a2d3d6430f6775951cf988d960cfae4093d7a1e4d0f684ddfffaf4599ace9a71

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe"	Clipper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe"	Clipper.exe

Executes dropped EXE 35 IoCs

pid	Process
3028	joinResult.exe
3492	VyprVPN.exe
636	1111.exe
2620	Clipper.exe
3316	WinService.exe
2496	WinService.exe
2152	WinService.exe
3384	WinService.exe
3928	WinService.exe
728	WinService.exe
2280	WinService.exe
3992	WinService.exe
3828	WinService.exe
632	WinService.exe
2532	WinService.exe
1496	WinService.exe
3076	WinService.exe
1160	WinService.exe
3176	WinService.exe
4020	WinService.exe
4048	WinService.exe
1904	WinService.exe
3580	WinService.exe
3004	WinService.exe
2596	WinService.exe
2504	WinService.exe
3928	WinService.exe
1340	WinService.exe
60	WinService.exe
2008	WinService.exe
2284	WinService.exe
1836	WinService.exe
3216	WinService.exe
3640	WinService.exe
3236	WinService.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000\Control Panel\International\Geo\Nation	1111.exe

Loads dropped DLL 2 IoCs

pid	Process
732	VyprVPN.exe
3028	joinResult.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
636	1111.exe
636	1111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 4 IoCs

installer

resource	yara_rule
behavioral14/files/0x000100000001aba4-2.dat	nsis_installer_1
behavioral14/files/0x000100000001aba4-2.dat	nsis_installer_2
behavioral14/files/0x000100000001aba4-3.dat	nsis_installer_1
behavioral14/files/0x000100000001aba4-3.dat	nsis_installer_2

Creates scheduled task(s) 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence

Scheduled Task

T1053

pid	Process
1340	schtasks.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
3548	PING.EXE

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
636	1111.exe
636	1111.exe

Suspicious use of AdjustPrivilegeToken 32 IoCs

description	pid	Process
Token: SeDebugPrivilege	2620	Clipper.exe
Token: SeDebugPrivilege	3316	WinService.exe
Token: SeDebugPrivilege	2496	WinService.exe
Token: SeDebugPrivilege	2152	WinService.exe
Token: SeDebugPrivilege	3384	WinService.exe
Token: SeDebugPrivilege	3928	WinService.exe
Token: SeDebugPrivilege	728	WinService.exe
Token: SeDebugPrivilege	2280	WinService.exe
Token: SeDebugPrivilege	3992	WinService.exe
Token: SeDebugPrivilege	3828	WinService.exe
Token: SeDebugPrivilege	632	WinService.exe
Token: SeDebugPrivilege	2532	WinService.exe
Token: SeDebugPrivilege	1496	WinService.exe
Token: SeDebugPrivilege	3076	WinService.exe
Token: SeDebugPrivilege	1160	WinService.exe
Token: SeDebugPrivilege	3176	WinService.exe
Token: SeDebugPrivilege	4020	WinService.exe
Token: SeDebugPrivilege	4048	WinService.exe
Token: SeDebugPrivilege	1904	WinService.exe
Token: SeDebugPrivilege	3580	WinService.exe
Token: SeDebugPrivilege	3004	WinService.exe
Token: SeDebugPrivilege	2596	WinService.exe
Token: SeDebugPrivilege	2504	WinService.exe
Token: SeDebugPrivilege	3928	WinService.exe
Token: SeDebugPrivilege	1340	WinService.exe
Token: SeDebugPrivilege	60	WinService.exe
Token: SeDebugPrivilege	2008	WinService.exe
Token: SeDebugPrivilege	2284	WinService.exe
Token: SeDebugPrivilege	1836	WinService.exe
Token: SeDebugPrivilege	3216	WinService.exe
Token: SeDebugPrivilege	3640	WinService.exe
Token: SeDebugPrivilege	3236	WinService.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
3492	VyprVPN.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
636	1111.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 732 wrote to memory of 3028	732	VyprVPN.exe	75
PID 732 wrote to memory of 3028	732	VyprVPN.exe	75
PID 732 wrote to memory of 3028	732	VyprVPN.exe	75
PID 732 wrote to memory of 3492	732	VyprVPN.exe	76
PID 732 wrote to memory of 3492	732	VyprVPN.exe	76
PID 732 wrote to memory of 3492	732	VyprVPN.exe	76
PID 3028 wrote to memory of 636	3028	joinResult.exe	77
PID 3028 wrote to memory of 636	3028	joinResult.exe	77
PID 3028 wrote to memory of 636	3028	joinResult.exe	77
PID 3028 wrote to memory of 2620	3028	joinResult.exe	78
PID 3028 wrote to memory of 2620	3028	joinResult.exe	78
PID 2620 wrote to memory of 1340	2620	Clipper.exe	80
PID 2620 wrote to memory of 1340	2620	Clipper.exe	80
PID 2620 wrote to memory of 3316	2620	Clipper.exe	82
PID 2620 wrote to memory of 3316	2620	Clipper.exe	82
PID 636 wrote to memory of 3144	636	1111.exe	83
PID 636 wrote to memory of 3144	636	1111.exe	83
PID 636 wrote to memory of 3144	636	1111.exe	83
PID 3144 wrote to memory of 3548	3144	cmd.exe	85
PID 3144 wrote to memory of 3548	3144	cmd.exe	85
PID 3144 wrote to memory of 3548	3144	cmd.exe	85

C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe
"C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:732
- C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
  "C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  PID:3028
- - C:\Users\Admin\AppData\Roaming\1337\1111.exe
    "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
    3⤵
    - Executes dropped EXE
    - Checks computer location settings
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:636
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:3144
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 3 -w 3000
        5⤵
        Runs ping.exe
        
        PID:3548
- - C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
    "C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2620
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f
      4⤵
      Creates scheduled task(s)
      PID:1340
  - - C:\Users\Admin\WinService.exe
      "C:\Users\Admin\WinService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3316
- C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
  "C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of FindShellTrayWindow
  PID:3492

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2496

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2152

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3384

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:728

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2280

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3992

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3828

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:632

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2532

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1496

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3076

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1160

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3176

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4020

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:4048

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1904

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3580

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3004

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2596

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2504

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3928

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1340

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:60

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2008

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2284

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1836

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3216

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3640

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:3236

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Winlogon Helper DLL

T1004

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

memory/60-130-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/632-70-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/636-15-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/636-17-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/636-16-0x0000000003110000-0x0000000003111000-memory.dmp

Filesize
4KB

Download
memory/728-54-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/1160-86-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/1340-126-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/1496-78-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/1836-142-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/1904-102-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2008-134-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2152-42-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2280-58-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2284-138-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2496-38-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2504-118-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2532-74-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2596-114-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-14-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/2620-18-0x00000000006B0000-0x00000000006B1000-memory.dmp

Filesize
4KB

Download
memory/3004-110-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3076-82-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3176-90-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3216-146-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3236-154-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3316-25-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3384-46-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3492-28-0x00000000005D0000-0x00000000005D1000-memory.dmp

Filesize
4KB

Download
memory/3492-36-0x00000000053E0000-0x00000000053E1000-memory.dmp

Filesize
4KB

Download
memory/3492-35-0x0000000005100000-0x0000000005101000-memory.dmp

Filesize
4KB

Download
memory/3492-20-0x0000000073C70000-0x000000007435E000-memory.dmp

Filesize
6.9MB

Download
memory/3492-32-0x0000000005220000-0x0000000005221000-memory.dmp

Filesize
4KB

Download
memory/3492-31-0x0000000005720000-0x0000000005721000-memory.dmp

Filesize
4KB

Download
memory/3492-30-0x0000000005180000-0x0000000005181000-memory.dmp

Filesize
4KB

Download
memory/3580-106-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3640-150-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3828-66-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3928-122-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3928-50-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/3992-62-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/4020-94-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download
memory/4048-98-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

Filesize
9.9MB

Download