Overview

overview

10

Static

static

3

letsvpn3.1...ll.exe

windows7-x64

10

letsvpn3.1...ll.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows7_x64
  • resource
    win7-20240903-en
  • resource tags

    arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
  • submitted
    20-09-2024 17:13

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    letsvpn3.10.4Install.exe

  • Size

    15.3MB

  • MD5

    9e07c23a29b69024cc8cd6b0ee856b6c

  • SHA1

    c0a6c67d609c9d4adcb3b2b13f65e5eda0c9fbeb

  • SHA256

    918bc31cba93f294e71233e9b029705706175be78ca6fff523fb4b5ba87dbfce

  • SHA512

    3b45a5d1657d18c336df7c64eac1a6b365a7d881a22d6d30944c3d2a8b994e0d07c2a0a91afd6999b6d559abc0ae29d065a95c55ac7b0a74e3d77e2f257d11dc

  • SSDEEP

    393216:qE9AqYuf1pK6o217nb2LLhY8iuakhNrjcJp:3tf1ppzsLhHiEoJp

Score
10/10
discoveryevasionexecutiontrojan

Malware Config

Extracted

Credentials

  • Protocol:     ftp
  • Host:
    134.122.155.46
  • Port:
    21
  • Username:
    lz165404
  • Password:
    lz165404.

Signatures

  • UAC bypass 3 TTPs 2 IoCs
    evasiontrojan
  • Executes dropped EXE 3 IoCs
  • Loads dropped DLL 9 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 22 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Command and Scripting Interpreter: PowerShell 1 TTPs 1 IoCs

    Using powershell.exe command.

    execution
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Checks processor information in registry 2 TTPs 2 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Suspicious behavior: EnumeratesProcesses 9 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs
  • Suspicious use of WriteProcessMemory 19 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\letsvpn3.10.4Install.exe
    "C:\Users\Admin\AppData\Local\Temp\letsvpn3.10.4Install.exe"
    1⤵
    • Loads dropped DLL
    • System Location Discovery: System Language Discovery
    • Suspicious use of WriteProcessMemory
    PID:2360
    • C:\Users\Admin\AppData\Local\Temp\is-9K2R3.tmp\letsvpn3.10.4Install.tmp
      "C:\Users\Admin\AppData\Local\Temp\is-9K2R3.tmp\letsvpn3.10.4Install.tmp" /SL5="$4010A,15722891,215552,C:\Users\Admin\AppData\Local\Temp\letsvpn3.10.4Install.exe"
      2⤵
      • Executes dropped EXE
      • Loads dropped DLL
      • System Location Discovery: System Language Discovery
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of WriteProcessMemory
      PID:2232
      • C:\Users\Public\Documents\GPUChecker.exe
        "C:\Users\Public\Documents\GPUChecker.exe"
        3⤵
        • UAC bypass
        • Executes dropped EXE
        • Enumerates connected drives
        • Checks processor information in registry
        • Suspicious behavior: EnumeratesProcesses
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of SetWindowsHookEx
        • System policy modification
        PID:2560
      • C:\Users\Admin\AppData\Local\Temp\is-B0VRF.tmp\letsvpn-3.10.3.exe
        "C:\Users\Admin\AppData\Local\Temp\is-B0VRF.tmp\letsvpn-3.10.3.exe"
        3⤵
        • Executes dropped EXE
        • Loads dropped DLL
        • System Location Discovery: System Language Discovery
        • Suspicious behavior: GetForegroundWindowSpam
        • Suspicious use of WriteProcessMemory
        PID:2892
        • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
          powershell.exe -inputformat none -ExecutionPolicy Bypass -Command "If ($env:PROCESSOR_ARCHITEW6432) { $env:PROCESSOR_ARCHITEW6432 } Else { $env:PROCESSOR_ARCHITECTURE }"
          4⤵
          • Command and Scripting Interpreter: PowerShell
          • System Location Discovery: System Language Discovery
          • Suspicious behavior: EnumeratesProcesses
          • Suspicious use of AdjustPrivilegeToken
          PID:2640

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Users\Admin\AppData\Local\Temp\is-9K2R3.tmp\letsvpn3.10.4Install.tmp
    Filesize

    921KB

    MD5

    2a1ea1b44013863f7f1d92ff89f80177

    SHA1

    66a2f0c14d7692e5cec40ca54b81328519c0f10c

    SHA256

    c9c04dbc019a9d36fbba1acd0e659eaa13ee7522cc67dd9a82e887abd25b0d4a

    SHA512

    aef8e28aa281e36801d38883b9af8cfd99b764afd28df9b1f32a9688fe3369bef33af0043fd77c23a8a5a055533d57905f01646db957a6772a972f5148393099

    Download Submit

  • C:\Users\Admin\AppData\Local\Temp\is-B0VRF.tmp\letsvpn-3.10.3.exe
    Filesize

    14.5MB

    MD5

    554754b512298e76d45c17de7808e6c2

    SHA1

    d0b69dd1996cf103a15fee3e0fe1bc1277c7f412

    SHA256

    aafb3b7ff217393b7b6beba02b3bcee9c076b63bcc78e2cc273c3e6d1092f3c1

    SHA512

    430c6d9fb4616c506f1d5e510c2b2f4451f86afac43c588956e703565a4404b7a31973b2d0767eb3e27d9e9430da021af90c63dd10750ecc0459950ddf66bd9f

    Download Submit

  • C:\Users\Public\Documents\GPUChecker.exe
    Filesize

    838KB

    MD5

    d0e0461bc0a130c622013f61e35aff6d

    SHA1

    715c1c5f403d7d1a9831be878e1d2a3910bc4f3e

    SHA256

    d274787942d562893a74ebbfd28285e0c292ba50bed479038c90c0d2d21e368a

    SHA512

    98d5043162a4e6a6c6a61026c6e5367bf43ad8eba9078e4818697d3aaac4c523f73777ea7cf803a87e81794d13e89ca1a484409c0ab7d9057c4ece43fa13802f

    Download Submit

  • \Users\Admin\AppData\Local\Temp\is-B0VRF.tmp\_isetup\_shfoldr.dll
    Filesize

    22KB

    MD5

    92dc6ef532fbb4a5c3201469a5b5eb63

    SHA1

    3e89ff837147c16b4e41c30d6c796374e0b8e62c

    SHA256

    9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

    SHA512

    9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD5F6.tmp\System.dll
    Filesize

    11KB

    MD5

    75ed96254fbf894e42058062b4b4f0d1

    SHA1

    996503f1383b49021eb3427bc28d13b5bbd11977

    SHA256

    a632d74332b3f08f834c732a103dafeb09a540823a2217ca7f49159755e8f1d7

    SHA512

    58174896db81d481947b8745dafe3a02c150f3938bb4543256e8cce1145154e016d481df9fe68dac6d48407c62cbe20753320ebd5fe5e84806d07ce78e0eb0c4

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD5F6.tmp\nsDialogs.dll
    Filesize

    9KB

    MD5

    ca95c9da8cef7062813b989ab9486201

    SHA1

    c555af25df3de51aa18d487d47408d5245dba2d1

    SHA256

    feb6364375d0ab081e9cdf11271c40cb966af295c600903383b0730f0821c0be

    SHA512

    a30d94910204d1419c803dc12d90a9d22f63117e4709b1a131d8c4d5ead7e4121150e2c8b004a546b33c40c294df0a74567013001f55f37147d86bb847d7bbc9

    Download Submit

  • \Users\Admin\AppData\Local\Temp\nsjD5F6.tmp\nsExec.dll
    Filesize

    6KB

    MD5

    3d366250fcf8b755fce575c75f8c79e4

    SHA1

    2ebac7df78154738d41aac8e27d7a0e482845c57

    SHA256

    8bdd996ae4778c6f829e2bcb651c55efc9ec37eeea17d259e013b39528dddbb6

    SHA512

    67d2d88de625227ccd2cb406b4ac3a215d1770d385c985a44e2285490f49b45f23ce64745b24444e2a0f581335fda02e913b92781043e8dfd287844435ba9094

    Download Submit

  • memory/2232-64-0x0000000000400000-0x00000000004F9000-memory.dmp

    Filesize

    996KB

    Download

  • memory/2232-11-0x0000000000400000-0x00000000004F9000-memory.dmp

    Filesize

    996KB

    Download

  • memory/2360-2-0x0000000000401000-0x000000000040B000-memory.dmp

    Filesize

    40KB

    Download

  • memory/2360-66-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2360-0-0x0000000000400000-0x000000000043C000-memory.dmp

    Filesize

    240KB

    Download

  • memory/2560-68-0x00000000003D0000-0x00000000003D2000-memory.dmp

    Filesize

    8KB

    Download

  • memory/2560-69-0x0000000002240000-0x00000000022AC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2560-74-0x0000000002240000-0x00000000022AC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2560-73-0x0000000002240000-0x00000000022AC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2560-72-0x0000000002240000-0x00000000022AC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2560-71-0x0000000002240000-0x00000000022AC000-memory.dmp

    Filesize

    432KB

    Download

  • memory/2560-75-0x0000000002240000-0x00000000022AC000-memory.dmp

    Filesize

    432KB

    Download