56c0ae02c993971bc1a2fa42abec9b65e9ad0bac1e7d275caf2bc544088c5a10

Analysis

max time kernel
149s
max time network
157s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
02-09-2024 00:55

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

UrbanVPN.exe
Size

30.1MB
MD5

39089b4b80b37ef22a1759321fa6e750
SHA1

b9cecc18cfea029e24f738714e130ea60ac8e667
SHA256

56c0ae02c993971bc1a2fa42abec9b65e9ad0bac1e7d275caf2bc544088c5a10
SHA512

410225daf33cac294479b396ee39988decf0eedcd23d12e9b158e2f56cd42644d53031b38ca105b9401aadd80b707dc109eb2ae411c8c13f3f1ec54efd46a97f
SSDEEP

786432:VtNW0n30THCFjF/iL2hR1CfSyLjuvVMk15mqVC4x+CRQK:YokTHC1R1C1KX5m6C4x+CB

Score

6^/10

discovery

Malware Config

Signatures

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\G:	UrbanVPN.exe
File opened (read-only)	\??\M:	UrbanVPN.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\E:	UrbanVPN.exe
File opened (read-only)	\??\I:	UrbanVPN.exe
File opened (read-only)	\??\N:	UrbanVPN.exe
File opened (read-only)	\??\P:	UrbanVPN.exe
File opened (read-only)	\??\S:	UrbanVPN.exe
File opened (read-only)	\??\Y:	UrbanVPN.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\X:	UrbanVPN.exe
File opened (read-only)	\??\Z:	UrbanVPN.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\B:	UrbanVPN.exe
File opened (read-only)	\??\R:	UrbanVPN.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\L:	UrbanVPN.exe
File opened (read-only)	\??\Q:	UrbanVPN.exe
File opened (read-only)	\??\T:	UrbanVPN.exe
File opened (read-only)	\??\U:	UrbanVPN.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\K:	UrbanVPN.exe
File opened (read-only)	\??\V:	UrbanVPN.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\A:	UrbanVPN.exe
File opened (read-only)	\??\H:	UrbanVPN.exe
File opened (read-only)	\??\O:	UrbanVPN.exe
File opened (read-only)	\??\W:	UrbanVPN.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\J:	UrbanVPN.exe
File opened (read-only)	\??\H:	msiexec.exe

Loads dropped DLL 16 IoCs

pid	Process
612	UrbanVPN.exe
612	UrbanVPN.exe
612	UrbanVPN.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	UrbanVPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe

NSIS installer 1 IoCs

installer

resource	yara_rule
behavioral2/files/0x00070000000234bd-12.dat	nsis_installer_2

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe
1880	MsiExec.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeSecurityPrivilege	5032	msiexec.exe
Token: SeCreateTokenPrivilege	612	UrbanVPN.exe
Token: SeAssignPrimaryTokenPrivilege	612	UrbanVPN.exe
Token: SeLockMemoryPrivilege	612	UrbanVPN.exe
Token: SeIncreaseQuotaPrivilege	612	UrbanVPN.exe
Token: SeMachineAccountPrivilege	612	UrbanVPN.exe
Token: SeTcbPrivilege	612	UrbanVPN.exe
Token: SeSecurityPrivilege	612	UrbanVPN.exe
Token: SeTakeOwnershipPrivilege	612	UrbanVPN.exe
Token: SeLoadDriverPrivilege	612	UrbanVPN.exe
Token: SeSystemProfilePrivilege	612	UrbanVPN.exe
Token: SeSystemtimePrivilege	612	UrbanVPN.exe
Token: SeProfSingleProcessPrivilege	612	UrbanVPN.exe
Token: SeIncBasePriorityPrivilege	612	UrbanVPN.exe
Token: SeCreatePagefilePrivilege	612	UrbanVPN.exe
Token: SeCreatePermanentPrivilege	612	UrbanVPN.exe
Token: SeBackupPrivilege	612	UrbanVPN.exe
Token: SeRestorePrivilege	612	UrbanVPN.exe
Token: SeShutdownPrivilege	612	UrbanVPN.exe
Token: SeDebugPrivilege	612	UrbanVPN.exe
Token: SeAuditPrivilege	612	UrbanVPN.exe
Token: SeSystemEnvironmentPrivilege	612	UrbanVPN.exe
Token: SeChangeNotifyPrivilege	612	UrbanVPN.exe
Token: SeRemoteShutdownPrivilege	612	UrbanVPN.exe
Token: SeUndockPrivilege	612	UrbanVPN.exe
Token: SeSyncAgentPrivilege	612	UrbanVPN.exe
Token: SeEnableDelegationPrivilege	612	UrbanVPN.exe
Token: SeManageVolumePrivilege	612	UrbanVPN.exe
Token: SeImpersonatePrivilege	612	UrbanVPN.exe
Token: SeCreateGlobalPrivilege	612	UrbanVPN.exe
Token: SeCreateTokenPrivilege	612	UrbanVPN.exe
Token: SeAssignPrimaryTokenPrivilege	612	UrbanVPN.exe
Token: SeLockMemoryPrivilege	612	UrbanVPN.exe
Token: SeIncreaseQuotaPrivilege	612	UrbanVPN.exe
Token: SeMachineAccountPrivilege	612	UrbanVPN.exe
Token: SeTcbPrivilege	612	UrbanVPN.exe
Token: SeSecurityPrivilege	612	UrbanVPN.exe
Token: SeTakeOwnershipPrivilege	612	UrbanVPN.exe
Token: SeLoadDriverPrivilege	612	UrbanVPN.exe
Token: SeSystemProfilePrivilege	612	UrbanVPN.exe
Token: SeSystemtimePrivilege	612	UrbanVPN.exe
Token: SeProfSingleProcessPrivilege	612	UrbanVPN.exe
Token: SeIncBasePriorityPrivilege	612	UrbanVPN.exe
Token: SeCreatePagefilePrivilege	612	UrbanVPN.exe
Token: SeCreatePermanentPrivilege	612	UrbanVPN.exe
Token: SeBackupPrivilege	612	UrbanVPN.exe
Token: SeRestorePrivilege	612	UrbanVPN.exe
Token: SeShutdownPrivilege	612	UrbanVPN.exe
Token: SeDebugPrivilege	612	UrbanVPN.exe
Token: SeAuditPrivilege	612	UrbanVPN.exe
Token: SeSystemEnvironmentPrivilege	612	UrbanVPN.exe
Token: SeChangeNotifyPrivilege	612	UrbanVPN.exe
Token: SeRemoteShutdownPrivilege	612	UrbanVPN.exe
Token: SeUndockPrivilege	612	UrbanVPN.exe
Token: SeSyncAgentPrivilege	612	UrbanVPN.exe
Token: SeEnableDelegationPrivilege	612	UrbanVPN.exe
Token: SeManageVolumePrivilege	612	UrbanVPN.exe
Token: SeImpersonatePrivilege	612	UrbanVPN.exe
Token: SeCreateGlobalPrivilege	612	UrbanVPN.exe
Token: SeCreateTokenPrivilege	612	UrbanVPN.exe
Token: SeAssignPrimaryTokenPrivilege	612	UrbanVPN.exe
Token: SeLockMemoryPrivilege	612	UrbanVPN.exe
Token: SeIncreaseQuotaPrivilege	612	UrbanVPN.exe
Token: SeMachineAccountPrivilege	612	UrbanVPN.exe

Suspicious use of WriteProcessMemory 3 IoCs

description	pid	Process	procid_target
PID 5032 wrote to memory of 1880	5032	msiexec.exe	88
PID 5032 wrote to memory of 1880	5032	msiexec.exe	88
PID 5032 wrote to memory of 1880	5032	msiexec.exe	88

C:\Users\Admin\AppData\Local\Temp\UrbanVPN.exe
"C:\Users\Admin\AppData\Local\Temp\UrbanVPN.exe"
1⤵
- Enumerates connected drives
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:612

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:5032
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding A754FBC52B21D81F4C76163133050921 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  PID:1880

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.3\tracking.ini

Filesize
84B

MD5
1f99d3c3a63c67cc9837d555f46a0769

SHA1
f5ee306839669c93a28248f7a0cb0c215afd9dde

SHA256
1310fca3be906fb9c81447bdc96fc40869729a1f0f44566e7d439a9f62411fe5

SHA512
827cf51b02464576f6aaa22b70295237758f2c2e43be8b0dbd26c0192d03f2df29f6239389c7e2f7c62d1ecf4b77be0bda8e66e868b77f1469fc6f590cc36253

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.3\{790C29D1-BA56-4955-B099-B8C4DB60E291}.session

Filesize
10KB

MD5
897eb0a203f707a88f96f8c6353b3a98

SHA1
e0974380a9eadb0ea6948d6646be5be990ed8e81

SHA256
3f409f25bcb937b8dd3dbf1f235bdeb5701f5ae6451a8ba85d9eb57498f6a9a1

SHA512
1d8d7a0ffa355d7686e1b833794c86b0019fb73779499bfa89773fc7d2aab672f4da12ac05d2e463a158935198752d0da24f98f99be1f8cd87cf061d642954c3

Download Submit
C:\Users\Admin\AppData\Local\AdvinstAnalytics\632040a71cb8de62c9f15f5a\2.3.0.3\{790C29D1-BA56-4955-B099-B8C4DB60E291}.session

Filesize
13KB

MD5
0ad866e275f8a39c91a8b368f07a1f42

SHA1
c28fd3459b2a9924c4210741960de9cb99593f1e

SHA256
c17d75fea13a9187f3b78c37fba4bc4c72dee237fe377f974fcfb8c86be4b6f3

SHA512
543828c1d3607c3dea6c973efd7116c82516f241125d1cff9f4b5840b1ff91594d472e18a9915c9e385cbf28bbfc1439f0d847cc82b1de1669df2a9579235e00

Download Submit
C:\Users\Admin\AppData\Local\Temp\AI_EXTUI_BIN_612\dialog.jpg

Filesize
21KB

MD5
81b61102f7970a8c83ecd382c4ab6def

SHA1
165795d45b6fa70661d073bb8c791114c0e6748e

SHA256
9a9ab67db52355b3d091e0bd58275e5c6633adbffc300ddb6607db7bbda88a15

SHA512
2b58f4da52cd687073cae64a0f467c3666daaca14bd95e38e544ae76319c3a9e7b5a223db6de2d92848822e23a9028d2cc97c64d7b2133aebbea5876e81e9937

Download Submit
C:\Users\Admin\AppData\Local\Temp\INA9A8A.tmp

Filesize
782KB

MD5
175d9b039177b405ee04c81f4c9aa4af

SHA1
6b523f7652761f4a24cf12ce08a32479ed03e8cf

SHA256
34a742397244bd2848291f7d1087eb43462a69272f22249e24c2aa71e79d14f3

SHA512
80f39a82a12899601da3dfc3092ba7465554b360a741fe26c0e4fbe3fac9b62ddde1f8c50f972eabf982427ac0b120edd67e8be31161a4ce4e2f8ef0dd53b26a

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9ADA.tmp

Filesize
495KB

MD5
cfab78ac0d042a1d8ad7085a94328ef6

SHA1
b3070cc847ba2739450dc9bd05040df83e7d85d2

SHA256
17b10df05b4b92735b673914fe2bf0c0d7bbda5b4a8f9a7fc81a0efaa4380168

SHA512
647b909f1e833dd08d99aaa29a3404e64c58356dfa0a3abeb788768d74abb0948d2b612a6da62f2617270cd85110e8aa2b26e5e4558af0d0b84f920c40533438

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9B39.tmp

Filesize
912KB

MD5
b15dbf4b35cd1460ba283795e24878c8

SHA1
327812be4bfdce7a87cb00fab432ecc0d8c38c1e

SHA256
0ac07db6140408e9586d46727eb32af8f8048cad535eca9052b6ef1149e63147

SHA512
95edc60c9658e0e8631604459969a406414902f297b7a14f2be6d3bc18878636167d202530d4ee3b4d7af189a9139a2183929250920196c48c08eda3d6dfdca4

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSI9F19.tmp

Filesize
602KB

MD5
78b793e3f44b2c7849ffe70083c500c0

SHA1
9dcbb160c9f606bcdbee9ad572aaab1ad1b24d61

SHA256
fbcf7c3645d90621bfbbf38e660a510dd0731b02b6e7820b075116e944301174

SHA512
36d0fadd2a55231ce159519ca4bfb56fee038ee82bfbafa375faee17e11e2149ffffb4b364bc80e4ed950325e0c31e6a02244c591a0b983c7ccc039e94a3e9c8

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSIA0B3.tmp

Filesize
196KB

MD5
efa1291d4eb0ff2050967dd63bfdbdc8

SHA1
54ba41d5a6fb192267b36127ff573cb112413fd8

SHA256
da78931d835e91c59cadaebc95fbae56020ce5031523a6a175fefa4582334ac4

SHA512
5fcce6422b0ee6827a57c5d0c476e36a5e75a880550b8041a0f3db42b630f483654508a797421ff4316fd84db549c8c78536a25d5da2de9eb60365720517d5e6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi9F4F.tmp

Filesize
4.3MB

MD5
6c7cdd25c2cb0073306eb22aebfc663f

SHA1
a1eba8ab49272b9852fe6a543677e8af36271248

SHA256
58280e3572333f97a7cf9f33e8d31dc26a98b6535965ebd0bde82249fc9bf705

SHA512
17344e07b9e9b2cd6ae4237d7f310732462f9cbb8656883607d7a1a4090e869265f92a6da1718dee50b1375b91583de60c6bd9e7e8db6b6e45e33f4b894365d6

Download Submit
C:\Users\Admin\AppData\Local\Temp\shi9F7F.tmp

Filesize
81KB

MD5
125b0f6bf378358e4f9c837ff6682d94

SHA1
8715beb626e0f4bd79a14819cc0f90b81a2e58ad

SHA256
e99eab3c75989b519f7f828373042701329acbd8ceadf4f3ff390f346ac76193

SHA512
b63bb6bfda70d42472868b5a1d3951cf9b2e00a7fadb08c1f599151a1801a19f5a75cfc3ace94c952cfd284eb261c7d6f11be0ebbcaa701b75036d3a6b442db2

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\A28FC47\urbanvpninstaller.x64.msi

Filesize
8.1MB

MD5
294de258dc51e42bafb53d624f443750

SHA1
f58b37153659caf3f2993b3c7a901fc93d0f179a

SHA256
d032ccbc60bc15be75a3a22d0d2bfd7920d73b162aff059d6bd3b672978df6c9

SHA512
d9d80018b1ab6a3e0e6634b09c23f91b9543dfc1051101528f30f4b9d12aaaceec31486b7e372156c45fab84d719d14347d72799473ef60139e3806180117e7f

Download Submit
C:\Users\Admin\AppData\Roaming\Urban Security\UrbanVPN 2.3.0.3\install\decoder.dll

Filesize
206KB

MD5
899944fb96ccc34cfbd2ccb9134367c5

SHA1
7c46aa3f84ba5da95ceff39cd49185672f963538

SHA256
780d10eda2b9a0a10bf844a7c8b6b350aa541c5bbd24022ff34f99201f9e9259

SHA512
2c41181f9af540b4637f418fc148d41d7c38202fb691b56650085fe5a9bdba068275ff07e002e1044760754876c62d7b4fc856452af80a02c5f5a9a7dc75b5e0

Download Submit