Resubmissions
20-03-2021 14:00
210320-n9nmylwvyx 10Analysis
- max time kernel: 105s
- max time network: 105s
- platform: windows10_x64
- resource: win10v20201028
- submitted: 20-03-2021 14:00
Static task: static1
Behavioral task: behavioral1 (Sample: vpn.exe, Resource: win7v20201028)
Behavioral task: behavioral2 (Sample: vpn.exe, Resource: win10v20201028)
General
- Target: vpn.exe
- Size: 1.1MB
- MD5: 025b474dae9f402be5568f96426fe1ec
- SHA1: c586839de389951b5048272ebe40b33902db40eb
- SHA256: 6c94ef12be12667362545a64c325e125ba3647e58276faa93c663432f07d1ab0
- SHA512: b2f604f248f960e6a01ea3065545fa53bb43f17ef5b9077732d481acafdfb367b9ddc97beb618a067d843c7ffa9280d480b0f493f0b94d864f354e1e130100bd
Malware Config
Signatures
- Blocklisted process makes network request (1 IoCs)
  Processes (flow / pid / process):
    29 / 720 / WScript.exe
- Executes dropped EXE (3 IoCs)
  Processes (pid / process):
    2136 / Sei.exe.com
    2216 / Sei.exe.com
    188 / uvfjbefrcyn.exe
- Legitimate hosting services abused for malware hosting/C2 (1 TTPs)
- Looks up external IP address via web service (1 IoCs)
  Uses a legitimate IP lookup service to find the infected system's external IP.
  Processes (flow / ioc):
    14 / ip-api.com
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
- Checks processor information in registry (2 TTPs, 2 IoCs)
  Processor information is often read in order to detect sandboxing environments.
  Processes (description / ioc / process):
    Key opened / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 / Sei.exe.com
    Key value queried / \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString / Sei.exe.com
- Modifies registry class (1 IoCs)
  Processes (description / ioc / process):
    Key created / \REGISTRY\USER\S-1-5-21-1985363256-3005190890-1182679451-1000_Classes\Local Settings / Sei.exe.com
- Modifies system certificate store
  Processes (description / ioc / process):
    Key created / \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349 / Sei.exe.com
    Set value (data) / \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 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 / Sei.exe.com
- Runs ping.exe (1 TTPs, 1 IoCs)
- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes (description / pid / process / target process), each write reported 3 times:
    PID 1456 wrote to memory of 2680 / 1456 / vpn.exe / cmd.exe (x3)
    PID 2680 wrote to memory of 3560 / 2680 / cmd.exe / cmd.exe (x3)
    PID 3560 wrote to memory of 4068 / 3560 / cmd.exe / findstr.exe (x3)
    PID 3560 wrote to memory of 2136 / 3560 / cmd.exe / Sei.exe.com (x3)
    PID 3560 wrote to memory of 584 / 3560 / cmd.exe / PING.EXE (x3)
    PID 2136 wrote to memory of 2216 / 2136 / Sei.exe.com / Sei.exe.com (x3)
    PID 2216 wrote to memory of 188 / 2216 / Sei.exe.com / uvfjbefrcyn.exe (x3)
    PID 2216 wrote to memory of 2668 / 2216 / Sei.exe.com / WScript.exe (x3)
    PID 2216 wrote to memory of 720 / 2216 / Sei.exe.com / WScript.exe (x3)
Processes
- C:\Users\Admin\AppData\Local\Temp\vpn.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\vpn.exe"
  Signatures: Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /c CmD < Muto.ppsx
    Signatures: Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe
      Command line: CmD
      Signatures: Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\findstr.exe
        Command line: findstr /V /R "^vajPQtXXzHEBktaqYJxMbcgAtBjRfvlcZbbEMXGsnfobkQPlvBBmZopqrMKgSuHXbpCNGOhwerhihRghLexOUKcRgbAqjsmaIkZegeDIgAvVUwNjbvCPLTrMOLnp$" Settala.ppsx
      - C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
        Command line: Sei.exe.com R
        Signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com
          Command line: C:\Users\Admin\AppData\Roaming\WGUAWTcGiA\Sei.exe.com R
          Signatures: Executes dropped EXE; Checks processor information in registry; Modifies registry class; Modifies system certificate store; Suspicious use of WriteProcessMemory
          - C:\Users\Admin\AppData\Local\Temp\uvfjbefrcyn.exe
            Command line: "C:\Users\Admin\AppData\Local\Temp\uvfjbefrcyn.exe"
            Signatures: Executes dropped EXE
          - C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\huqvcjtnyim.vbs"
          - C:\Windows\SysWOW64\WScript.exe
            Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\rpdshkxcd.vbs"
            Signatures: Blocklisted process makes network request
      - C:\Windows\SysWOW64\PING.EXE
        Command line: ping 127.0.0.1 -n 30
        Signatures: Runs ping.exe
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads