Overview

overview

10

Static

static

8

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

3

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

8

ฺฺฺK...ฺฺ

windows10_x64

1

ฺฺฺK...ฺฺ

windows10_x64

10

ฺฺฺK...ฺฺ

windows10_x64

10

Resubmissions

12-11-2021 18:04

211112-wnzb8aahhm 10

19-11-2020 10:08

201119-rhwlt38jrx 10

18-11-2020 17:26

201118-htd4fq29va 10

Analysis

  • max time kernel
    1781s
  • max time network
    1584s
  • platform
    windows10_x64
  • resource
    win10v20201028
  • submitted
    19-11-2020 10:08

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    VyprVPN.exe

Score
10/10
persistencespywarestealer

Malware Config

Signatures

  • Modifies WinLogon for persistence 2 TTPs 2 IoCs
    persistence
  • Executes dropped EXE 35 IoCs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • NSIS installer 4 IoCs
    installer
  • Creates scheduled task(s) 1 TTPs 1 IoCs

    Schtasks is often used by malware for persistence or to perform post-infection execution.

    persistence
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 32 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 21 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe
    "C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"
    1⤵
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:732
    • C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
      "C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • Suspicious use of WriteProcessMemory
      PID:1896
      • C:\Users\Admin\AppData\Roaming\1337\1111.exe
        "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
        3⤵
        • Executes dropped EXE
        • Checks computer location settings
        • Suspicious use of NtSetInformationThreadHideFromDebugger
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of SetWindowsHookEx
        • Suspicious use of WriteProcessMemory
        PID:2532
        • C:\Windows\SysWOW64\cmd.exe
          cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
          4⤵
          • Suspicious use of WriteProcessMemory
          PID:3952
          • C:\Windows\SysWOW64\PING.EXE
            ping 1.1.1.1 -n 3 -w 3000
            5⤵
            • Runs ping.exe
            PID:3164
      • C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
        "C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"
        3⤵
        • Modifies WinLogon for persistence
        • Executes dropped EXE
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:2620
        • C:\Windows\System32\schtasks.exe
          "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f
          4⤵
          • Creates scheduled task(s)
          PID:3688
        • C:\Users\Admin\WinService.exe
          "C:\Users\Admin\WinService.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of AdjustPrivilegeToken
          PID:4056
    • C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
      "C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"
      2⤵
      • Executes dropped EXE
      PID:4068
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:976
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2024
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2628
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3468
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:4048
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:840
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3140
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1164
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2748
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2176
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2468
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:976
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1160
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3008
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3768
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1196
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2280
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:748
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1768
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:308
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3268
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2228
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2168
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3908
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2632
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1020
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1472
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1860
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:1996
  • C:\Users\Admin\WinService.exe
    C:\Users\Admin\WinService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2836

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scheduled Task

1
T1053

Persistence

Winlogon Helper DLL

1
T1004

Scheduled Task

1
T1053

Privilege Escalation

Scheduled Task

1
T1053

Defense Evasion

Modify Registry

1
T1112

Credential Access

Credentials in Files

1
T1081

Discovery

Query Registry

1
T1012

System Information Discovery

2
T1082

Remote System Discovery

1
T1018

Lateral Movement

Collection

Data from Local System

1
T1005

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Roaming\1337\1111.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\1337\1111.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
    Download Submit
  • C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
    MD5

    79022fbafee9fe740a5230f87bd33171

    SHA1

    42bf0f7bf41009fd0009535a8b1162cbe60dce6f

    SHA256

    640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6

    SHA512

    48e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3

    Download Submit
  • C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
    MD5

    79022fbafee9fe740a5230f87bd33171

    SHA1

    42bf0f7bf41009fd0009535a8b1162cbe60dce6f

    SHA256

    640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6

    SHA512

    48e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3

    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • C:\Users\Admin\WinService.exe
    Download Submit
  • \Users\Admin\AppData\Local\Temp\nshCA9B.tmp\System.dll
    Download Submit
  • \Users\Admin\AppData\Local\Temp\nsiCD0C.tmp\System.dll
    Download Submit
  • memory/308-114-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/748-106-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/840-58-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/976-38-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/976-82-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1020-138-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1160-86-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1164-66-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1196-98-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1472-142-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1768-110-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1860-146-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/1896-1-0x0000000000000000-mapping.dmp
    Download
  • memory/1996-150-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2024-42-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2168-126-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2176-74-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2228-122-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2280-102-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2468-78-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2532-16-0x0000000003120000-0x0000000003121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2532-15-0x0000000003120000-0x0000000003121000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2532-17-0x0000000003220000-0x0000000003221000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2532-8-0x0000000000000000-mapping.dmp
    Download
  • memory/2620-10-0x0000000000000000-mapping.dmp
    Download
  • memory/2620-18-0x0000000000400000-0x0000000000401000-memory.dmp
    Filesize

    4KB

    Download
  • memory/2620-14-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2628-46-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2632-134-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2748-70-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/2836-154-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3008-90-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3140-62-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3164-36-0x0000000000000000-mapping.dmp
    Download
  • memory/3268-118-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3468-50-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3688-23-0x0000000000000000-mapping.dmp
    Download
  • memory/3768-94-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3908-130-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/3952-33-0x0000000000000000-mapping.dmp
    Download
  • memory/4048-54-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/4056-25-0x0000000000000000-mapping.dmp
    Download
  • memory/4056-28-0x00007FFD71840000-0x00007FFD7222C000-memory.dmp
    Filesize

    9.9MB

    Download
  • memory/4068-20-0x0000000073BF0000-0x00000000742DE000-memory.dmp
    Filesize

    6.9MB

    Download
  • memory/4068-21-0x0000000000990000-0x0000000000991000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-24-0x0000000005550000-0x0000000005551000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-29-0x0000000005B40000-0x0000000005B41000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-32-0x0000000005640000-0x0000000005641000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-3-0x0000000000000000-mapping.dmp
    Download
  • memory/4068-34-0x00000000054C0000-0x00000000054C1000-memory.dmp
    Filesize

    4KB

    Download
  • memory/4068-35-0x0000000005810000-0x0000000005811000-memory.dmp
    Filesize

    4KB

    Download