Analysis
-
max time kernel
153s -
max time network
154s -
platform
windows10-2004_x64 -
resource
win10v2004-20221111-en -
resource tags
-
submitted
25-11-2022 08:32
General
-
Target
6c9f67067a876c7c3397a455e410fb153915d092d20f07cc88aa77e9fddfee61.exe
-
Size
136KB
-
MD5
5e4be45a486cb897eb08299d30165cc5
-
SHA1
eee529acf2bda485924a9af7d0a48cba6ac9b44d
-
SHA256
6c9f67067a876c7c3397a455e410fb153915d092d20f07cc88aa77e9fddfee61
-
SHA512
a8e0992e51c59748d4a06b7ac857c9ce6d8866a6bffc751ebc282f5564b56638d0e5c2cb0b75c15e2cd2affbf30c658c40ac400193b9067514c702cbee7c0c00
-
SSDEEP
3072:RNrioZnIXNPfj7+wpqc7uZF4cK5BbRybFvJXztb3UNeIM:/riinId3+wpqquyT03UNW
Malware Config
Signatures
-
Creates new service(s) 1 TTPs
-
Downloads MZ/PE file
-
Executes dropped EXE 4 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 9 IoCs
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 64 IoCs
-
Launches sc.exe 3 IoCs
Sc.exe is a Windows utlilty to control services on the system.
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of WriteProcessMemory 18 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\6c9f67067a876c7c3397a455e410fb153915d092d20f07cc88aa77e9fddfee61.exe"C:\Users\Admin\AppData\Local\Temp\6c9f67067a876c7c3397a455e410fb153915d092d20f07cc88aa77e9fddfee61.exe"1⤵
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\installer_2.20.6.exeC:\Users\Admin\AppData\Local\Temp\installer_2.20.6.exe2⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\tmp8D76.exe"C:\Users\Admin\AppData\Local\Temp\tmp8D76.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /UTM=3⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\Temp\is-IA8OT.tmp\tmp8D76.tmp"C:\Users\Admin\AppData\Local\Temp\is-IA8OT.tmp\tmp8D76.tmp" /SL5="$1601D6,1971045,721408,C:\Users\Admin\AppData\Local\Temp\tmp8D76.exe" /VERYSILENT /SUPPRESSMSGBOXES /NORESTART /UTM=4⤵
- Executes dropped EXE
- Drops file in Program Files directory
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" create ProxyVan2 obj= "LocalSystem" start= auto binPath= "C:\Program Files (x86)\ProxyVan\Service\ProxyVan.exe"5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" create ProxyVanUpdater obj= "LocalSystem" start= auto binPath= "C:\Program Files (x86)\ProxyVan\Updater\ProxyVanUpdater.exe"5⤵
- Launches sc.exe
-
C:\Windows\SysWOW64\sc.exe"C:\Windows\system32\sc.exe" start ProxyVan25⤵
- Launches sc.exe
-
C:\Program Files (x86)\ProxyVan\Service\ProxyVan.exe"C:\Program Files (x86)\ProxyVan\Service\ProxyVan.exe"1⤵
- Executes dropped EXE
- Loads dropped DLL
Network
MITRE ATT&CK Enterprise v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Program Files (x86)\ProxyVan\Service\CommandLine.dllFilesize
163KB
MD5c89c96f35f5688687bf820eb6d176953
SHA117916511dad10ff77b2d1b2a8d262bf6d16f0b55
SHA2561ecac5c982c2d3b9bbe1b7efbd16e309c29d06d6c9706f8585fb6878e0746698
SHA51211d2d0a7cda15715294858510dcde3025d9128ddef2eb353a327e23a6470e73fc0843b35a6c5cf05e7f7faf83efc19fb8a45b44980267b3a0f602377c09dd529
-
C:\Program Files (x86)\ProxyVan\Service\ProxyVan.Common.dllFilesize
18KB
MD5476763e15175f7325a61243c4ed22f95
SHA1f47d8dd7e2f05f75deed90ca6cd6a36e71385b10
SHA256cbe4f51b8c231078df0bd3b126906f419d5530e4998f1a537668c9116b23e9c2
SHA512e705a03e76347751501d1ae0b348028aa7e0f1573b808068ca61d189e7cc24ee9e534386f059bde419ea1661ecbccc8c930be081cb95c1e69699ce37d9db78cd
-
C:\Program Files (x86)\ProxyVan\Service\ProxyVan.Common.dllFilesize
18KB
MD5476763e15175f7325a61243c4ed22f95
SHA1f47d8dd7e2f05f75deed90ca6cd6a36e71385b10
SHA256cbe4f51b8c231078df0bd3b126906f419d5530e4998f1a537668c9116b23e9c2
SHA512e705a03e76347751501d1ae0b348028aa7e0f1573b808068ca61d189e7cc24ee9e534386f059bde419ea1661ecbccc8c930be081cb95c1e69699ce37d9db78cd
-
C:\Program Files (x86)\ProxyVan\Service\ProxyVan.Common.dllFilesize
18KB
MD5476763e15175f7325a61243c4ed22f95
SHA1f47d8dd7e2f05f75deed90ca6cd6a36e71385b10
SHA256cbe4f51b8c231078df0bd3b126906f419d5530e4998f1a537668c9116b23e9c2
SHA512e705a03e76347751501d1ae0b348028aa7e0f1573b808068ca61d189e7cc24ee9e534386f059bde419ea1661ecbccc8c930be081cb95c1e69699ce37d9db78cd
-
C:\Program Files (x86)\ProxyVan\Service\ProxyVan.exeFilesize
64KB
MD53c6f15c66356401af87603f894bb4976
SHA1e77b0b55da6a91121c405b3f460821de03f79758
SHA25659dc64d4264d06242c7c5b9774e1b02844f44cbec0b821c71ecf98a43fe1a439
SHA512def88a542a37c580a29ce64538fad04d0127bc95cf6974271f2e68872e59a8181647694feb455fa6fd5a38dfd52716fd58f09e45251efa5c024ab2d96115c4e2
-
C:\Program Files (x86)\ProxyVan\Service\ProxyVan.exeFilesize
64KB
MD53c6f15c66356401af87603f894bb4976
SHA1e77b0b55da6a91121c405b3f460821de03f79758
SHA25659dc64d4264d06242c7c5b9774e1b02844f44cbec0b821c71ecf98a43fe1a439
SHA512def88a542a37c580a29ce64538fad04d0127bc95cf6974271f2e68872e59a8181647694feb455fa6fd5a38dfd52716fd58f09e45251efa5c024ab2d96115c4e2
-
C:\Program Files (x86)\ProxyVan\Service\ProxyVan.exe.configFilesize
5KB
MD50bcc8797a2d76bc6d25070959ed5c649
SHA1008683e4c9517f280bf6a606d8c7316ce4e728a9
SHA2569f7c259d27fafd51175327e5e3db7558f07011de839aed7ebd46f8ee323d2679
SHA5125d84ca32a77be317fd0bc8cfa7f7c5102c229b9ca904bb83f4ace8460c2b90eff7d25bce9536fc3d47904e5271f9cb122a9980fde3ad35938a25f3287f0c74b6
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.Console.dllFilesize
31KB
MD5c48bf7030e583e273e94e2d32b752a83
SHA151666bcec96f529b1a28b72db54cc7fcdf68441d
SHA256ded3b57b64eca479f2a659a244e4c403ebfb83a9a9b30ced893c145e77affd29
SHA512475e61bbb4484f468548dd7590d1d0bcc19912b322eacf2960b32c2c3ff1084231ddf8e689735e385a1f43e9912f79a028eae136c7dc8e130f2d3dd1eaf1f004
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.Console.dllFilesize
31KB
MD5c48bf7030e583e273e94e2d32b752a83
SHA151666bcec96f529b1a28b72db54cc7fcdf68441d
SHA256ded3b57b64eca479f2a659a244e4c403ebfb83a9a9b30ced893c145e77affd29
SHA512475e61bbb4484f468548dd7590d1d0bcc19912b322eacf2960b32c2c3ff1084231ddf8e689735e385a1f43e9912f79a028eae136c7dc8e130f2d3dd1eaf1f004
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.Console.dllFilesize
31KB
MD5c48bf7030e583e273e94e2d32b752a83
SHA151666bcec96f529b1a28b72db54cc7fcdf68441d
SHA256ded3b57b64eca479f2a659a244e4c403ebfb83a9a9b30ced893c145e77affd29
SHA512475e61bbb4484f468548dd7590d1d0bcc19912b322eacf2960b32c2c3ff1084231ddf8e689735e385a1f43e9912f79a028eae136c7dc8e130f2d3dd1eaf1f004
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.File.dllFilesize
27KB
MD54c2b0737d9a73da09172d3c210b0265d
SHA1a35a98ec72154cc1d112f46bd177a7f043dbcd46
SHA2566d8d84c9c14201674d9a309f51e952cf148ad33cdb66507d9677ebf1b1e4432b
SHA512c605bef0a7caa12b0d7c47564c3a214ea1db40f901dfdc4c5b35bf73610a5d9030b67e495b409a79c76ad5ec6ef9962cd56c050c51883a3151d34931a8361aa8
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.File.dllFilesize
27KB
MD54c2b0737d9a73da09172d3c210b0265d
SHA1a35a98ec72154cc1d112f46bd177a7f043dbcd46
SHA2566d8d84c9c14201674d9a309f51e952cf148ad33cdb66507d9677ebf1b1e4432b
SHA512c605bef0a7caa12b0d7c47564c3a214ea1db40f901dfdc4c5b35bf73610a5d9030b67e495b409a79c76ad5ec6ef9962cd56c050c51883a3151d34931a8361aa8
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.File.dllFilesize
27KB
MD54c2b0737d9a73da09172d3c210b0265d
SHA1a35a98ec72154cc1d112f46bd177a7f043dbcd46
SHA2566d8d84c9c14201674d9a309f51e952cf148ad33cdb66507d9677ebf1b1e4432b
SHA512c605bef0a7caa12b0d7c47564c3a214ea1db40f901dfdc4c5b35bf73610a5d9030b67e495b409a79c76ad5ec6ef9962cd56c050c51883a3151d34931a8361aa8
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.RollingFile.dllFilesize
18KB
MD51956aa1e1eb74ca4b70c8a0c7268236f
SHA1653d77ad181a4ccf169db699a0c011e3ffe4b218
SHA25682d6c16a6c178416b05577cbe668713a08ae9fc874342408d4339a147020bc10
SHA5120815dc374855ea5753bd6ac624f5b8b7bfcaf9fac6155ca91e22e692611da6ac73dd42b5dbdd7631948de42ab91eb699b85da88aea13e4b688c91d8a82c03f0f
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.RollingFile.dllFilesize
18KB
MD51956aa1e1eb74ca4b70c8a0c7268236f
SHA1653d77ad181a4ccf169db699a0c011e3ffe4b218
SHA25682d6c16a6c178416b05577cbe668713a08ae9fc874342408d4339a147020bc10
SHA5120815dc374855ea5753bd6ac624f5b8b7bfcaf9fac6155ca91e22e692611da6ac73dd42b5dbdd7631948de42ab91eb699b85da88aea13e4b688c91d8a82c03f0f
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.Sinks.RollingFile.dllFilesize
18KB
MD51956aa1e1eb74ca4b70c8a0c7268236f
SHA1653d77ad181a4ccf169db699a0c011e3ffe4b218
SHA25682d6c16a6c178416b05577cbe668713a08ae9fc874342408d4339a147020bc10
SHA5120815dc374855ea5753bd6ac624f5b8b7bfcaf9fac6155ca91e22e692611da6ac73dd42b5dbdd7631948de42ab91eb699b85da88aea13e4b688c91d8a82c03f0f
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.dllFilesize
123KB
MD55ad091f31cfe9d0e1eb325c09a6440cc
SHA18655ac00f4eb82dd0c9dc632b02642a3240633b9
SHA2567344321f0385a0189d641d7a11371524b91327930bb8ebbef2dabd94bdac0ba8
SHA5120030f47ca6cfc53a0c2038792839e969a7e80a80669b9498b86ce27a34d49b67f530c09e6a20c79ad2e1b5073135edc46cc0665acbb1c9e2327c5d18da0dc1e6
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.dllFilesize
123KB
MD55ad091f31cfe9d0e1eb325c09a6440cc
SHA18655ac00f4eb82dd0c9dc632b02642a3240633b9
SHA2567344321f0385a0189d641d7a11371524b91327930bb8ebbef2dabd94bdac0ba8
SHA5120030f47ca6cfc53a0c2038792839e969a7e80a80669b9498b86ce27a34d49b67f530c09e6a20c79ad2e1b5073135edc46cc0665acbb1c9e2327c5d18da0dc1e6
-
C:\Program Files (x86)\ProxyVan\Service\Serilog.dllFilesize
123KB
MD55ad091f31cfe9d0e1eb325c09a6440cc
SHA18655ac00f4eb82dd0c9dc632b02642a3240633b9
SHA2567344321f0385a0189d641d7a11371524b91327930bb8ebbef2dabd94bdac0ba8
SHA5120030f47ca6cfc53a0c2038792839e969a7e80a80669b9498b86ce27a34d49b67f530c09e6a20c79ad2e1b5073135edc46cc0665acbb1c9e2327c5d18da0dc1e6
-
C:\Users\Admin\AppData\Local\Temp\installer_2.20.6.exeFilesize
2.6MB
MD5d7f95e9e9a755adc5af39a34321b7a46
SHA1de079eeaf630d994ac463a85c59a2abecf500c60
SHA256928c26f80c0562d3af4f49c3a8fc8193d0bdcf17b4f44532009bceb9d84628c6
SHA512e050d2efaf9474e568cccbcafe0c493785b44e128fa7b6e229996cd402f4f9ecd9c6cb5f3157c1ebeb175d0595a7b3b517add74283f98f8cb8c1941431eaf33f
-
C:\Users\Admin\AppData\Local\Temp\installer_2.20.6.exeFilesize
2.6MB
MD5d7f95e9e9a755adc5af39a34321b7a46
SHA1de079eeaf630d994ac463a85c59a2abecf500c60
SHA256928c26f80c0562d3af4f49c3a8fc8193d0bdcf17b4f44532009bceb9d84628c6
SHA512e050d2efaf9474e568cccbcafe0c493785b44e128fa7b6e229996cd402f4f9ecd9c6cb5f3157c1ebeb175d0595a7b3b517add74283f98f8cb8c1941431eaf33f
-
C:\Users\Admin\AppData\Local\Temp\is-IA8OT.tmp\tmp8D76.tmpFilesize
2.4MB
MD5e14bbe9b410ff9c73da715b293dd47c4
SHA1ea4092753d1f596534caf74350a13770074afcb6
SHA25632b0e31bccf8b5d4eabefd6e1f0b7db3cfdd8bc0364c18daa92d8ba60415640d
SHA512a9bbc92fc1bba041646df79bab2253ffe68be2af31f976c7ed6c302294d59bab06304f096d2876e23fab1ff7571cf4cc1c1e2b63ad7f8d66038f457d15f7b75e
-
C:\Users\Admin\AppData\Local\Temp\is-IA8OT.tmp\tmp8D76.tmpFilesize
2.4MB
MD5e14bbe9b410ff9c73da715b293dd47c4
SHA1ea4092753d1f596534caf74350a13770074afcb6
SHA25632b0e31bccf8b5d4eabefd6e1f0b7db3cfdd8bc0364c18daa92d8ba60415640d
SHA512a9bbc92fc1bba041646df79bab2253ffe68be2af31f976c7ed6c302294d59bab06304f096d2876e23fab1ff7571cf4cc1c1e2b63ad7f8d66038f457d15f7b75e
-
C:\Users\Admin\AppData\Local\Temp\tmp8D76.exeFilesize
2.6MB
MD5a41586e828d97f5f0bcbac5b0a604e80
SHA1114292bf99ae576181b3a4f1c255677dda93eff2
SHA2569e162d04ce9427bc1dedb4dec70e1b503c32a2221ba93a2f6b460dbec1212808
SHA51298363440367d412ed7c4087459ef300cf1d1f965f9a7331ec70e7b18eb79f19a2aa73b97e48ebad16d1389ec902a1884c6e5a6208ed2ec835c27536245cebcd3
-
C:\Users\Admin\AppData\Local\Temp\tmp8D76.exeFilesize
2.6MB
MD5a41586e828d97f5f0bcbac5b0a604e80
SHA1114292bf99ae576181b3a4f1c255677dda93eff2
SHA2569e162d04ce9427bc1dedb4dec70e1b503c32a2221ba93a2f6b460dbec1212808
SHA51298363440367d412ed7c4087459ef300cf1d1f965f9a7331ec70e7b18eb79f19a2aa73b97e48ebad16d1389ec902a1884c6e5a6208ed2ec835c27536245cebcd3
-
memory/1172-160-0x0000000003650000-0x000000000365A000-memory.dmpFilesize
40KB
-
memory/1172-151-0x0000000000200000-0x0000000000216000-memory.dmpFilesize
88KB
-
memory/1172-173-0x0000000003780000-0x000000000378C000-memory.dmpFilesize
48KB
-
memory/1172-165-0x0000000003660000-0x000000000366E000-memory.dmpFilesize
56KB
-
memory/1172-152-0x0000000003680000-0x00000000036A2000-memory.dmpFilesize
136KB
-
memory/1172-169-0x00000000036E0000-0x00000000036EE000-memory.dmpFilesize
56KB
-
memory/1172-156-0x00000000036B0000-0x00000000036D6000-memory.dmpFilesize
152KB
-
memory/1724-145-0x0000000000000000-mapping.dmp
-
memory/1912-142-0x0000000000000000-mapping.dmp
-
memory/2052-135-0x00000000009F0000-0x0000000000C86000-memory.dmpFilesize
2.6MB
-
memory/2052-132-0x0000000000000000-mapping.dmp
-
memory/2216-138-0x0000000000400000-0x00000000004BE000-memory.dmpFilesize
760KB
-
memory/2216-141-0x0000000000400000-0x00000000004BE000-memory.dmpFilesize
760KB
-
memory/2216-162-0x0000000000400000-0x00000000004BE000-memory.dmpFilesize
760KB
-
memory/2216-136-0x0000000000000000-mapping.dmp
-
memory/2360-147-0x0000000000000000-mapping.dmp
-
memory/4864-146-0x0000000000000000-mapping.dmp