Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1760s -
max time network
1701s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 13:42
General
-
Target
VyprVPN.exe
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 35 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 1 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe"C:\Users\Admin\AppData\Roaming\1337\1111.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 3 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\WinService.exe"C:\Users\Admin\WinService.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"2⤵
- Executes dropped EXE
- Suspicious use of FindShellTrayWindow
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exeMD5
79022fbafee9fe740a5230f87bd33171
SHA142bf0f7bf41009fd0009535a8b1162cbe60dce6f
SHA256640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
SHA51248e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exeMD5
79022fbafee9fe740a5230f87bd33171
SHA142bf0f7bf41009fd0009535a8b1162cbe60dce6f
SHA256640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
SHA51248e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
\Users\Admin\AppData\Local\Temp\nskC53C.tmp\System.dll
-
\Users\Admin\AppData\Local\Temp\nsvB965.tmp\System.dll
-
memory/60-130-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/632-70-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/636-15-0x0000000003110000-0x0000000003111000-memory.dmpFilesize
4KB
-
memory/636-8-0x0000000000000000-mapping.dmp
-
memory/636-17-0x0000000003110000-0x0000000003111000-memory.dmpFilesize
4KB
-
memory/636-16-0x0000000003110000-0x0000000003111000-memory.dmpFilesize
4KB
-
memory/728-54-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/1160-86-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/1340-21-0x0000000000000000-mapping.dmp
-
memory/1340-126-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/1496-78-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/1836-142-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/1904-102-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2008-134-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2152-42-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2280-58-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2284-138-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2496-38-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2504-118-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2532-74-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2596-114-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2620-14-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/2620-18-0x00000000006B0000-0x00000000006B1000-memory.dmpFilesize
4KB
-
memory/2620-11-0x0000000000000000-mapping.dmp
-
memory/3004-110-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3028-1-0x0000000000000000-mapping.dmp
-
memory/3076-82-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3144-33-0x0000000000000000-mapping.dmp
-
memory/3176-90-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3216-146-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3236-154-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3316-25-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3316-22-0x0000000000000000-mapping.dmp
-
memory/3384-46-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3492-28-0x00000000005D0000-0x00000000005D1000-memory.dmpFilesize
4KB
-
memory/3492-36-0x00000000053E0000-0x00000000053E1000-memory.dmpFilesize
4KB
-
memory/3492-35-0x0000000005100000-0x0000000005101000-memory.dmpFilesize
4KB
-
memory/3492-20-0x0000000073C70000-0x000000007435E000-memory.dmpFilesize
6.9MB
-
memory/3492-4-0x0000000000000000-mapping.dmp
-
memory/3492-32-0x0000000005220000-0x0000000005221000-memory.dmpFilesize
4KB
-
memory/3492-31-0x0000000005720000-0x0000000005721000-memory.dmpFilesize
4KB
-
memory/3492-30-0x0000000005180000-0x0000000005181000-memory.dmpFilesize
4KB
-
memory/3548-34-0x0000000000000000-mapping.dmp
-
memory/3580-106-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3640-150-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3828-66-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3928-122-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3928-50-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/3992-62-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/4020-94-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB
-
memory/4048-98-0x00007FFD71840000-0x00007FFD7222C000-memory.dmpFilesize
9.9MB