cryptbot | dc1338766ff9398ff8d68c77e43143a4028ff389ff0231bd941869add11241b0

Analysis

max time kernel
150s
max time network
152s
platform
windows7_x64
resource
win7v20201028
submitted
16-01-2021 19:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

intervpnmix2_1.exe
Size

9.0MB
MD5

aa1515279a03f6726d34f9f97ad3ecce
SHA1

4a73a63691bbdf15af411ca1bd9c7bfc85110f32
SHA256

dc1338766ff9398ff8d68c77e43143a4028ff389ff0231bd941869add11241b0
SHA512

157e283e27613601c84692f85125d62c6301db16447eccc72a5118e11913689ab4194d140f0dd99ad0d7776618c8ea301c13e304491ba4277142ebcb36ed8153

Score

10^/10

cryptbot discovery evasion spyware stealer

Malware Config

Signatures

CryptBot
A C++ stealer distributed widely in bundle with other software.
spyware stealer cryptbot
Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 2 IoCs

Processes:

vruns.exeintervpnmix2.exe

pid process

2036 vruns.exe
1228 intervpnmix2.exe

pid	process
2036	vruns.exe
1228	intervpnmix2.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

intervpnmix2.exevruns.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	intervpnmix2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	intervpnmix2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vruns.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vruns.exe

Identifies Wine through registry keys 2 TTPs 2 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

intervpnmix2.exevruns.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine	intervpnmix2.exe
Key opened	\REGISTRY\USER\S-1-5-21-293278959-2699126792-324916226-1000\Software\Wine	vruns.exe

Loads dropped DLL 7 IoCs

Processes:

intervpnmix2_1.exevruns.exeintervpnmix2.exe

pid process

1036 intervpnmix2_1.exe
1036 intervpnmix2_1.exe
2036 vruns.exe
2036 vruns.exe
1036 intervpnmix2_1.exe
1228 intervpnmix2.exe
1228 intervpnmix2.exe
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Accesses cryptocurrency files/wallets, possible credential harvesting 2 TTPs
spyware

Data from Local System
T1005

Credentials in Files
T1081
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Looks up external IP address via web service 1 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.

Processes:

flow ioc

12 ip-api.com
Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

Processes:

intervpnmix2.exevruns.exe

pid process

1228 intervpnmix2.exe
2036 vruns.exe

pid	process
1036	intervpnmix2_1.exe
1036	intervpnmix2_1.exe
2036	vruns.exe
2036	vruns.exe
1036	intervpnmix2_1.exe
1228	intervpnmix2.exe
1228	intervpnmix2.exe

flow	ioc
12	ip-api.com

pid	process
1228	intervpnmix2.exe
2036	vruns.exe

Drops file in Program Files directory 44 IoCs

Processes:

intervpnmix2_1.exe

description	ioc	process
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\bin\deltapall.bat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\bin\devcon.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\unins000.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\japonia.ovpn	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\openvpn.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\driver\OemVista.inf	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\driver\tap0901.sys	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\vpnpro.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\openssl.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\openvpn-gui.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\bin\deltapall.bat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\driver\tap0901.sys	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\openvpnserv.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\openvpnserv.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\bin\addtap.bat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.cat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\stop_all.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\libpkcs11-helper-1.dll	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\test.ovpn	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\bin\devcon.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\driver\OemWin2k.inf	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\driver\tap0901.cat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\liblzo2-2.dll	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\superb.ovpn	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\openssl.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\openvpn-gui.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\bin\addtap.bat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\countries.tsv	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\memmgrset.dll	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\vpn850936802.ovpn	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\ssleay32.dll	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.inf	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.sys	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\unins000.dat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\libeay32.dll	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\liblzo2-2.dll	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\bin\tapinstall.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\driver\OemWin2k.inf	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\openvpn.exe	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\OpenVPN64\bin\libpkcs11-helper-1.dll	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows\driver\tap0901.cat	intervpnmix2_1.exe
File created	C:\Program Files (x86)\InterVpn\InterVpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.PNF	intervpnmix2_1.exe

Drops file in Windows directory 1 IoCs

Processes:

intervpnmix2_1.exe

description ioc process

File created C:\Windows\INF\oem59.PNF intervpnmix2_1.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

description	ioc	process
File created	C:\Windows\INF\oem59.PNF	intervpnmix2_1.exe

Checks processor information in registry 2 TTPs 4 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

intervpnmix2.exevruns.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	intervpnmix2.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	intervpnmix2.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	vruns.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	vruns.exe

Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

2112 timeout.exe

pid	process
2112	timeout.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

vruns.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	vruns.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	vruns.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vruns.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	vruns.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	vruns.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vruns.exeintervpnmix2.exe

pid process

2036 vruns.exe
1228 intervpnmix2.exe
Suspicious use of FindShellTrayWindow 1 IoCs

Processes:

vruns.exe

pid process

2036 vruns.exe

pid	process
2036	vruns.exe
1228	intervpnmix2.exe

pid	process
2036	vruns.exe

Suspicious use of WriteProcessMemory 28 IoCs

Processes:

intervpnmix2_1.exevruns.execmd.exe

description	pid	process	target process
PID 1036 wrote to memory of 2036	1036	intervpnmix2_1.exe	vruns.exe
PID 1036 wrote to memory of 2036	1036	intervpnmix2_1.exe	vruns.exe
PID 1036 wrote to memory of 2036	1036	intervpnmix2_1.exe	vruns.exe
PID 1036 wrote to memory of 2036	1036	intervpnmix2_1.exe	vruns.exe
PID 1036 wrote to memory of 2036	1036	intervpnmix2_1.exe	vruns.exe
PID 1036 wrote to memory of 2036	1036	intervpnmix2_1.exe	vruns.exe
PID 1036 wrote to memory of 2036	1036	intervpnmix2_1.exe	vruns.exe
PID 1036 wrote to memory of 1228	1036	intervpnmix2_1.exe	intervpnmix2.exe
PID 1036 wrote to memory of 1228	1036	intervpnmix2_1.exe	intervpnmix2.exe
PID 1036 wrote to memory of 1228	1036	intervpnmix2_1.exe	intervpnmix2.exe
PID 1036 wrote to memory of 1228	1036	intervpnmix2_1.exe	intervpnmix2.exe
PID 1036 wrote to memory of 1228	1036	intervpnmix2_1.exe	intervpnmix2.exe
PID 1036 wrote to memory of 1228	1036	intervpnmix2_1.exe	intervpnmix2.exe
PID 1036 wrote to memory of 1228	1036	intervpnmix2_1.exe	intervpnmix2.exe
PID 2036 wrote to memory of 1372	2036	vruns.exe	cmd.exe
PID 2036 wrote to memory of 1372	2036	vruns.exe	cmd.exe
PID 2036 wrote to memory of 1372	2036	vruns.exe	cmd.exe
PID 2036 wrote to memory of 1372	2036	vruns.exe	cmd.exe
PID 2036 wrote to memory of 1372	2036	vruns.exe	cmd.exe
PID 2036 wrote to memory of 1372	2036	vruns.exe	cmd.exe
PID 2036 wrote to memory of 1372	2036	vruns.exe	cmd.exe
PID 1372 wrote to memory of 2112	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 2112	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 2112	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 2112	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 2112	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 2112	1372	cmd.exe	timeout.exe
PID 1372 wrote to memory of 2112	1372	cmd.exe	timeout.exe

C:\Users\Admin\AppData\Local\Temp\intervpnmix2_1.exe
"C:\Users\Admin\AppData\Local\Temp\intervpnmix2_1.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:1036

C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe
"C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Modifies system certificate store
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of WriteProcessMemory
PID:2036

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\system32\cmd.exe" /c rd /s /q C:\ProgramData\INUoNVHx & timeout 1 & del /f /q "C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe"
3⤵
- Suspicious use of WriteProcessMemory
PID:1372

C:\Windows\SysWOW64\timeout.exe
timeout 1
4⤵
- Delays execution with timeout.exe
PID:2112

C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe
"C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
PID:1228

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Virtualization/Sandbox Evasion

T1497

Web Service

T1102

Credential Access

Credentials in Files

T1081

Discovery

Query Registry

T1012

System Information Discovery

T1082

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe
MD5
f26dc42b3ce20aaaff3bc059ad1ee51d

SHA1
1bdd627c3804ec84c70c514590da0b1f09513a46

SHA256
493c3a5440c0025f8f1154bcc002f109872f2dab955a43169583594dcab485e3

SHA512
2e6c7832db631be5717e246f1d5f6677c0344109fa35f7a88f8955f0fa437184fa09961ac94b8e55b45a3b9da30f3aa6251c0be94e6a391d69cb0a5c81ba8601

Download Submit
C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe
MD5
f26dc42b3ce20aaaff3bc059ad1ee51d

SHA1
1bdd627c3804ec84c70c514590da0b1f09513a46

SHA256
493c3a5440c0025f8f1154bcc002f109872f2dab955a43169583594dcab485e3

SHA512
2e6c7832db631be5717e246f1d5f6677c0344109fa35f7a88f8955f0fa437184fa09961ac94b8e55b45a3b9da30f3aa6251c0be94e6a391d69cb0a5c81ba8601

Download Submit
C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe
MD5
08b6bafe40b9d0a5a3663567dfaf67fe

SHA1
b1496d662a9178fa6cdba42d3639ccb148b3d015

SHA256
e310096e361a558c51ff56f42c2639aba9027c02030888604e0f1c51afb06573

SHA512
27e38e1ef087bc543c51bf3fad3f4e3ada0297ecedac988d60e677fd813669cc64b1c950e9cbdce4e69a3158554f9e5d63c5e16755c042b7d2fe283bd0f00b59

Download Submit
C:\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe
MD5
08b6bafe40b9d0a5a3663567dfaf67fe

SHA1
b1496d662a9178fa6cdba42d3639ccb148b3d015

SHA256
e310096e361a558c51ff56f42c2639aba9027c02030888604e0f1c51afb06573

SHA512
27e38e1ef087bc543c51bf3fad3f4e3ada0297ecedac988d60e677fd813669cc64b1c950e9cbdce4e69a3158554f9e5d63c5e16755c042b7d2fe283bd0f00b59

Download Submit
C:\ProgramData\INUoNVHx\172773~1.TXT
MD5
550cc6486c1ac1d65c8f1b14517a8294

SHA1
6f7b60b1f5b90ac815ab56c78cd7a5de05311fe1

SHA256
176bf49d4a7f854a30e1fb19acc33650ad5531a95bba23a9b7108b0129d15e9b

SHA512
eb29aefebe6d2ce5d06082c9ea8750de5cf5141e51ecc39457362bd4e8c1ec0313801f805b8b7ef6eaaf24d3e6b5d3ed2912216728ed5308165c00b17dc6f726

Download Submit
C:\ProgramData\INUoNVHx\Files\Browsers\Cookies\MOZILL~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\INUoNVHx\Files\Browsers\_FILEC~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\INUoNVHx\Files\Browsers\_FILEF~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\INUoNVHx\Files\Browsers\_FILEP~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\INUoNVHx\Files\_FILEP~1.TXT
MD5
ecaa88f7fa0bf610a5a26cf545dcd3aa

SHA1
57218c316b6921e2cd61027a2387edc31a2d9471

SHA256
f1945cd6c19e56b3c1c78943ef5ec18116907a4ca1efc40a57d48ab1db7adfc5

SHA512
37c783b80b1d458b89e712c2dfe2777050eff0aefc9f6d8beedee77807d9aeb2e27d14815cf4f0229b1d36c186bb5f2b5ef55e632b108cc41e9fb964c39b42a5

Download Submit
C:\ProgramData\INUoNVHx\Files\_Info.txt
MD5
e3681c5ee5c422919c59efa2e53e4006

SHA1
1f050d0963b1b6f7b7a39977768ebe506a7c69bb

SHA256
cb88f681994a90492b260fbeb1569f67032922a73b566818611358fbfb8aca52

SHA512
914d20ae1acd9f49167358463211400845ae5a0b1f28c0ad8018649f134a9d176ee1c306d46e36fd09bed4be6719a8228c94d3a84208f550875074841ec3d4e3

Download Submit
C:\ProgramData\INUoNVHx\Files\_Screen.jpg
MD5
13dd30d38720a80b7acc752b5c48a5b1

SHA1
9bb9dcba7cf8a897308a43a4c44331f1d3df9114

SHA256
acdd5986098ac64ee259aae86d0399ab8dbc53b56fa93c8989a088d82035022b

SHA512
0155b252737a4c445b5a60f3c01898ecfaf5864ef4805e8eb77414f7990ffccc0cece9a0bb323e835d6b4e792552cb4863d012eb5106da46ff149187d7b65a60

Download Submit
C:\ProgramData\INUoNVHx\YQNGDC~1.ZIP
MD5
ea821a80062daaecf75b51e72d365c58

SHA1
1f8a3ee74b4feaf99b3fcf9b1d93d99d24a1e93c

SHA256
1228d2c5b9e144ec2bf5d3977b94591f2afb1a979d3d288675366460c5da1ffc

SHA512
be4ffd927ce64aca33a9e9d779f4ac1da3c73109f727590ac8147e0d076fa755761a9c460a2bf528d0fa6a5e28165cd37e319ef61eb766eba4cb2f06c8d15b0f

Download Submit
C:\ProgramData\INUoNVHx\mocc.db
MD5
89d4b62651fa5c864b12f3ea6b1521cb

SHA1
570d48367b6b66ade9900a9f22d67d67a8fb2081

SHA256
22f1159db346d2cc8f4fa544796cc9d243a5737110a17d8e3755a2448404ce70

SHA512
e6d3109c5e2aef98a63f42eebe3b10feedb1a8c81d7823380553f84d2d6585f328c18f02e72c3e5c98ace7ffedfb6214a4ea6c87e85cefceada8e630f8df61ff

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015
MD5
67a631ff50d2208193abe32f52c71492

SHA1
687af1a9233f544b1813256e1f901f5412f274a8

SHA256
64c6475bb4e983b6938115ffc65197a6c1ab42c56b62c9e5b8788d9b14ecca29

SHA512
f1c234c5d07068a55e3ebd08a2421b3472c08be0582ae9e101692f9a49237e4fa562aeffce063252a927f56876df653f8ecf47bbf76e66d09f9323d456e69306

Download Submit
\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe
MD5
f26dc42b3ce20aaaff3bc059ad1ee51d

SHA1
1bdd627c3804ec84c70c514590da0b1f09513a46

SHA256
493c3a5440c0025f8f1154bcc002f109872f2dab955a43169583594dcab485e3

SHA512
2e6c7832db631be5717e246f1d5f6677c0344109fa35f7a88f8955f0fa437184fa09961ac94b8e55b45a3b9da30f3aa6251c0be94e6a391d69cb0a5c81ba8601

Download Submit
\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe
MD5
f26dc42b3ce20aaaff3bc059ad1ee51d

SHA1
1bdd627c3804ec84c70c514590da0b1f09513a46

SHA256
493c3a5440c0025f8f1154bcc002f109872f2dab955a43169583594dcab485e3

SHA512
2e6c7832db631be5717e246f1d5f6677c0344109fa35f7a88f8955f0fa437184fa09961ac94b8e55b45a3b9da30f3aa6251c0be94e6a391d69cb0a5c81ba8601

Download Submit
\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\intervpnmix2.exe
MD5
f26dc42b3ce20aaaff3bc059ad1ee51d

SHA1
1bdd627c3804ec84c70c514590da0b1f09513a46

SHA256
493c3a5440c0025f8f1154bcc002f109872f2dab955a43169583594dcab485e3

SHA512
2e6c7832db631be5717e246f1d5f6677c0344109fa35f7a88f8955f0fa437184fa09961ac94b8e55b45a3b9da30f3aa6251c0be94e6a391d69cb0a5c81ba8601

Download Submit
\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe
MD5
08b6bafe40b9d0a5a3663567dfaf67fe

SHA1
b1496d662a9178fa6cdba42d3639ccb148b3d015

SHA256
e310096e361a558c51ff56f42c2639aba9027c02030888604e0f1c51afb06573

SHA512
27e38e1ef087bc543c51bf3fad3f4e3ada0297ecedac988d60e677fd813669cc64b1c950e9cbdce4e69a3158554f9e5d63c5e16755c042b7d2fe283bd0f00b59

Download Submit
\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe
MD5
08b6bafe40b9d0a5a3663567dfaf67fe

SHA1
b1496d662a9178fa6cdba42d3639ccb148b3d015

SHA256
e310096e361a558c51ff56f42c2639aba9027c02030888604e0f1c51afb06573

SHA512
27e38e1ef087bc543c51bf3fad3f4e3ada0297ecedac988d60e677fd813669cc64b1c950e9cbdce4e69a3158554f9e5d63c5e16755c042b7d2fe283bd0f00b59

Download Submit
\Program Files (x86)\InterVpn\InterVpn\InterVpn\bin\InterVpn\vruns.exe
MD5
08b6bafe40b9d0a5a3663567dfaf67fe

SHA1
b1496d662a9178fa6cdba42d3639ccb148b3d015

SHA256
e310096e361a558c51ff56f42c2639aba9027c02030888604e0f1c51afb06573

SHA512
27e38e1ef087bc543c51bf3fad3f4e3ada0297ecedac988d60e677fd813669cc64b1c950e9cbdce4e69a3158554f9e5d63c5e16755c042b7d2fe283bd0f00b59

Download Submit
\Users\Admin\AppData\Local\Temp\nsi4423.tmp\UAC.dll
MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/696-19-0x000007FEF7880000-0x000007FEF7AFA000-memory.dmp

Filesize
2.5MB

Download
memory/1228-18-0x0000000009320000-0x0000000009331000-memory.dmp

Filesize
68KB

Download
memory/1228-10-0x0000000000000000-mapping.dmp

Download
memory/1228-16-0x0000000008F10000-0x0000000008F21000-memory.dmp

Filesize
68KB

Download
memory/1372-21-0x0000000000000000-mapping.dmp

Download
memory/2036-15-0x00000000040C0000-0x00000000040D1000-memory.dmp

Filesize
68KB

Download
memory/2036-17-0x00000000044D0000-0x00000000044E1000-memory.dmp

Filesize
68KB

Download
memory/2036-4-0x0000000000000000-mapping.dmp

Download
memory/2112-32-0x0000000000000000-mapping.dmp

Download