88fa1a52922482a0e80c5c410421c38e557514796a53f9e6839304fd049cd753

Resubmissions

06-04-2023 21:31

230406-1da9vshb61 7

Analysis

max time kernel
98s
max time network
129s
platform
windows10-2004_x64
resource
win10v2004-20230220-en
resource tags

arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
submitted
06-04-2023 21:31

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UrbanVPN2.exe
Size

30.9MB
MD5

401ae8a7c8a882dd7846fd4c62b99f60
SHA1

4b77e688de4234376cf18f5c9db5466cd012b945
SHA256

88fa1a52922482a0e80c5c410421c38e557514796a53f9e6839304fd049cd753
SHA512

8a018e727d1b886381ae0ab0ce8b07c1fd044d9ab3dbd79d5c3108c1bba3114341c1066bc18d9e236b61e81b029f6b5fbfcf056a6903a14ec3cdf2356a05c6f6
SSDEEP

786432:TZSM7H/daLUKzGOEViOK+LJE4K9WnbtR5IX+1Qw:T7lbi8iOKqoWbL58+z

Score

7^/10

Malware Config

Signatures

Loads dropped DLL 14 IoCs

Processes:

UrbanVPN2.exeMsiExec.exe

pid	process
1448	UrbanVPN2.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe

Enumerates connected drives 3 TTPs 48 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

UrbanVPN2.exemsiexec.exe

description	ioc	process
File opened (read-only)	\??\G:	UrbanVPN2.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\F:	UrbanVPN2.exe
File opened (read-only)	\??\H:	UrbanVPN2.exe
File opened (read-only)	\??\K:	UrbanVPN2.exe
File opened (read-only)	\??\S:	UrbanVPN2.exe
File opened (read-only)	\??\B:	UrbanVPN2.exe
File opened (read-only)	\??\Y:	UrbanVPN2.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\F:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\J:	UrbanVPN2.exe
File opened (read-only)	\??\N:	UrbanVPN2.exe
File opened (read-only)	\??\P:	UrbanVPN2.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\E:	UrbanVPN2.exe
File opened (read-only)	\??\V:	UrbanVPN2.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	UrbanVPN2.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\A:	UrbanVPN2.exe
File opened (read-only)	\??\M:	UrbanVPN2.exe
File opened (read-only)	\??\O:	UrbanVPN2.exe
File opened (read-only)	\??\W:	UrbanVPN2.exe
File opened (read-only)	\??\Z:	UrbanVPN2.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\L:	UrbanVPN2.exe
File opened (read-only)	\??\R:	UrbanVPN2.exe
File opened (read-only)	\??\T:	UrbanVPN2.exe
File opened (read-only)	\??\U:	UrbanVPN2.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	UrbanVPN2.exe
File opened (read-only)	\??\Q:	UrbanVPN2.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

NSIS installer 1 IoCs

installer

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi	nsis_installer_2

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1130

Modify Registry

T1112

Processes:

UrbanVPN2.exe

description	ioc	process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703086200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c14000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 5c000000010000000400000000080000190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f6200000001000000200000003e9099b5015e8f486c00bcea9d111ee721faba355a89bcf1df69561e3dc6325c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b06010505070308530000000100000040000000303e301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa604000000010000001000000087ce0b7b2a0e4900e158719b37a893722000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	UrbanVPN2.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	UrbanVPN2.exe

Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

MsiExec.exe

pid process

5032 MsiExec.exe
5032 MsiExec.exe
5032 MsiExec.exe
5032 MsiExec.exe

pid	process
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe
5032	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

msiexec.exeUrbanVPN2.exe

description	pid	process
Token: SeSecurityPrivilege	4848	msiexec.exe
Token: SeCreateTokenPrivilege	1448	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	1448	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	1448	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	1448	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	1448	UrbanVPN2.exe
Token: SeTcbPrivilege	1448	UrbanVPN2.exe
Token: SeSecurityPrivilege	1448	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	1448	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	1448	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	1448	UrbanVPN2.exe
Token: SeSystemtimePrivilege	1448	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	1448	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	1448	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	1448	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	1448	UrbanVPN2.exe
Token: SeBackupPrivilege	1448	UrbanVPN2.exe
Token: SeRestorePrivilege	1448	UrbanVPN2.exe
Token: SeShutdownPrivilege	1448	UrbanVPN2.exe
Token: SeDebugPrivilege	1448	UrbanVPN2.exe
Token: SeAuditPrivilege	1448	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	1448	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	1448	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	1448	UrbanVPN2.exe
Token: SeUndockPrivilege	1448	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	1448	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	1448	UrbanVPN2.exe
Token: SeManageVolumePrivilege	1448	UrbanVPN2.exe
Token: SeImpersonatePrivilege	1448	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	1448	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	1448	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	1448	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	1448	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	1448	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	1448	UrbanVPN2.exe
Token: SeTcbPrivilege	1448	UrbanVPN2.exe
Token: SeSecurityPrivilege	1448	UrbanVPN2.exe
Token: SeTakeOwnershipPrivilege	1448	UrbanVPN2.exe
Token: SeLoadDriverPrivilege	1448	UrbanVPN2.exe
Token: SeSystemProfilePrivilege	1448	UrbanVPN2.exe
Token: SeSystemtimePrivilege	1448	UrbanVPN2.exe
Token: SeProfSingleProcessPrivilege	1448	UrbanVPN2.exe
Token: SeIncBasePriorityPrivilege	1448	UrbanVPN2.exe
Token: SeCreatePagefilePrivilege	1448	UrbanVPN2.exe
Token: SeCreatePermanentPrivilege	1448	UrbanVPN2.exe
Token: SeBackupPrivilege	1448	UrbanVPN2.exe
Token: SeRestorePrivilege	1448	UrbanVPN2.exe
Token: SeShutdownPrivilege	1448	UrbanVPN2.exe
Token: SeDebugPrivilege	1448	UrbanVPN2.exe
Token: SeAuditPrivilege	1448	UrbanVPN2.exe
Token: SeSystemEnvironmentPrivilege	1448	UrbanVPN2.exe
Token: SeChangeNotifyPrivilege	1448	UrbanVPN2.exe
Token: SeRemoteShutdownPrivilege	1448	UrbanVPN2.exe
Token: SeUndockPrivilege	1448	UrbanVPN2.exe
Token: SeSyncAgentPrivilege	1448	UrbanVPN2.exe
Token: SeEnableDelegationPrivilege	1448	UrbanVPN2.exe
Token: SeManageVolumePrivilege	1448	UrbanVPN2.exe
Token: SeImpersonatePrivilege	1448	UrbanVPN2.exe
Token: SeCreateGlobalPrivilege	1448	UrbanVPN2.exe
Token: SeCreateTokenPrivilege	1448	UrbanVPN2.exe
Token: SeAssignPrimaryTokenPrivilege	1448	UrbanVPN2.exe
Token: SeLockMemoryPrivilege	1448	UrbanVPN2.exe
Token: SeIncreaseQuotaPrivilege	1448	UrbanVPN2.exe
Token: SeMachineAccountPrivilege	1448	UrbanVPN2.exe

Suspicious use of WriteProcessMemory 3 IoCs

Processes:

msiexec.exe

description	pid	process	target process
PID 4848 wrote to memory of 5032	4848	msiexec.exe	MsiExec.exe
PID 4848 wrote to memory of 5032	4848	msiexec.exe	MsiExec.exe
PID 4848 wrote to memory of 5032	4848	msiexec.exe	MsiExec.exe

C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe
"C:\Users\Admin\AppData\Local\Temp\UrbanVPN2.exe"
1⤵
- Loads dropped DLL
- Enumerates connected drives
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1448

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4848

C:\Windows\syswow64\MsiExec.exe
C:\Windows\syswow64\MsiExec.exe -Embedding E8F7590D27E96661D30A667C99C8C609 C
2⤵
- Loads dropped DLL
- Suspicious behavior: EnumeratesProcesses
PID:5032

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Install Root Certificate

T1130

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\tracking.ini

Filesize
84B

MD5
75543f872e89585ef9038f431c207b0f

SHA1
2282563e8649b01d4b7e26e3c1449c118e590a33

SHA256
cbd75fb452101d865ccb02b15f4926009251c918bc449c9b161c6cd2b3dfc831

SHA512
f1c46b8d2194d3b41742096d07b546bd842818cb5eeb8bbd888f12d9a496ce45d52e071a655f2a44d5ec4b52308588bffb1207d924ca803a05da88430940dab2

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\{57A13C3A-6EF1-495F-B632-3F9D5088B8BB}.session

Filesize
615B

MD5
8f4373da859c3c4bebea619f2a421a28

SHA1
a4e2b6216c05cd782b4e639c32636952c91ba837

SHA256
38025c266f18f030f91ea24966bc27fd0e9947c4f5a6836ba06d4675fcc32ed3

SHA512
b76d7e4fe63a2a3e3ff76d29121fe3e3f1758c0aab87d66d1d7ee721dd2911ef58f360990f3f98917167c6c26b1e999811e94fe75c964022489ab9b355f3bd07

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.2.11\{57A13C3A-6EF1-495F-B632-3F9D5088B8BB}.session

Filesize
5KB

MD5
d8ac6ad5f67e7a987323f2d1c166c9a2

SHA1
e9e6f3470938090fed437bdfbff202cdf32b44ea

SHA256
f5ef62a40e219aad9f889be06eb3a489e791048e83658db9ec72cbecf872a4ca

SHA512
e1312bcdb73714e33a451ecfcf94c78fbf057c65c63daae2ee03875e8474d696cb78d61e12e61bccac8c1d1501d396475546f129d57c1e525a456bc463e5b298

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1448\dialog.jpg

Filesize
21KB

MD5
81b61102f7970a8c83ecd382c4ab6def

SHA1
165795d45b6fa70661d073bb8c791114c0e6748e

SHA256
9a9ab67db52355b3d091e0bd58275e5c6633adbffc300ddb6607db7bbda88a15

SHA512
2b58f4da52cd687073cae64a0f467c3666daaca14bd95e38e544ae76319c3a9e7b5a223db6de2d92848822e23a9028d2cc97c64d7b2133aebbea5876e81e9937

Download Submit
C:\Users\Admin\AppData\Local\Temp\INA8590.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI868C.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI868C.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI87A6.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI87A6.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8B70.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8B70.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BDE.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BDE.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8BDE.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8C1E.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8C1E.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8CAC.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8CAC.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8E62.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8E62.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8E62.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8ED0.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8ED0.tmp

Filesize
703KB

MD5
ae585caebd7faece019342026b304129

SHA1
8c512e6db9b0c9547fc0a6d3f3d1216e373d924e

SHA256
92dd2c1f1d19e1d96411d8afc81c29696d76abe6469a2d75200dd82a8fc164b4

SHA512
dbafd2b28356139f886ed7af3813bf7ee1e95709549b8bdbb3c52e17a213694af45096f369668e674a3295a1ba6ce3232dc8c213b29f24442a3c9e68e0d87313

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8F10.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI8F10.tmp

Filesize
1.1MB

MD5
e136a9af7f78576b80fd9c4ca95c7217

SHA1
855791df445000ab6f6763f209a73bcfb87bad8e

SHA256
d02e575bd028557df4d4af24a271372fd05f8df351299d6fc33cef0798aec991

SHA512
1f63bc94354872aab8324821e7279b7f1fa4d99b0c5f7d4e89592fd4882b505202867478d2621642d82a3c38c6082e01968cdd7fcf590d519b7968e2e4798f0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI92F9.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI92F9.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9358.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9358.tmp

Filesize
938KB

MD5
b316b71e1a9d16c13c7b256c0e3f4508

SHA1
68376ef79bba72e093cc265cb572cd3aa6d5aeaf

SHA256
e52f867bd41c1b8a637faed098415fd531efe605dcb76e70b51d1d96dbb5f7f9

SHA512
d26b90008919c5324ee0bc9bdb3aae0cbade6321840c276ca9b5eddd7c542ea7888f8f860d382408ba4bcf60e074aa62ca6d48a6a94168c53cbce41bef83f274

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI94A1.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI94A1.tmp

Filesize
559KB

MD5
7380aa7a4eafd17c21cf315ae35fe288

SHA1
886747c7526627898bd36ff8b85869c9bf6718fc

SHA256
dba4ba13c058f89a92ff5afb2e9c77688bce5909499238b5c396d4308071ed88

SHA512
c4976712429d715adb7b4379d6e339e76557897117df2f9a920283ece5ca5bdabbf5ce0c3cda162a0a54bfc29ec8b979195689309a47ab00d800595e290f69a1

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI953E.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI953E.tmp

Filesize
203KB

MD5
6593ea498fa2721a84d6602a8c5e79e2

SHA1
520a3126bc9f7a061dcb5d42822a0187643eb546

SHA256
e5953bb102b59a342abbd5ae82ad7af4fb0018c22a7546ae142b2333ffa89c2b

SHA512
3e0f766d7e001664921ac7eed843d8ef2427124612aae6d766856ea74632d5e5a99613145bebe6f80e8f38c017f58f61c9a736927516f059fa151fcbffe2aa6e

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi8F18.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi8F47.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.2.11\install\0918F48\urbanvpninstaller.x64.msi

Filesize
8.9MB

MD5
9751a48e1777859f060f66b3642cf766

SHA1
63730681961647c704a1dcb889c7e341d9169d0d

SHA256
9425a49da070614a9b58dfcf7bad69ff4a34addb645a15ac99b12d5603169470

SHA512
db31839ab69521b975fde691c0be0a95feecfae2ea249b89197626ac66e05f01862ffdfccbdde582e4ef9fba09cbfedd5ddc2e5e80644de4aa31d288f183e55d

Download Submit