f0729e62c4bc3633797eea6c70969503993eebfce3fb8a852a029c0ea81c43f6

Analysis

max time kernel
123s
max time network
133s
platform
windows10-1703_x64
resource
win10-20231220-en
resource tags

arch:x64arch:x86image:win10-20231220-enlocale:en-usos:windows10-1703-x64system
submitted
06/01/2024, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsProxy_2.0.9.0.exe
Size

62.4MB
MD5

6790611f5b8913cdd10f4c284af8da08
SHA1

93c081a1a6b3656fcb66beead69587878d392d99
SHA256

f0729e62c4bc3633797eea6c70969503993eebfce3fb8a852a029c0ea81c43f6
SHA512

3e7eafd3c1bfe782676e702474565d546c1e2f6cfa7feff351f915eb0d12a25050edfb07635b1bab5963afe2302ad9502595005291fe1b9e8f83c2449c51bee4
SSDEEP

1572864:5ypH6HJ6XKAZJy9oxpwAlroxZXWjqyE1rTR9Et5nubC4:YYQK0y9oYA4XWNEWnubC4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
228	windowsProxy_2.0.9.0.tmp

Loads dropped DLL 2 IoCs

pid	Process
228	windowsProxy_2.0.9.0.tmp
228	windowsProxy_2.0.9.0.tmp

Drops file in Program Files directory 51 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\winproxy2.0\url_launcher_windows_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-3GM0O.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\connectivity_plus_windows_plugin.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\proxy_manager_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-F768Q.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\screen_retriever_plugin.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\ccore-service-windows-amd64.exe	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-PPHI9.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\is-Q8BGB.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\flutter_windows.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\tray_manager_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-6EGQ8.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-2D9GI.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\file_selector_windows_plugin.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\window_manager_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-L80OQ.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-JR53K.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-Q41I7.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\is-PCR23.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\is-NCRTU.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\is-8RKCE.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\protocol_handler_plugin.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-727QR.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\is-TLG32.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\flutter_secure_storage_windows_plugin.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\wintun.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\is-OLMAS.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\unins000.dat	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\is-K6JAF.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\is-S1DO6.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\naiyouwl.exe	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-HI9GG.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-KQKKK.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-3ACKC.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\is-A7BBT.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\is-46C38.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\permission_handler_windows_plugin.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\wl_base_help_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-0DBKN.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\is-95SDB.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\is-9SRPT.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\sysproxy64.exe	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-EI07M.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\is-SFA0D.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\ccore-windows-amd64.exe	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-Q0U6P.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-KNFN6.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-73VGQ.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\is-IAAUO.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\is-LAK5S.tmp	windowsProxy_2.0.9.0.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
228	windowsProxy_2.0.9.0.tmp
228	windowsProxy_2.0.9.0.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
228	windowsProxy_2.0.9.0.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 228	2232	windowsProxy_2.0.9.0.exe	25
PID 2232 wrote to memory of 228	2232	windowsProxy_2.0.9.0.exe	25
PID 2232 wrote to memory of 228	2232	windowsProxy_2.0.9.0.exe	25

C:\Users\Admin\AppData\Local\Temp\windowsProxy_2.0.9.0.exe
"C:\Users\Admin\AppData\Local\Temp\windowsProxy_2.0.9.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Users\Admin\AppData\Local\Temp\is-AI37L.tmp\windowsProxy_2.0.9.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-AI37L.tmp\windowsProxy_2.0.9.0.tmp" /SL5="$50226,64583684,1047040,C:\Users\Admin\AppData\Local\Temp\windowsProxy_2.0.9.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:228
- - C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe
    "C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe"
    3⤵
    PID:1136
  - - C:\Windows\Temp\{C9A864E7-7F56-4A6D-9E59-F205070A9578}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{C9A864E7-7F56-4A6D-9E59-F205070A9578}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe" -burn.filehandle.attached=536 -burn.filehandle.self=532
      4⤵
      PID:1712

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/228-5-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/228-13-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/228-16-0x00000000007E0000-0x00000000007E1000-memory.dmp

Filesize
4KB

Download
memory/228-47-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/228-539-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/2232-0-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/2232-12-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download