Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

8

Static

static

1

ProtonVPN_....1.exe

windows7-x64

7

ProtonVPN_....1.exe

windows10-2004-x64

8

Resubmissions

13/04/2023, 14:27

230413-rsqtesdc9s 8

Analysis

  • max time kernel
    150s
  • max time network
    154s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    13/04/2023, 14:27

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ProtonVPN_win_v2.4.1.exe

  • Size

    29.9MB

  • MD5

    ee2d7372817a833beda001a35d3693a1

  • SHA1

    695251a2628c95a6fd9e2b7f3092593723d09594

  • SHA256

    c95cf2af65dd0b1556c02cd17952462f02314cf532eec06ebca08328549790ae

  • SHA512

    18a6a92e460312b3ee7b76e9bc2be98f47f19cdf84dbbf64d73b5fe70aaec19a22de89ffa73c2b416230f1f91e0b6f929663d3e01bcf59bea978b565390b1dcc

  • SSDEEP

    786432:0/e+t2cVTdFIdoTVayXIKbUP/FQUnEIK1/r3:0/es2cRd2+aHKb+dK1/L

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 4 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

  • Suspicious behavior: EnumeratesProcesses 1 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 2 IoCs
  • Suspicious use of WriteProcessMemory 55 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ProtonVPN_win_v2.4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\ProtonVPN_win_v2.4.1.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1808
    • C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB2992611.bat" "
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:1096
      • C:\Windows\SysWOW64\Wbem\WMIC.exe
        wmic qfe get hotfixid
        3⤵
          PID:920
        • C:\Windows\SysWOW64\findstr.exe
          FindStr "KB2992611"
          3⤵
            PID:924
        • C:\Windows\SysWOW64\cmd.exe
          cmd /c ""C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB3033929.bat" "
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:1116
          • C:\Windows\SysWOW64\Wbem\WMIC.exe
            wmic qfe get hotfixid
            3⤵
              PID:552
            • C:\Windows\SysWOW64\findstr.exe
              FindStr "KB3033929 KB4019264 KB4022719 KB4025341 KB4034664 KB4038777 KB4041681 KB4343900 KB4457144 KB4462923 KB4467107 KB4471318 KB4480970 KB4486563 KB4489878 KB4474419 KB4493472 KB4499164 KB4499175 KB4503292 KB4503269 KB4507449 KB4507456 KB4512506 KB4516065 KB4519976 KB4524157 KB4015549 KB3197868 KB3185330"
              3⤵
                PID:1852
            • C:\Windows\SysWOW64\cmd.exe
              cmd /c ""C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB3063858.bat" "
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:1400
              • C:\Windows\SysWOW64\Wbem\WMIC.exe
                wmic qfe get hotfixid
                3⤵
                  PID:608
                • C:\Windows\SysWOW64\findstr.exe
                  FindStr "KB3063858 KB2533623 KB4457144 KB3126587 KB3126593 KB3146706 KB4014793"
                  3⤵
                    PID:1928
                • C:\Windows\SysWOW64\cmd.exe
                  cmd /c ""C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB2921916.bat" "
                  2⤵
                  • Suspicious use of WriteProcessMemory
                  PID:1692
                  • C:\Windows\SysWOW64\Wbem\WMIC.exe
                    wmic qfe get hotfixid
                    3⤵
                      PID:1040
                    • C:\Windows\SysWOW64\findstr.exe
                      FindStr "KB2921916"
                      3⤵
                        PID:792
                  • C:\Windows\system32\msiexec.exe
                    C:\Windows\system32\msiexec.exe /V
                    1⤵
                    • Enumerates connected drives
                    • Suspicious use of AdjustPrivilegeToken
                    • Suspicious use of WriteProcessMemory
                    PID:1688
                    • C:\Windows\syswow64\MsiExec.exe
                      C:\Windows\syswow64\MsiExec.exe -Embedding 46B2B78981819FA5CEF181A0035FD222 C
                      2⤵
                      • Loads dropped DLL
                      • Suspicious behavior: EnumeratesProcesses
                      PID:1904

                  Network

                  MITRE ATT&CK Enterprise v6

                  Replay Monitor

                  Loading Replay Monitor...

                  Downloads

                  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
                    Filesize

                    61KB

                    MD5

                    e71c8443ae0bc2e282c73faead0a6dd3

                    SHA1

                    0c110c1b01e68edfacaeae64781a37b1995fa94b

                    SHA256

                    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

                    SHA512

                    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1808\BannerBitmap.bmp
                    Filesize

                    29KB

                    MD5

                    6ec754fca420b9e088e7b906e63d22a9

                    SHA1

                    913a8c7cc9203eca2b311aa21aa6c5fe144b43e0

                    SHA256

                    61899173fbfff0f8023731913390545ba8fad6dd42cdc7dc89b5c3c4f61272fd

                    SHA512

                    ed20cc879dc6f51934b75948b0f543012e9cc7894eb906946ba87451b3bc4b1c8c83d4f7afcab4644fdd14151776c2b5fb9eb67f13c0e1964ad06e771634ab8b

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1808\DialogBitmap.bmp
                    Filesize

                    152KB

                    MD5

                    19e61f2dfd494cd64a9cfba3d4afe964

                    SHA1

                    1ba29dafa629be32ac85dd68a4c5bac261c46a88

                    SHA256

                    f7c03fa72a65dd9f9fd2abce0510d75933db3355ada0733f71ecaf7caae74f97

                    SHA512

                    392aeda85bbc0a5c69178cd44866408fda2bc4607348b6779124473a7099446359eaf8b2ee1e8121dfd0b7a0da6e8cf6f383729da94fb1a3ed3767dc3a6e15eb

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Cab15C6.tmp
                    Filesize

                    61KB

                    MD5

                    fc4666cbca561e864e7fdf883a9e6661

                    SHA1

                    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

                    SHA256

                    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

                    SHA512

                    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MSI1DB4.tmp
                    Filesize

                    554KB

                    MD5

                    3b171ce087bb799aafcbbd93bab27f71

                    SHA1

                    7bd69efbc7797bdff5510830ca2cc817c8b86d08

                    SHA256

                    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

                    SHA512

                    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\MSI2093.tmp
                    Filesize

                    945KB

                    MD5

                    a6f0a2eac5b934fac5d1d9e445d277df

                    SHA1

                    219870701fc2014f5a00b29116570b69f4f8045f

                    SHA256

                    f31f648f39602e725161eafe87d3bb41355d835740e7e2c972bef8ec29122cab

                    SHA512

                    b380977f18fcb677622707362c3309d37ecd7a4fd90e269157f7aa958aabcb5164318b0b455e2f7f5b5a4451aa71ae9bb0a6a07da1d79a75b7f9ab02a47b1c63

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Tar15E8.tmp
                    Filesize

                    161KB

                    MD5

                    73b4b714b42fc9a6aaefd0ae59adb009

                    SHA1

                    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

                    SHA256

                    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

                    SHA512

                    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\Tar1B7E.tmp
                    Filesize

                    161KB

                    MD5

                    be2bec6e8c5653136d3e72fe53c98aa3

                    SHA1

                    a8182d6db17c14671c3d5766c72e58d87c0810de

                    SHA256

                    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

                    SHA512

                    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\287E6BC\ProtonVPN_win_v2.4.1.msi
                    Filesize

                    20.2MB

                    MD5

                    23f000183642d33695a4bb6e1826cd6c

                    SHA1

                    1a2d193046f1cb079f1cf993f30d93275ccecac6

                    SHA256

                    b5dbdd619c1acb41382b1d4515f2e2bb30afde3e091bdfb2b76f4d0ceaefce7f

                    SHA512

                    4249fae7682f4b7276e096f7c713890e40748bb2a68002559cd46345421a363f1d36e6aba01e32fd535049d45b5d608c748c191d82a7ec2f636f23d9dbcc4b45

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB2921916.bat
                    Filesize

                    138B

                    MD5

                    7201a54b363705c2be8dd58aca8b1376

                    SHA1

                    fb8528da7d5b54c3c42aec8db75218ad00005ec0

                    SHA256

                    1c7abbfee3e941c6e042fee20ff84582bc8d0a8424606a0e7e7ff74e81b3561f

                    SHA512

                    436095290c2de26184ad75e999cf399c22e1c6923d733bb37cf552591ab539052f1343314b37fe719a219766c1b9ecd7165bd6b88efc1c0fba9a4a5267beefff

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB2921916.bat
                    Filesize

                    138B

                    MD5

                    7201a54b363705c2be8dd58aca8b1376

                    SHA1

                    fb8528da7d5b54c3c42aec8db75218ad00005ec0

                    SHA256

                    1c7abbfee3e941c6e042fee20ff84582bc8d0a8424606a0e7e7ff74e81b3561f

                    SHA512

                    436095290c2de26184ad75e999cf399c22e1c6923d733bb37cf552591ab539052f1343314b37fe719a219766c1b9ecd7165bd6b88efc1c0fba9a4a5267beefff

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB2992611.bat
                    Filesize

                    138B

                    MD5

                    c0b9a9e270106987f3fe23676159a6ab

                    SHA1

                    051c692fcaf8d0b7e98db8bce31eccc9bbec27b9

                    SHA256

                    afd7d5bc31c774a85e833872c57b1d00eda31dc42fef6973efe81a8888036748

                    SHA512

                    0492a02850c268ae8103583f038fc98c969537fccb47c56f083e30d1c8301a8617d40b93841d1442d5d361cc06da8ed955b0cb6dfe733d6b4fafdda8b4159281

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB2992611.bat
                    Filesize

                    138B

                    MD5

                    c0b9a9e270106987f3fe23676159a6ab

                    SHA1

                    051c692fcaf8d0b7e98db8bce31eccc9bbec27b9

                    SHA256

                    afd7d5bc31c774a85e833872c57b1d00eda31dc42fef6973efe81a8888036748

                    SHA512

                    0492a02850c268ae8103583f038fc98c969537fccb47c56f083e30d1c8301a8617d40b93841d1442d5d361cc06da8ed955b0cb6dfe733d6b4fafdda8b4159281

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB3033929.bat
                    Filesize

                    428B

                    MD5

                    7893b5b760e59d9ced1c5166ffbcc5c4

                    SHA1

                    b6a6855e7d5fe1dbd31f8e07ebf3c630fc7400e6

                    SHA256

                    5116abaa632d180c1615bad2b026432c5a6577054cea5c8d7a636bcab04c0ab3

                    SHA512

                    889c0fef067f2e5f06132670284a1882f20311b9eaac5dc9b08919a4f69aa4c64ab0edc2f96e9f43e35696b71d7001cba8af57654ab851de5b6192619ae8a5e4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB3033929.bat
                    Filesize

                    428B

                    MD5

                    7893b5b760e59d9ced1c5166ffbcc5c4

                    SHA1

                    b6a6855e7d5fe1dbd31f8e07ebf3c630fc7400e6

                    SHA256

                    5116abaa632d180c1615bad2b026432c5a6577054cea5c8d7a636bcab04c0ab3

                    SHA512

                    889c0fef067f2e5f06132670284a1882f20311b9eaac5dc9b08919a4f69aa4c64ab0edc2f96e9f43e35696b71d7001cba8af57654ab851de5b6192619ae8a5e4

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB3063858.bat
                    Filesize

                    198B

                    MD5

                    3fbc0ae551a37e2c10fa4f06c1a5c6d8

                    SHA1

                    1b525225150c355f0ed62a55e094b062740043f0

                    SHA256

                    ab642527c2f7d96a34442f9004990d7229d850a913b22e540168976371122e85

                    SHA512

                    db0514c24ba52e6b02982caf13891c0d3d9683236d60198866d608bd60e7daef03aac9879cf3dcdf984cd80a521a4ea4fe7eafef24892da86b5772a40694a3b5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\check-KB3063858.bat
                    Filesize

                    198B

                    MD5

                    3fbc0ae551a37e2c10fa4f06c1a5c6d8

                    SHA1

                    1b525225150c355f0ed62a55e094b062740043f0

                    SHA256

                    ab642527c2f7d96a34442f9004990d7229d850a913b22e540168976371122e85

                    SHA512

                    db0514c24ba52e6b02982caf13891c0d3d9683236d60198866d608bd60e7daef03aac9879cf3dcdf984cd80a521a4ea4fe7eafef24892da86b5772a40694a3b5

                    Download Submit

                  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\decoder.dll
                    Filesize

                    215KB

                    MD5

                    7117e33f9b1dc041b477060f8f8c3a0c

                    SHA1

                    97fbcb6676bfb43d36701805c86eac3567f61bca

                    SHA256

                    a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517

                    SHA512

                    31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\MSI1DB4.tmp
                    Filesize

                    554KB

                    MD5

                    3b171ce087bb799aafcbbd93bab27f71

                    SHA1

                    7bd69efbc7797bdff5510830ca2cc817c8b86d08

                    SHA256

                    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

                    SHA512

                    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\MSI2093.tmp
                    Filesize

                    945KB

                    MD5

                    a6f0a2eac5b934fac5d1d9e445d277df

                    SHA1

                    219870701fc2014f5a00b29116570b69f4f8045f

                    SHA256

                    f31f648f39602e725161eafe87d3bb41355d835740e7e2c972bef8ec29122cab

                    SHA512

                    b380977f18fcb677622707362c3309d37ecd7a4fd90e269157f7aa958aabcb5164318b0b455e2f7f5b5a4451aa71ae9bb0a6a07da1d79a75b7f9ab02a47b1c63

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\decoder.dll
                    Filesize

                    215KB

                    MD5

                    7117e33f9b1dc041b477060f8f8c3a0c

                    SHA1

                    97fbcb6676bfb43d36701805c86eac3567f61bca

                    SHA256

                    a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517

                    SHA512

                    31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

                    Download Submit

                  • \Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\decoder.dll
                    Filesize

                    215KB

                    MD5

                    7117e33f9b1dc041b477060f8f8c3a0c

                    SHA1

                    97fbcb6676bfb43d36701805c86eac3567f61bca

                    SHA256

                    a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517

                    SHA512

                    31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

                    Download Submit

                  • memory/1808-200-0x00000000001D0000-0x00000000001D1000-memory.dmp

                    Filesize

                    4KB

                    Download

                  • memory/1808-67-0x00000000001D0000-0x00000000001D1000-memory.dmp

                    Filesize

                    4KB

                    Download