Overview

overview

7

Static

static

1

ProtonVPN_....1.exe

windows7-x64

7

ProtonVPN_....1.exe

windows10-2004-x64

7

Analysis

  • max time kernel
    1621s
  • max time network
    1627s
  • platform
    windows7_x64
  • resource
    win7-20230220-en
  • resource tags

    arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
  • submitted
    23/04/2023, 13:37

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ProtonVPN_win_v2.4.1.exe

  • Size

    29.9MB

  • MD5

    ee2d7372817a833beda001a35d3693a1

  • SHA1

    695251a2628c95a6fd9e2b7f3092593723d09594

  • SHA256

    c95cf2af65dd0b1556c02cd17952462f02314cf532eec06ebca08328549790ae

  • SHA512

    18a6a92e460312b3ee7b76e9bc2be98f47f19cdf84dbbf64d73b5fe70aaec19a22de89ffa73c2b416230f1f91e0b6f929663d3e01bcf59bea978b565390b1dcc

  • SSDEEP

    786432:0/e+t2cVTdFIdoTVayXIKbUP/FQUnEIK1/r3:0/es2cRd2+aHKb+dK1/L

Score
7/10

Malware Config

Signatures

  • Loads dropped DLL 3 IoCs
  • Enumerates connected drives 3 TTPs 48 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ProtonVPN_win_v2.4.1.exe
    "C:\Users\Admin\AppData\Local\Temp\ProtonVPN_win_v2.4.1.exe"
    1⤵
    • Loads dropped DLL
    • Enumerates connected drives
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    PID:1712
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:1564
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 27D081A80349FC43B685A7DC2733B724 C
      2⤵
      • Loads dropped DLL
      PID:1620

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015
    Filesize

    61KB

    MD5

    e71c8443ae0bc2e282c73faead0a6dd3

    SHA1

    0c110c1b01e68edfacaeae64781a37b1995fa94b

    SHA256

    95b0a5acc5bf70d3abdfd091d0c9f9063aa4fde65bd34dbf16786082e1992e72

    SHA512

    b38458c7fa2825afb72794f374827403d5946b1132e136a0ce075dfd351277cf7d957c88dc8a1e4adc3bcae1fa8010dae3831e268e910d517691de24326391a6

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_1712\DialogBitmap.bmp
    Filesize

    152KB

    MD5

    19e61f2dfd494cd64a9cfba3d4afe964

    SHA1

    1ba29dafa629be32ac85dd68a4c5bac261c46a88

    SHA256

    f7c03fa72a65dd9f9fd2abce0510d75933db3355ada0733f71ecaf7caae74f97

    SHA512

    392aeda85bbc0a5c69178cd44866408fda2bc4607348b6779124473a7099446359eaf8b2ee1e8121dfd0b7a0da6e8cf6f383729da94fb1a3ed3767dc3a6e15eb

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Cab5A06.tmp
    Filesize

    61KB

    MD5

    fc4666cbca561e864e7fdf883a9e6661

    SHA1

    2f8d6094c7a34bf12ea0bbf0d51ee9c5bb7939a5

    SHA256

    10f3deb6c452d749a7451b5d065f4c0449737e5ee8a44f4d15844b503141e65b

    SHA512

    c71f54b571e01f247f072be4bbebdf5d8410b67eb79a61e7e0d9853fe857ab9bd12f53e6af3394b935560178107291fc4be351b27deb388eba90ba949633d57d

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\MSI6ED0.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar5A28.tmp
    Filesize

    161KB

    MD5

    73b4b714b42fc9a6aaefd0ae59adb009

    SHA1

    efdaffd5b0ad21913d22001d91bf6c19ecb4ac41

    SHA256

    c0cf8cc04c34b5b80a2d86ad0eafb2dd71436f070c86b0321fba0201879625fd

    SHA512

    73af3c51b15f89237552b1718bef21fd80788fa416bab2cb2e7fb3a60d56249a716eda0d2dd68ab643752272640e7eaaaf57ce64bcb38373ddc3d035fb8d57cd

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\Tar63E3.tmp
    Filesize

    161KB

    MD5

    be2bec6e8c5653136d3e72fe53c98aa3

    SHA1

    a8182d6db17c14671c3d5766c72e58d87c0810de

    SHA256

    1919aab2a820642490169bdc4e88bd1189e22f83e7498bf8ebdfb62ec7d843fd

    SHA512

    0d1424ccdf0d53faf3f4e13d534e12f22388648aa4c23edbc503801e3c96b7f73c7999b760b5bef4b5e9dd923dffe21a21889b1ce836dd428420bf0f4f5327ff

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\287E6BC\ProtonVPN_win_v2.4.1.msi
    Filesize

    20.2MB

    MD5

    23f000183642d33695a4bb6e1826cd6c

    SHA1

    1a2d193046f1cb079f1cf993f30d93275ccecac6

    SHA256

    b5dbdd619c1acb41382b1d4515f2e2bb30afde3e091bdfb2b76f4d0ceaefce7f

    SHA512

    4249fae7682f4b7276e096f7c713890e40748bb2a68002559cd46345421a363f1d36e6aba01e32fd535049d45b5d608c748c191d82a7ec2f636f23d9dbcc4b45

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\decoder.dll
    Filesize

    215KB

    MD5

    7117e33f9b1dc041b477060f8f8c3a0c

    SHA1

    97fbcb6676bfb43d36701805c86eac3567f61bca

    SHA256

    a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517

    SHA512

    31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

    Download Submit

  • \Users\Admin\AppData\Local\Temp\MSI6ED0.tmp
    Filesize

    554KB

    MD5

    3b171ce087bb799aafcbbd93bab27f71

    SHA1

    7bd69efbc7797bdff5510830ca2cc817c8b86d08

    SHA256

    bb9a3c8972d89ad03c1dee3e91f03a13aca8d370185ac521b8c48040cc285ef4

    SHA512

    7700d86f6f2c6798bed1be6cd651805376d545f48f0a89c08f7032066431cb4df980688a360c44275b8d7f8010769dc236fbdaa0184125d016acdf158989ee38

    Download Submit

  • \Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\decoder.dll
    Filesize

    215KB

    MD5

    7117e33f9b1dc041b477060f8f8c3a0c

    SHA1

    97fbcb6676bfb43d36701805c86eac3567f61bca

    SHA256

    a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517

    SHA512

    31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

    Download Submit

  • \Users\Admin\AppData\Local\Temp\{47D5ABCD-76F6-412A-84BB-9022A287E6BC}\decoder.dll
    Filesize

    215KB

    MD5

    7117e33f9b1dc041b477060f8f8c3a0c

    SHA1

    97fbcb6676bfb43d36701805c86eac3567f61bca

    SHA256

    a350f06808b517dd2b7f363dca6119c072d08d1677e379ce48267bc7d95f1517

    SHA512

    31f484d210e575dc8f522d1b3c16d2a77601be172287d8f7ff009a5700820e028c9c1366d543872edaec002a7e2e5fe5880ad303cde8d28a60fe0359db4307fe

    Download Submit

  • memory/1712-61-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1712-200-0x00000000001D0000-0x00000000001D1000-memory.dmp

    Filesize

    4KB

    Download