Overview

overview

10

Static

static

vpn.exe

windows7_x64

10

vpn.exe

windows10_x64

10

Analysis

  • max time kernel
    67s
  • max time network
    78s
  • platform
    windows10_x64
  • resource
    win10v20210408
  • submitted
    24-05-2021 05:40

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    vpn.exe

  • Size

    1.3MB

  • MD5

    bdbb82acdd6ea587bb10ca6b2e41fa6e

  • SHA1

    e3a3795234acc91a711ecfe5e171777fe9a79458

  • SHA256

    bc0ded251a44cc8a1240e278143cd6071904eb1d0fe12d8e6f8d8879f85762f5

  • SHA512

    268862c7d1e7917b7a919781c381ca9b3177c8168de2fb1eb2c8c02d2bfa9eb86bf514713ef5695efd49c28f7bb2d74c3bc60075a1332239171b244d6ed4e1b6

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateProcessExOtherParentProcess 1 IoCs
  • Executes dropped EXE 2 IoCs
  • Suspicious use of SetThreadContext 1 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Program crash 1 IoCs
  • Runs ping.exe 1 TTPs 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 14 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 23 IoCs
  • Views/modifies file attributes 1 TTPs 1 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\vpn.exe
    "C:\Users\Admin\AppData\Local\Temp\vpn.exe"
    1⤵
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:996
    • C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\system32\cmd.exe" /c C:\Windows\system32\cmd < Mani.tiff
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:648
      • C:\Windows\SysWOW64\cmd.exe
        C:\Windows\system32\cmd
        3⤵
        • Suspicious use of WriteProcessMemory
        PID:2988
        • C:\Windows\SysWOW64\findstr.exe
          findstr /V /R "^evPBaEfWQqyNKZLtKkIKaOhysWAewfstsPVxTRBcMnTIddqdSDRELSGhpKpvtjVBJqvVrskTKhYTVEPwWppbbMznoHloItdmDsYfTtjBaYUnUMsEUimVrbrWHYMvuelFWndEGmiRXHtmSVDvfFhA$" Tramonto.tiff
          4⤵
            PID:576
          • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Finita.exe.com
            Finita.exe.com c
            4⤵
            • Executes dropped EXE
            • Suspicious use of WriteProcessMemory
            PID:416
            • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Finita.exe.com
              C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Finita.exe.com c
              5⤵
              • Executes dropped EXE
              • Suspicious use of SetThreadContext
              • Suspicious use of WriteProcessMemory
              PID:2060
              • C:\Windows\SysWOW64\attrib.exe
                C:\Windows\SysWOW64\attrib.exe
                6⤵
                • Views/modifies file attributes
                PID:2276
                • C:\Windows\SysWOW64\WerFault.exe
                  C:\Windows\SysWOW64\WerFault.exe -u -p 2276 -s 456
                  7⤵
                  • Suspicious use of NtCreateProcessExOtherParentProcess
                  • Program crash
                  • Suspicious behavior: EnumeratesProcesses
                  • Suspicious use of AdjustPrivilegeToken
                  PID:3012
          • C:\Windows\SysWOW64\PING.EXE
            ping 127.0.0.1 -n 30
            4⤵
            • Runs ping.exe
            PID:1244

    Network

    MITRE ATT&CK Enterprise v6

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Care.tiff
      MD5

      4b87a8d6577a8af9c1f9f5afa00ba5bc

      SHA1

      dee965fd0a9d0a42412ca0b0baa13a4978d87190

      SHA256

      52349ced213bce059c6e174e59f2825336928f83df8165fe1e39cb1dee408048

      SHA512

      fdb3410a3e8758cff8c6f0ed141442f8e6592afcae4554a5db1136029814fa6e36a3390ce3222526aeec9c55b7e03eca7b6c07388c5c54f7664fe165705e74e9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Far.tiff
      MD5

      b78443b62765c7b88e4391dffe7bd63a

      SHA1

      5dd4495ed4c00d3254afa5f26ed52030ad4c824b

      SHA256

      39a761a58e7b9b712c23e3c1431cd1916ad9168d6fff1f3ab04f4279794d5804

      SHA512

      83dadfcb8647db3854e3c9f3e1b56f131876901d0ace16c03cf125be16b8969c87fc1674e2e86d0972eb2a177a7793b06f0d7467c1e434cab07f2612fd1c45f9

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Finita.exe.com
      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Finita.exe.com
      MD5

      c56b5f0201a3b3de53e561fe76912bfd

      SHA1

      2a4062e10a5de813f5688221dbeb3f3ff33eb417

      SHA256

      237d1bca6e056df5bb16a1216a434634109478f882d3b1d58344c801d184f95d

      SHA512

      195b98245bb820085ae9203cdb6d470b749d1f228908093e8606453b027b7d7681ccd7952e30c2f5dd40f8f0b999ccfc60ebb03419b574c08de6816e75710d2c

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Mani.tiff
      MD5

      bc6c8dbac052de9c2ce0e66910428cf2

      SHA1

      a62a8bee593cfc3794793240fc1f90bae69062cd

      SHA256

      33b0d20127be2c9af6257c04f0fb94f56becf1b3d1bad8e8b8956de6b4ef5940

      SHA512

      039df1d2328c3166f9755ac005a8830134ea807b66bc98accb463072987638944d3ed66fd83681b45313d1d65f3bc6b9573985476bd413bdaee664331365628a

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\Tramonto.tiff
      MD5

      9228f312c71f220ffc4bc19ca5e3cd40

      SHA1

      7ed0fb24ae15537837a22b098d02df701cbb8652

      SHA256

      e9e0a7d479dd1c1d95131b2a25d30c515d3038a291766172f7bc6670275c42e9

      SHA512

      39047987104bd70d56e009470064fca9d0b5511ec427d3668b0f472516a4dd120b59b0953e421137151e34e424ac0c1aac81f2a71ffd24df43e2c99a4c5ba1a6

      Download Submit

    • C:\Users\Admin\AppData\Local\Temp\7ZipSfx.000\c
      MD5

      4b87a8d6577a8af9c1f9f5afa00ba5bc

      SHA1

      dee965fd0a9d0a42412ca0b0baa13a4978d87190

      SHA256

      52349ced213bce059c6e174e59f2825336928f83df8165fe1e39cb1dee408048

      SHA512

      fdb3410a3e8758cff8c6f0ed141442f8e6592afcae4554a5db1136029814fa6e36a3390ce3222526aeec9c55b7e03eca7b6c07388c5c54f7664fe165705e74e9

      Download Submit

    • memory/416-120-0x0000000000000000-mapping.dmp

      Download

    • memory/576-117-0x0000000000000000-mapping.dmp

      Download

    • memory/648-114-0x0000000000000000-mapping.dmp

      Download

    • memory/1244-122-0x0000000000000000-mapping.dmp

      Download

    • memory/2060-124-0x0000000000000000-mapping.dmp

      Download

    • memory/2060-127-0x0000000000C50000-0x0000000000C51000-memory.dmp

      Filesize

      4KB

      Download

    • memory/2276-128-0x00000000009D0000-0x00000000009F7000-memory.dmp

      Filesize

      156KB

      Download

    • memory/2276-129-0x00000000009D591E-mapping.dmp

      Download

    • memory/2988-116-0x0000000000000000-mapping.dmp

      Download