Overview
overview
10Static
static
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
4ฺฺฺK...ฺฺ
windows10_x64
7ฺฺฺK...ฺฺ
windows10_x64
3ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
8ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
10ฺฺฺK...ฺฺ
windows10_x64
1ฺฺฺK...ฺฺ
windows10_x64
3Resubmissions
18-11-2020 14:18
201118-dj27sn3f52 1018-11-2020 13:42
201118-1arz86e7w6 1018-11-2020 13:38
201118-n8jh228ctn 10Analysis
-
max time kernel
361s -
max time network
463s -
platform
windows10_x64 -
resource
win10v20201028 -
submitted
18-11-2020 14:18
Static task
static1
Behavioral task
behavioral1
Sample
2019-09-02_22-41-10.bin.exe
Resource
win10v20201028
Behavioral task
behavioral2
Sample
31.bin.exe
Resource
win10v20201028
Behavioral task
behavioral3
Sample
3DMark 11 Advanced Edition.bin.exe
Resource
win10v20201028
Behavioral task
behavioral4
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.bin.exe
Resource
win10v20201028
Behavioral task
behavioral5
Sample
CVE-2018-15982_PoC.swf
Resource
win10v20201028
Behavioral task
behavioral6
Sample
DiskInternals_Uneraser_v5_keygen.bin.exe
Resource
win10v20201028
Behavioral task
behavioral7
Sample
ForceOp 2.8.7 - By RaiSence.bin.exe
Resource
win10v20201028
Behavioral task
behavioral8
Sample
HYDRA.bin.exe
Resource
win10v20201028
Behavioral task
behavioral9
Sample
Keygen.bin.exe
Resource
win10v20201028
Behavioral task
behavioral10
Sample
LtHv0O2KZDK4M637.bin.exe
Resource
win10v20201028
Behavioral task
behavioral11
Sample
OnlineInstaller.bin.exe
Resource
win10v20201028
Behavioral task
behavioral12
Sample
Remouse.Micro.Micro.v3.5.3.serial.maker.by.aaocg.bin.exe
Resource
win10v20201028
Behavioral task
behavioral13
Sample
Treasure.Vault.3D.Screensaver.keygen.by.Paradox.bin.exe
Resource
win10v20201028
Behavioral task
behavioral14
Sample
VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral15
Sample
WSHSetup[1].bin.exe
Resource
win10v20201028
Behavioral task
behavioral16
Sample
api.exe
Resource
win10v20201028
Behavioral task
behavioral17
Sample
efd97b1038e063779fb32a3ab35adc481679a5c6c8e3f4f69c44987ff08b6ea4.js
Resource
win10v20201028
Behavioral task
behavioral18
Sample
good.bin.exe
Resource
win10v20201028
Behavioral task
behavioral19
Sample
infected dot net installer.bin.exe
Resource
win10v20201028
Behavioral task
behavioral20
Sample
update.bin.exe
Resource
win10v20201028
Behavioral task
behavioral21
Sample
vir1.xls
Resource
win10v20201028
Behavioral task
behavioral22
Sample
xNet.dll
Resource
win10v20201028
Behavioral task
behavioral23
Sample
1.bin.exe
Resource
win10v20201028
Behavioral task
behavioral24
Sample
VPN/VyprVPN.exe
Resource
win10v20201028
Behavioral task
behavioral25
Sample
VPN/xNet.dll
Resource
win10v20201028
Behavioral task
behavioral26
Sample
WSHSetup[1].bin.exe
Resource
win10v20201028
General
-
Target
VyprVPN.exe
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
Processes:
Clipper.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe" Clipper.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe" Clipper.exe -
Executes dropped EXE 6 IoCs
Processes:
joinResult.exeVyprVPN.exe1111.exeClipper.exeWinService.exeWinService.exepid process 4260 joinResult.exe 4288 VyprVPN.exe 2208 1111.exe 4192 Clipper.exe 4464 WinService.exe 1784 WinService.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1111.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-3341490333-719741536-2920803124-1000\Control Panel\International\Geo\Nation 1111.exe -
Loads dropped DLL 2 IoCs
Processes:
VyprVPN.exejoinResult.exepid process 4792 VyprVPN.exe 4260 joinResult.exe -
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs
Processes:
1111.exepid process 2208 1111.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
NSIS installer 4 IoCs
Processes:
resource yara_rule C:\Users\Admin\AppData\Roaming\1337\joinResult.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\1337\joinResult.exe nsis_installer_2 C:\Users\Admin\AppData\Roaming\1337\joinResult.exe nsis_installer_1 C:\Users\Admin\AppData\Roaming\1337\joinResult.exe nsis_installer_2 -
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
Processes:
1111.exepid process 2208 1111.exe 2208 1111.exe -
Suspicious use of AdjustPrivilegeToken 3 IoCs
Processes:
Clipper.exeWinService.exeWinService.exedescription pid process Token: SeDebugPrivilege 4192 Clipper.exe Token: SeDebugPrivilege 4464 WinService.exe Token: SeDebugPrivilege 1784 WinService.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
1111.exepid process 2208 1111.exe -
Suspicious use of WriteProcessMemory 21 IoCs
Processes:
VyprVPN.exejoinResult.exeClipper.exe1111.execmd.exedescription pid process target process PID 4792 wrote to memory of 4260 4792 VyprVPN.exe joinResult.exe PID 4792 wrote to memory of 4260 4792 VyprVPN.exe joinResult.exe PID 4792 wrote to memory of 4260 4792 VyprVPN.exe joinResult.exe PID 4792 wrote to memory of 4288 4792 VyprVPN.exe VyprVPN.exe PID 4792 wrote to memory of 4288 4792 VyprVPN.exe VyprVPN.exe PID 4792 wrote to memory of 4288 4792 VyprVPN.exe VyprVPN.exe PID 4260 wrote to memory of 2208 4260 joinResult.exe 1111.exe PID 4260 wrote to memory of 2208 4260 joinResult.exe 1111.exe PID 4260 wrote to memory of 2208 4260 joinResult.exe 1111.exe PID 4260 wrote to memory of 4192 4260 joinResult.exe Clipper.exe PID 4260 wrote to memory of 4192 4260 joinResult.exe Clipper.exe PID 4192 wrote to memory of 4528 4192 Clipper.exe schtasks.exe PID 4192 wrote to memory of 4528 4192 Clipper.exe schtasks.exe PID 4192 wrote to memory of 4464 4192 Clipper.exe WinService.exe PID 4192 wrote to memory of 4464 4192 Clipper.exe WinService.exe PID 2208 wrote to memory of 660 2208 1111.exe cmd.exe PID 2208 wrote to memory of 660 2208 1111.exe cmd.exe PID 2208 wrote to memory of 660 2208 1111.exe cmd.exe PID 660 wrote to memory of 932 660 cmd.exe PING.EXE PID 660 wrote to memory of 932 660 cmd.exe PING.EXE PID 660 wrote to memory of 932 660 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe"C:\Users\Admin\AppData\Roaming\1337\1111.exe"3⤵
- Executes dropped EXE
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"4⤵
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 3 -w 30005⤵
- Runs ping.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f4⤵
- Creates scheduled task(s)
-
C:\Users\Admin\WinService.exe"C:\Users\Admin\WinService.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"2⤵
- Executes dropped EXE
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix ATT&CK v6
Replay Monitor
Loading Replay Monitor...
Downloads
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exeMD5
79022fbafee9fe740a5230f87bd33171
SHA142bf0f7bf41009fd0009535a8b1162cbe60dce6f
SHA256640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
SHA51248e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exeMD5
79022fbafee9fe740a5230f87bd33171
SHA142bf0f7bf41009fd0009535a8b1162cbe60dce6f
SHA256640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
SHA51248e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
C:\Users\Admin\WinService.exe
-
\Users\Admin\AppData\Local\Temp\nsh581A.tmp\System.dll
-
\Users\Admin\AppData\Local\Temp\nsz5DE7.tmp\System.dll
-
memory/660-35-0x0000000000000000-mapping.dmp
-
memory/932-36-0x0000000000000000-mapping.dmp
-
memory/1784-38-0x00007FFBE3760000-0x00007FFBE414C000-memory.dmpFilesize
9.9MB
-
memory/2208-9-0x0000000000000000-mapping.dmp
-
memory/2208-20-0x00000000037D0000-0x00000000037D1000-memory.dmpFilesize
4KB
-
memory/2208-22-0x00000000038D0000-0x00000000038D1000-memory.dmpFilesize
4KB
-
memory/2208-21-0x00000000037D0000-0x00000000037D1000-memory.dmpFilesize
4KB
-
memory/4192-13-0x0000000000000000-mapping.dmp
-
memory/4192-17-0x00007FFBE38F0000-0x00007FFBE42DC000-memory.dmpFilesize
9.9MB
-
memory/4192-24-0x0000000000FC0000-0x0000000000FC1000-memory.dmpFilesize
4KB
-
memory/4260-1-0x0000000000000000-mapping.dmp
-
memory/4288-11-0x0000000000500000-0x0000000000501000-memory.dmpFilesize
4KB
-
memory/4288-27-0x0000000005360000-0x0000000005361000-memory.dmpFilesize
4KB
-
memory/4288-26-0x0000000005040000-0x0000000005041000-memory.dmpFilesize
4KB
-
memory/4288-23-0x0000000005200000-0x0000000005201000-memory.dmpFilesize
4KB
-
memory/4288-19-0x0000000005660000-0x0000000005661000-memory.dmpFilesize
4KB
-
memory/4288-18-0x0000000005070000-0x0000000005071000-memory.dmpFilesize
4KB
-
memory/4288-8-0x0000000073100000-0x00000000737EE000-memory.dmpFilesize
6.9MB
-
memory/4288-3-0x0000000000000000-mapping.dmp
-
memory/4464-29-0x0000000000000000-mapping.dmp
-
memory/4464-32-0x00007FFBE38F0000-0x00007FFBE42DC000-memory.dmpFilesize
9.9MB
-
memory/4528-28-0x0000000000000000-mapping.dmp