1ec294c1fb059743f946ed9cdd9949d45a724db845ad8af8ac46f35d13c09e73

Analysis

max time kernel
147s
max time network
133s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
28-10-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Proxy Tools and Grabbers/vProxy v1.4 by Yani/data/LICENCE.zip
Size

77KB
MD5

5180046f168dfd684b5bf268f5a0fa56
SHA1

ac8202ad5c94eb4d9e6227af92b5120e6d1b7ce7
SHA256

4139baa8beebcde4504c33bc88cf13b9ab9f32e4a054871ebeb82be6b84edc01
SHA512

04add8dc053c39a594e7889071b3fb9036fdc978b6f39f769c38b322e18a4ea6e05b6b66d97f0ac40c58f39120c791006a5b732da46ceba799e0db74afbed3e0
SSDEEP

1536:bI/R7579yweD2eLs3GBO1RC519JDVvJtHpm66QTpWoF6Twijg6:G9ZyweDLLs3GYCnDTdp76K6su

Score

8^/10

discovery execution

Malware Config

Signatures

Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

Run Powershell to modify Windows Defender settings to add exclusions for file extensions, paths, and processes.

execution

PowerShell

T1059.001

pid	Process
1948	powershell.exe

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vProxy.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Launcher.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	powershell.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vProxy.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1864	Launcher.exe
1948	powershell.exe
1864	Launcher.exe
1864	Launcher.exe

Suspicious behavior: GetForegroundWindowSpam 2 IoCs

pid	Process
2648	7zFM.exe
2224	vProxy.exe

Suspicious use of AdjustPrivilegeToken 7 IoCs

description	pid	Process
Token: SeRestorePrivilege	2648	7zFM.exe
Token: 35	2648	7zFM.exe
Token: SeSecurityPrivilege	2648	7zFM.exe
Token: SeSecurityPrivilege	2648	7zFM.exe
Token: SeSecurityPrivilege	2648	7zFM.exe
Token: SeDebugPrivilege	1864	Launcher.exe
Token: SeDebugPrivilege	1948	powershell.exe

Suspicious use of FindShellTrayWindow 6 IoCs

pid	Process
2648	7zFM.exe
2648	7zFM.exe
2648	7zFM.exe
2648	7zFM.exe
2648	7zFM.exe
2648	7zFM.exe

Suspicious use of WriteProcessMemory 22 IoCs

description	pid	Process	procid_target
PID 2648 wrote to memory of 292	2648	7zFM.exe	31
PID 2648 wrote to memory of 292	2648	7zFM.exe	31
PID 2648 wrote to memory of 292	2648	7zFM.exe	31
PID 2648 wrote to memory of 292	2648	7zFM.exe	31
PID 292 wrote to memory of 1864	292	vProxy.exe	32
PID 292 wrote to memory of 1864	292	vProxy.exe	32
PID 292 wrote to memory of 1864	292	vProxy.exe	32
PID 292 wrote to memory of 1864	292	vProxy.exe	32
PID 292 wrote to memory of 1864	292	vProxy.exe	32
PID 292 wrote to memory of 1864	292	vProxy.exe	32
PID 292 wrote to memory of 1864	292	vProxy.exe	32
PID 1864 wrote to memory of 1948	1864	Launcher.exe	33
PID 1864 wrote to memory of 1948	1864	Launcher.exe	33
PID 1864 wrote to memory of 1948	1864	Launcher.exe	33
PID 1864 wrote to memory of 1948	1864	Launcher.exe	33
PID 1864 wrote to memory of 1948	1864	Launcher.exe	33
PID 1864 wrote to memory of 1948	1864	Launcher.exe	33
PID 1864 wrote to memory of 1948	1864	Launcher.exe	33
PID 292 wrote to memory of 2224	292	vProxy.exe	35
PID 292 wrote to memory of 2224	292	vProxy.exe	35
PID 292 wrote to memory of 2224	292	vProxy.exe	35
PID 292 wrote to memory of 2224	292	vProxy.exe	35

C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\Proxy Tools and Grabbers\vProxy v1.4 by Yani\data\LICENCE.zip"
1⤵
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2648
- C:\Users\Admin\AppData\Local\Temp\Proxy Tools and Grabbers\vProxy v1.4 by Yani\vProxy.exe
  "C:\Users\Admin\AppData\Local\Temp\Proxy Tools and Grabbers\vProxy v1.4 by Yani\vProxy.exe"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:292
- - C:\Users\Admin\AppData\Local\Temp\Proxy Tools and Grabbers\vProxy v1.4 by Yani\data\Launcher.exe
    "C:\Users\Admin\AppData\Local\Temp\Proxy Tools and Grabbers\vProxy v1.4 by Yani\data\Launcher.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1864
  - - C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
      "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
      4⤵
      Command and Scripting Interpreter: PowerShell
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1948
- - C:\Users\Admin\AppData\Local\Temp\Proxy Tools and Grabbers\vProxy v1.4 by Yani\data\vProxy.exe
    "C:\Users\Admin\AppData\Local\Temp\Proxy Tools and Grabbers\vProxy v1.4 by Yani\data\vProxy.exe"
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: GetForegroundWindowSpam
    PID:2224

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

PowerShell

T1059.001

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\vProxy\Settings.ini

Filesize
286B

MD5
2404826b39971e89ee460a2b2f5d48ab

SHA1
4bc4f470bf984f38e090a9a42d7bb7f4d51802a4

SHA256
b45dd9801d45c95a199fa89ac40f0397eda15268c900e801e2734e32e26d46f8

SHA512
89f8d428178cc624668e0d473c4e751f95e132f1a23a46ac818234e767b8b683fc9f877a53861bf407a1b6e8ffde7917592d6f34a05e878680879adfb5a9cdf8

Download Submit
memory/292-1-0x0000000000050000-0x0000000000088000-memory.dmp

Filesize
224KB

Download
memory/1864-2-0x0000000000F10000-0x0000000000F24000-memory.dmp

Filesize
80KB

Download
memory/1864-3-0x00000000009C0000-0x0000000000A3E000-memory.dmp

Filesize
504KB

Download
memory/2224-6-0x0000000001140000-0x00000000011BA000-memory.dmp

Filesize
488KB

Download
memory/2224-36-0x0000000005F80000-0x0000000006073000-memory.dmp

Filesize
972KB

Download
memory/2224-37-0x0000000000CD0000-0x0000000000CF0000-memory.dmp

Filesize
128KB

Download