Overview

overview

10

Static

static

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

4

Resubmissions

18-11-2020 14:18

201118-dj27sn3f52 10

18-11-2020 13:42

201118-1arz86e7w6 10

18-11-2020 13:38

201118-n8jh228ctn 10

Analysis

  • max time kernel
    1793s
  • max time network
    356s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    18-11-2020 13:42

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VPN/VyprVPN.exe

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 35 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
    installer
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Modifies registry class 33 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of SetWindowsHookEx 3 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VPN\VyprVPN.exe
    "C:\Users\Admin\AppData\Local\Temp\VPN\VyprVPN.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:3412
    • C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
      "C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:2096
      • C:\Users\Admin\AppData\Roaming\1337\1111.exe
        "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:4048
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3988
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 3 -w 3000
            5⤵
            • Runs ping.exe
            PID:2088
      • C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
        "C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:4012
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f
          4⤵
          • Creates scheduled task(s)
          PID:2908
        • C:\Users\Admin\WinService.exe
          "C:\Users\Admin\WinService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:3460
    • C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
      "C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"
      2⤵
      • Executes dropped EXE
      • Modifies registry class
      • Suspicious use of SetWindowsHookEx
      PID:2164
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3332
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3764
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1824
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:944
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2600
  • C:\Windows\SysWOW64\DllHost.exe
    C:\Windows\SysWOW64\DllHost.exe /Processid:{AB8902B4-09CA-4BB6-B78D-A8F59079A8D5}
    1⤵
      PID:512
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2244
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2572
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1316
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2344
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:580
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:684
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:744
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4016
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3860
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2520
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3612
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2892
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3372
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:4040
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3240
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2592
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1852
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2496
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2604
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2092
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:1996
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3088
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:3368
    • C:\Users\Admin\WinService.exe
      C:\Users\Admin\WinService.exe
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:492

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • memory/492-161-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/580-81-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/684-85-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/744-89-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/944-57-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1316-73-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1824-53-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1852-133-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/1996-149-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2092-145-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2164-9-0x0000000000550000-0x0000000000551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2164-21-0x0000000005190000-0x0000000005191000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2164-27-0x00000000053A0000-0x00000000053A1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2164-26-0x0000000005090000-0x0000000005091000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2164-8-0x0000000073B90000-0x000000007427E000-memory.dmp

      Filesize

      6.9MB

      Download

    • memory/2164-15-0x00000000050F0000-0x00000000050F1000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2164-19-0x0000000005750000-0x0000000005751000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2244-65-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2344-77-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2496-137-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2520-101-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2572-69-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2592-129-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2600-61-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2604-141-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2612-105-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/2892-113-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3088-153-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3240-125-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3332-45-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3368-157-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3372-117-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3460-32-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3612-109-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3764-49-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/3860-97-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4012-18-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4012-24-0x0000000000550000-0x0000000000551000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4016-93-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4040-121-0x00007FFED9070000-0x00007FFED9A5C000-memory.dmp

      Filesize

      9.9MB

      Download

    • memory/4048-23-0x0000000003730000-0x0000000003731000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4048-22-0x0000000003630000-0x0000000003631000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4048-20-0x0000000003630000-0x0000000003631000-memory.dmp

      Filesize

      4KB

      Download