Analysis

Max time kernel: 147s
Max time network: 121s
Platform: windows7_x64
Resource: win7-20240220-es
Resource tags: arch:x64, arch:x86, image:win7-20240220-es, locale:es-es, os:windows7-x64, system, windows
Submitted: 07-06-2024 00:33
Static task: static1

Behavioral task: behavioral1
- Sample: Eagle-Proxy-Scraper.exe
- Resource: win7-20240220-es

Behavioral task: behavioral2
- Sample: Eagle-Proxy-Scraper.exe
- Resource: win10v2004-20240508-es
General

Target: Eagle-Proxy-Scraper.exe
Size: 9.8MB
MD5: 18ee8cdf6aed10d61d4828607ec170de
SHA1: 53d2cf60c8fce58e744497a7691943735eb8507f
SHA256: d92eb9bb231cebaab7e021e48b134a77aab9b8866393183c4d603b95632bed96
SHA512: 2229df87ab48080900df2d73b6582cc72b4047976b5d3668651c2c46792040e111aa93a79caf8abd08842c0cdf5152b5d7e23a2d73172adf47e0a31742f460ec
SSDEEP: 196608:9K4070lT0HzMFUjejm04SVzVDg2g9sM0zbly7lyQgWx:9KVglIHzMFgej4EDgxmTqKI
Malware Config
Signatures

- Deletes itself (1 IoC)
  Processes: powershell.exe (PID 1408)

- Executes dropped EXE (2 IoCs)
  Processes: Eagle.Proxy.Scraper.exe (PID 2500), Eagle.Proxy.Scraper.exe (PID 2460)

- Loads dropped DLL (4 IoCs)
  Processes: Eagle-Proxy-Scraper.exe (PID 2100), PID 2520 (process name not shown in the report), Eagle.Proxy.Scraper.exe (PID 2500), Eagle.Proxy.Scraper.exe (PID 2460)

- YARA rule match: upx (signature name not shown in the report)
  Resources:
  - C:\Users\Admin\AppData\Local\Temp\_MEI25002\python310.dll (rule: upx)
  - behavioral1/memory/2460-53-0x000007FEF08D0000-0x000007FEF0D35000-memory.dmp (rule: upx)

- Detects Pyinstaller (1 IoC)
  Resources:
  - \Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe (rule: pyinstaller)

- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes: powershell.exe (PID 1408)

- Suspicious use of AdjustPrivilegeToken (2 IoCs)
  Processes:
  - Token: SeDebugPrivilege, PID 2100, Eagle-Proxy-Scraper.exe
  - Token: SeDebugPrivilege, PID 1408, powershell.exe

- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (source PID / source process -> target PID / target process, number of entries):
  - PID 2100 Eagle-Proxy-Scraper.exe wrote to memory of PID 2500 Eagle.Proxy.Scraper.exe (3 entries)
  - PID 2500 Eagle.Proxy.Scraper.exe wrote to memory of PID 2460 Eagle.Proxy.Scraper.exe (3 entries)
  - PID 2100 Eagle-Proxy-Scraper.exe wrote to memory of PID 1408 powershell.exe (3 entries)
Processes

- [1] C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe"
  PID: 2100
  - Loads dropped DLL
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - [2] C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe"
    PID: 2500
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory

    - [3] C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe"
      PID: 2460
      - Executes dropped EXE
      - Loads dropped DLL

  - [2] C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
    Command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
    PID: 1408
    - Deletes itself
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Downloads

- Filesize: 1.4MB
  MD5: b607df83392febab3f5745b79dc26c57
  SHA1: 58c4b08575afbca1cf21e0995ca9048290241ebd
  SHA256: 6a21dc896a78c961eac3dad70a9addc289c6c8449fe5c09b37adf12310e06b0e
  SHA512: a341b1b1a725a6df59d3b0f8e1afd3c8d39b63d682f297321ac59418f1f8089b3caca8374dcf453a09e77c53f0f47e889b965b9f3d0ec9dd5b8cff8839838d4d

- Filesize: 7.9MB
  MD5: dfeb0a30d42be19f656d8ff5bbcd88ec
  SHA1: d1b36243a6c62f01105efb9b8d4ac400297b082e
  SHA256: 23f919ad8b14fde536bde3b03928e6d9b03e6079bb8a4f9aa6738711f9baae03
  SHA512: 3d2d808f95877624a92daaf08b1f35d7adaab3a67fea5f053745a8741bf2aa50cb00d8159973a6c301150695b73258e1829c942950a7ff7d4c0848ffb8451082