Analysis

  • max time kernel
    117s
  • max time network
    120s
  • platform
    windows7_x64
  • resource
    win7-20240704-en
  • resource tags

    arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
  • submitted
    02/09/2024, 00:55

General

  • Target

    UrbanVPN.exe

  • Size

    30.1MB

  • MD5

    39089b4b80b37ef22a1759321fa6e750

  • SHA1

    b9cecc18cfea029e24f738714e130ea60ac8e667

  • SHA256

    56c0ae02c993971bc1a2fa42abec9b65e9ad0bac1e7d275caf2bc544088c5a10

  • SHA512

    410225daf33cac294479b396ee39988decf0eedcd23d12e9b158e2f56cd42644d53031b38ca105b9401aadd80b707dc109eb2ae411c8c13f3f1ec54efd46a97f

  • SSDEEP

    786432:VtNW0n30THCFjF/iL2hR1CfSyLjuvVMk15mqVC4x+CRQK:YokTHC1R1C1KX5m6C4x+CB

Score
6/10

Malware Config

Signatures

  • Enumerates connected drives 3 TTPs 46 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Loads dropped DLL 15 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • NSIS installer 1 IoCs
  • Modifies system certificate store 2 TTPs 4 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 7 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\UrbanVPN.exe
    "C:\Users\Admin\AppData\Local\Temp\UrbanVPN.exe"
    1⤵
    • Enumerates connected drives
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Modifies system certificate store
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    PID:2484
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    1⤵
    • Enumerates connected drives
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of WriteProcessMemory
    PID:2776
    • C:\Windows\syswow64\MsiExec.exe
      C:\Windows\syswow64\MsiExec.exe -Embedding 99B2AD3822540E3285D8E94DDCBBCF52 C
      2⤵
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      PID:2968

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.3\tracking.ini

    Filesize

    69B

    MD5

    df50f06951b2c815665ddf0c7cf5b926

    SHA1

    5349600487fc2fb0cb66113178fdae5460c99504

    SHA256

    5bb6105255196da94f477ae8024b9651209fa76fd7553034d8570443fe55ef39

    SHA512

    e07371ef02f9b06b789a36b312ed3dfaf3afa6cce8bc4959eac2283cfebee13ae1849bfa18ac1159ddd872e4188fb98d6fe04878935ff77f1afac2791dce0817

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.3\{1FB4707C-8298-44A3-A26D-D55D540C1925}.session

    Filesize

    309B

    MD5

    1e10ef42a7487e4d3fa02441008d4404

    SHA1

    abffa79389be706cfd6d82103fc931590bc5088c

    SHA256

    072d4d487d6e0b22b6c0f32a3424c8651fffe90b4c33441160e80bd97293e873

    SHA512

    60261f879aa514f065098841c8ad33a7cc563c42060b2cb4cbb770ab003fcf1b842cd22a399ddd333c8d492a3c6343edd9290dd29b38d69f6495cdaaea7d058f

  • C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.3\{1FB4707C-8298-44A3-A26D-D55D540C1925}.session

    Filesize

    5KB

    MD5

    e68df44bee47784f68cba4e80688a742

    SHA1

    9657ecacd76cdc4463ea0317659a56dd4832e217

    SHA256

    d83252bd8794d7cc572cd273ee35f32b722bc26304d32b2d86a2d9b5782cdfa7

    SHA512

    fe5457c8a21321729710074c9f57b0c669f2a1f0bd6deb65f732d1ae6620ef7336464ef81f914abe1630e7a81041e99a8f386869f9a4b26203dc3be0a79217c7

  • C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_2484\dialog.jpg

    Filesize

    21KB

    MD5

    81b61102f7970a8c83ecd382c4ab6def

    SHA1

    165795d45b6fa70661d073bb8c791114c0e6748e

    SHA256

    9a9ab67db52355b3d091e0bd58275e5c6633adbffc300ddb6607db7bbda88a15

    SHA512

    2b58f4da52cd687073cae64a0f467c3666daaca14bd95e38e544ae76319c3a9e7b5a223db6de2d92848822e23a9028d2cc97c64d7b2133aebbea5876e81e9937

  • C:\Users\Admin\AppData\Local\Temp\CabE6B9.tmp

    Filesize

    70KB

    MD5

    49aebf8cbd62d92ac215b2923fb1b9f5

    SHA1

    1723be06719828dda65ad804298d0431f6aff976

    SHA256

    b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

    SHA512

    bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

  • C:\Users\Admin\AppData\Local\Temp\MSIE99D.tmp

    Filesize

    495KB

    MD5

    cfab78ac0d042a1d8ad7085a94328ef6

    SHA1

    b3070cc847ba2739450dc9bd05040df83e7d85d2

    SHA256

    17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

    SHA512

    647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

  • C:\Users\Admin\AppData\Local\Temp\MSIEA1B.tmp

    Filesize

    912KB

    MD5

    b15dbf4b35cd1460ba283795e24878c8

    SHA1

    327812be4bfdce7a87cb00fab432ecc0d8c38c1e

    SHA256

    0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

    SHA512

    95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

  • C:\Users\Admin\AppData\Local\Temp\MSIEC62.tmp

    Filesize

    602KB

    MD5

    78b793e3f44b2c7849ffe70083c500c0

    SHA1

    9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

    SHA256

    fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

    SHA512

    36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

  • C:\Users\Admin\AppData\Local\Temp\MSIEDCD.tmp

    Filesize

    196KB

    MD5

    efa1291d4eb0ff2050967dd63bfdbdc8

    SHA1

    54ba41d5a6fb192267b36127ff573cb112413fd8

    SHA256

    da78931d835e91c59cadaebc95fbae56020ce5031523a6a175fefa4582334ac4

    SHA512

    5fcce6422b0ee6827a57c5d0c476e36a5e75a880550b8041a0f3db42b630f483654508a797421ff4316fd84db549c8c78536a25d5da2de9eb60365720517d5e6

  • C:\Users\Admin\AppData\Local\Temp\TarE787.tmp

    Filesize

    181KB

    MD5

    4ea6026cf93ec6338144661bf1202cd1

    SHA1

    a1dec9044f750ad887935a01430bf49322fbdcb7

    SHA256

    8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

    SHA512

    6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

  • C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\A28FC47\urbanvpninstaller.x64.msi

    Filesize

    8.1MB

    MD5

    294de258dc51e42bafb53d624f443750

    SHA1

    f58b37153659caf3f2993b3c7a901fc93d0f179a

    SHA256

    d032ccbc60bc15be75a3a22d0d2bfd7920d73b162aff059d6bd3b672978df6c9

    SHA512

    d9d80018b1ab6a3e0e6634b09c23f91b9543dfc1051101528f30f4b9d12aaaceec31486b7e372156c45fab84d719d14347d72799473ef60139e3806180117e7f

  • C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\decoder.dll

    Filesize

    206KB

    MD5

    899944fb96ccc34cfbd2ccb9134367c5

    SHA1

    7c46aa3f84ba5da95ceff39cd49185672f963538

    SHA256

    780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

    SHA512

    2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

  • \Users\Admin\AppData\Local\Temp\INAE97D.tmp

    Filesize

    782KB

    MD5

    175d9b039177b405ee04c81f4c9aa4af

    SHA1

    6b523f7652761f4a24cf12ce08a32479ed03e8cf

    SHA256

    34a742397244bd2848291f7d1087eb43462a69272f22249e24c2aa71e79d14f3

    SHA512

    80f39a82a12899601da3dfc3092ba7465554b360a741fe26c0e4fbe3fac9b62ddde1f8c50f972eabf982427ac0b120edd67e8be31161a4ce4e2f8ef0dd53b26a