f715fd70ffa8bae01641ab0954dddfb4604586b63361b49f681801e68252eee3

Analysis

max time kernel
148s
max time network
155s
platform
windows10-2004_x64
resource
win10v2004-20220812-en
resource tags

arch:x64arch:x86image:win10v2004-20220812-enlocale:en-usos:windows10-2004-x64system
submitted
28/12/2022, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UrbanVPN2.exe
Size

30.9MB
MD5

87d504827ef7eb568d6dcecfad38d1f9
SHA1

e7b8e8bfd973a932b3a32422b1d5e58924ea1955
SHA256

f715fd70ffa8bae01641ab0954dddfb4604586b63361b49f681801e68252eee3
SHA512

1134bfd74c43b6a110c6536e9e542c5b8c2379ecb380ccc33475aba7f7ee4f328a6d1986d781955c26523f5bb2726af56fb796a147fdb6fd74d1223da187df41
SSDEEP

786432:fmT7jot5Kn402EbWJyMSt8NAi0KoK0PYuQM:fYmQ402qWJ6t8OJKol

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 14 IoCs

pid	Process
4920	UrbanVPN2.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\U:	UrbanVPN2.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\A:	UrbanVPN2.exe
File opened (read-only)	\??\B:	UrbanVPN2.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\I:	UrbanVPN2.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\W:	UrbanVPN2.exe
File opened (read-only)	\??\Y:	UrbanVPN2.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\G:	UrbanVPN2.exe
File opened (read-only)	\??\H:	UrbanVPN2.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\P:	UrbanVPN2.exe
File opened (read-only)	\??\R:	UrbanVPN2.exe
File opened (read-only)	\??\X:	UrbanVPN2.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\K:	UrbanVPN2.exe
File opened (read-only)	\??\M:	UrbanVPN2.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\O:	UrbanVPN2.exe
File opened (read-only)	\??\Q:	UrbanVPN2.exe
File opened (read-only)	\??\Z:	UrbanVPN2.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\E:	UrbanVPN2.exe
File opened (read-only)	\??\N:	UrbanVPN2.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\J:	UrbanVPN2.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\S:	UrbanVPN2.exe
File opened (read-only)	\??\T:	UrbanVPN2.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\F:	UrbanVPN2.exe
File opened (read-only)	\??\L:	UrbanVPN2.exe
File opened (read-only)	\??\V:	UrbanVPN2.exe
File opened (read-only)	\??\J:	msiexec.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\dialog.jpg	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\InstallerHelperDLL.dll_1	UrbanVPN2.exe
File opened for modification	C:\Windows\SystemTemp\shi9D4E.tmp	MsiExec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\info	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\banner.jpg	UrbanVPN2.exe
File opened for modification	C:\Windows\SystemTemp\shi9BA9.tmp	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\repairic	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\tempFiles.dll	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\Button2.jpg	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\Privacy.png	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\ShortcutFlags.dll	UrbanVPN2.exe
File opened for modification	C:\Windows\SystemTemp\shi9D9D.tmp	MsiExec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\New	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\tabback	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\cmdlinkarrow	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\InstallerHelperDLL.dll	UrbanVPN2.exe
File opened for modification	C:\Windows\SystemTemp\INA9B3B.tmp	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\custicon	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\Up	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\Permission.png	UrbanVPN2.exe
File opened for modification	C:\Windows\SystemTemp\shiA34B.tmp	MsiExec.exe
File opened for modification	C:\Windows\SystemTemp\shiA37B.tmp	MsiExec.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\insticon	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\removico	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\completi	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\Access.png	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\Button1.jpg	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\WhiteBack.png	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\viewer.exe	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\exclamic	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\NetFirewall.dll	UrbanVPN2.exe
File created	C:\Windows\SystemTemp\AI_EXTUI_BIN_4920\lzmaextractor.dll	UrbanVPN2.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe
2088	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	4932	msiexec.exe
Token: SeCreateTokenPrivilege	4920	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	4920	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	4920	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	4920	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	4920	UrbanVPN2.exe
Token: SeTcbPrivilege	4920	UrbanVPN2.exe
Token: SeSecurityPrivilege	4920	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	4920	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	4920	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	4920	UrbanVPN2.exe
Token: SeSystemtimePrivilege	4920	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	4920	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	4920	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	4920	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	4920	UrbanVPN2.exe
Token: SeBackupPrivilege	4920	UrbanVPN2.exe
Token: SeRestorePrivilege	4920	UrbanVPN2.exe
Token: SeShutdownPrivilege	4920	UrbanVPN2.exe
Token: SeDebugPrivilege	4920	UrbanVPN2.exe
Token: SeAuditPrivilege	4920	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	4920	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	4920	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	4920	UrbanVPN2.exe
Token: SeUndockPrivilege	4920	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	4920	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	4920	UrbanVPN2.exe
Token: SeManageVolumePrivilege	4920	UrbanVPN2.exe
Token: SeImpersonatePrivilege	4920	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	4920	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	4920	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	4920	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	4920	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	4920	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	4920	UrbanVPN2.exe
Token: SeTcbPrivilege	4920	UrbanVPN2.exe
Token: SeSecurityPrivilege	4920	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	4920	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	4920	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	4920	UrbanVPN2.exe
Token: SeSystemtimePrivilege	4920	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	4920	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	4920	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	4920	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	4920	UrbanVPN2.exe
Token: SeBackupPrivilege	4920	UrbanVPN2.exe
Token: SeRestorePrivilege	4920	UrbanVPN2.exe
Token: SeShutdownPrivilege	4920	UrbanVPN2.exe
Token: SeDebugPrivilege	4920	UrbanVPN2.exe
Token: SeAuditPrivilege	4920	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	4920	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	4920	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	4920	UrbanVPN2.exe
Token: SeUndockPrivilege	4920	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	4920	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	4920	UrbanVPN2.exe
Token: SeManageVolumePrivilege	4920	UrbanVPN2.exe
Token: SeImpersonatePrivilege	4920	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	4920	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	4920	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	4920	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	4920	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	4920	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	4920	UrbanVPN2.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 4932 wrote to memory of 2088	4932	msiexec.exe	84
PID 4932 wrote to memory of 2088	4932	msiexec.exe	84
PID 4932 wrote to memory of 2088	4932	msiexec.exe	84

C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe
"C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:4920

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4932
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 0DC9456E7B1B49944F0A2740C00BAFE2 C
  2⤵
  - Loads dropped DLL
  - Drops file in Windows directory
  - Suspicious behavior: EnumeratesProcesses
  PID:2088

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.10\tracking.ini

Filesize
84B

MD5
72129aaca86f0c675177ce52ecd5275e

SHA1
819274ee7f2451e17d25c5f58a78acd1eb0c4e57

SHA256
5a96c999eb82fd69e737f59918d0defcf98832ad69537194e30574fee29c897e

SHA512
bcb548438cb7bde2f1de4d91cd08e36a160c66bacc9be7a828fe25a204def6089c92b1d9f087252e87e2765b3787c8eac4eb62c4136a2dcc705e10a394a0f45c

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.10\{5E041EA6-26FE-4B0D-B8EF-30C08E14828B}.session

Filesize
2KB

MD5
9d80c42648269d5676f6335b9f218d64

SHA1
2952c28c95b8a1b0c23b70a0b6995f5bccbe5085

SHA256
1253bc7569feaf37f2940d46619eb4abc8630fa4902599443e5cdc4aa6f5e4ca

SHA512
6d2ba3849836f9789c605efcf9bf9dd7ef6b987a6824bc8d1e30d5800525e7ebdde6c438c073e9ae760f9ecf9a36cc4528770846b8bd839ebb60ff36c4c5e252

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9BE9.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9BE9.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C86.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9C86.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9F27.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9F27.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9F47.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9F47.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA004.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA004.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA043.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA043.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA1BB.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA1BB.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA258.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA258.tmp

Filesize
703KB

MD5
59f4b7e8b960987b68b311660c99957a

SHA1
3ba452e27d4bf53e72bf28cde68240290e72e46f

SHA256
3b43d469e1f3656f948eabbd9e1ed99570a7962118fcfc9ccaa309eb657502bf

SHA512
64bd1ddbc90dfae6a7b34b67eaa32a0fd03e5ccff7e25f997dfb488f56b7ab2c7fab867915d05ba40f215216f87942d035e740edd64db7cb6df049a589dde27b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA2C7.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA2C7.tmp

Filesize
1.0MB

MD5
5566149fc623f29d55ca72018369c780

SHA1
8ae947ab0ae9182f1c09bd266ff360c0e8b88326

SHA256
a8c8ff2a0e754059b1f44ef69df492ef3cd582f3750f8c374037c9621069c608

SHA512
f9f49c930c3ead40f208482ab6f70a21a8495fd1c50b56a3f689eb53e8e7b8ca9a642bae2199fc80b6099bd3fdd3c4cfcd0d3a8cada47ebf23c7fcef87064cb5

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA410.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA410.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA46F.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA46F.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA53B.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA53B.tmp

Filesize
557KB

MD5
e1423fc5ddaedc0152a09f4796243e31

SHA1
c92cec1fb6093d6922fe64719e583048fca12153

SHA256
3042d947f0e3accd3307d4d983aba352c4b01f6ca10aa45dbe660ca0a0a107de

SHA512
fc21fadb5b86dc0c4fc8fea5d166b9b8a500df2b662c201626a8bcf6d3f7bd590b8ec3bae31f2f558b74ccb49ca74f51ee48b19bd047a27ef0c794b21cc84b39

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA5A9.tmp

Filesize
203KB

MD5
83ab902128343371bd2a659a6a068338

SHA1
f30df8094d3058fb621dd4ca602c8e9aa296599f

SHA256
0b3276d71ef9a69802e43f40764f4b2cfe80de36ef6a8ea324274740099c324d

SHA512
f71d6efddf39cdd13fc543d2c717a9c4f631f92e033345c5d97704cbdd1b84f9524df51b7c6898a7d9156b0c9333ce23d483b95ddc2b3cec2b35538ad26e182f

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA5A9.tmp

Filesize
203KB

MD5
83ab902128343371bd2a659a6a068338

SHA1
f30df8094d3058fb621dd4ca602c8e9aa296599f

SHA256
0b3276d71ef9a69802e43f40764f4b2cfe80de36ef6a8ea324274740099c324d

SHA512
f71d6efddf39cdd13fc543d2c717a9c4f631f92e033345c5d97704cbdd1b84f9524df51b7c6898a7d9156b0c9333ce23d483b95ddc2b3cec2b35538ad26e182f

Download Submit
C:\Windows\SystemTemp\INA9B3B.tmp

Filesize
934KB

MD5
146d4071d7b48f3edbebab0079801397

SHA1
253ce37191ad8768884a43c4e84e8b7f93a9dd4b

SHA256
b1d2cbc86f7bd2c8a0fc4d078ffe9f474781b77fa2865f35973003f24cbd7afa

SHA512
2031c63ea3671e63f5bd6ef230abd459dae521730bd09a5ef10639f43521af22c6eae11ce1ebf02a6fdb4dc3fb75e042abf347f69fe0ee8dcee80e7f858678ae

Download Submit