Analysis

  • max time kernel
    139s
  • max time network
    103s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240508-es
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240508-es locale:es-es os:windows10-2004-x64 system windows
  • submitted
    07-06-2024 00:33

General

  • Target

    Eagle-Proxy-Scraper.exe

  • Size

    9.8MB

  • MD5

    18ee8cdf6aed10d61d4828607ec170de

  • SHA1

    53d2cf60c8fce58e744497a7691943735eb8507f

  • SHA256

    d92eb9bb231cebaab7e021e48b134a77aab9b8866393183c4d603b95632bed96

  • SHA512

    2229df87ab48080900df2d73b6582cc72b4047976b5d3668651c2c46792040e111aa93a79caf8abd08842c0cdf5152b5d7e23a2d73172adf47e0a31742f460ec

  • SSDEEP

    196608:9K4070lT0HzMFUjejm04SVzVDg2g9sM0zbly7lyQgWx:9KVglIHzMFgej4EDgxmTqKI

Score
7/10

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Deletes itself 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Loads dropped DLL 17 IoCs
  • UPX packed file 49 IoCs

    Detects executables packed with UPX/modified UPX open source packer.

  • Detects Pyinstaller 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe
    "C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:3424
    • C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe
      "C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of WriteProcessMemory
      PID:4816
      • C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe
        "C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • Suspicious use of WriteProcessMemory
        PID:2676
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c cls
          4⤵
          PID:3932
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c
          4⤵
          PID:5064
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /c pause
          4⤵
          PID:1920
    • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" $file='C:\Users\Admin\AppData\Local\Temp\Eagle-Proxy-Scraper.exe';for($i=1;$i -le 600 -and (Test-Path $file -PathType leaf);$i++){Remove-Item $file;Start-Sleep -m 100}
      2⤵
      • Deletes itself
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4436
  • C:\Windows\System32\rundll32.exe
    C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
    1⤵
    PID:3748

Network

MITRE ATT&CK Enterprise v15

Downloads

          • C:\Users\Admin\AppData\Local\Temp\Eagle.Proxy.Scraper.exe

            Filesize

            7.9MB

            MD5

            dfeb0a30d42be19f656d8ff5bbcd88ec

            SHA1

            d1b36243a6c62f01105efb9b8d4ac400297b082e

            SHA256

            23f919ad8b14fde536bde3b03928e6d9b03e6079bb8a4f9aa6738711f9baae03

            SHA512

            3d2d808f95877624a92daaf08b1f35d7adaab3a67fea5f053745a8741bf2aa50cb00d8159973a6c301150695b73258e1829c942950a7ff7d4c0848ffb8451082

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\VCRUNTIME140.dll

            Filesize

            94KB

            MD5

            a87575e7cf8967e481241f13940ee4f7

            SHA1

            879098b8a353a39e16c79e6479195d43ce98629e

            SHA256

            ded5adaa94341e6c62aea03845762591666381dca30eb7c17261dd154121b83e

            SHA512

            e112f267ae4c9a592d0dd2a19b50187eb13e25f23ded74c2e6ccde458bcdaee99f4e3e0a00baf0e3362167ae7b7fe4f96ecbcd265cc584c1c3a4d1ac316e92f0

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\_bz2.pyd

            Filesize

            44KB

            MD5

            302d2cf22d29971a8d725ff11f6e8cd7

            SHA1

            0cd807fa37b9ad4decbb73d5169b9a3ebeb9bd96

            SHA256

            53a92f440820c75dff70be3a31af343468f683d7b8400f146b41c5346c6c271f

            SHA512

            c3557ca98b12780c7296f4093a5cec913a2f310441846101851a67901dc83a0abdcbfdd4b3c7aa43f477c1198b469452e92b38f79553591a6fc660b5272a501c

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\_ctypes.pyd

            Filesize

            54KB

            MD5

            e28acb3e65ad0b0f56bbfa07a5524289

            SHA1

            a36cebfed6887d32fc005cd74da22648e7ec8e6c

            SHA256

            269a4c6d8deeb6cf5739573c71d1cfe1398f8d1a1508d1149efa926fd49138c9

            SHA512

            527e1ab1638090e5c5f005a319d548c9bf0a530389ab82e4fe314cc7a6ac59ba74715b6e38a90f82ad3acd32533c0285b90f8b4b3b89b55ed31a8235ee835284

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\_hashlib.pyd

            Filesize

            31KB

            MD5

            9a2390ca31a028e316b5a4d7cf8d8dc9

            SHA1

            16af2b43daf6a9a675ee59e0202b07075b464c14

            SHA256

            a5b5687e60c1502fbec0b90ec8a0d1e9145fc2b55b855dc8934c770bec2261d4

            SHA512

            3a4cc8aa6614afe4dfd98e33ad02ee0989cf381c56f981096ce076f9a38a383e77040a5b7cd515e9765e7fc52c706e967fd250e6fef083f31caf05dff1b981ee

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\_lzma.pyd

            Filesize

            81KB

            MD5

            64ed1f1417a833b0ac60afa13ff87990

            SHA1

            f3a922268f95f83ad98f268e1232bb7b72d5c6d0

            SHA256

            98ffc40b989149ea0c857ef60fa8fc25e975d98ef641afe88bc514f4d779d859

            SHA512

            62ead58516d687a53fe4a7ab6434342a4d233820b2b2edeccc5c76599fc7b5a926b66fe07ef2a2bc8f14698a5848046734d41dd2159982a0655f605fdb3347b9

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\_queue.pyd

            Filesize

            21KB

            MD5

            7021606a60d9386e25b2eec2f8c955da

            SHA1

            a82b0162c6ed8677dd5bdd8c1219ea97e5571d18

            SHA256

            eff97d917b7469747f5da2c96e43d4169ca6fa72868541d9b06962c84ede3ebf

            SHA512

            c90011f05acac9186914f0e8a0425958e48dba1a6a9884161e2d93cb1a22c48947b2e1ed80aa00375d07c3d0d877034d256924182fc3b2612beae58e40ca728a

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\_socket.pyd

            Filesize

            38KB

            MD5

            79ca909a112bf7e02eebbeb24c7fea66

            SHA1

            5c3724b1b715365b2754f91e73d044b2673f3903

            SHA256

            f5aa56e1e206c680d02f398a9eeeb9e9986246178f616c59494c09aaf24d71d3

            SHA512

            227fa2adcd9b9fd8058fe09c2918ef8e1ada50b5b58fc7898a0851086160f83a4fab8b934979a1e2d28449f30b0a689c2c096ea1c70779fb6b1daef564f9b980

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\_ssl.pyd

            Filesize

            58KB

            MD5

            0b6d3bc967ef7da8c09e8ddd45a005e2

            SHA1

            7f06f42ece294f48fabe14736fda6c0d34a414a1

            SHA256

            890ab17f9776aaf37b577b18b895e558f82cf521eadb84ce6072387c917d67b8

            SHA512

            7c23537d75e6decd31df73b0d8da6b93cff515262eae816829c455d18df6df60bd7e867eb756ec7bbb9a139ea8033438d94965a8f04bf736b140962b6c3121ed

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\base_library.zip

            Filesize

            812KB

            MD5

            e11a6339fb0b1b4c46e616da6be00f07

            SHA1

            764c5938e67497eaa72f087b7eec40666942a2e0

            SHA256

            f64583427ce94822246429bb06e7a0f1edc82525d04f147e01a8a9931c3549ed

            SHA512

            c5a36b7108e3a7c1b3a74ec28cbe95ea260869883fd01e1cb0faddfae3c28264bcd608245f752af53d2f49e9df5fadb028cb867a80bd52ab89694773fdf067d8

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\certifi\cacert.pem

            Filesize

            259KB

            MD5

            ea4ee2af66c4c57b8a275867e9dc07cd

            SHA1

            d904976736e6db3c69c304e96172234078242331

            SHA256

            fa883829ebb8cd2a602f9b21c1f85de24cf47949d520bceb1828b4cd1cb6906c

            SHA512

            4114105f63e72b54e506d06168b102a9130263576200fb21532140c0e9936149259879ac30a8b78f15ae7cb0b59b043db5154091312da731ac16e67e6314c412

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\libcrypto-1_1.dll

            Filesize

            1.1MB

            MD5

            1972b22cead0fa580ba4f48ab2189ffa

            SHA1

            cd98e02653c15ca11526c608fb624d11c86842c3

            SHA256

            a1b2c9629ae78ac3a81ca890148f6739a011ab9d73e139ee8a0dcae673991b07

            SHA512

            39d03558e59c125e1536adbcee03fdbc646551a6c0469fef9f47789888cd0adaba2876b04f48fdabb2057569ff19fbd1d235f33ef5cf2c9c8ae397cef45f71f6

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\libffi-7.dll

            Filesize

            23KB

            MD5

            b5150b41ca910f212a1dd236832eb472

            SHA1

            a17809732c562524b185953ffe60dfa91ba3ce7d

            SHA256

            1a106569ac0ad3152f3816ff361aa227371d0d85425b357632776ac48d92ea8a

            SHA512

            9e82b0caa3d72bb4a7ad7d66ebfb10edb778749e89280bca67c766e72dc794e99aab2bc2980d64282a384699929ce6cc996462a73584898d2df67a57bff2a9c6

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\libssl-1_1.dll

            Filesize

            199KB

            MD5

            4be0259d38999d6537ad6ebddfc1c609

            SHA1

            922a8b26e557913d0a50f28b4406e1af1a46fc47

            SHA256

            847582fe3215e7c3821a0424ffd0b7fd0b01b019caca883d8a84ec947a4159eb

            SHA512

            6c80c395597781f01f244b64477b499ad7d73acb4fcb7c177f00c6d0c48e54d00a500679103f6f611ae970ec45adc9136304d92444d11adff422b2e12bbbe242

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\python3.dll

            Filesize

            60KB

            MD5

            c38e9571f33898eb9f3da53dc29b512f

            SHA1

            5be348c829b6dfa008d0dd239414ad388e5d7ace

            SHA256

            70596aea8c5ca8f3bf88e46a0606522413b50208ec9fcc6b706f7a064cf83b79

            SHA512

            1704be273e3485013282c269fc974558683204639fccfb46e6eb640c64a0769a21572a07ee62fe1d5eb1eed4d1419f2293d6e4fd8193caafe128c6d66bd48f6e

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\python310.dll

            Filesize

            1.4MB

            MD5

            b607df83392febab3f5745b79dc26c57

            SHA1

            58c4b08575afbca1cf21e0995ca9048290241ebd

            SHA256

            6a21dc896a78c961eac3dad70a9addc289c6c8449fe5c09b37adf12310e06b0e

            SHA512

            a341b1b1a725a6df59d3b0f8e1afd3c8d39b63d682f297321ac59418f1f8089b3caca8374dcf453a09e77c53f0f47e889b965b9f3d0ec9dd5b8cff8839838d4d

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\select.pyd

            Filesize

            21KB

            MD5

            6b060423e9286414cd6529d4ae6fcda5

            SHA1

            41f0f83c395a936b313001307cbbe2f01224fa35

            SHA256

            6ee51b502c418c8a6d3e5c13f22bee6f72503043ac33b4f1ac01adf7531557ae

            SHA512

            04256d6fb99296c6b3c29fd69b0f90ac1eb8a25c2e7750b3fda4a145d5d9bc7a6e5d5b3691c0784c810f3e7cea3f080325d6cec2901ed206b57dcf1b6777e4ff

          • C:\Users\Admin\AppData\Local\Temp\_MEI48162\unicodedata.pyd

            Filesize

            285KB

            MD5

            be56a94f07b3f4593ef55de868c931ec

            SHA1

            62f4b81d4c280e631fbfee0eb13001c1bfee52da

            SHA256

            659fc6eb5d80874d55e343949ed36b0c8f6f9abd396460c66085552d14e41432

            SHA512

            db6adcb2b03be9305e852c07c29e1851d3e276eed447f7b597dc33345df9f8e8bd4bd8ccb62d8737130354b1e8ea46681dce1495c7c52dd92b87b0e607689cfb

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_utrhvmcf.cfe.ps1

            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

          • memory/2676-85-0x00007FF970FE0000-0x00007FF971357000-memory.dmp

            Filesize

            3.5MB

          • memory/2676-114-0x00007FF970FE0000-0x00007FF971357000-memory.dmp

            Filesize

            3.5MB

          • memory/2676-76-0x00007FF986ED0000-0x00007FF986EDD000-memory.dmp

            Filesize

            52KB

          • memory/2676-72-0x00007FF986480000-0x00007FF986499000-memory.dmp

            Filesize

            100KB

          • memory/2676-86-0x000001FF81FC0000-0x000001FF82337000-memory.dmp

            Filesize

            3.5MB

          • memory/2676-90-0x00007FF986370000-0x00007FF986384000-memory.dmp

            Filesize

            80KB

          • memory/2676-101-0x00007FF986350000-0x00007FF986369000-memory.dmp

            Filesize

            100KB

          • memory/2676-103-0x00007FF974B10000-0x00007FF974B3C000-memory.dmp

            Filesize

            176KB

          • memory/2676-231-0x00007FF9704B0000-0x00007FF970915000-memory.dmp

            Filesize

            4.4MB

          • memory/2676-100-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp

            Filesize

            144KB

          • memory/2676-81-0x00007FF986450000-0x00007FF98647E000-memory.dmp

            Filesize

            184KB

          • memory/2676-96-0x00007FF9770E0000-0x00007FF9771F8000-memory.dmp

            Filesize

            1.1MB

          • memory/2676-95-0x00007FF986D90000-0x00007FF986D9D000-memory.dmp

            Filesize

            52KB

          • memory/2676-94-0x00007FF9704B0000-0x00007FF970915000-memory.dmp

            Filesize

            4.4MB

          • memory/2676-59-0x00007FF9704B0000-0x00007FF970915000-memory.dmp

            Filesize

            4.4MB

          • memory/2676-219-0x00007FF986350000-0x00007FF986369000-memory.dmp

            Filesize

            100KB

          • memory/2676-220-0x00007FF974B10000-0x00007FF974B3C000-memory.dmp

            Filesize

            176KB

          • memory/2676-69-0x00007FF986F80000-0x00007FF986F8F000-memory.dmp

            Filesize

            60KB

          • memory/2676-221-0x00007FF986390000-0x00007FF986447000-memory.dmp

            Filesize

            732KB

          • memory/2676-67-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp

            Filesize

            144KB

          • memory/2676-222-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp

            Filesize

            144KB

          • memory/2676-223-0x00007FF986F80000-0x00007FF986F8F000-memory.dmp

            Filesize

            60KB

          • memory/2676-105-0x00007FF986480000-0x00007FF986499000-memory.dmp

            Filesize

            100KB

          • memory/2676-106-0x00007FF986450000-0x00007FF98647E000-memory.dmp

            Filesize

            184KB

          • memory/2676-117-0x00007FF9770E0000-0x00007FF9771F8000-memory.dmp

            Filesize

            1.1MB

          • memory/2676-82-0x00007FF986390000-0x00007FF986447000-memory.dmp

            Filesize

            732KB

          • memory/2676-110-0x00007FF986480000-0x00007FF986499000-memory.dmp

            Filesize

            100KB

          • memory/2676-108-0x00007FF9864A0000-0x00007FF9864C4000-memory.dmp

            Filesize

            144KB

          • memory/2676-120-0x00007FF986390000-0x00007FF986447000-memory.dmp

            Filesize

            732KB

          • memory/2676-107-0x00007FF9704B0000-0x00007FF970915000-memory.dmp

            Filesize

            4.4MB

          • memory/2676-121-0x000001FF81FC0000-0x000001FF82337000-memory.dmp

            Filesize

            3.5MB

          • memory/2676-224-0x00007FF986480000-0x00007FF986499000-memory.dmp

            Filesize

            100KB

          • memory/2676-225-0x00007FF986ED0000-0x00007FF986EDD000-memory.dmp

            Filesize

            52KB

          • memory/2676-226-0x00007FF986450000-0x00007FF98647E000-memory.dmp

            Filesize

            184KB

          • memory/2676-228-0x00007FF970FE0000-0x00007FF971357000-memory.dmp

            Filesize

            3.5MB

          • memory/2676-229-0x00007FF986370000-0x00007FF986384000-memory.dmp

            Filesize

            80KB

          • memory/2676-230-0x00007FF986D90000-0x00007FF986D9D000-memory.dmp

            Filesize

            52KB

          • memory/2676-227-0x00007FF9770E0000-0x00007FF9771F8000-memory.dmp

            Filesize

            1.1MB

          • memory/3424-4-0x00000000270F0000-0x00000000278EC000-memory.dmp

            Filesize

            8.0MB

          • memory/3424-2-0x000000001D5E0000-0x000000001E1EA000-memory.dmp

            Filesize

            12.0MB

          • memory/3424-123-0x00007FF9765B0000-0x00007FF977071000-memory.dmp

            Filesize

            10.8MB

          • memory/3424-58-0x00007FF9765B0000-0x00007FF977071000-memory.dmp

            Filesize

            10.8MB

          • memory/3424-3-0x00007FF9765B0000-0x00007FF977071000-memory.dmp

            Filesize

            10.8MB

          • memory/3424-1-0x0000000000CC0000-0x000000000169A000-memory.dmp

            Filesize

            9.9MB

          • memory/3424-5-0x00007FF9765B3000-0x00007FF9765B5000-memory.dmp

            Filesize

            8KB

          • memory/3424-6-0x0000000002500000-0x0000000002540000-memory.dmp

            Filesize

            256KB

          • memory/3424-0-0x00007FF9765B3000-0x00007FF9765B5000-memory.dmp

            Filesize

            8KB

          • memory/4436-130-0x00000292ADC90000-0x00000292ADCB2000-memory.dmp

            Filesize

            136KB

          • memory/4436-135-0x0000029295680000-0x0000029295690000-memory.dmp

            Filesize

            64KB

          • memory/4436-136-0x00000292ADFC0000-0x00000292AE0C2000-memory.dmp

            Filesize

            1.0MB

          • memory/4436-124-0x00000292ADD20000-0x00000292ADDA2000-memory.dmp

            Filesize

            520KB