8d640da972040cdef95eee8c1f6f81511b2f79e61e6f3cbaeb434d1558a46b44

Analysis

max time kernel
68s
max time network
69s
platform
windows7_x64
resource
win7-20240708-en
resource tags

arch:x64arch:x86image:win7-20240708-enlocale:en-usos:windows7-x64system
submitted
14/08/2024, 10:34

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/ProxyInstaller.exe
Size

85KB
MD5

77a694daac4aa5bb2e7ce6c1de817ca3
SHA1

17d6b573e8bf8c7f027c5cf29c766df1fc008d71
SHA256

fa0e6ed5b5b617fbdaa6a5d02503045864eb24f217ac7785ff1570ed86c76708
SHA512

be3795bea4b3b5db3376c20899b483f0c3da33442917562fa39aa3a313d040400bb52e92bc44c48cac0ba462eaabe9ba605b41c799df0944e5f5b4d1a05c2bce
SSDEEP

1536:yErPZ3IBZcbTfu1HlrJFCPcbPnSOH3/oi7sPBiJQRsCoH7hfJ85:BPC23aJFC0bPn/H3wzBiJQyC27Q5

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 19 IoCs

pid	Process
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2752	DownloadACC.exe
2752	DownloadACC.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe
2644	ProxyInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProxyInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DownloadACC.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2752	DownloadACC.exe
Token: SeBackupPrivilege	2752	DownloadACC.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2644 wrote to memory of 2752	2644	ProxyInstaller.exe	30
PID 2644 wrote to memory of 2752	2644	ProxyInstaller.exe	30
PID 2644 wrote to memory of 2752	2644	ProxyInstaller.exe	30
PID 2644 wrote to memory of 2752	2644	ProxyInstaller.exe	30
PID 2644 wrote to memory of 2752	2644	ProxyInstaller.exe	30
PID 2644 wrote to memory of 2752	2644	ProxyInstaller.exe	30
PID 2644 wrote to memory of 2752	2644	ProxyInstaller.exe	30

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ProxyInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ProxyInstaller.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2644
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DownloadACC.exe
  DownloadACC.exe "-localPath=" "-url=http://" "-regPath=Software\Conduit\DistributionEngine\Download\\"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2752

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nso465.tmp\DownloadACC.dll

Filesize
214KB

MD5
d6af00f1e4ee33c1b91a4b958d8f6412

SHA1
afde2ad881d59879ff62112520ab03cb83f5b26e

SHA256
1e1943c0946f48f8acc573ce9485d98aa966ef3e56cb85e8d7d03b4bb0489cb1

SHA512
2f21c5aeacc7fecc7db8fed747f00d3b47cce788df05c7f816c15f1318542fa5c90cb3686307e68639cd8663d9d7505d25b35ee88620636e4019f37e0e2cc55c

Download Submit
\Users\Admin\AppData\Local\Temp\nso465.tmp\System.dll

Filesize
16KB

MD5
e3b0a969b5979531eb58e9f0c7934154

SHA1
c374f2e7b273e72aa9979eb90ae44fdf530e071d

SHA256
e8e8be33b82875d64cab1d6b29be8ec4469e8789f0829f686aff1d0c989390b5

SHA512
32daa856cd74273b5e0bc7e339968ac86ef93fb557a13703a662335223c2e6b6bfc7e8780ebb4934b3758bdbdabc8e9e1b298a6499da69278be4c50b0604c0cb

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3B9.tmp\System.dll

Filesize
16KB

MD5
f6029b4a0501aae178d8c718e38ee2b9

SHA1
ae2e181a799e638357c641103997cb24065d4f25

SHA256
a0336b52ec99ec4355e1cdc5b3374a45af586a60dc036917e1daff05fa151086

SHA512
6648c2a1f9b312f351810e1e7dc69f33a7cbceb710de96d585527fda5fa1e86b00a38034414597ea75ce0a5052c1e2bcae265d01d4541f666a61a0ec0a79bff9

Download Submit
\Users\Admin\AppData\Local\Temp\nsy3B9.tmp\inetc.dll

Filesize
28KB

MD5
2d949f5ca08919067c056f0a76c1c747

SHA1
fd1727b91b125b3e85d061cb1a06b45edf7f8701

SHA256
a4c6da1e7cb0691dba1cb6b47239ad5967a107e87221e402b853f64d798f2d94

SHA512
0b9a7f580e09541f9762ac755e056ee683612dec04801dfd2b9b03897765b3ab0d10e2be4b9636316c11cb8eba1cc60d1be60eaa90bbb0b9c1ee8994e01cdc2f

Download Submit