a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b

General

Target

a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
Size

8.5MB
MD5

d4572458e610e97f4642e70e5801db62
SHA1

10d45768e23b335350fe2af3fb79a0540e1c4651
SHA256

a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b
SHA512

f8e99d9adcd47bd4dc263c7b85b4b5c391f12e4c16fb824c9959b428818c6e20a466b0e13c66067686e37a5072ec4d38418f9d1de41f2223d80ec61f99e8d629

Score

9^/10

evasion

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497
Executes dropped EXE 1 IoCs

Processes:

vpnpro.exe

pid process

8 vpnpro.exe

pid	process
8	vpnpro.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

vpnpro.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	vpnpro.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	vpnpro.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

vpnpro.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine vpnpro.exe
Loads dropped DLL 1 IoCs

Processes:

a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe

pid process

4360 a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
Legitimate hosting services abused for malware hosting/C2 1 TTPs

Web Service
T1102
Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

vpnpro.exe

pid process

8 vpnpro.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-2632097139-1792035885-811742494-1000\Software\Wine	vpnpro.exe

pid	process
4360	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe

pid	process
8	vpnpro.exe

Drops file in Program Files directory 52 IoCs

Processes:

a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe

description	ioc	process
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\liblzo2-2.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpnpro.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\bin\tapinstall.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\driver\OemWin2k.inf	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.sys	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\vpnpro.ITA.lng	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\japonia.ovpn	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\openvpn-gui.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\openvpnserv.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\driver\OemVista.inf	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\countries.tsv	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\vpnpro.FIN.lng	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\libeay32.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\openvpn.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\libpkcs11-helper-1.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\bin\addtap.bat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\driver\tap0901.sys	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\tap0901.cat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\vpnpro.PTB.lng	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\vpnpro.RUS.lng	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\ssleay32.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\bin\deltapall.bat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\driver\OemWin2k.inf	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\driver\tap0901.cat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\bin\deltapall.bat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.inf	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpn850936802.ovpn	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\liblzo2-2.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\vpnpro.ntv.lng	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\openssl.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\openvpnserv.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\bin\addtap.bat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\bin\devcon.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\innoupd.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\unins000.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\test.ovpn	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\openvpn.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\bin\devcon.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows\driver\tap0901.sys	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\driver\tap0901.cat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\unins000.dat	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\vpnpro.ROM.lng	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\libpkcs11-helper-1.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\TAP-Windows64\driver\System64Folder\DriverStore\FileRepository\oemwin2k.inf_amd64_5a1fec2fbbccefcc\oemwin2k.PNF	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\stop_all.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\vpnpro.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\ssleay32.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\superb.ovpn	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\libeay32.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN64\bin\openssl.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\memmgrset.dll	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
File created	C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\openvpn-gui.exe	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe

Drops file in Windows directory 1 IoCs

Processes:

a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe

description ioc process

File created C:\Windows\INF\oem59.PNF a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

vpnpro.exe

pid process

8 vpnpro.exe
8 vpnpro.exe

description	ioc	process
File created	C:\Windows\INF\oem59.PNF	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe

pid	process
8	vpnpro.exe
8	vpnpro.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe

description	pid	process	target process
PID 4360 wrote to memory of 8	4360	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe	vpnpro.exe
PID 4360 wrote to memory of 8	4360	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe	vpnpro.exe
PID 4360 wrote to memory of 8	4360	a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe	vpnpro.exe

C:\Users\Admin\AppData\Local\Temp\a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe
"C:\Users\Admin\AppData\Local\Temp\a7d0d6a14b87d8ec445507b72307e33e4d83672e33a4c98025ae09ad4500200b.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious use of WriteProcessMemory
PID:4360

C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpnpro.exe
"C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpnpro.exe"
2⤵
- Executes dropped EXE
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:8

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Web Service

1

T1102

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Innovative Solutions\Intervpn\OpenVPN\bin\vpnpro.exe
Filesize
2.0MB

MD5
377a51a2371524d72af1e2c7ae750b49

SHA1
86d915b99dd495c6eb0c9e7926dafbce1ff2be73

SHA256
78be359f86eee66b7e94a7fe54755a89ee8aa88c3fabee65c772a9d24284db3a

SHA512
09dfdb25464e4b17eeec09dde4db0d3ebe8026e5a9f3d8095acdcf26682314bf83cace912efdafc98ddd8b6540eda3639d6d2890e95821c5481e9b1d9efc6220

Download Submit
C:\Users\Admin\AppData\Local\Temp\nsv6392.tmp\UAC.dll
Filesize
14KB

MD5
adb29e6b186daa765dc750128649b63d

SHA1
160cbdc4cb0ac2c142d361df138c537aa7e708c9

SHA256
2f7f8fc05dc4fd0d5cda501b47e4433357e887bbfed7292c028d99c73b52dc08

SHA512
b28adcccf0c33660fecd6f95f28f11f793dc9988582187617b4c113fb4e6fdad4cf7694cd8c0300a477e63536456894d119741a940dda09b7df3ff0087a7eada

Download Submit
memory/8-131-0x0000000000000000-mapping.dmp

Download
memory/8-133-0x00000000776B0000-0x0000000077853000-memory.dmp

Filesize
1.6MB

Download
memory/8-134-0x0000000000400000-0x000000000091C000-memory.dmp

Filesize
5.1MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads