Analysis
max time kernel: 139s
max time network: 103s
platform: windows10-2004_x64
resource: win10v2004-20240508-es
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-es, locale:es-es, os:windows10-2004-x64, system:windows
submitted: 07-06-2024 00:33
Static task: static1
Behavioral task: behavioral1
  Sample: Eagle-Proxy-Scraper.exe
  Resource: win7-20240220-es
Behavioral task: behavioral2
  Sample: Eagle-Proxy-Scraper.exe
  Resource: win10v2004-20240508-es
General
Target: Eagle-Proxy-Scraper.exe
Size: 9.8MB
MD5: 18ee8cdf6aed10d61d4828607ec170de
SHA1: 53d2cf60c8fce58e744497a7691943735eb8507f
SHA256: d92eb9bb231cebaab7e021e48b134a77aab9b8866393183c4d603b95632bed96
SHA512: 2229df87ab48080900df2d73b6582cc72b4047976b5d3668651c2c46792040e111aa93a79caf8abd08842c0cdf5152b5d7e23a2d73172adf47e0a31742f460ec
SSDEEP: 196608:9K4070lT0HzMFUjejm04SVzVDg2g9sM0zbly7lyQgWx:9KVglIHzMFgej4EDgxmTqKI
Malware Config
Signatures
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | Eagle-Proxy-Scraper.exe
Deletes itself (1 IoC)
Processes:
  pid | process
  4436 | powershell.exe
Executes dropped EXE (2 IoCs)
Processes:
  pid | process
  4816 | Eagle.Proxy.Scraper.exe
  2676 | Eagle.Proxy.Scraper.exe
Loads dropped DLL (17 IoCs)
Processes:
  pid | process
  2676 | Eagle.Proxy.Scraper.exe (17 identical entries)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\python310.dll | upx
  behavioral2/memory/2676-59-0x00007FF9704B0000-0x00007FF970915000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\_ctypes.pyd | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\select.pyd | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\libssl-1_1.dll | upx
  behavioral2/memory/2676-81-0x00007FF986450000-0x00007FF98647E000-memory.dmp | upx
  behavioral2/memory/2676-85-0x00007FF970FE0000-0x00007FF971357000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\libcrypto-1_1.dll | upx
  behavioral2/memory/2676-82-0x00007FF986390000-0x00007FF986447000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\_ssl.pyd | upx
  behavioral2/memory/2676-76-0x00007FF986ED0000-0x00007FF986EDD000-memory.dmp | upx
  behavioral2/memory/2676-72-0x00007FF986480000-0x00007FF986499000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\_socket.pyd | upx
  behavioral2/memory/2676-90-0x00007FF986370000-0x00007FF986384000-memory.dmp | upx
  behavioral2/memory/2676-101-0x00007FF986350000-0x00007FF986369000-memory.dmp | upx
  behavioral2/memory/2676-103-0x00007FF974B10000-0x00007FF974B3C000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\_lzma.pyd | upx
  behavioral2/memory/2676-100-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\_bz2.pyd | upx
  behavioral2/memory/2676-96-0x00007FF9770E0000-0x00007FF9771F8000-memory.dmp | upx
  behavioral2/memory/2676-95-0x00007FF986D90000-0x00007FF986D9D000-memory.dmp | upx
  behavioral2/memory/2676-94-0x00007FF9704B0000-0x00007FF970915000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\unicodedata.pyd | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\_queue.pyd | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\_hashlib.pyd | upx
  behavioral2/memory/2676-69-0x00007FF986F80000-0x00007FF986F8F000-memory.dmp | upx
  C:\Users\Admin\AppData\Local\Temp\_MEI48162\libffi-7.dll | upx
  behavioral2/memory/2676-67-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp | upx
  behavioral2/memory/2676-105-0x00007FF986480000-0x00007FF986499000-memory.dmp | upx
  behavioral2/memory/2676-106-0x00007FF986450000-0x00007FF98647E000-memory.dmp | upx
  behavioral2/memory/2676-117-0x00007FF9770E0000-0x00007FF9771F8000-memory.dmp | upx
  behavioral2/memory/2676-114-0x00007FF970FE0000-0x00007FF971357000-memory.dmp | upx
  behavioral2/memory/2676-110-0x00007FF986480000-0x00007FF986499000-memory.dmp | upx
  behavioral2/memory/2676-108-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp | upx
  behavioral2/memory/2676-120-0x00007FF986390000-0x00007FF986447000-memory.dmp | upx
  behavioral2/memory/2676-107-0x00007FF9704B0000-0x00007FF970915000-memory.dmp | upx
  behavioral2/memory/2676-227-0x00007FF9770E0000-0x00007FF9771F8000-memory.dmp | upx
  behavioral2/memory/2676-230-0x00007FF986D90000-0x00007FF986D9D000-memory.dmp | upx
  behavioral2/memory/2676-229-0x00007FF986370000-0x00007FF986384000-memory.dmp | upx
  behavioral2/memory/2676-228-0x00007FF970FE0000-0x00007FF971357000-memory.dmp | upx
  behavioral2/memory/2676-226-0x00007FF986450000-0x00007FF98647E000-memory.dmp | upx
  behavioral2/memory/2676-225-0x00007FF986ED0000-0x00007FF986EDD000-memory.dmp | upx
  behavioral2/memory/2676-224-0x00007FF986480000-0x00007FF986499000-memory.dmp | upx
  behavioral2/memory/2676-223-0x00007FF986F80000-0x00007FF986F8F000-memory.dmp | upx
  behavioral2/memory/2676-222-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp | upx
  behavioral2/memory/2676-221-0x00007FF986390000-0x00007FF986447000-memory.dmp | upx
  behavioral2/memory/2676-220-0x00007FF974B10000-0x00007FF974B3C000-memory.dmp | upx
  behavioral2/memory/2676-219-0x00007FF986350000-0x00007FF986369000-memory.dmp | upx
  behavioral2/memory/2676-231-0x00007FF9704B0000-0x00007FF970915000-memory.dmp | upx
Detects Pyinstaller (1 IoC)
Processes:
  resource | yara_rule
  C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe | pyinstaller
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: EnumeratesProcesses (2 IoCs)
Processes:
  pid | process
  4436 | powershell.exe
  4436 | powershell.exe
Suspicious use of AdjustPrivilegeToken (2 IoCs)
Processes:
  description | pid | process
  Token: SeDebugPrivilege | 3424 | Eagle-Proxy-Scraper.exe
  Token: SeDebugPrivilege | 4436 | powershell.exe
Suspicious use of WriteProcessMemory (12 IoCs)
Processes:
  description | pid | process | target process
  PID 3424 wrote to memory of 4816 | 3424 | Eagle-Proxy-Scraper.exe | Eagle.Proxy.Scraper.exe
  PID 3424 wrote to memory of 4816 | 3424 | Eagle-Proxy-Scraper.exe | Eagle.Proxy.Scraper.exe
  PID 4816 wrote to memory of 2676 | 4816 | Eagle.Proxy.Scraper.exe | Eagle.Proxy.Scraper.exe
  PID 4816 wrote to memory of 2676 | 4816 | Eagle.Proxy.Scraper.exe | Eagle.Proxy.Scraper.exe
  PID 2676 wrote to memory of 3932 | 2676 | Eagle.Proxy.Scraper.exe | cmd.exe
  PID 2676 wrote to memory of 3932 | 2676 | Eagle.Proxy.Scraper.exe | cmd.exe
  PID 2676 wrote to memory of 5064 | 2676 | Eagle.Proxy.Scraper.exe | cmd.exe
  PID 2676 wrote to memory of 5064 | 2676 | Eagle.Proxy.Scraper.exe | cmd.exe
  PID 3424 wrote to memory of 4436 | 3424 | Eagle-Proxy-Scraper.exe | powershell.exe
  PID 3424 wrote to memory of 4436 | 3424 | Eagle-Proxy-Scraper.exe | powershell.exe
  PID 2676 wrote to memory of 1920 | 2676 | Eagle.Proxy.Scraper.exe | cmd.exe
  PID 2676 wrote to memory of 1920 | 2676 | Eagle.Proxy.Scraper.exe | cmd.exe
Processes (tree; indentation shows parent/child)
  C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe (PID 3424)
    command line: "C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe"
    - Checks computer location settings
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe (PID 4816)
      command line: "C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe"
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe (PID 2676)
        command line: "C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Suspicious use of WriteProcessMemory
        C:\Windows\system32\cmd.exe (PID 3932)
          command line: C:\Windows\system32\cmd.exe /c cls
        C:\Windows\system32\cmd.exe (PID 5064)
          command line: C:\Windows\system32\cmd.exe /c
        C:\Windows\system32\cmd.exe (PID 1920)
          command line: C:\Windows\system32\cmd.exe /c pause
    C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe (PID 4436)
      command line: "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
      - Deletes itself
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
  C:\Windows\System32\rundll32.exe (PID 3748)
    command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
Network
MITRE ATT&CK Enterprise v15
Downloads

Filesize: 7.9MB
MD5: dfeb0a30d42be19f656d8ff5bbcd88ec
SHA1: d1b36243a6c62f01105efb9b8d4ac400297b082e
SHA256: 23f919ad8b14fde536bde3b03928e6d9b03e6079bb8a4f9aa6738711f9baae03
SHA512: 3d2d808f95877624a92daaf08b1f35d7adaab3a67fea5f053745a8741bf2aa50cb00d8159973a6c301150695b73258e1829c942950a7ff7d4c0848ffb8451082

Filesize: 94KB
MD5: a87575e7cf8967e481241f13940ee4f7
SHA1: 879098b8a353a39e16c79e6479195d43ce98629e
SHA256: ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e
SHA512: e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

Filesize: 44KB
MD5: 302d2cf22d29971a8d725ff11f6e8cd7
SHA1: 0cd807fa37b9ad4decbb73d5169b9a3ebeb9bd96
SHA256: 53a92f440820c75dff70be3a31af343468f683d7b8400f146b41c5346c6c271f
SHA512: c3557ca98b12780c7296f4093a5cec913a2f310441846101851a67901dc83a0abdcbfdd4b3c7aa43f477c1198b469452e92b38f79553591a6fc660b5272a501c

Filesize: 54KB
MD5: e28acb3e65ad0b0f56bbfa07a5524289
SHA1: a36cebfed6887d32fc005cd74da22648e7ec8e6c
SHA256: 269a4c6d8deeb6cf5739573c71d1cfe1398f8d1a1508d1149efa926fd49138c9
SHA512: 527e1ab1638090e5c5f005a319d548c9bf0a530389ab82e4fe314cc7a6ac59ba74715b6e38a90f82ad3acd32533c0285b90f8b4b3b89b55ed31a8235ee835284

Filesize: 31KB
MD5: 9a2390ca31a028e316b5a4d7cf8d8dc9
SHA1: 16af2b43daf6a9a675ee59e0202b07075b464c14
SHA256: a5b5687e60c1502fbec0b90ec8a0d1e9145fc2b55b855dc8934c770bec2261d4
SHA512: 3a4cc8aa6614afe4dfd98e33ad02ee0989cf381c56f981096ce076f9a38a383e77040a5b7cd515e9765e7fc52c706e967fd250e6fef083f31caf05dff1b981ee

Filesize: 81KB
MD5: 64ed1f1417a833b0ac60afa13ff87990
SHA1: f3a922268f95f83ad98f268e1232bb7b72d5c6d0
SHA256: 98ffc40b989149ea0c857ef60fa8fc25e975d98ef641afe88bc514f4d779d859
SHA512: 62ead58516d687a53fe4a7ab6434342a4d233820b2b2edeccc5c76599fc7b5a926b66fe07ef2a2bc8f14698a5848046734d41dd2159982a0655f605fdb3347b9

Filesize: 21KB
MD5: 7021606a60d9386e25b2eec2f8c955da
SHA1: a82b0162c6ed8677dd5bdd8c1219ea97e5571d18
SHA256: eff97d917b7469747f5da2c96e43d4169ca6fa72868541d9b06962c84ede3ebf
SHA512: c90011f05acac9186914f0e8a0425958e48dba1a6a9884161e2d93cb1a22c48947b2e1ed80aa00375d07c3d0d877034d256924182fc3b2612beae58e40ca728a

Filesize: 38KB
MD5: 79ca909a112bf7e02eebbeb24c7fea66
SHA1: 5c3724b1b715365b2754f91e73d044b2673f3903
SHA256: f5aa56e1e206c680d02f398a9eeeb9e9986246178f616c59494c09aaf24d71d3
SHA512: 227fa2adcd9b9fd8058fe09c2918ef8e1ada50b5b58fc7898a0851086160f83a4fab8b934979a1e2d28449f30b0a689c2c096ea1c70779fb6b1daef564f9b980

Filesize: 58KB
MD5: 0b6d3bc967ef7da8c09e8ddd45a005e2
SHA1: 7f06f42ece294f48fabe14736fda6c0d34a414a1
SHA256: 890ab17f9776aaf37b577b18b895e558f82cf521eadb84ce6072387c917d67b8
SHA512: 7c23537d75e6decd31df73b0d8da6b93cff515262eae816829c455d18df6df60bd7e867eb756ec7bbb9a139ea8033438d94965a8f04bf736b140962b6c3121ed

Filesize: 812KB
MD5: e11a6339fb0b1b4c46e616da6be00f07
SHA1: 764c5938e67497eaa72f087b7eec40666942a2e0
SHA256: f64583427ce94822246429bb06e7a0f1edc82525d04f147e01a8a9931c3549ed
SHA512: c5a36b7108e3a7c1b3a74ec28cbe95ea260869883fd01e1cb0faddfae3c28264bcd608245f752af53d2f49e9df5fadb028cb867a80bd52ab89694773fdf067d8

Filesize: 259KB
MD5: ea4ee2af66c4c57b8a275867e9dc07cd
SHA1: d904976736e6db3c69c304e96172234078242331
SHA256: fa883829ebb8cd2a602f9b21c1f85de24cf47949d520bceb1828b4cd1cb6906c
SHA512: 4114105f63e72b54e506d06168b102a9130263576200fb21532140c0e9936149259879ac30a8b78f15ae7cb0b59b043db5154091312da731ac16e67e6314c412

Filesize: 1.1MB
MD5: 1972b22cead0fa580ba4f48ab2189ffa
SHA1: cd98e02653c15ca11526c608fb624d11c86842c3
SHA256: a1b2c9629ae78ac3a81ca890148f6739a011ab9d73e139ee8a0dcae673991b07
SHA512: 39d03558e59c125e1536adbcee03fdbc646551a6c0469fef9f47789888cd0adaba2876b04f48fdabb2057569ff19fbd1d235f33ef5cf2c9c8ae397cef45f71f6

Filesize: 23KB
MD5: b5150b41ca910f212a1dd236832eb472
SHA1: a17809732c562524b185953ffe60dfa91ba3ce7d
SHA256: 1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a
SHA512: 9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

Filesize: 199KB
MD5: 4be0259d38999d6537ad6ebddfc1c609
SHA1: 922a8b26e557913d0a50f28b4406e1af1a46fc47
SHA256: 847582fe3215e7c3821a0424ffd0b7fd0b01b019caca883d8a84ec947a4159eb
SHA512: 6c80c395597781f01f244b64477b499ad7d73acb4fcb7c177f00c6d0c48e54d00a500679103f6f611ae970ec45adc9136304d92444d11adff422b2e12bbbe242

Filesize: 60KB
MD5: c38e9571f33898eb9f3da53dc29b512f
SHA1: 5be348c829b6dfa008d0dd239414ad388e5d7ace
SHA256: 70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79
SHA512: 1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e

Filesize: 1.4MB
MD5: b607df83392febab3f5745b79dc26c57
SHA1: 58c4b08575afbca1cf21e0995ca9048290241ebd
SHA256: 6a21dc896a78c961eac3dad70a9addc289c6c8449fe5c09b37adf12310e06b0e
SHA512: a341b1b1a725a6df59d3b0f8e1afd3c8d39b63d682f297321ac59418f1f8089b3caca8374dcf453a09e77c53f0f47e889b965b9f3d0ec9dd5b8cff8839838d4d

Filesize: 21KB
MD5: 6b060423e9286414cd6529d4ae6fcda5
SHA1: 41f0f83c395a936b313001307cbbe2f01224fa35
SHA256: 6ee51b502c418c8a6d3e5c13f22bee6f72503043ac33b4f1ac01adf7531557ae
SHA512: 04256d6fb99296c6b3c29fd69b0f90ac1eb8a25c2e7750b3fda4a145d5d9bc7a6e5d5b3691c0784c810f3e7cea3f080325d6cec2901ed206b57dcf1b6777e4ff

Filesize: 285KB
MD5: be56a94f07b3f4593ef55de868c931ec
SHA1: 62f4b81d4c280e631fbfee0eb13001c1bfee52da
SHA256: 659fc6eb5d80874d55e343949ed36b0c8f6f9abd396460c66085552d14e41432
SHA512: db6adcb2b03be9305e852c07c29e1851d3e276eed447f7b597dc33345df9f8e8bd4bd8ccb62d8737130354b1e8ea46681dce1495c7c52dd92b87b0e607689cfb

Filesize: 60B
MD5: d17fe0a3f47be24a6453e9ef58c94641
SHA1: 6ab83620379fc69f80c0242105ddffd7d98d5d9d
SHA256: 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7
SHA512: 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82