afaf9770608b7ba29f183586c580fc8093a2efdd68febff71122ac41cedae49d

Analysis

max time kernel
144s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe
Size

2.1MB
MD5

b472373d26e5446e44e11ee35803fb2c
SHA1

2f4d67d015fca0a3f7105d3fa7bfbbf48454dfe4
SHA256

fc897f290aab0e768822c3ee33e0b1ee2d15b6f23139f007299b26563efefc94
SHA512

41958196e899f325b4bea38696838eb6341246d7e6a1c311ec72dbf32dfc338c7e4f05e7fdd38b68d4f33c011867049c20cfbf625f36682219c3391b64062db4
SSDEEP

49152:wnsHyjtk2MYC5GD2T/t/GERDN+2VsjnAGERDi:wnsmtk2aaEv+2VUDEk

Score

8^/10

discovery macro persistence

Malware Config

Signatures

Suspicious Office macro 1 IoCs

Office document equipped with macros.

macro

resource
behavioral15/files/0x000500000001904d-108.dat

Executes dropped EXE 3 IoCs

pid	Process
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2816	Synaptics.exe
2632	._cache_Synaptics.exe

Loads dropped DLL 7 IoCs

pid	Process
1980	Proxy Checker v0.2 By X-SLAYER.exe
1980	Proxy Checker v0.2 By X-SLAYER.exe
1980	Proxy Checker v0.2 By X-SLAYER.exe
2816	Synaptics.exe
2816	Synaptics.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Proxy Checker v0.2 By X-SLAYER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxy Checker v0.2 By X-SLAYER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	EXCEL.EXE

Enumerates system info in registry 2 TTPs 1 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\FloatingPointProcessor	EXCEL.EXE

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
368	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 32 IoCs

pid	Process
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2632	._cache_Synaptics.exe
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2632	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 3 IoCs

pid	Process
2632	._cache_Synaptics.exe
2196	._cache_Proxy Checker v0.2 By X-SLAYER.exe
368	EXCEL.EXE

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 1980 wrote to memory of 2196	1980	Proxy Checker v0.2 By X-SLAYER.exe	31
PID 1980 wrote to memory of 2196	1980	Proxy Checker v0.2 By X-SLAYER.exe	31
PID 1980 wrote to memory of 2196	1980	Proxy Checker v0.2 By X-SLAYER.exe	31
PID 1980 wrote to memory of 2196	1980	Proxy Checker v0.2 By X-SLAYER.exe	31
PID 1980 wrote to memory of 2816	1980	Proxy Checker v0.2 By X-SLAYER.exe	32
PID 1980 wrote to memory of 2816	1980	Proxy Checker v0.2 By X-SLAYER.exe	32
PID 1980 wrote to memory of 2816	1980	Proxy Checker v0.2 By X-SLAYER.exe	32
PID 1980 wrote to memory of 2816	1980	Proxy Checker v0.2 By X-SLAYER.exe	32
PID 2816 wrote to memory of 2632	2816	Synaptics.exe	33
PID 2816 wrote to memory of 2632	2816	Synaptics.exe	33
PID 2816 wrote to memory of 2632	2816	Synaptics.exe	33
PID 2816 wrote to memory of 2632	2816	Synaptics.exe	33

C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 By X-SLAYER.exe
"C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 By X-SLAYER.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1980
- C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 By X-SLAYER.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 By X-SLAYER.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2196
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2816
- - C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of SetWindowsHookEx
    PID:2632

C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE
"C:\Program Files (x86)\Microsoft Office\Office14\EXCEL.EXE" /automation -Embedding
1⤵
- System Location Discovery: System Language Discovery
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.1MB

MD5
b472373d26e5446e44e11ee35803fb2c

SHA1
2f4d67d015fca0a3f7105d3fa7bfbbf48454dfe4

SHA256
fc897f290aab0e768822c3ee33e0b1ee2d15b6f23139f007299b26563efefc94

SHA512
41958196e899f325b4bea38696838eb6341246d7e6a1c311ec72dbf32dfc338c7e4f05e7fdd38b68d4f33c011867049c20cfbf625f36682219c3391b64062db4

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIkOFV8Z.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
C:\Users\Admin\AppData\Local\Temp\JIkOFV8Z.xlsm

Filesize
23KB

MD5
c95c6c679b92cc1b785a6f8a07a1c38f

SHA1
42d60a1fc40409fa2a971cdc6bb691a4dda4e8b3

SHA256
ca69975ae96b51023bb4f36d1cfaf89e0e3e29979d2bd7919f1d0e6d1c0043a5

SHA512
a66fbe4bef5f1507c9257671a38e37779a726ae241f62d794cbc0c68b33fb68b7f91b3ed3763a77ced7942c6279ea3b985710e9cf25af76996b6129c8c80f28f

Download Submit
\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.3.5.0\x64\ssapihook.dll

Filesize
66KB

MD5
c74d260d388f5ac3d95d8c1c3a27c989

SHA1
5da009086036004a7c670d608d5e1e923aead568

SHA256
dc1bebb8ce88d59e4b3130c1ff2c4b7f5df2701c7a71b476b8a6f2ed541db628

SHA512
6460db8f73806017d267c0e4e112902956a3bc53853c6a893cff66fe44772305b2c158ef8b58e993806d713aceaddcf2efa7ccf625063678444d3fd20b10546a

Download Submit
\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 By X-SLAYER.exe

Filesize
1.4MB

MD5
6d0fc4a87660eb12e4748e3b38b26879

SHA1
a780cc0f3feb7cdfb09051a18dd102b9ab111ff1

SHA256
5d9a4b3353659a3e88b520ec6b2a9d461bcbf8866a37dde649a416f7532a30d4

SHA512
a413451a621f8df7f7256ea96695459d3e7f4963863523329e483850fa94569ec97e247ba614aff7416c678e270c0dbe282bff18be0dac057176fc964178f903

Download Submit
memory/368-97-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-98-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-92-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-114-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/368-96-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-99-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-88-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-90-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-91-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-93-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-95-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-73-0x000000005FFF0000-0x0000000060000000-memory.dmp

Filesize
64KB

Download
memory/368-77-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-89-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-94-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-79-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-83-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-76-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-78-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-80-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-81-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-82-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-84-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-85-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-86-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/368-87-0x00000000003B0000-0x00000000004B0000-memory.dmp

Filesize
1024KB

Download
memory/1980-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1980-21-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2196-62-0x000000001AAC0000-0x000000001AAC1000-memory.dmp

Filesize
4KB

Download
memory/2196-59-0x000000001AAA0000-0x000000001AAA1000-memory.dmp

Filesize
4KB

Download
memory/2196-43-0x0000000000C80000-0x0000000000C81000-memory.dmp

Filesize
4KB

Download
memory/2196-15-0x0000000000F60000-0x00000000010C8000-memory.dmp

Filesize
1.4MB

Download
memory/2196-41-0x0000000000BF0000-0x0000000000BF1000-memory.dmp

Filesize
4KB

Download
memory/2196-51-0x00000000024E0000-0x00000000024E1000-memory.dmp

Filesize
4KB

Download
memory/2196-45-0x0000000000C90000-0x0000000000C91000-memory.dmp

Filesize
4KB

Download
memory/2196-66-0x000007FE7B680000-0x000007FE7B681000-memory.dmp

Filesize
4KB

Download
memory/2196-47-0x0000000000CA0000-0x0000000000CA1000-memory.dmp

Filesize
4KB

Download
memory/2196-64-0x000000001AAD0000-0x000000001AAD1000-memory.dmp

Filesize
4KB

Download
memory/2196-49-0x00000000024D0000-0x00000000024D1000-memory.dmp

Filesize
4KB

Download
memory/2196-60-0x000000001AAB0000-0x000000001AAB1000-memory.dmp

Filesize
4KB

Download
memory/2196-57-0x000000001A990000-0x000000001A991000-memory.dmp

Filesize
4KB

Download
memory/2196-53-0x00000000024F0000-0x00000000024F1000-memory.dmp

Filesize
4KB

Download
memory/2196-55-0x000000001A980000-0x000000001A981000-memory.dmp

Filesize
4KB

Download
memory/2632-68-0x000007FE7B6B0000-0x000007FE7B6B1000-memory.dmp

Filesize
4KB

Download
memory/2632-52-0x000000001A890000-0x000000001A891000-memory.dmp

Filesize
4KB

Download
memory/2632-70-0x000007FE7B6C0000-0x000007FE7B6C1000-memory.dmp

Filesize
4KB

Download
memory/2632-58-0x000000001AD90000-0x000000001AD91000-memory.dmp

Filesize
4KB

Download
memory/2632-44-0x0000000002280000-0x0000000002281000-memory.dmp

Filesize
4KB

Download
memory/2632-50-0x000000001A880000-0x000000001A881000-memory.dmp

Filesize
4KB

Download
memory/2632-61-0x000000001ADA0000-0x000000001ADA1000-memory.dmp

Filesize
4KB

Download
memory/2632-48-0x000000001A870000-0x000000001A871000-memory.dmp

Filesize
4KB

Download
memory/2632-63-0x000000001ADB0000-0x000000001ADB1000-memory.dmp

Filesize
4KB

Download
memory/2632-46-0x000000001A860000-0x000000001A861000-memory.dmp

Filesize
4KB

Download
memory/2632-54-0x000000001A9A0000-0x000000001A9A1000-memory.dmp

Filesize
4KB

Download
memory/2632-56-0x000000001A9B0000-0x000000001A9B1000-memory.dmp

Filesize
4KB

Download
memory/2632-65-0x000000001ADC0000-0x000000001ADC1000-memory.dmp

Filesize
4KB

Download
memory/2632-42-0x0000000002270000-0x0000000002271000-memory.dmp

Filesize
4KB

Download
memory/2632-40-0x00000000009A0000-0x00000000009A1000-memory.dmp

Filesize
4KB

Download
memory/2632-33-0x000000001BB90000-0x000000001BC88000-memory.dmp

Filesize
992KB

Download
memory/2632-32-0x0000000000310000-0x0000000000334000-memory.dmp

Filesize
144KB

Download
memory/2632-31-0x00000000003A0000-0x0000000000508000-memory.dmp

Filesize
1.4MB

Download
memory/2816-72-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2816-115-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2816-116-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/2816-118-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download