6be5f33bdac0c92c73419414cd425d6196efc813265ebae7974663d25e27f81c

Analysis

max time kernel
94s
max time network
122s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
04/10/2024, 16:49

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

$PLUGINSDIR/ProxyInstaller.exe
Size

78KB
MD5

ae5d42ce095d402ade7d89282b491853
SHA1

aa8ce006ec5d99f4c026af2ec7867ca19fe0b173
SHA256

264d6cecf4ea999f73803e20f555a12860613367eca779ab013c5d1519f2f10e
SHA512

6208134fba80a217f7d9e912cc5fda37c538139205e84f95e8f5c2e4b73f323783aaa03c4e785d7e404f5b9976b615013ee6e46ba9fb1e0a16928b494862727a
SSDEEP

1536:hVdePelp2Xy+tuQOzOYE5aXPn7F8bgooz2HaBwHIZ3U1ez7zxnM/3:yweqOYEUXPnYfwwoZnFnA3

Score

7^/10

discovery

Malware Config

Signatures

Loads dropped DLL 19 IoCs

pid	Process
4332	ProxyInstaller.exe
4332	ProxyInstaller.exe
5096	DownloadACC.exe
5096	DownloadACC.exe
3064	BI.exe
3064	BI.exe
3064	BI.exe
4332	ProxyInstaller.exe
3192	BI.exe
3380	BI.exe
4332	ProxyInstaller.exe
4332	ProxyInstaller.exe
3380	BI.exe
4332	ProxyInstaller.exe
3192	BI.exe
3380	BI.exe
3192	BI.exe
4332	ProxyInstaller.exe
4332	ProxyInstaller.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DownloadACC.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ProxyInstaller.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	BI.exe

Suspicious use of WriteProcessMemory 12 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 3064	4332	ProxyInstaller.exe	83
PID 4332 wrote to memory of 3064	4332	ProxyInstaller.exe	83
PID 4332 wrote to memory of 3064	4332	ProxyInstaller.exe	83
PID 4332 wrote to memory of 5096	4332	ProxyInstaller.exe	84
PID 4332 wrote to memory of 5096	4332	ProxyInstaller.exe	84
PID 4332 wrote to memory of 5096	4332	ProxyInstaller.exe	84
PID 4332 wrote to memory of 3380	4332	ProxyInstaller.exe	94
PID 4332 wrote to memory of 3380	4332	ProxyInstaller.exe	94
PID 4332 wrote to memory of 3380	4332	ProxyInstaller.exe	94
PID 4332 wrote to memory of 3192	4332	ProxyInstaller.exe	95
PID 4332 wrote to memory of 3192	4332	ProxyInstaller.exe	95
PID 4332 wrote to memory of 3192	4332	ProxyInstaller.exe	95

C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ProxyInstaller.exe
"C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\ProxyInstaller.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BI.exe
  BI.exe { "json_send_time" : "4/10/2024 18:49:12:536" , "condition_type" : "" , "root_offer_id" : "" , "error_details" : "" , "result" : "Success" , "is_accelerator" : "1" , "accelerator_split_parts" : "6" , "Download_Method" : "FDM Accelerator" , "download_url" : "" , "rule_id" : "" , "offer_type" : "" , "offer_suggestion_number" : "" , "mrs_id" : "" , "vector_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "" , "user_operating_system_bits" : "64" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "" , "is_silent" : "0" , "user_ms_dotnet_framework_ver" : "4.0" , "user_acount_type" : "" , "user_ie_version" : "9.11.19041.0" , "user_default_browser_version" : "" , "user_default_browser" : "IEXPLORE.EXE" , "user_service_pack" : "0.0" , "user_operating_system" : "Windows 10 Enterprise" , "revision_number" : "" , "build_id" : "" , "dm_version" : "" , "bundle_id" : "" , "machine_user_id" : "" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "" , "publisher_internal_id" : "" , "publisher_id" : "" , "publisher_account_id" : "" , "order" : "4." , "phase" : "DownloadStart" , "Is_Test" : "0" }
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3064
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\DownloadACC.exe
  DownloadACC.exe "-localPath=" "-url=http://" "-regPath=Software\Conduit\DistributionEngine\Download\\"
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:5096
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BI.exe
  BI.exe { "json_send_time" : "4/10/2024 18:49:46:286" , "condition_type" : "" , "install_command_line" : "" , "root_offer_id" : "" , "is_accelerator" : "1" , "accelerator_split_parts" : "6" , "Download_Method" : "FDM Accelerator" , "general_status_code" : "11" , "duration_details" : "" , "phase_duration" : "33750" , "error_details" : "Unable to resolve the server name" , "result" : "Error" , "download_url" : "http://" , "rule_id" : "" , "offer_type" : "" , "offer_suggestion_number" : "" , "mrs_id" : "" , "vector_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "" , "user_operating_system_bits" : "64" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "" , "is_silent" : "0" , "user_ms_dotnet_framework_ver" : "4.0" , "user_acount_type" : "" , "user_ie_version" : "9.11.19041.0" , "user_default_browser_version" : "" , "user_default_browser" : "IEXPLORE.EXE" , "user_service_pack" : "0.0" , "user_operating_system" : "Windows 10 Enterprise" , "revision_number" : "" , "build_id" : "" , "dm_version" : "" , "bundle_id" : "" , "machine_user_id" : "" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "" , "publisher_internal_id" : "" , "publisher_id" : "" , "publisher_account_id" : "" , "order" : "5." , "phase" : "DownloadComplete" , "Is_Test" : "0" }
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3380
- C:\Users\Admin\AppData\Local\Temp\$PLUGINSDIR\BI.exe
  BI.exe { "json_send_time" : "4/10/2024 18:49:46:286" , "condition_type" : "" , "root_offer_id" : "" , "error_details" : "" , "result" : "Success" , "is_accelerator" : "0" , "accelerator_split_parts" : "1" , "Download_Method" : "Inetc" , "download_url" : "http://" , "rule_id" : "" , "offer_type" : "" , "offer_suggestion_number" : "" , "mrs_id" : "" , "vector_id" : "" , "product_id_version" : "" , "product_type" : "" , "product_id" : "" , "offer_id" : "" , "user_operating_system_bits" : "64" , "current_default_search" : "" , "current_homepage" : "" , "current_toolbars" : "" , "attempt_number" : "1" , "is_silent" : "0" , "user_ms_dotnet_framework_ver" : "4.0" , "user_acount_type" : "" , "user_ie_version" : "9.11.19041.0" , "user_default_browser_version" : "" , "user_default_browser" : "IEXPLORE.EXE" , "user_service_pack" : "0.0" , "user_operating_system" : "Windows 10 Enterprise" , "revision_number" : "" , "build_id" : "" , "dm_version" : "" , "bundle_id" : "" , "machine_user_id" : "" , "send_attempt" : "0" , "channel_id" : "" , "installation_session_id" : "" , "publisher_internal_id" : "" , "publisher_id" : "" , "publisher_account_id" : "" , "order" : "4." , "phase" : "DownloadStart" , "Is_Test" : "0" }
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3192

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsaBB14.tmp\DownloadACC.dll

Filesize
214KB

MD5
50528a6cf8fe747c4dad8bb0c03f7600

SHA1
dcee55360ef9fd60573c26ff61119dc0be847351

SHA256
4b1926c947c08198b3cf7e75202309680a75288c08bd5481a155f2a0ac1a9c39

SHA512
271a82adca498e8a39bf703eea7b62c6c6611c2d8db3845545504d12229482d326e0a0539630788512abf8ff8af18548f79aee6096c2763117c6ccd8788f92cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsbBB63.tmp\inetc.dll

Filesize
29KB

MD5
dccdcb124064a1d9a5eb12232348b898

SHA1
f294fac154cb1c6c18fe054ac584f767594b93fb

SHA256
37adc0183d94ae6ca1895643423dac0c97750d7103e6b00c14299dfc4ad2271e

SHA512
bd89bcd513bb7120db80e1115b4caceaa18c4ea863fe29b232002d447c3813133ff2849fcb2d4df45e3ff67e0e0d9d340d61060b9c74045b17efa5b1c1f5b05e

Download Submit
C:\Users\Admin\AppData\Local\Temp\nslBAB7.tmp\System.dll

Filesize
17KB

MD5
a4f38d1c7a480f5da1bb8097b8b939db

SHA1
b3129c2a0e61881381463f5e0cbbffa573daa845

SHA256
e1180e1e3344c7536150275e33de53dc1dd1a3ca03be66c4d4875fe5bcd4e436

SHA512
fed89f7ee9364fc2f4b9f82c4563713497043947e98dbb03e7d755681adf3ae661aba80d08e59988a23695fc64481b69d9842b7ec7d2b572cc872c4c9957febc

Download Submit