f0729e62c4bc3633797eea6c70969503993eebfce3fb8a852a029c0ea81c43f6

Analysis

max time kernel
93s
max time network
89s
platform
windows11-21h2_x64
resource
win11-20231215-en
resource tags

arch:x64arch:x86image:win11-20231215-enlocale:en-usos:windows11-21h2-x64system
submitted
06/01/2024, 16:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

windowsProxy_2.0.9.0.exe
Size

62.4MB
MD5

6790611f5b8913cdd10f4c284af8da08
SHA1

93c081a1a6b3656fcb66beead69587878d392d99
SHA256

f0729e62c4bc3633797eea6c70969503993eebfce3fb8a852a029c0ea81c43f6
SHA512

3e7eafd3c1bfe782676e702474565d546c1e2f6cfa7feff351f915eb0d12a25050edfb07635b1bab5963afe2302ad9502595005291fe1b9e8f83c2449c51bee4
SSDEEP

1572864:5ypH6HJ6XKAZJy9oxpwAlroxZXWjqyE1rTR9Et5nubC4:YYQK0y9oYA4XWNEWnubC4

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
5036	windowsProxy_2.0.9.0.tmp

Loads dropped DLL 2 IoCs

pid	Process
5036	windowsProxy_2.0.9.0.tmp
5036	windowsProxy_2.0.9.0.tmp

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\node\is-00SAH.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\fonts\is-VKJM3.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-HOLIB.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\is-VB9EQ.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\is-R4R9T.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\logo\is-A9M1S.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-U2DNT.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-TR4F5.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-UF0G3.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\node\is-563I3.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-THJNG.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-6P69F.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\is-5F6M0.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-C7UKJ.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-8RFEH.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\login\is-08C8Q.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-JFT1H.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-HCEOU.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\is-11U28.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-7C8E9.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-UL7R0.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-EC38J.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-KRBO0.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\naiyouwl.exe	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\ccore-windows-amd64.exe	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-G6490.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\logo\is-28ARP.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\main\is-TPEF0.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-V5DA7.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-NS77D.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-EBKFI.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\protocol_handler_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-KLDSI.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-PNLRF.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-QN95G.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-0EGPI.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\main\is-719VB.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-I2NJT.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-BMN0L.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-UGIT0.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-6PV3E.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-39ICL.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\main\is-5GV0H.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-418TF.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\connectivity_plus_windows_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\bin\is-IDS1H.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-N7HTI.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-L6EFF.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\tray_manager_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\is-IT3SN.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-O56BN.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\proxy_manager_plugin.dll	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\wintun.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-M75H7.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\screen_retriever_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\main\is-OMI3D.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-FBHHO.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\file_selector_windows_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\is-R0CEK.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\dep\is-SI700.tmp	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\packages\bruno\assets\icons\is-2DBOF.tmp	windowsProxy_2.0.9.0.tmp
File opened for modification	C:\Program Files (x86)\winproxy2.0\window_manager_plugin.dll	windowsProxy_2.0.9.0.tmp
File created	C:\Program Files (x86)\winproxy2.0\data\flutter_assets\assets\images\main\is-FSG7B.tmp	windowsProxy_2.0.9.0.tmp

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5036	windowsProxy_2.0.9.0.tmp
5036	windowsProxy_2.0.9.0.tmp

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
5036	windowsProxy_2.0.9.0.tmp

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 436 wrote to memory of 5036	436	windowsProxy_2.0.9.0.exe	39
PID 436 wrote to memory of 5036	436	windowsProxy_2.0.9.0.exe	39
PID 436 wrote to memory of 5036	436	windowsProxy_2.0.9.0.exe	39

C:\Users\Admin\AppData\Local\Temp\windowsProxy_2.0.9.0.exe
"C:\Users\Admin\AppData\Local\Temp\windowsProxy_2.0.9.0.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:436
- C:\Users\Admin\AppData\Local\Temp\is-8HBF7.tmp\windowsProxy_2.0.9.0.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-8HBF7.tmp\windowsProxy_2.0.9.0.tmp" /SL5="$701F0,64583684,1047040,C:\Users\Admin\AppData\Local\Temp\windowsProxy_2.0.9.0.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  PID:5036
- - C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe
    "C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe"
    3⤵
    PID:2228
  - - C:\Windows\Temp\{5496164C-3431-41D1-98E0-2204A9D57C47}\.cr\vc_redist.x64.exe
      "C:\Windows\Temp\{5496164C-3431-41D1-98E0-2204A9D57C47}\.cr\vc_redist.x64.exe" -burn.clean.room="C:\Program Files (x86)\winproxy2.0\vc_redist.x64.exe" -burn.filehandle.attached=728 -burn.filehandle.self=732
      4⤵
      PID:4232
- - C:\Windows\SysWOW64\NOTEPAD.EXE
    "C:\Windows\system32\NOTEPAD.EXE" C:\Program Files (x86)\winproxy2.0\ppt.TXT
    3⤵
    PID:2480

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\winproxy2.0\naiyouwl.exe

Filesize
71KB

MD5
57ef7050657dc0893162cfa6c91b9231

SHA1
946134410cfe9f2a56faaa3c9941161d3e9296c2

SHA256
778c2bc1d8b08366e9f7c8f8e4a8610bcbec3edc7b7e4deffd0e05c9157c4c25

SHA512
3f63f7ce8d0d9a89bfa9000a2f8a887df89653e3d06b9064711217248aa7ac9eb4da6db48e7e5240320d81b8bb834b46aa699c2cc23160d753daae28896da0c7

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HBF7.tmp\windowsProxy_2.0.9.0.tmp

Filesize
1.4MB

MD5
c228af0fba332c4c280e7b71c882bd40

SHA1
01fccfa65c18d029669b480c6a5bd5e2cf6df274

SHA256
8b12721c27cb65a5d37e2ea20e7326718e41dafb477646d7601b730dfac23688

SHA512
6d47db051507301cc973c3b1238b7b51cf0e84e709e67b6173257e9c74012bfdf1e371b2bb80d2f7bde3ddd6fffd260882e6ada286a58099fb2e88d949448323

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-8HBF7.tmp\windowsProxy_2.0.9.0.tmp

Filesize
381KB

MD5
de6fee42d11b574527fb286a11a0c5dc

SHA1
5c882047c0c06edca500d0492930f7046de3d159

SHA256
6cc760795f47aba493b1f54647c55904a1ae50c1319059d02ee2ffd038d3072c

SHA512
4677844222281dc02f852150a77c25dd3a352c1a418ef12982647df0216ac7744fcf6ff66df4e8f39e9ce88991a6e7b78c3646999b5c7c19702e6e80c6a12c9c

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-ILC47.tmp\_isetup\_isdecmp.dll

Filesize
28KB

MD5
077cb4461a2767383b317eb0c50f5f13

SHA1
584e64f1d162398b7f377ce55a6b5740379c4282

SHA256
8287d0e287a66ee78537c8d1d98e426562b95c50f569b92cea9ce36a9fa57e64

SHA512
b1fcb0265697561ef497e6a60fcee99dc5ea0cf02b4010da9f5ed93bce88bdfea6bfe823a017487b8059158464ea29636aad8e5f9dd1e8b8a1b6eaaab670e547

Download Submit
memory/436-1-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-13-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/436-536-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/5036-6-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5036-14-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/5036-17-0x0000000002730000-0x0000000002731000-memory.dmp

Filesize
4KB

Download
memory/5036-82-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download
memory/5036-533-0x0000000000400000-0x0000000000748000-memory.dmp

Filesize
3.3MB

Download