Analysis
-
max time kernel
138s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240708-en -
resource tags
-
submitted
01/09/2024, 14:22
General
-
Target
PenguinProxy.exe
-
Size
68.7MB
-
MD5
96684c702e0c0de05558dc02cb86f81d
-
SHA1
53594ede3e37f193c5f25fda819588e7e526af94
-
SHA256
948a55e050f0d8fbaf359ddb6b6abbb6132af66354d7e930c7ce901c76f5e7b9
-
SHA512
8f0c0fe22cf73b0f09ecdd2301b60af2b4721800e315a2edca4965754e449f47c9cba681c38ffa2fcf29ef9f68fd05613c274502f65337ebc5ceac0302dda8e4
-
SSDEEP
1572864:MvPu4OjcNP43qLW6GRXS2Fgh53VIRTR3qw7uTvury4B03T4O:OuAyfS2Fgh53Vy3X7Uury3TN
Malware Config
Signatures
-
Adds Run key to start application 2 TTPs 1 IoCs
-
Legitimate hosting services abused for malware hosting/C2 1 TTPs 5 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Executes dropped EXE 7 IoCs
-
Loads dropped DLL 18 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 16 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Modifies system certificate store 2 TTPs 2 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
-
Suspicious use of FindShellTrayWindow 6 IoCs
-
Suspicious use of SendNotifyMessage 5 IoCs
-
Suspicious use of WriteProcessMemory 63 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\PenguinProxy.exe"C:\Users\Admin\AppData\Local\Temp\PenguinProxy.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe"C:\Users\Admin\AppData\Local\SquirrelTemp\Update.exe" --install .2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe"C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe" --squirrel-install 0.3.13⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe"C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe" --squirrel-firstrun3⤵
- Adds Run key to start application
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Modifies system certificate store
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe"C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe" --type=gpu-process --enable-features=SharedArrayBuffer --no-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=14694501790752275826 --mojo-platform-channel-handle=952 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v ProxyEnable /t REG_DWORD /d 0 /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d "https://www.penguinproxy.com/static/download/config.pac" /f"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings" /v AutoConfigURL /t REG_SZ /d "https://www.penguinproxy.com/static/download/config.pac" /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /t REG_Binary /d 46000000050000000500000000000000000000003700000068747470733A2F2F7777772E70656E6775696E70726F78792E636F6D2F7374617469632F646F776E6C6F61642F636F6E6669672E7061630000000000000000000000000000000000000000000000000000000000000000 /f"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v DefaultConnectionSettings /t REG_Binary /d 46000000050000000500000000000000000000003700000068747470733A2F2F7777772E70656E6775696E70726F78792E636F6D2F7374617469632F646F776E6C6F61642F636F6E6669672E7061630000000000000000000000000000000000000000000000000000000000000000 /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /d /s /c "REG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v SavedLegacySettings /t REG_Binary /d 46000000050000000500000000000000000000003700000068747470733A2F2F7777772E70656E6775696E70726F78792E636F6D2F7374617469632F646F776E6C6F61642F636F6E6669672E7061630000000000000000000000000000000000000000000000000000000000000000 /f"4⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\reg.exeREG ADD "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Connections" /v SavedLegacySettings /t REG_Binary /d 46000000050000000500000000000000000000003700000068747470733A2F2F7777772E70656E6775696E70726F78792E636F6D2F7374617469632F646F776E6C6F61642F636F6E6669672E7061630000000000000000000000000000000000000000000000000000000000000000 /f5⤵
- System Location Discovery: System Language Discovery
-
-
-
C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe"C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe" --type=renderer --no-sandbox --enable-features=SharedArrayBuffer --service-pipe-token=3436332418067241056 --lang=en-US --app-user-model-id=com.squirrel.PenguinProxy.PenguinProxy --app-path="C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\resources\app.asar" --node-integration=true --webview-tag=true --no-sandbox --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=3436332418067241056 --renderer-client-id=4 --mojo-platform-channel-handle=1324 /prefetch:14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe"C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe" --type=renderer --no-sandbox --enable-features=SharedArrayBuffer --service-pipe-token=9587732904055868101 --lang=en-US --app-user-model-id=com.squirrel.PenguinProxy.PenguinProxy --app-path="C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\resources\app.asar" --node-integration=true --webview-tag=true --no-sandbox --background-color=#fff --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --service-request-channel-token=9587732904055868101 --renderer-client-id=6 --mojo-platform-channel-handle=1420 /prefetch:14⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe"C:\Users\Admin\AppData\Local\PenguinProxy\app-0.3.1\PenguinProxy.exe" --type=gpu-process --enable-features=SharedArrayBuffer --disable-gpu-sandbox --no-sandbox --gpu-preferences=KAAAAAAAAACAAwBAAQAAAAAAAAAAAGAAAAAAAAAAAAAIAAAAAAAAACgAAAAEAAAAIAAAAAAAAAAoAAAAAAAAADAAAAAAAAAAOAAAAAAAAAAQAAAAAAAAAAAAAAAKAAAAEAAAAAAAAAAAAAAACwAAABAAAAAAAAAAAQAAAAoAAAAQAAAAAAAAAAEAAAALAAAA --service-request-channel-token=3094385517678997761 --mojo-platform-channel-handle=2508 /prefetch:24⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
-
-
-
Network
MITRE ATT&CK Enterprise v15
Privilege Escalation
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Defense Evasion
Modify Registry
2Subvert Trust Controls
1Install Root Certificate
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
3.5MB
MD5587a415cd5ac2069813adef5f7685021
SHA1ca0e2fe1922b3cdc9e96e636a73e5c85a838e863
SHA2562ad0d4987fc4624566b190e747c9d95038443956ed816abfd1e2d389b5ec0851
SHA5120fa0e89ea1c1cb27ac7f621feb484438e378a8f5675eca7a91f24e0569174bd848d470d6b3e237fe6ab27ca1eb1ecc09b5f044e53a6d98bf908e77ac511183e2
-
Filesize
163KB
MD56b0554d58e8c0cdbf0bb88ee032fdc4b
SHA10985707237768abbf89acb3d362c7e62f9ef80bb
SHA256ebc1a06972979c372fda5711d505a3b5041e6ee448d80de84f9eda84d37e4a86
SHA512c01af1a038030f0141988cc4c0e6676c50934e705f13046dc57b00b4814abb37c88d623aa1c64ae0740be191bf261e6ce3c1a05100037a9c33eb877b0b8b95ad
-
Filesize
243KB
MD58ab92f2b5d78419af2e4e66d4391dfd2
SHA1220e001d9fac6f01217b6f6d9b167aa5d9654620
SHA256b2d93b68f9b8e3b6ccfa4d0225af4d6e55e2a47ace53e4e64d105ce7183a04d6
SHA512afdb8d9345720ac7bcecb376ce21bc07ebed978e8b8c451762b50b1108127b1dbb04a1010cd746cc06084339b2e0dcc38dde16192ae26faa1d5030b87fee729c
-
Filesize
1.9MB
MD544bea9a3cc38abd2e34dbdd5eea97cc2
SHA135249b19a3eb3da54cbc2502cec1e9247d56a57e
SHA2561bbcae9241fdc6ddeeeb125abeb307700c05868525f02cf8637d7d3a965510b0
SHA51271760eef5354f88292f136a5a9e25887b454fa72d915cbddaa025a0d2fd3b84a7663f3f46b2b9845eab8db0bf133b9cf95a3eca1d98e90f97c37222d94d71956
-
Filesize
9.7MB
MD58cda09112153ff6dc3aded6ffeb6835f
SHA1bdbbdfd4079b3a418272e8bdf015e1b259aa1333
SHA2566c98bb4ccc3888ad4f94163d1654578442506f04012d5da819445a80bb85636f
SHA51265727e37d6802ed42b4be4e4d9a172e0cb28c85dcefd5567888bf2342a58541fcfe0c1248822f17d7641ea40af1262fa6f5733417a62b9e19c8bedd357ad625c
-
Filesize
58KB
MD5104437c82defe34717b1dc667d9e28aa
SHA1844b450de3f12e1c4b76bb32f3513ab3a7331dc8
SHA256df2f5f3830fc3fdeaf4f941b6b30cf051ab52b592bc6e31ae7176eecfda0c1a7
SHA512f7d917bc492c8aba74eb2148baf9836bb6cb3ed058c53ae3eac7128f5156da54384d5dac2134b35f6b5ae05bf086fcaf2977e9a4374f14aee64d942329042572
-
Filesize
122KB
MD599e9ed492dc4b9318704745f69e3ff43
SHA14276e245efeb0256bbbdefa77063d2585712198e
SHA256ad6654fca057a8b8735c8b5cdba9d322396befe7e706429b8236c234a3941da1
SHA5125163af106d268ff2a324519eac9a17572191add3a5283496170dcff10f52bd9854e47a00c4fe40d83c01b8cd21eaaa0665647044ddb038cf7191ff19c95af539
-
Filesize
8.3MB
MD5c1ec43bae5c76eac7b228b26656c5257
SHA1a76383f0208d864fdc8dce15552fcd1345a958b6
SHA256e2dfed05af7e2a59b90cf3cdd257d0922f1a2ca4533ecaa7e0702d7d49305d24
SHA51257088d1f9ebfdd964785668edca30fa6dd6cf68445337fc6083a127aeb6013a1584391a397ff9ef98783c45a131eef2dac4db1b011cdd5e1bb41ab4933a459c9
-
Filesize
32.8MB
MD5c811d07f609dc91deb08ddf3fe98dc61
SHA1231529766ae86a4194e828ea66754a9eaa79f390
SHA256bb6d4648979e16cd77f3a071f313ab7d52e8feb77be8cb000a3f714b3dbeaee4
SHA51265c6a5573fa28e0012bdfca8c5dbc0e686dd783eb9844ca984dca62847f8685e629640330dba1550d221612e27fa92a004aab807205e37d8913d774f5a0d41e4
-
Filesize
270KB
MD50769239ccfdfd438696737af57c9e9a5
SHA145a4667e0f98c7db78de1785274b00f142d8dc0a
SHA2569c4559f387d6d9157f2e7c9eca0ada63468c07a3a2b6d471b0ccd134595b8fd0
SHA5124827b9b0123e1b382ed3b1b61d889e32374906009723db109aae6ec662252416af4e640ada4a4bebdba219d0a5583d17752b50f0f2b2b0c99703aa04f9504077
-
Filesize
114KB
MD5b984b93be6b2694d57025bad3019a24d
SHA1ba86f04511b3b2e0f10715f7824f4356dd844c4c
SHA256fe3f081756ae2cea66d85104e2be506ba3bc563352b74ed0933d075d378c6c95
SHA512a9fc05386a34e3505e86f6093e31c6fb566d76928951d28f75f458952877bea2cfabfb73a747382ca78bec7d48947fba14fa6c7949b327f358b4b2c85b2cbf70
-
Filesize
2.1MB
MD5b53176cc73ec1659486076db5465f812
SHA1ecd75d965a6a985ff068d52f5ef964bf74562d38
SHA256b1689d18ef96c35ea07a658662a842f1ade67b787820537e86d37fbfed382220
SHA5122c7bb81a92030008a944537ed60a3db2ff1e19505ad95a255753527458607d8da1be9cc6aef9ddd0f969ffed195134ac5175cacba50bae0e04db6fe32b268f3e
-
Filesize
1.5MB
MD54348e3d1404c42e69f86de6f182288e3
SHA10445fe9e300b2ffb53c7a61e31ef7191dc125747
SHA2561f2575702e760efc0ceb73fa521bc16aa801e3d8bc97be613c107938b40edc79
SHA5126b30cbeee40ded83fc97d299b07b67809b89ec4b484db6e5cda3cd0f2070b3681a708e62ab9cae36798565d16e2b82e694a2d32d6d6fc159b18632c64fae0bf4
-
Filesize
82B
MD5eea6b17bdb75f336eba41849d3a8c6e1
SHA16b69f33920b36a3c3a0778cda84f2189aad7dc4d
SHA256915d639f30cd0abb16f04a1872e3918d413cf2baeb474000c3bed227e3d539d1
SHA5129cd8e7e61a421c06d768f44d15186b98d2bffb99c4d510995c8737b10d526bc655cb79e12762676403db960580df38833c6639f02625da2bc51a3ab4aa95fa3a
-
Filesize
79B
MD5f310866be12de8996c140f2d9b39279e
SHA156adf0b77ac69f682a1b8fd9fe146589b49f59c1
SHA2569e9ba6c77707a05f5e82f0985dface2240c50226ad6552e503ee2c5790d351de
SHA512d2ff39082588be4c6d6d8dfc3c4a42fb3c6642b1ecf8ae8f32ce4adead79cbfd7491f5ad5d0b6fad3069e96a0a19806ac1d54e918321430c0b5535cff5f89b20
-
Filesize
20KB
MD5397d481010dca12cd7acdf8fefa120f5
SHA1e8e165794a182fd656dc3f5f2bb497a3e7e00dca
SHA256cb5eb255c8d52fa7e4eee86e3e3b9285c3447ce31c420fa443bf9921d831b61a
SHA51277a48c78d9c04027d4ef037f3969e27d6794cef9886c3f0c180eee84e13c47057bb1b084b40c15c5dcba187bc7be018806348230882cd1351e06597a5f1b7255
-
Filesize
3KB
MD5969845c6c54d535b599bd80e9d8a1bdf
SHA14ee9e59b8bd5b5dde0c4e9917ffa401e47779d1e
SHA256d6d0a15aad78eadc670b606d0ddb07525a218f6532527cf52b3485d2b0b4bd18
SHA512659ec00e1f4a0e81350fa91e4bb6fd9ce49615d2f3a59cbb13f97aec63892d8aa14335d20d0e991c7a21451db87620fd70f0fb907a19b5a3038b22a67cf1e8c3
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
553B
MD55c5c7c2b37374c1fe9ccd5ba83537a5c
SHA19867f68ff736af52a710fcd6f7d88bde3fb42362
SHA25649456bcefac83401d37eeb1a79c563425b70cd7b5f569be8fc24d9bda6bcc7e2
SHA5128b25d5eedeb81809e68bf0b34a904a6ffdbffe2d4e011a1f8e8a594c1a0a964f701a31ef0c9f5cb849bf663130c7d9502342d8b06c8199ed9cc2681a5e300f9f
-
Filesize
1.8MB
MD5b30b80f3ad32d8ad0bc4339b4e776e11
SHA197f12b3febe164994a0d8ecf867a5e774c8b39b6
SHA2560a24c5eae41415f19dc7673cdd651727f78dcc9814e4fc6e3858b00bd419959c
SHA512dabb51a751f3fddbc35d8cfbf9c29aa6bda703604e7cd8c71a801ea76a3d6297ed570477bcca763dc241f2f6f77d2060505ec5aed9534ab1edb90318d0717abb
-
Filesize
4KB
-
Filesize
40KB
-
Filesize
4KB
-
Filesize
1.8MB
-
Filesize
6.9MB
-
Filesize
6.9MB
-
Filesize
40KB
-
Filesize
6.9MB
