ad76f55cc9758121c75f14c16d54bc98de61d5fd381f101522753811c158407d

Analysis

max time kernel
16s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
19-09-2024 04:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/ProxyInstaller.exe
Size

88KB
MD5

06826f8c75d1a05b8bffd183eb79e8bf
SHA1

59f8b4fe13b77525ae8213ecb0c24c725aa4fa50
SHA256

76d51fd7959167aed22d67c4b6819c69c6be00d3216ff11b9ddf5d6f8720c787
SHA512

5798be15a85743deed873c85b62b5e3ba28045e57758b4a6dca0899149278182c502769ebb551320078f51dc64b8fc50735d9e2ea987a63490819a2a37698b3a
SSDEEP

1536:KErPZ3IBZcbTfu1HlrJFCPcbPnLOR8Y5jzRE8euOXLcCz1utYo9iQjPANHB:5PC23aJFC0bPn6GY5HeNACz1utXzyHB

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 19 IoCs

pid	Process
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
2848	DownloadACC.exe
2848	DownloadACC.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe
1520	ProxyInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DownloadACC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProxyInstaller.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeRestorePrivilege	2848	DownloadACC.exe
Token: SeBackupPrivilege	2848	DownloadACC.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1520 wrote to memory of 2848	1520	ProxyInstaller.exe	30
PID 1520 wrote to memory of 2848	1520	ProxyInstaller.exe	30
PID 1520 wrote to memory of 2848	1520	ProxyInstaller.exe	30
PID 1520 wrote to memory of 2848	1520	ProxyInstaller.exe	30
PID 1520 wrote to memory of 2848	1520	ProxyInstaller.exe	30
PID 1520 wrote to memory of 2848	1520	ProxyInstaller.exe	30
PID 1520 wrote to memory of 2848	1520	ProxyInstaller.exe	30

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ProxyInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ProxyInstaller.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1520
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DownloadACC.exe
  DownloadACC.exe "-localPath=" "-url=http://" "-regPath=Software\Conduit\DistributionEngine\Download\\"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

\Users\Admin\AppData\Local\Temp\nseB6B3.tmp\DownloadACC.dll

Filesize
220KB

MD5
57463c2c84c4fc17de2115b9266a8625

SHA1
5bb9d6ff3a51c651c6514e3fa13bc78545e06b25

SHA256
572dea9525e06db6aee8474f5228511357ed8a4fc3aa5e05799954f4bbbbfd3f

SHA512
cb9823deacfbbdc14148e41e7def09d3d5544466a574fe29f201c7f96c6a4e6b5c5d6b252f4a74b1c128d7f7c92f573b332c9d8dcdcfa602b09dbbfc2093995e

Download Submit
\Users\Admin\AppData\Local\Temp\nszB5AA.tmp\System.dll

Filesize
17KB

MD5
ea466672af35f704f1e8738ce4381857

SHA1
245a02c01302cf0151c07d915f028e3d822846da

SHA256
54e5770328d8bc66ae751cba53eed2988cff81d9a0c627e006ee8de01ba71ed3

SHA512
619619a5fca42129087b597ef8ff3acb6f423e5c0f6add72d6c2709e6018c66933e16678dcc6e5716f191763cb23929f7cd8ae700f8c919bfa08fad8193dede2

Download Submit
\Users\Admin\AppData\Local\Temp\nszB5AA.tmp\inetc.dll

Filesize
29KB

MD5
392f88a1357c739c0825d4fa26fb5286

SHA1
02646547510dcfa5e44d461ae0fa50a2273f1010

SHA256
66d111ed5526e6c43956ea615254bf140eee4c3f07521ee9a1d6f6e760821949

SHA512
79909b909aac3f1a7fb36ee7b3702877b1bf588821df1a0aedcb0f033ff6087dd22ea38408a1505e86c8a300e6b32309924bee901d31f92cf15d697b9a9dcce5

Download Submit