Overview

overview

10

Static

static

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

4

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

  • max time kernel
    1760s
  • max time network
    1701s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VyprVPN.exe

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 35 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
    installer
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe
    "C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
      "C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:3028
      • C:\Users\Admin\AppData\Roaming\1337\1111.exe
        "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:636
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3144
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 3 -w 3000
            5⤵
            • Runs ping.exe
            PID:3548
      • C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
        "C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f
          4⤵
          • Creates scheduled task(s)
          PID:1340
        • C:\Users\Admin\WinService.exe
          "C:\Users\Admin\WinService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3316
    • C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
      "C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"
      2⤵
      • Executes dropped EXE
      • Suspicious use of FindShellTrayWindow
      PID:3492
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2496
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2152
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3384
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3928
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:728
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2280
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3992
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3828
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:632
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2532
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1496
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3076
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1160
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3176
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4020
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4048
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1904
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3580
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3004
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2596
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2504
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3928
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1340
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:60
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2008
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2284
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1836
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3216
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3640
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3236

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\1337\1111.exe
    Download Submit

  • C:\Users\Admin\AppData\Roaming\1337\1111.exe
    Download Submit

  • C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
    Download Submit

  • C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
    Download Submit

  • C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
    Download Submit

  • C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
    Download Submit

  • C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
    MD5

    79022fbafee9fe740a5230f87bd33171

    SHA1

    42bf0f7bf41009fd0009535a8b1162cbe60dce6f

    SHA256

    640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6

    SHA512

    48e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3

    Download Submit

  • C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
    MD5

    79022fbafee9fe740a5230f87bd33171

    SHA1

    42bf0f7bf41009fd0009535a8b1162cbe60dce6f

    SHA256

    640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6

    SHA512

    48e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3

    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • C:\Users\Admin\WinService.exe
    Download Submit

  • \Users\Admin\AppData\Local\Temp\nskC53C.tmp\System.dll
    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsvB965.tmp\System.dll
    Download Submit

  • memory/60-130-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/632-70-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/636-15-0x0000000003110000-0x0000000003111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/636-8-0x0000000000000000-mapping.dmp

    Download

  • memory/636-17-0x0000000003110000-0x0000000003111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/636-16-0x0000000003110000-0x0000000003111000-memory.dmp

    Filesize

    4KB

    Download

  • memory/728-54-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1160-86-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1340-21-0x0000000000000000-mapping.dmp

    Download

  • memory/1340-126-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1496-78-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1836-142-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/1904-102-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2008-134-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2152-42-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2280-58-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2284-138-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2496-38-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2504-118-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2532-74-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2596-114-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2620-14-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/2620-18-0x00000000006B0000-0x00000000006B1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2620-11-0x0000000000000000-mapping.dmp

    Download

  • memory/3004-110-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3028-1-0x0000000000000000-mapping.dmp

    Download

  • memory/3076-82-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3144-33-0x0000000000000000-mapping.dmp

    Download

  • memory/3176-90-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3216-146-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3236-154-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3316-25-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3316-22-0x0000000000000000-mapping.dmp

    Download

  • memory/3384-46-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3492-28-0x00000000005D0000-0x00000000005D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-36-0x00000000053E0000-0x00000000053E1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-35-0x0000000005100000-0x0000000005101000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-20-0x0000000073C70000-0x000000007435E000-memory.dmp

    Filesize

    6.9MB

    Download

  • memory/3492-4-0x0000000000000000-mapping.dmp

    Download

  • memory/3492-32-0x0000000005220000-0x0000000005221000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-31-0x0000000005720000-0x0000000005721000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3492-30-0x0000000005180000-0x0000000005181000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3548-34-0x0000000000000000-mapping.dmp

    Download

  • memory/3580-106-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3640-150-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3828-66-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3928-122-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3928-50-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/3992-62-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4020-94-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download

  • memory/4048-98-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp

    Filesize

    9.9MB

    Download