a6b9e7faa5c41c04f71634570959415ca36c188fc761287c69f67757d90ef277 | Triage

Submit
Reports

Overview

overview

Static

static

1

ProtonVPN_v3.2.12.exe

windows7-x64

4

ProtonVPN_v3.2.12.exe

windows10-2004-x64

Sharing

Copy URL Twitter E-mail

General

Target

ProtonVPN_v3.2.12.exe
Size

78.7MB
Sample

240726-wewjzavapk
MD5

77644d398ba4a65feef7db2a367d7f00
SHA1

3d32e639c7a256e54dceaaf0e7bacc28381b6494
SHA256

a6b9e7faa5c41c04f71634570959415ca36c188fc761287c69f67757d90ef277
SHA512

e135428843334c3146eac2dd139c65c7362bf2fa2ec7cb79ee0fe491d59f760501aa510310cc964f6f03ccbeeab6106c8c977ab6608eb515b6ef9b2c15a204af
SSDEEP

1572864:NFZRlHASWb+qwdC5x0Hv62+RncyuiQamTV+CqS8Zh1mHIt12WTfHuYL:TZbHASZC5e+Rcyh7mZsPt1FTf1

Score

10^/10

discovery persistence privilege_escalation

Static task

static1

Behavioral task

behavioral1

Sample

ProtonVPN_v3.2.12.exe

Resource

win7-20240705-en

windows7-x64

5 signatures

150 seconds

Behavioral task

behavioral2

Sample

ProtonVPN_v3.2.12.exe

Resource

win10v2004-20240709-en

discovery persistence privilege_escalation

windows10-2004-x64

24 signatures

150 seconds

Malware Config

Targets

- Target
  
  ProtonVPN_v3.2.12.exe
- Size
  
  78.7MB
- MD5
  
  77644d398ba4a65feef7db2a367d7f00
- SHA1
  
  3d32e639c7a256e54dceaaf0e7bacc28381b6494
- SHA256
  
  a6b9e7faa5c41c04f71634570959415ca36c188fc761287c69f67757d90ef277
- SHA512
  
  e135428843334c3146eac2dd139c65c7362bf2fa2ec7cb79ee0fe491d59f760501aa510310cc964f6f03ccbeeab6106c8c977ab6608eb515b6ef9b2c15a204af
- SSDEEP
  
  1572864:NFZRlHASWb+qwdC5x0Hv62+RncyuiQamTV+CqS8Zh1mHIt12WTfHuYL:TZbHASZC5e+Rcyh7mZsPt1FTf1
Score

10^/10

discovery persistence privilege_escalation
- Suspicious use of NtCreateUserProcessOtherParentProcess
- Adds Run key to start application
  persistence
- Downloads MZ/PE file
- Event Triggered Execution: Image File Execution Options Injection
  persistence
- Checks computer location settings
  Looks up country code configured in the registry, likely geofence.
- Event Triggered Execution: Component Object Model Hijacking
  Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
  persistence privilege_escalation
behavioral1 behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Privilege Escalation

Boot or Logon Autostart Execution

Registry Run Keys / Startup Folder

Event Triggered Execution

Component Object Model Hijacking

Image File Execution Options Injection

Defense Evasion

Modify Registry

Credential Access

Discovery

Browser Information Discovery

Query Registry

System Information Discovery

System Location Discovery

System Language Discovery

System Network Configuration Discovery

Internet Connection Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks

static1

behavioral1

behavioral2

discoverypersistenceprivilege_escalation

© 2018-2025

Terms | Privacy