Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
1793s -
max time network
356s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 13:42
General
-
Target
VPN/VyprVPN.exe
Score
10/10
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Executes dropped EXE 35 IoCs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
-
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Modifies registry class 33 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 32 IoCs
-
Suspicious use of SetWindowsHookEx 3 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\VPN\VyprVPN.exe"C:\Users\Admin\AppData\Local\Temp\VPN\VyprVPN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe"C:\Users\Admin\AppData\Roaming\1337\1111.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 3 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\WinService.exe"C:\Users\Admin\WinService.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"2⤵
- Executes dropped EXE
- Modifies registry class
- Suspicious use of SetWindowsHookEx
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\SysWOW64\DllHost.exeC:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}1⤵
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exeMD5
79022fbafee9fe740a5230f87bd33171
SHA142bf0f7bf41009fd0009535a8b1162cbe60dce6f
SHA256640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
SHA51248e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exeMD5
79022fbafee9fe740a5230f87bd33171
SHA142bf0f7bf41009fd0009535a8b1162cbe60dce6f
SHA256640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
SHA51248e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
\Users\Admin\AppData\Local\Temp\nsv2FB3.tmp\System.dll
-
\Users\Admin\AppData\Local\Temp\nsw3252.tmp\System.dll
-
memory/492-161-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/580-81-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/684-85-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/744-89-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/944-57-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/1316-73-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/1824-53-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/1852-133-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/1996-149-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2088-36-0x0000000000000000-mapping.dmp
-
memory/2092-145-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2096-1-0x0000000000000000-mapping.dmp
-
memory/2164-3-0x0000000000000000-mapping.dmp
-
memory/2164-9-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB
-
memory/2164-21-0x0000000005190000-0x0000000005191000-memory.dmpFilesize
4KB
-
memory/2164-27-0x00000000053A0000-0x00000000053A1000-memory.dmpFilesize
4KB
-
memory/2164-26-0x0000000005090000-0x0000000005091000-memory.dmpFilesize
4KB
-
memory/2164-8-0x0000000073B90000-0x000000007427E000-memory.dmpFilesize
6.9MB
-
memory/2164-15-0x00000000050F0000-0x00000000050F1000-memory.dmpFilesize
4KB
-
memory/2164-19-0x0000000005750000-0x0000000005751000-memory.dmpFilesize
4KB
-
memory/2244-65-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2344-77-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2496-137-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2520-101-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2572-69-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2592-129-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2600-61-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2604-141-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2612-105-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2892-113-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/2908-28-0x0000000000000000-mapping.dmp
-
memory/3088-153-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3240-125-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3332-45-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3368-157-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3372-117-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3460-32-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3460-29-0x0000000000000000-mapping.dmp
-
memory/3612-109-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3764-49-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3860-97-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/3988-35-0x0000000000000000-mapping.dmp
-
memory/4012-14-0x0000000000000000-mapping.dmp
-
memory/4012-18-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/4012-24-0x0000000000550000-0x0000000000551000-memory.dmpFilesize
4KB
-
memory/4016-93-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/4040-121-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmpFilesize
9.9MB
-
memory/4048-23-0x0000000003730000-0x0000000003731000-memory.dmpFilesize
4KB
-
memory/4048-22-0x0000000003630000-0x0000000003631000-memory.dmpFilesize
4KB
-
memory/4048-20-0x0000000003630000-0x0000000003631000-memory.dmpFilesize
4KB
-
memory/4048-11-0x0000000000000000-mapping.dmp