Overview
overview
10Static
static
101.exe
windows7-x64
101.exe
windows10-2004-x64
10VPN/VyprVPN.exe
windows7-x64
10VPN/VyprVPN.exe
windows10-2004-x64
10$1/1337/VyprVPN.exe
windows7-x64
3$1/1337/VyprVPN.exe
windows10-2004-x64
3$1/1337/jo...lt.exe
windows7-x64
10$1/1337/jo...lt.exe
windows10-2004-x64
10$1/1337/1111.exe
windows7-x64
7$1/1337/1111.exe
windows10-2004-x64
7$1/1337/Clipper.exe
windows7-x64
10$1/1337/Clipper.exe
windows10-2004-x64
10$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3VPN/xNet.dll
windows7-x64
1VPN/xNet.dll
windows10-2004-x64
12019-09-02...10.exe
windows7-x64
102019-09-02...10.exe
windows10-2004-x64
1031.exe
windows7-x64
1031.exe
windows10-2004-x64
103DMark 11 ...on.exe
windows7-x64
33DMark 11 ...on.exe
windows10-2004-x64
3Archive.zi...3e.exe
windows7-x64
8Archive.zi...3e.exe
windows10-2004-x64
8WSHSetup[1].exe
windows7-x64
3WSHSetup[1].exe
windows10-2004-x64
3DiskIntern...en.exe
windows7-x64
3DiskIntern...en.exe
windows10-2004-x64
3ForceOp 2....ce.exe
windows7-x64
7ForceOp 2....ce.exe
windows10-2004-x64
7Resubmissions
11-11-2024 03:14
241111-dreswavmgp 10Analysis
-
max time kernel
122s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 03:14
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
VPN/VyprVPN.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
VPN/VyprVPN.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$1/1337/VyprVPN.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
$1/1337/VyprVPN.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$1/1337/joinResult.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$1/1337/joinResult.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$1/1337/1111.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
$1/1337/1111.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$1/1337/Clipper.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$1/1337/Clipper.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
VPN/xNet.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
VPN/xNet.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
2019-09-02_22-41-10.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
2019-09-02_22-41-10.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
31.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
31.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
WSHSetup[1].exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
WSHSetup[1].exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v2004-20241007-en
General
-
Target
$1/1337/joinResult.exe
-
Size
1.8MB
-
MD5
79022fbafee9fe740a5230f87bd33171
-
SHA1
42bf0f7bf41009fd0009535a8b1162cbe60dce6f
-
SHA256
640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
-
SHA512
48e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
SSDEEP
24576:l/Fc5T6rz9SjcS4c4da17v6JS42ybaU7cryOZO4Y8qoDUsNr+k+:l9L9bS944lv6JS4AU78O4yo4sNrg
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe" Clipper.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe" Clipper.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Control Panel\International\Geo\Nation 1111.exe -
Executes dropped EXE 5 IoCs
pid Process 2360 1111.exe 1428 Clipper.exe 2580 WinService.exe 2392 WinService.exe 1708 WinService.exe -
Loads dropped DLL 3 IoCs
pid Process 1628 joinResult.exe 1628 joinResult.exe 1628 joinResult.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
pid Process 2360 1111.exe 2360 1111.exe 2360 1111.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language joinResult.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 1940 PING.EXE 2788 cmd.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 1940 PING.EXE -
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
pid Process 2832 schtasks.exe -
Suspicious behavior: EnumeratesProcesses 1 IoCs
pid Process 2360 1111.exe -
Suspicious use of AdjustPrivilegeToken 4 IoCs
description pid Process Token: SeDebugPrivilege 1428 Clipper.exe Token: SeDebugPrivilege 2580 WinService.exe Token: SeDebugPrivilege 2392 WinService.exe Token: SeDebugPrivilege 1708 WinService.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2360 1111.exe -
Suspicious use of WriteProcessMemory 28 IoCs
description pid Process procid_target PID 1628 wrote to memory of 2360 1628 joinResult.exe 31 PID 1628 wrote to memory of 2360 1628 joinResult.exe 31 PID 1628 wrote to memory of 2360 1628 joinResult.exe 31 PID 1628 wrote to memory of 2360 1628 joinResult.exe 31 PID 1628 wrote to memory of 1428 1628 joinResult.exe 32 PID 1628 wrote to memory of 1428 1628 joinResult.exe 32 PID 1628 wrote to memory of 1428 1628 joinResult.exe 32 PID 1628 wrote to memory of 1428 1628 joinResult.exe 32 PID 1428 wrote to memory of 2832 1428 Clipper.exe 34 PID 1428 wrote to memory of 2832 1428 Clipper.exe 34 PID 1428 wrote to memory of 2832 1428 Clipper.exe 34 PID 1428 wrote to memory of 2580 1428 Clipper.exe 36 PID 1428 wrote to memory of 2580 1428 Clipper.exe 36 PID 1428 wrote to memory of 2580 1428 Clipper.exe 36 PID 2360 wrote to memory of 2788 2360 1111.exe 38 PID 2360 wrote to memory of 2788 2360 1111.exe 38 PID 2360 wrote to memory of 2788 2360 1111.exe 38 PID 2360 wrote to memory of 2788 2360 1111.exe 38 PID 2788 wrote to memory of 1940 2788 cmd.exe 40 PID 2788 wrote to memory of 1940 2788 cmd.exe 40 PID 2788 wrote to memory of 1940 2788 cmd.exe 40 PID 2788 wrote to memory of 1940 2788 cmd.exe 40 PID 3028 wrote to memory of 2392 3028 taskeng.exe 42 PID 3028 wrote to memory of 2392 3028 taskeng.exe 42 PID 3028 wrote to memory of 2392 3028 taskeng.exe 42 PID 3028 wrote to memory of 1708 3028 taskeng.exe 44 PID 3028 wrote to memory of 1708 3028 taskeng.exe 44 PID 3028 wrote to memory of 1708 3028 taskeng.exe 44 -
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\$1\1337\joinResult.exe"C:\Users\Admin\AppData\Local\Temp\$1\1337\joinResult.exe"1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1628 -
C:\Users\Admin\AppData\Roaming\1337\1111.exe"C:\Users\Admin\AppData\Roaming\1337\1111.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2360 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2788 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 3 -w 30004⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:1940
-
-
-
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1428 -
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f3⤵
- Scheduled Task/Job: Scheduled Task
PID:2832
-
-
C:\Users\Admin\WinService.exe"C:\Users\Admin\WinService.exe"3⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2580
-
-
-
C:\Windows\system32\taskeng.exetaskeng.exe {3FEC66A5-CEF0-41A4-BB27-C8D317BD413C} S-1-5-21-312935884-697965778-3955649944-1000:MXQFNXLT\Admin:Interactive:[1]1⤵
- Suspicious use of WriteProcessMemory
PID:3028 -
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2392
-
-
C:\Users\Admin\WinService.exeC:\Users\Admin\WinService.exe2⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:1708
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
18KB
MD5c7e43ab36c3da3371fc915de9dc5106f
SHA1f1bb12ae485853c1a28a8306604ef3eb3939068d
SHA2564ff04b9be72efe982594832d51681c08334f4d8512c3560c646c21f88fd5e532
SHA512383a02a7a338ca66077f5d577ae7f63f95cf1b711f1338e9dd11867a62d6dc298e0fd01878adc273669f5f1e8cffb0aa4ea3efa75ffb870616a0d3fef3cb454e
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
1.4MB
MD532373185ece79936dfd0fd41d2848a2e
SHA1591f92bcaeeea85e8bba6988ef0d1afcea35fbbd
SHA2565390fc20629a4a350dc8f0482472f9962f50364b7818b2d510beb4e520581ad4
SHA512443b8df46dd6009285500148d2c4e0654e20e24b897fb29a9eded1cb21da6c495feaa1df81043ed4818f6ea511813c926e9f645b3ec4c8ab5c2c79f0fb5859dc