Overview

overview

7

Static

static

3

VPNReaperv...ed.exe

windows10-2004-x64

7

VPNReaperv...er.exe

windows10-2004-x64

7

VPNReaperv...nr.exe

windows10-2004-x64

3

Analysis

  • max time kernel
    30s
  • max time network
    33s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    15/05/2023, 18:53

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    VPNReaperv2-cracked/VPNReaperv2-cracked/VPNReaper-Cracked.exe

  • Size

    199KB

  • MD5

    ce782fb7de7261894c9af56359430010

  • SHA1

    212398778a6083e42f8ed3b1cf76d37199fffdd0

  • SHA256

    bf3a8b3291f50a88cfb4f27be8b3f3468d807c8c908c2db0716712bd86e47799

  • SHA512

    cd7958f2ae2a71d00506ae61ce77c2e5344d87cc2f112581eff317f6c635d3bf2623adc410743fbb969c62eeccfd3827a60f08617b98269c0429308dc39d74fd

  • SSDEEP

    1536:W4lMePvqi9JU8nx+B3eTD4q29nhM72h6Cg8zxJ8E/e+kN55fONQtiX+yj9C60tOF:W4lM0o6xYwkpnW706P6AlPY

Score
7/10
persistence

Malware Config

Signatures

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Drops startup file 1 IoCs
  • Executes dropped EXE 3 IoCs
  • Adds Run key to start application 2 TTPs 1 IoCs
    persistence
  • Drops file in Windows directory 9 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Program crash 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 11 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 18 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\VPNReaperv2-cracked\VPNReaperv2-cracked\VPNReaper-Cracked.exe
    "C:\Users\Admin\AppData\Local\Temp\VPNReaperv2-cracked\VPNReaperv2-cracked\VPNReaper-Cracked.exe"
    1⤵
    • Checks computer location settings
    • Suspicious use of WriteProcessMemory
    PID:1748
    • C:\Users\Admin\AppData\Local\Temp\VPNReaperv2-cracked\VPNReaperv2-cracked\dim\Launcher.exe
      "C:\Users\Admin\AppData\Local\Temp\VPNReaperv2-cracked\VPNReaperv2-cracked\dim\Launcher.exe"
      2⤵
      • Drops startup file
      • Adds Run key to start application
      • Drops file in Windows directory
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:5080
      • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
        "C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" add-mppreference -exclusionpath C:\Windows\IMF\
        3⤵
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        PID:232
      • C:\Windows\IMF\Windows Services.exe
        "C:\Windows\IMF\Windows Services.exe" {Arguments If Needed}
        3⤵
        • Checks computer location settings
        • Executes dropped EXE
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious use of AdjustPrivilegeToken
        • Suspicious use of WriteProcessMemory
        PID:464
        • C:\Windows\IMF\Secure System Shell.exe
          "C:\Windows\IMF\Secure System Shell.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2328
        • C:\Windows\IMF\Runtime Explorer.exe
          "C:\Windows\IMF\Runtime Explorer.exe"
          4⤵
          • Executes dropped EXE
          • Suspicious use of SetWindowsHookEx
          PID:2776
    • C:\Users\Admin\AppData\Local\Temp\VPNReaperv2-cracked\VPNReaperv2-cracked\dim\vpnr.exe
      "C:\Users\Admin\AppData\Local\Temp\VPNReaperv2-cracked\VPNReaperv2-cracked\dim\vpnr.exe"
      2⤵
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      PID:4652
      • C:\Windows\SysWOW64\WerFault.exe
        C:\Windows\SysWOW64\WerFault.exe -u -p 4652 -s 884
        3⤵
        • Program crash
        PID:4856
  • C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4652 -ip 4652
    1⤵
      PID:1580

    Network

          MITRE ATT&CK Enterprise v6

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_p0gcjnnx.cgz.ps1
            Filesize

            60B

            MD5

            d17fe0a3f47be24a6453e9ef58c94641

            SHA1

            6ab83620379fc69f80c0242105ddffd7d98d5d9d

            SHA256

            96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

            SHA512

            5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

            Download Submit

          • C:\Windows\IMF\Runtime Explorer.exe
            Filesize

            148KB

            MD5

            2bc7ba86d4823bb5b2cecba4f13fe223

            SHA1

            3e7d4c6f96f4cbea1022bdf017f2b550e44a6d6d

            SHA256

            9b6a2bff0f4f380db0f82a60164bc137d4eb20fa0bbcd58413180db77642fd0c

            SHA512

            975d2d3e681ab2b2b6d0366967c4a3d1b76c99e3cebf066cc603c985f06a414e1c2889b8b867ce07319473b75faa630cda5fac95414e5695e0bf05882a35a316

            Download Submit

          • C:\Windows\IMF\Runtime Explorer.exe
            Filesize

            148KB

            MD5

            2bc7ba86d4823bb5b2cecba4f13fe223

            SHA1

            3e7d4c6f96f4cbea1022bdf017f2b550e44a6d6d

            SHA256

            9b6a2bff0f4f380db0f82a60164bc137d4eb20fa0bbcd58413180db77642fd0c

            SHA512

            975d2d3e681ab2b2b6d0366967c4a3d1b76c99e3cebf066cc603c985f06a414e1c2889b8b867ce07319473b75faa630cda5fac95414e5695e0bf05882a35a316

            Download Submit

          • C:\Windows\IMF\Runtime Explorer.exe
            Filesize

            148KB

            MD5

            2bc7ba86d4823bb5b2cecba4f13fe223

            SHA1

            3e7d4c6f96f4cbea1022bdf017f2b550e44a6d6d

            SHA256

            9b6a2bff0f4f380db0f82a60164bc137d4eb20fa0bbcd58413180db77642fd0c

            SHA512

            975d2d3e681ab2b2b6d0366967c4a3d1b76c99e3cebf066cc603c985f06a414e1c2889b8b867ce07319473b75faa630cda5fac95414e5695e0bf05882a35a316

            Download Submit

          • C:\Windows\IMF\Secure System Shell.exe
            Filesize

            45KB

            MD5

            7d0c7359e5b2daa5665d01afdc98cc00

            SHA1

            c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

            SHA256

            f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

            SHA512

            a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

            Download Submit

          • C:\Windows\IMF\Secure System Shell.exe
            Filesize

            45KB

            MD5

            7d0c7359e5b2daa5665d01afdc98cc00

            SHA1

            c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

            SHA256

            f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

            SHA512

            a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

            Download Submit

          • C:\Windows\IMF\Secure System Shell.exe
            Filesize

            45KB

            MD5

            7d0c7359e5b2daa5665d01afdc98cc00

            SHA1

            c3cc830c8ffd0f53f28d89dcd9f3426be87085cb

            SHA256

            f1abd5ab03189e82971513e6ca04bd372fcf234d670079888f01cf4addd49809

            SHA512

            a8f82b11b045d8dd744506f4f56f3382b33a03684a6aebc91a02ea901c101b91cb43b7d0213f72f39cbb22f616ecd5de8b9e6c99fb5669f26a3ea6bcb63c8407

            Download Submit

          • C:\Windows\IMF\Windows Services.exe
            Filesize

            46KB

            MD5

            ad0ce1302147fbdfecaec58480eb9cf9

            SHA1

            874efbc76e5f91bc1425a43ea19400340f98d42b

            SHA256

            2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

            SHA512

            adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

            Download Submit

          • C:\Windows\IMF\Windows Services.exe
            Filesize

            46KB

            MD5

            ad0ce1302147fbdfecaec58480eb9cf9

            SHA1

            874efbc76e5f91bc1425a43ea19400340f98d42b

            SHA256

            2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

            SHA512

            adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

            Download Submit

          • C:\Windows\IMF\Windows Services.exe
            Filesize

            46KB

            MD5

            ad0ce1302147fbdfecaec58480eb9cf9

            SHA1

            874efbc76e5f91bc1425a43ea19400340f98d42b

            SHA256

            2c339b52b82e73b4698a0110cdfe310c00c5c69078e9e1bd6fa1308652bf82a3

            SHA512

            adccd5520e01b673c2fc5c451305fe31b1a3e74891aece558f75fefc50218adf1fb81bb8c7f19969929d3fecb0fdb2cb5b564400d51e0a5a1ad8d5bc2d4eed53

            Download Submit

          • memory/232-157-0x0000000006090000-0x00000000060F6000-memory.dmp

            Filesize

            408KB

            Download

          • memory/232-231-0x0000000007C20000-0x0000000007C2E000-memory.dmp

            Filesize

            56KB

            Download

          • memory/232-233-0x0000000007D10000-0x0000000007D18000-memory.dmp

            Filesize

            32KB

            Download

          • memory/232-148-0x0000000002E00000-0x0000000002E10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/232-232-0x0000000007D30000-0x0000000007D4A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/232-149-0x0000000002E00000-0x0000000002E10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/232-150-0x0000000005E50000-0x0000000005E72000-memory.dmp

            Filesize

            136KB

            Download

          • memory/232-151-0x0000000005EF0000-0x0000000005F56000-memory.dmp

            Filesize

            408KB

            Download

          • memory/232-143-0x0000000005160000-0x0000000005196000-memory.dmp

            Filesize

            216KB

            Download

          • memory/232-145-0x00000000057D0000-0x0000000005DF8000-memory.dmp

            Filesize

            6.2MB

            Download

          • memory/232-162-0x00000000066F0000-0x000000000670E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/232-230-0x0000000007C70000-0x0000000007D06000-memory.dmp

            Filesize

            600KB

            Download

          • memory/232-228-0x000000007F1F0000-0x000000007F200000-memory.dmp

            Filesize

            64KB

            Download

          • memory/232-227-0x0000000007A60000-0x0000000007A6A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/232-207-0x000000006F860000-0x000000006F8AC000-memory.dmp

            Filesize

            304KB

            Download

          • memory/232-206-0x00000000076A0000-0x00000000076D2000-memory.dmp

            Filesize

            200KB

            Download

          • memory/232-205-0x0000000002E00000-0x0000000002E10000-memory.dmp

            Filesize

            64KB

            Download

          • memory/232-224-0x00000000079F0000-0x0000000007A0A000-memory.dmp

            Filesize

            104KB

            Download

          • memory/232-223-0x0000000008030000-0x00000000086AA000-memory.dmp

            Filesize

            6.5MB

            Download

          • memory/232-217-0x0000000006C80000-0x0000000006C9E000-memory.dmp

            Filesize

            120KB

            Download

          • memory/464-204-0x00000000052B0000-0x00000000052C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/464-203-0x00000000009B0000-0x00000000009C2000-memory.dmp

            Filesize

            72KB

            Download

          • memory/464-236-0x00000000052B0000-0x00000000052C0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1748-134-0x0000000005990000-0x0000000005A2C000-memory.dmp

            Filesize

            624KB

            Download

          • memory/1748-138-0x0000000005B70000-0x0000000005BC6000-memory.dmp

            Filesize

            344KB

            Download

          • memory/1748-133-0x0000000000FA0000-0x0000000000FD8000-memory.dmp

            Filesize

            224KB

            Download

          • memory/1748-139-0x0000000005C10000-0x0000000005C20000-memory.dmp

            Filesize

            64KB

            Download

          • memory/1748-137-0x0000000003430000-0x000000000343A000-memory.dmp

            Filesize

            40KB

            Download

          • memory/1748-136-0x0000000005AD0000-0x0000000005B62000-memory.dmp

            Filesize

            584KB

            Download

          • memory/1748-135-0x0000000005FE0000-0x0000000006584000-memory.dmp

            Filesize

            5.6MB

            Download

          • memory/2328-222-0x0000000000770000-0x0000000000782000-memory.dmp

            Filesize

            72KB

            Download

          • memory/2328-229-0x0000000005110000-0x0000000005120000-memory.dmp

            Filesize

            64KB

            Download

          • memory/2328-237-0x0000000005110000-0x0000000005120000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4652-165-0x00000000052C0000-0x00000000052D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4652-164-0x00000000052C0000-0x00000000052D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4652-163-0x00000000052C0000-0x00000000052D0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/4652-146-0x00000000009D0000-0x00000000009F2000-memory.dmp

            Filesize

            136KB

            Download

          • memory/5080-141-0x00000000049D0000-0x00000000049E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5080-188-0x0000000005ED0000-0x0000000005EEE000-memory.dmp

            Filesize

            120KB

            Download

          • memory/5080-187-0x0000000005D10000-0x0000000005D86000-memory.dmp

            Filesize

            472KB

            Download

          • memory/5080-140-0x00000000000F0000-0x0000000000104000-memory.dmp

            Filesize

            80KB

            Download

          • memory/5080-147-0x00000000049D0000-0x00000000049E0000-memory.dmp

            Filesize

            64KB

            Download

          • memory/5080-142-0x0000000004F10000-0x0000000004F8E000-memory.dmp

            Filesize

            504KB

            Download