10b2b00e132b904bd114
SHA256 5ead5cf5ade667f404c5d08324708d2363ea205de723fdb6cbe92cec832c85e1
SHA512 8a1413e7738b6f26126755a680ea6ba744c641743a98b4b968b0b7cc4d33646b7d31a9a840ade4d5b933903f118bf4a5f7da78814eac894e61440f01c06aff8e

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\common\product-def.xml

MD5 b0bed9d5cf5961d533f2193e6b10581a
SHA1 af69d5d08f8a1234db89e4af0c13cc3d4607b408
SHA256 6b64579b507508892f0fe699473aeb1cf2f2fdf6d346455437cea863149414ee
SHA512 d8e59f5bedd985d29bdfb3d53102d5fb849ff1d8ea7b559021860dfe8dbe5ef89a3fb90d1da8bd5c3c983d425ae1b34c83cf34ff4c725cf15473d695c2bf94d2

C:\ProgramData\Privax\Icarus\Logs\icarus.log

MD5 3966ec429c807c6df37f059d1f760bdf
SHA1 0121c09ecfc7b1439e895044b969af41148a4aba
SHA256 770ffb12213f00e08ebf81f282f9ba6e3f3e50b1566b1ec2e2122f7047a3cc10
SHA512 284e9552df2fbaacc5873dd70d503eed56b542720842098cbfe7abf5a23f91dbd7d3a1636400324a681abe57278119c45f57a569d9cc5e35b11b2ff09b62a1ea

C:\ProgramData\Privax\Icarus\Logs\sui.log

MD5 450871ad7e5b809832b4875fd7aa58e2
SHA1 88a5db30792332c4f44272e20e49a8033908cee6
SHA256 c6572eb5f367f289fd2eed21291c508502107d24bc87674adec1807b354d7422
SHA512 75c4269fa147a062609d0d7b5677dcc37429e43502a6cfe1f601233878c094fd19c7cb3811bdcd1fdcece64c13ee7638bb081bc5c46a26affc10c89b1deb5fcd

C:\ProgramData\Privax\Icarus\Logs\report.log (0-byte file; the hashes below are those of empty input)

MD5 d41d8cd98f00b204e9800998ecf8427e
SHA1 da39a3ee5e6b4b0d3255bfef95601890afd80709
SHA256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855
SHA512 cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

C:\ProgramData\Privax\Icarus\settings\proxy.ini

MD5 d6de6577f75a4499fe64be2006979ae5
SHA1 0c83a2008fa28a97eb4b01d98aeab90a2e4c8e69
SHA256 87d882d37f63429088955a59b126f0d44fa728ce60142478004381a3604c9ea9
SHA512 cb4b42c07aa2da7857106c92bc6860a29d8a92f00e34f0df54f68c17945982bc01475c83b1a1079543404bb49342fc7cdc41d2ac32d71332439ceb27b5ad1c0c

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\icarus_product.dll

MD5 93e13290e97a3bb0710d581566d0b105
SHA1 ec34348ca5e1689183b2b7576749365e83095935
SHA256 b95f1578fe5c03b23450c4294dc8a573a9f0b86163fba77dcbcd465ae2ada87c
SHA512 0e119e093b2b35d0719cfd4bf95fd14786b5879d06aa0d28ce0bc0996616d32191bbc13bf9ebc0e6f8c3ffdebd0e3b092cf03047edb9d84d37b9216f3e00da7b

C:\Users\Admin\AppData\Local\Temp\D566D7D7-DCD6-471C-8109-BE0AD33199E3

MD5 22417b5d5eb168147f2c237d658a7163
SHA1 6ae67daf07c0a187f397923ecba497e5ab01ed58
SHA256 f1945b77f21bf5b8174bc94d0d69d4446baffd6808185554f8ae541e4254ecb1
SHA512 392b79a63b451495cc81877c288c0068d6c159bf0d7ce9ac0cc290128e57a5a1ebe0569dcbab85433448b3c1928be03cf01300ec7ae99573cfc4ef8c4c9b3cb8

C:\Users\Admin\AppData\Local\Temp\F07D8C6A-04B6-4025-869C-70A788D7B5C0

MD5 96302eb020601aee7c3ba86932ff12bc
SHA1 66609bc1d21fe18073878bec0dc77e10dcfd4e63
SHA256 1e71992608d73e44dc6d3f85b884e930753ea52d70990a7476377e42504ebf34
SHA512 5ca0f9dbcfe79a8a38eec750c77659f98a0e04d5845623b393f00e45f1b56a9d3bfeb518f9157f89c6843196502449cac29d86e36e207ca7469c0b12f71ce1e9

C:\Windows\Temp\asw-5eae5d15-07e8-4f1c-8fa8-0e71bbe120f7\privax-vpn\config.def

MD5 daaa17da8179678d2a8f28f93b0afcd7
SHA1 d6cb5fae2e99dde34feb09adfccbadb4ecb86bc4
SHA256 8be127d77130e20ee46f084231853266becaa0349a44da6ed4270c9b04c9261f
SHA512 1133753c891d59ef8ebb43a7601aa2ba5a72e32300ae32b847f75c3164b294dab9b24e57f3c66ae0e4c0ca75e2cbb175d49698540d972cdff2fd3b3ea887d4b4

memory/2672-116-0x000007FFFFF90000-0x000007FFFFFA0000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 11:25

Reported

2024-06-20 11:27

Platform

win10v2004-20240508-en

Max time kernel

147s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe"

Signatures

Writes to the Master Boot Record (MBR)

bootkit persistence

Description | Indicator | Process | Target
--- | --- | --- | ---
File opened for modification | \??\PhysicalDrive0 | C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
--- | --- | --- | ---
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe

"C:\Users\Admin\AppData\Local\Temp\2024-06-20_455caecc79ff99c68305b7e013818c77_magniber.exe"

Network

Country | Destination | Domain | Proto | Flows
--- | --- | --- | --- | ---
US | 8.8.8.8:53 | analytics.avcdn.net | udp | 3
US | 8.8.8.8:53 | honzik.avcdn.net | udp | 2

Note: identical rows in the original listing are collapsed into the Flows column. Only DNS queries were recorded in this run; no TCP connection, child process or dropped file appears, so the installer stage seen in behavioral1 did not get that far on this platform.

Files

N/A