Windows Analysis Report
Proxy32.exe

Overview

General Information

Sample name:	Proxy32.exe
Analysis ID:	1545401
MD5:	bc50255ce73b64580fcc217e2a3b699a
SHA1:	00431c708367a2125ffe6599c5e9a8b47c8ad259
SHA256:	5704b15d5a1bc9c2f8b3351169362440bcb6901984050f3bb3824437fca13c68
Infos:

Detection

Score:	5
Range:	0 - 100
Whitelisted:	false
Confidence:	80%

Signatures

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Contains functionality to dynamically determine API calls

Contains functionality to query locales information (e.g. system language)

Detected potential crypto function

Found evasive API chain (may stop execution after checking a module file name)

Found large amount of non-executed APIs

Found potential string decryption / allocating functions

Program does not show much activity (idle)

Sample file is different than original file name gathered from version info

Uses 32bit PE files

Uses code obfuscation techniques (call, push, ret)

Classification

Signatures

Uses 32bit PE files

Source: Proxy32.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: Proxy32.exe

Static PE information: certificate valid

Source: Proxy32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source:

Binary string: c:\Program Files\Tyler Technologies\IMS\Proxy32.pdb source: Proxy32.exe

Source: Proxy32.exe	String found in binary or memory: http://crl.thawte.com/ThawteTimestampingCA.crl0
Source: Proxy32.exe	String found in binary or memory: http://ocsp.thawte.com0
Source: Proxy32.exe	String found in binary or memory: http://ts-aia.ws.symantec.com/tss-ca-g2.cer0
Source: Proxy32.exe	String found in binary or memory: http://ts-crl.ws.symantec.com/tss-ca-g2.crl0(
Source: Proxy32.exe	String found in binary or memory: http://ts-ocsp.ws.symantec.com07

Detected potential crypto function

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_005165BD

0_2_005165BD

Found potential string decryption / allocating functions

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: String function: 00516B84 appears 36 times

Sample file is different than original file name gathered from version info

Source: Proxy32.exe, 00000000.00000000.1722601783.0000000000526000.00000002.00000001.01000000.00000003.sdmp	Binary or memory string: OriginalFilenameProxy.exe@ vs Proxy32.exe
Source: Proxy32.exe	Binary or memory string: OriginalFilenameProxy.exe@ vs Proxy32.exe

Uses 32bit PE files

Source: Proxy32.exe

Static PE information: EXECUTABLE_IMAGE, 32BIT_MACHINE

Source: classification engine

Classification label: clean5.winEXE@1/0@0/0

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_005131E0 GetCurrentProcess,OpenProcessToken,LookupPrivilegeValueW,AdjustTokenPrivileges,CloseHandle,GetLastError,CloseHandle,GetLastError,

0_2_005131E0

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_00512D40 SleepEx,CreateToolhelp32Snapshot,_memset,Process32FirstW,__wcsicoll,OpenProcess,GetProcessImageFileNameW,__wcsicoll,__wcsicoll,_memset,CloseHandle,GetLastError,Process32NextW,GetLastError,CloseHandle,GetLastError,

0_2_00512D40

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_005121B0 CoInitializeEx,_memset,_memset,CoCreateInstance,VariantInit,VariantChangeType,VariantClear,__wcsicoll,SysAllocStringLen,OpenProcess,WaitForSingleObject,_fwprintf,_fwprintf,CloseHandle,SysFreeString,CoUninitialize,_fwprintf,CoUninitialize,CoUninitialize,CoUninitialize,

0_2_005121B0

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_00513520 OpenSCManagerW,OpenServiceW,GetLastError,CloseServiceHandle,GetLastError,CloseServiceHandle,GetLastError,GetLastError,ChangeServiceConfigW,GetLastError,CloseServiceHandle,

0_2_00513520

Source: Proxy32.exe

Static PE information: Section: .text IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ

Source: C:\Users\user\Desktop\Proxy32.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: acgenral.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: winmm.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: samcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: msacm32.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: userenv.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: dwmapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: urlmon.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: mpr.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: sspicli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: winmmbase.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: iertutil.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: srvcli.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: netutils.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: aclayers.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: sfc.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: sfc_os.dll	Jump to behavior
Source: C:\Users\user\Desktop\Proxy32.exe	Section loaded: kernel.appcore.dll	Jump to behavior

Source: Proxy32.exe

Static PE information: certificate valid

Source: Proxy32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IMPORT
Source: Proxy32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_RESOURCE
Source: Proxy32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_BASERELOC
Source: Proxy32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG
Source: Proxy32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG
Source: Proxy32.exe	Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_IAT

Source: Proxy32.exe

Static PE information: DYNAMIC_BASE, NX_COMPAT, TERMINAL_SERVER_AWARE

Source: Proxy32.exe

Static PE information: data directory type: IMAGE_DIRECTORY_ENTRY_DEBUG

Source:

Binary string: c:\Program Files\Tyler Technologies\IMS\Proxy32.pdb source: Proxy32.exe

Source: Proxy32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IMPORT is in: .rdata
Source: Proxy32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_RESOURCE is in: .rsrc
Source: Proxy32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_BASERELOC is in: .reloc
Source: Proxy32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG is in: .rdata
Source: Proxy32.exe	Static PE information: Data directory: IMAGE_DIRECTORY_ENTRY_IAT is in: .rdata

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_0051B906 LoadLibraryA,GetProcAddress,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,GetProcAddress,__encode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,__decode_pointer,

0_2_0051B906

Uses code obfuscation techniques (call, push, ret)

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_00516BC9 push ecx; ret

0_2_00516BDC

Found evasive API chain (may stop execution after checking a module file name)

Source: C:\Users\user\Desktop\Proxy32.exe

Evasive API call chain: GetModuleFileName,DecisionNodes,Sleep

Found large amount of non-executed APIs

Source: C:\Users\user\Desktop\Proxy32.exe

API coverage: 4.9 %

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Contains functionality to check if a debugger is running (IsDebuggerPresent)

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_00515D07 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,

0_2_00515D07

Contains functionality to dynamically determine API calls

Source: C:\Users\user\Desktop\Proxy32.exe

0_2_0051B906

Program does not show much activity (idle)

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: C:\Users\user\Desktop\Proxy32.exe	Code function: 0_2_00515D07 _memset,IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_00515D07
Source: C:\Users\user\Desktop\Proxy32.exe	Code function: 0_2_0051376A IsDebuggerPresent,SetUnhandledExceptionFilter,UnhandledExceptionFilter,GetCurrentProcess,TerminateProcess,	0_2_0051376A
Source: C:\Users\user\Desktop\Proxy32.exe	Code function: 0_2_0051C7FA __NMSG_WRITE,_raise,_memset,SetUnhandledExceptionFilter,UnhandledExceptionFilter,	0_2_0051C7FA
Source: C:\Users\user\Desktop\Proxy32.exe	Code function: 0_2_005187E0 SetUnhandledExceptionFilter,	0_2_005187E0

Contains functionality to query locales information (e.g. system language)

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: GetLocaleInfoA,

0_2_0051BE58

Source: C:\Users\user\Desktop\Proxy32.exe

Code function: 0_2_00518EE7 GetSystemTimeAsFileTime,GetCurrentProcessId,GetCurrentThreadId,GetTickCount,QueryPerformanceCounter,

0_2_00518EE7

Screenshots

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Network Map

⊘No contacted IP infos

ID:	1545401
Product:	CloudBasic
Start time:	14:15:54
Start date:	30.10.2024
Sample:	Proxy32.exe
Cookbook:	default.jbs
System description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Architecture:	WINDOWS
MD5:	bc50255ce73b64580fcc217e2a3b699a
SHA1:	00431c708367a2125ffe6599c5e9a8b47c8ad259
SHA256:	5704b15d5a1bc9c2f8b3351169362440bcb6901984050f3bb3824437fca13c68
Filetype:	Win32 Executable (generic) a (10002005/4) 99.96%

Windows Analysis Report
Proxy32.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report Proxy32.exe

Overview

General Information

Detection

Signatures

Classification

Signatures

Compliance

Networking

System Summary

Data Obfuscation

Malware Analysis System Evasion

Anti Debugging

Language, Device and Operating System Detection

Screenshots

Behavior Graph

Network Map

Windows Analysis Report
Proxy32.exe