Overview
overview
10Static
static
101.exe
windows7-x64
101.exe
windows10-2004-x64
10VPN/VyprVPN.exe
windows7-x64
10VPN/VyprVPN.exe
windows10-2004-x64
10$1/1337/VyprVPN.exe
windows7-x64
3$1/1337/VyprVPN.exe
windows10-2004-x64
3$1/1337/jo...lt.exe
windows7-x64
10$1/1337/jo...lt.exe
windows10-2004-x64
10$1/1337/1111.exe
windows7-x64
7$1/1337/1111.exe
windows10-2004-x64
7$1/1337/Clipper.exe
windows7-x64
10$1/1337/Clipper.exe
windows10-2004-x64
10$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3$PLUGINSDI...em.dll
windows7-x64
3$PLUGINSDI...em.dll
windows10-2004-x64
3VPN/xNet.dll
windows7-x64
1VPN/xNet.dll
windows10-2004-x64
12019-09-02...10.exe
windows7-x64
102019-09-02...10.exe
windows10-2004-x64
1031.exe
windows7-x64
1031.exe
windows10-2004-x64
103DMark 11 ...on.exe
windows7-x64
33DMark 11 ...on.exe
windows10-2004-x64
3Archive.zi...3e.exe
windows7-x64
8Archive.zi...3e.exe
windows10-2004-x64
8WSHSetup[1].exe
windows7-x64
3WSHSetup[1].exe
windows10-2004-x64
3DiskIntern...en.exe
windows7-x64
3DiskIntern...en.exe
windows10-2004-x64
3ForceOp 2....ce.exe
windows7-x64
7ForceOp 2....ce.exe
windows10-2004-x64
7Resubmissions
11-11-2024 03:14
241111-dreswavmgp 10Analysis
-
max time kernel
121s -
max time network
122s -
platform
windows7_x64 -
resource
win7-20240729-en -
resource tags
arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system -
submitted
11-11-2024 03:14
Behavioral task
behavioral1
Sample
1.exe
Resource
win7-20240903-en
Behavioral task
behavioral2
Sample
1.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral3
Sample
VPN/VyprVPN.exe
Resource
win7-20240903-en
Behavioral task
behavioral4
Sample
VPN/VyprVPN.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral5
Sample
$1/1337/VyprVPN.exe
Resource
win7-20240708-en
Behavioral task
behavioral6
Sample
$1/1337/VyprVPN.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral7
Sample
$1/1337/joinResult.exe
Resource
win7-20240903-en
Behavioral task
behavioral8
Sample
$1/1337/joinResult.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral9
Sample
$1/1337/1111.exe
Resource
win7-20240729-en
Behavioral task
behavioral10
Sample
$1/1337/1111.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral11
Sample
$1/1337/Clipper.exe
Resource
win7-20240903-en
Behavioral task
behavioral12
Sample
$1/1337/Clipper.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral13
Sample
$PLUGINSDIR/System.dll
Resource
win7-20241023-en
Behavioral task
behavioral14
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral15
Sample
$PLUGINSDIR/System.dll
Resource
win7-20240903-en
Behavioral task
behavioral16
Sample
$PLUGINSDIR/System.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral17
Sample
VPN/xNet.dll
Resource
win7-20240903-en
Behavioral task
behavioral18
Sample
VPN/xNet.dll
Resource
win10v2004-20241007-en
Behavioral task
behavioral19
Sample
2019-09-02_22-41-10.exe
Resource
win7-20241010-en
Behavioral task
behavioral20
Sample
2019-09-02_22-41-10.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral21
Sample
31.exe
Resource
win7-20240903-en
Behavioral task
behavioral22
Sample
31.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral23
Sample
3DMark 11 Advanced Edition.exe
Resource
win7-20240903-en
Behavioral task
behavioral24
Sample
3DMark 11 Advanced Edition.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral25
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win7-20240903-en
Behavioral task
behavioral26
Sample
Archive.zip__ccacaxs2tbz2t6ob3e.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral27
Sample
WSHSetup[1].exe
Resource
win7-20241023-en
Behavioral task
behavioral28
Sample
WSHSetup[1].exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral29
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win7-20240708-en
Behavioral task
behavioral30
Sample
DiskInternals_Uneraser_v5_keygen.exe
Resource
win10v2004-20241007-en
Behavioral task
behavioral31
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win7-20241010-en
Behavioral task
behavioral32
Sample
ForceOp 2.8.7 - By RaiSence.exe
Resource
win10v2004-20241007-en
General
-
Target
$1/1337/1111.exe
-
Size
1.4MB
-
MD5
32373185ece79936dfd0fd41d2848a2e
-
SHA1
591f92bcaeeea85e8bba6988ef0d1afcea35fbbd
-
SHA256
5390fc20629a4a350dc8f0482472f9962f50364b7818b2d510beb4e520581ad4
-
SHA512
443b8df46dd6009285500148d2c4e0654e20e24b897fb29a9eded1cb21da6c495feaa1df81043ed4818f6ea511813c926e9f645b3ec4c8ab5c2c79f0fb5859dc
-
SSDEEP
24576:odLgKtbMn52LmBs9MGfof321RnkcRWiZES8bLg8iPznpJy5OfH3bOn+BYSYu:odUrnow4gG1XWj7OpJy5OPrOnE
Malware Config
Signatures
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
1111.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Control Panel\International\Geo\Nation 1111.exe -
Deletes itself 1 IoCs
Processes:
cmd.exepid process 2792 cmd.exe -
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs
Processes:
1111.exepid process 2264 1111.exe 2264 1111.exe 2264 1111.exe -
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
PING.EXE1111.execmd.exedescription ioc process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 1111.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
Processes:
cmd.exePING.EXEpid process 2792 cmd.exe 2632 PING.EXE -
Runs ping.exe 1 TTPs 1 IoCs
-
Suspicious behavior: EnumeratesProcesses 1 IoCs
Processes:
1111.exepid process 2264 1111.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
1111.exepid process 2264 1111.exe -
Suspicious use of WriteProcessMemory 8 IoCs
Processes:
1111.execmd.exedescription pid process target process PID 2264 wrote to memory of 2792 2264 1111.exe cmd.exe PID 2264 wrote to memory of 2792 2264 1111.exe cmd.exe PID 2264 wrote to memory of 2792 2264 1111.exe cmd.exe PID 2264 wrote to memory of 2792 2264 1111.exe cmd.exe PID 2792 wrote to memory of 2632 2792 cmd.exe PING.EXE PID 2792 wrote to memory of 2632 2792 cmd.exe PING.EXE PID 2792 wrote to memory of 2632 2792 cmd.exe PING.EXE PID 2792 wrote to memory of 2632 2792 cmd.exe PING.EXE
Processes
-
C:\Users\Admin\AppData\Local\Temp\$1\1337\1111.exe"C:\Users\Admin\AppData\Local\Temp\$1\1337\1111.exe"1⤵
- Checks computer location settings
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2264 -
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Local\Temp\$1\1337\1111.exe"2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2792 -
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 3 -w 30003⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2632
-
-
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1