8e5e0fec5acb44fdc4c3755f8848fc44979902ba37b2e272c71ad8c755e08caa

General

Target

aa65cfc2688aed643300bfe43ed882c8.exe
Size

7.0MB
MD5

aa65cfc2688aed643300bfe43ed882c8
SHA1

9c5dab09ea411b17c485cfd77d5fb1677f562103
SHA256

8e5e0fec5acb44fdc4c3755f8848fc44979902ba37b2e272c71ad8c755e08caa
SHA512

b0198bc12ec102368d1c210207b2963aa0179adf55a19eb418d15d607de59ae045b26f776a9929c99406a543bae95ff101c3b0ae874cddd2fbddfb606590dfaf
SSDEEP

98304:bOJICXX3T5fkbnTH3M/YDdTaVBB8QLIN0d6/yaZ0Z5oBGWl1St+PGgSeCe1wpN7x:biubn15TCgG6/yq0WdwQg21itxfnCc

Score

7^/10

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.exe	aa65cfc2688aed643300bfe43ed882c8.exe

Executes dropped EXE 3 IoCs

pid	Process
2156	Eagle.Proxy.Scraper.exe
2804	ApplicationFrameHost.exe
2536	Eagle.Proxy.Scraper.exe

Loads dropped DLL 4 IoCs

pid	Process
2668	aa65cfc2688aed643300bfe43ed882c8.exe
2668	aa65cfc2688aed643300bfe43ed882c8.exe
2156	Eagle.Proxy.Scraper.exe
2536	Eagle.Proxy.Scraper.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/files/0x000600000001755b-44.dat	upx
behavioral1/files/0x000600000001755b-45.dat	upx
behavioral1/memory/2536-46-0x000007FEF5C10000-0x000007FEF6097000-memory.dmp	upx

Detects Pyinstaller 5 IoCs

pyinstaller

resource	yara_rule
behavioral1/files/0x0034000000015dc1-7.dat	pyinstaller
behavioral1/files/0x0034000000015dc1-5.dat	pyinstaller
behavioral1/files/0x0034000000015dc1-43.dat	pyinstaller
behavioral1/files/0x0034000000015dc1-42.dat	pyinstaller
behavioral1/files/0x0034000000015dc1-9.dat	pyinstaller

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
2804	ApplicationFrameHost.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2668 wrote to memory of 2156	2668	aa65cfc2688aed643300bfe43ed882c8.exe	28
PID 2668 wrote to memory of 2156	2668	aa65cfc2688aed643300bfe43ed882c8.exe	28
PID 2668 wrote to memory of 2156	2668	aa65cfc2688aed643300bfe43ed882c8.exe	28
PID 2668 wrote to memory of 2156	2668	aa65cfc2688aed643300bfe43ed882c8.exe	28
PID 2668 wrote to memory of 2804	2668	aa65cfc2688aed643300bfe43ed882c8.exe	30
PID 2668 wrote to memory of 2804	2668	aa65cfc2688aed643300bfe43ed882c8.exe	30
PID 2668 wrote to memory of 2804	2668	aa65cfc2688aed643300bfe43ed882c8.exe	30
PID 2668 wrote to memory of 2804	2668	aa65cfc2688aed643300bfe43ed882c8.exe	30
PID 2156 wrote to memory of 2536	2156	Eagle.Proxy.Scraper.exe	29
PID 2156 wrote to memory of 2536	2156	Eagle.Proxy.Scraper.exe	29
PID 2156 wrote to memory of 2536	2156	Eagle.Proxy.Scraper.exe	29

C:\Users\Admin\AppData\Local\Temp\aa65cfc2688aed643300bfe43ed882c8.exe
"C:\Users\Admin\AppData\Local\Temp\aa65cfc2688aed643300bfe43ed882c8.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:2668
- C:\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe
  "C:\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:2156
- - C:\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe
    "C:\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    PID:2536
- C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.exe
  "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: AddClipboardFormatListener
  PID:2804

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe

Filesize
833KB

MD5
9a4206a8694f96551af4cb82c22ed9a6

SHA1
fc7104b40c5901e9a4f7ab53d94a157dfcb371df

SHA256
f6311b7aeec56f5794bace097697f61ec92d540780127816a79e353b49c39cd7

SHA512
c1cfb533968b5c521deb230a9597d843bf6817f64d299a9ecd560c877dd5962b7792c4dcef9fbc69e414d9452c4b2e0e2d64de981ef72d4168bbc9515472ad6d

Download Submit
C:\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe

Filesize
133KB

MD5
078e0a558721bfa79a48eaffc1db91fb

SHA1
ef5a3c461f52fd2c648a7d703451141d965ecbee

SHA256
53b288859b8c374c724d2ff986e2b9a9da713ec3ff9fdc308bdc9cc7e9ab704f

SHA512
adeecb0ef4e7a111c62b5b084c660528d85bfaf3e92dc3915763ad13c6a9bcfc08bcee28a92aa5b7e2880340e3d48ae28f0896675035c45549eabee230de7e78

Download Submit
C:\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe

Filesize
817KB

MD5
8ee5b113a0b14cbfb751b19e9dfde293

SHA1
5e99e29da9004df862dc64710cd7ef0be982a887

SHA256
03d44731e6011981c4bd5d95463b366be19b33dbdbf2e4b811c746456306831f

SHA512
f7bb05b3d7776eacefedb0c0dd0ccf5f3a730a15c7e93909ce6e97de2709ca50db3b309eed79c89f393f5d1e0af3fe12ca4b38f0a94cab4e4821bca713309e1d

Download Submit
C:\Users\Admin\AppData\Local\Temp\_MEI21562\python39.dll

Filesize
626KB

MD5
6ef412051e553433ed6f65fc0628b435

SHA1
5825cac53dd650d3bbc343e60d790a02fa44693b

SHA256
e586b4ed28f377c4ce59c68e847c4a66aa5aa5ee8e507278e9e747a27023fef9

SHA512
6e292a01993bb03e8bd9da1709a904cc6a0e211cc904d42e8327364a5bf0d6178896bd49eb0d100041d49ff0c6b09484e96dfab1334662dd93347795efc76c06

Download Submit
\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe

Filesize
440KB

MD5
69946f207417224564920dc7629a3ccf

SHA1
bcecc70c7e3046bde9dff9441e16d1ea7809cfac

SHA256
2a52adc1aeaf60bca5f4f379214663bb08d0a6f241c516d27e1b13edd79a5011

SHA512
170b4da0310fc4e2c2ea2bc6881ac47117c809b200885495dc65b0a6296d6e0ae7abc0b884a28a7bc259c30250557d42e2bbaed8e5916187ad379d9b4a46581f

Download Submit
\Eagle.Proxy.Scraper.exe\Eagle.Proxy.Scraper.exe

Filesize
64KB

MD5
44aefaa852ae96cca16a1ec1506c780e

SHA1
8553d7b4bc9bd76bca69acdecbe82043c52627eb

SHA256
5129200cfa8586a173a2b22eebcf21c05e6e6d63ad121a75484c339a9aba1f3b

SHA512
22f9a6594d2475382f25ed71bfad78fc10b14b4a1249f9bba043d6e74fba8dc69bcb823f0958fe54fc9baa8f4f68e468582e755c0681a15ccee34a9a418df1c1

Download Submit
\Users\Admin\AppData\Local\Temp\_MEI21562\python39.dll

Filesize
647KB

MD5
ecb38ff7c63ea5286846f2ab41de9b2d

SHA1
149f27ddcd823eb7655d1b9bbc9ffc0f7d07580d

SHA256
c6d6c68db0d1ef67c6b11ebc97ee472cf60b83a548e9ae8cd7af99a5f87e6c5f

SHA512
e71ea9f20b1181c5d3ea8cda8e3842bcd725aaad2274c4cb19ddfea5cfe762bc4c22f1fe1cd68f0cd5c7e7aa818a5aaa8e8e31724664560c45c8925c1f1b0d09

Download Submit
\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\ApplicationFrameHost.exe

Filesize
53KB

MD5
574296ff0f8368f078343a66be300c12

SHA1
77afc0f26fd852163f716ba18023169f6044ae6a

SHA256
61e3dd8fe365f9159e57d6c66fc20e1040e229039bdd69d749361c1850961275

SHA512
a6d1d741302c4a03e397c1fff32a3926aa44ee09afc15496e008b54f88a2b075299b744832c93d9dedf8c639439118f3e40e49ec1280a7478a3a943b4c3b1636

Download Submit
memory/2536-46-0x000007FEF5C10000-0x000007FEF6097000-memory.dmp

Filesize
4.5MB

Download
memory/2668-2-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-1-0x0000000000B40000-0x0000000000B80000-memory.dmp

Filesize
256KB

Download
memory/2668-38-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/2668-0-0x0000000074280000-0x000000007482B000-memory.dmp

Filesize
5.7MB

Download
memory/2804-47-0x00000000008F0000-0x0000000000902000-memory.dmp

Filesize
72KB

Download
memory/2804-48-0x00000000722B0000-0x000000007299E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-49-0x0000000000320000-0x0000000000338000-memory.dmp

Filesize
96KB

Download
memory/2804-50-0x0000000000340000-0x0000000000346000-memory.dmp

Filesize
24KB

Download
memory/2804-51-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download
memory/2804-76-0x00000000722B0000-0x000000007299E000-memory.dmp

Filesize
6.9MB

Download
memory/2804-77-0x0000000000350000-0x0000000000390000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing