afaf9770608b7ba29f183586c580fc8093a2efdd68febff71122ac41cedae49d

Analysis

max time kernel
149s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19-09-2024 02:27

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxy Checker v0.2/Proxy Checker v0.2 By X-SLAYER.exe
Size

2.1MB
MD5

b472373d26e5446e44e11ee35803fb2c
SHA1

2f4d67d015fca0a3f7105d3fa7bfbbf48454dfe4
SHA256

fc897f290aab0e768822c3ee33e0b1ee2d15b6f23139f007299b26563efefc94
SHA512

41958196e899f325b4bea38696838eb6341246d7e6a1c311ec72dbf32dfc338c7e4f05e7fdd38b68d4f33c011867049c20cfbf625f36682219c3391b64062db4
SSDEEP

49152:wnsHyjtk2MYC5GD2T/t/GERDN+2VsjnAGERDi:wnsmtk2aaEv+2VUDEk

Score

7^/10

discovery persistence

Malware Config

Signatures

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Proxy Checker v0.2 By X-SLAYER.exe
Key value queried	\REGISTRY\USER\S-1-5-21-523280732-2327480845-3730041215-1000\Control Panel\International\Geo\Nation	Synaptics.exe

Executes dropped EXE 3 IoCs

pid	Process
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
1376	Synaptics.exe
2824	._cache_Synaptics.exe

Loads dropped DLL 2 IoCs

pid	Process
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Synaptics Pointing Device Driver = "C:\\ProgramData\\Synaptics\\Synaptics.exe"	Proxy Checker v0.2 By X-SLAYER.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Proxy Checker v0.2 By X-SLAYER.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Synaptics.exe

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	EXCEL.EXE

Enumerates system info in registry 2 TTPs 3 IoCs

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemFamily	EXCEL.EXE
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	EXCEL.EXE

Modifies registry class 2 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Proxy Checker v0.2 By X-SLAYER.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	Synaptics.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs

pid	Process
212	EXCEL.EXE

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe
2824	._cache_Synaptics.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
2160	._cache_Proxy Checker v0.2 By X-SLAYER.exe
2824	._cache_Synaptics.exe
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE
212	EXCEL.EXE

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1724 wrote to memory of 2160	1724	Proxy Checker v0.2 By X-SLAYER.exe	82
PID 1724 wrote to memory of 2160	1724	Proxy Checker v0.2 By X-SLAYER.exe	82
PID 1724 wrote to memory of 1376	1724	Proxy Checker v0.2 By X-SLAYER.exe	83
PID 1724 wrote to memory of 1376	1724	Proxy Checker v0.2 By X-SLAYER.exe	83
PID 1724 wrote to memory of 1376	1724	Proxy Checker v0.2 By X-SLAYER.exe	83
PID 1376 wrote to memory of 2824	1376	Synaptics.exe	84
PID 1376 wrote to memory of 2824	1376	Synaptics.exe	84

C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 By X-SLAYER.exe
"C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\Proxy Checker v0.2 By X-SLAYER.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1724
- C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 By X-SLAYER.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 By X-SLAYER.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  PID:2160
- C:\ProgramData\Synaptics\Synaptics.exe
  "C:\ProgramData\Synaptics\Synaptics.exe" InjUpdate
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of WriteProcessMemory
  PID:1376
- - C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe
    "C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Synaptics.exe" InjUpdate
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    PID:2824

C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE
"C:\Program Files\Microsoft Office\Root\Office16\EXCEL.EXE" /automation -Embedding
1⤵
- Checks processor information in registry
- Enumerates system info in registry
- Suspicious behavior: AddClipboardFormatListener
- Suspicious use of SetWindowsHookEx
PID:212

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\Synaptics\Synaptics.exe

Filesize
2.1MB

MD5
b472373d26e5446e44e11ee35803fb2c

SHA1
2f4d67d015fca0a3f7105d3fa7bfbbf48454dfe4

SHA256
fc897f290aab0e768822c3ee33e0b1ee2d15b6f23139f007299b26563efefc94

SHA512
41958196e899f325b4bea38696838eb6341246d7e6a1c311ec72dbf32dfc338c7e4f05e7fdd38b68d4f33c011867049c20cfbf625f36682219c3391b64062db4

Download Submit
C:\Users\Admin\AppData\Local\SkinSoft\VisualStyler\2.3.5.0\x64\ssapihook.dll

Filesize
66KB

MD5
c74d260d388f5ac3d95d8c1c3a27c989

SHA1
5da009086036004a7c670d608d5e1e923aead568

SHA256
dc1bebb8ce88d59e4b3130c1ff2c4b7f5df2701c7a71b476b8a6f2ed541db628

SHA512
6460db8f73806017d267c0e4e112902956a3bc53853c6a893cff66fe44772305b2c158ef8b58e993806d713aceaddcf2efa7ccf625063678444d3fd20b10546a

Download Submit
C:\Users\Admin\AppData\Local\Temp\A4B75E00

Filesize
22KB

MD5
3dd3f39c90718bc719114d01cb7cfb27

SHA1
8d11c4ea0be1dfe93ee87bb77724314faaec8d43

SHA256
fe8b6679eb15e13859800f2115b9a56434acb6b65e6590428e41f867311498c8

SHA512
5fa20e634039b10b2de09204aa3d971ccf2b73e298e3e41750aed7cdd7266fdecb19e714d4325d3bd5534f07b3a1c67909923de7d57d364e7ff31c4401a779d0

Download Submit
C:\Users\Admin\AppData\Local\Temp\Proxy Checker v0.2\._cache_Proxy Checker v0.2 By X-SLAYER.exe

Filesize
1.4MB

MD5
6d0fc4a87660eb12e4748e3b38b26879

SHA1
a780cc0f3feb7cdfb09051a18dd102b9ab111ff1

SHA256
5d9a4b3353659a3e88b520ec6b2a9d461bcbf8866a37dde649a416f7532a30d4

SHA512
a413451a621f8df7f7256ea96695459d3e7f4963863523329e483850fa94569ec97e247ba614aff7416c678e270c0dbe282bff18be0dac057176fc964178f903

Download Submit
C:\Users\Admin\AppData\Local\Temp\gCfln7is.xlsm

Filesize
17KB

MD5
e566fc53051035e1e6fd0ed1823de0f9

SHA1
00bc96c48b98676ecd67e81a6f1d7754e4156044

SHA256
8e574b4ae6502230c0829e2319a6c146aebd51b7008bf5bbfb731424d7952c15

SHA512
a12f56ff30ea35381c2b8f8af2446cf1daa21ee872e98cad4b863db060acd4c33c5760918c277dadb7a490cb4ca2f925d59c70dc5171e16601a11bc4a6542b04

Download Submit
memory/212-181-0x00007FF9B2BD0000-0x00007FF9B2BE0000-memory.dmp

Filesize
64KB

Download
memory/212-183-0x00007FF9B03D0000-0x00007FF9B03E0000-memory.dmp

Filesize
64KB

Download
memory/212-182-0x00007FF9B03D0000-0x00007FF9B03E0000-memory.dmp

Filesize
64KB

Download
memory/212-180-0x00007FF9B2BD0000-0x00007FF9B2BE0000-memory.dmp

Filesize
64KB

Download
memory/212-178-0x00007FF9B2BD0000-0x00007FF9B2BE0000-memory.dmp

Filesize
64KB

Download
memory/212-179-0x00007FF9B2BD0000-0x00007FF9B2BE0000-memory.dmp

Filesize
64KB

Download
memory/212-177-0x00007FF9B2BD0000-0x00007FF9B2BE0000-memory.dmp

Filesize
64KB

Download
memory/1376-233-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1376-276-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1376-174-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1724-72-0x0000000000400000-0x0000000000622000-memory.dmp

Filesize
2.1MB

Download
memory/1724-0-0x00000000023B0000-0x00000000023B1000-memory.dmp

Filesize
4KB

Download
memory/2160-139-0x00007FF9720A0000-0x00007FF9720A1000-memory.dmp

Filesize
4KB

Download
memory/2160-175-0x00007FF9D4750000-0x00007FF9D5211000-memory.dmp

Filesize
10.8MB

Download
memory/2160-155-0x00007FF972110000-0x00007FF972111000-memory.dmp

Filesize
4KB

Download
memory/2160-158-0x00007FF9720F0000-0x00007FF9720F1000-memory.dmp

Filesize
4KB

Download
memory/2160-161-0x00007FF972120000-0x00007FF972121000-memory.dmp

Filesize
4KB

Download
memory/2160-163-0x00007FF972140000-0x00007FF972141000-memory.dmp

Filesize
4KB

Download
memory/2160-165-0x00007FF96DCD0000-0x00007FF96DCD1000-memory.dmp

Filesize
4KB

Download
memory/2160-166-0x00007FF96DD20000-0x00007FF96DD21000-memory.dmp

Filesize
4KB

Download
memory/2160-169-0x00007FF96DD30000-0x00007FF96DD31000-memory.dmp

Filesize
4KB

Download
memory/2160-152-0x00007FF9720E0000-0x00007FF9720E1000-memory.dmp

Filesize
4KB

Download
memory/2160-173-0x000000001C080000-0x000000001C229000-memory.dmp

Filesize
1.7MB

Download
memory/2160-153-0x00007FF972100000-0x00007FF972101000-memory.dmp

Filesize
4KB

Download
memory/2160-11-0x00007FF9D4753000-0x00007FF9D4755000-memory.dmp

Filesize
8KB

Download
memory/2160-149-0x00007FF9720D0000-0x00007FF9720D1000-memory.dmp

Filesize
4KB

Download
memory/2160-147-0x00007FF972130000-0x00007FF972131000-memory.dmp

Filesize
4KB

Download
memory/2160-145-0x00007FF9720C0000-0x00007FF9720C1000-memory.dmp

Filesize
4KB

Download
memory/2160-144-0x00007FF9720B0000-0x00007FF9720B1000-memory.dmp

Filesize
4KB

Download
memory/2160-141-0x00007FF9703F0000-0x00007FF9703F1000-memory.dmp

Filesize
4KB

Download
memory/2160-140-0x00007FF972090000-0x00007FF972091000-memory.dmp

Filesize
4KB

Download
memory/2160-105-0x000000001BF80000-0x000000001C078000-memory.dmp

Filesize
992KB

Download
memory/2160-73-0x00007FF9D4750000-0x00007FF9D5211000-memory.dmp

Filesize
10.8MB

Download
memory/2160-69-0x000000001B550000-0x000000001B574000-memory.dmp

Filesize
144KB

Download
memory/2160-13-0x00000000008B0000-0x0000000000A18000-memory.dmp

Filesize
1.4MB

Download
memory/2824-176-0x000000001C150000-0x000000001C2F9000-memory.dmp

Filesize
1.7MB

Download