38bc13ef112b2f17d4d1a80243fac6a521b5d58228984aae0752d79487fa3b66

Resubmissions

01/03/2025, 18:58

250301-xmhhrayp15 10

Analysis

max time kernel
186s
max time network
206s
platform
windows11-21h2_x64
resource
win11-20241007-en
resource tags

arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
submitted
04/12/2024, 11:40

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

VyprVPN.exe
Size

1.6MB
MD5

f1d5f022e71b8bc9e3241fbb72e87be2
SHA1

1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c
SHA256

08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d
SHA512

f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f
SSDEEP

24576:nTadGsNY1i8fWCsSpqq5M0bOk61uyG2CWm3U9X+Y0ttcN0sH2U9:nsGsm1qSp/MzRuI19X+Y0w39

Score

10^/10

discovery persistence spyware stealer

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-556537508-2730415644-482548075-1000\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe"	Clipper.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "explorer.exe, C:\\Users\\Admin\\WinService.exe"	Clipper.exe

Executes dropped EXE 6 IoCs

pid	Process
796	joinResult.exe
3132	VyprVPN.exe
3404	1111.exe
1948	Clipper.exe
3572	WinService.exe
2824	WinService.exe

Loads dropped DLL 2 IoCs

pid	Process
2584	VyprVPN.exe
796	joinResult.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

pid	Process
3404	1111.exe
3404	1111.exe
3404	1111.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 6 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VyprVPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	joinResult.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	VyprVPN.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1111.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
3684	cmd.exe
4104	PING.EXE

NSIS installer 2 IoCs

installer

resource	yara_rule
behavioral6/files/0x001900000002abdf-9.dat	nsis_installer_1
behavioral6/files/0x001900000002abdf-9.dat	nsis_installer_2

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
4104	PING.EXE

Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs

Schtasks is often used by malware for persistence or to perform post-infection execution.

persistence execution

Scheduled Task

T1053.005

pid	Process
3548	schtasks.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3404	1111.exe
3404	1111.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1948	Clipper.exe
Token: SeDebugPrivilege	3572	WinService.exe
Token: SeDebugPrivilege	2824	WinService.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3404	1111.exe

Suspicious use of WriteProcessMemory 21 IoCs

description	pid	Process	procid_target
PID 2584 wrote to memory of 796	2584	VyprVPN.exe	77
PID 2584 wrote to memory of 796	2584	VyprVPN.exe	77
PID 2584 wrote to memory of 796	2584	VyprVPN.exe	77
PID 2584 wrote to memory of 3132	2584	VyprVPN.exe	78
PID 2584 wrote to memory of 3132	2584	VyprVPN.exe	78
PID 2584 wrote to memory of 3132	2584	VyprVPN.exe	78
PID 796 wrote to memory of 3404	796	joinResult.exe	79
PID 796 wrote to memory of 3404	796	joinResult.exe	79
PID 796 wrote to memory of 3404	796	joinResult.exe	79
PID 796 wrote to memory of 1948	796	joinResult.exe	80
PID 796 wrote to memory of 1948	796	joinResult.exe	80
PID 1948 wrote to memory of 3548	1948	Clipper.exe	82
PID 1948 wrote to memory of 3548	1948	Clipper.exe	82
PID 1948 wrote to memory of 3572	1948	Clipper.exe	84
PID 1948 wrote to memory of 3572	1948	Clipper.exe	84
PID 3404 wrote to memory of 3684	3404	1111.exe	85
PID 3404 wrote to memory of 3684	3404	1111.exe	85
PID 3404 wrote to memory of 3684	3404	1111.exe	85
PID 3684 wrote to memory of 4104	3684	cmd.exe	87
PID 3684 wrote to memory of 4104	3684	cmd.exe	87
PID 3684 wrote to memory of 4104	3684	cmd.exe	87

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe
"C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2584
- C:\Users\Admin\AppData\Roaming\1337\joinResult.exe
  "C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:796
- - C:\Users\Admin\AppData\Roaming\1337\1111.exe
    "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of NtSetInformationThreadHideFromDebugger
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3404
  - - C:\Windows\SysWOW64\cmd.exe
      cmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"
      4⤵
      System Location Discovery: System Language Discovery
      System Network Configuration Discovery: Internet Connection Discovery
      Suspicious use of WriteProcessMemory
      PID:3684
    - - C:\Windows\SysWOW64\PING.EXE
        
        ping 1.1.1.1 -n 3 -w 3000
        5⤵
        System Location Discovery: System Language Discovery
        System Network Configuration Discovery: Internet Connection Discovery
        Runs ping.exe
        
        PID:4104
- - C:\Users\Admin\AppData\Roaming\1337\Clipper.exe
    "C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1948
  - - C:\Windows\System32\schtasks.exe
      "C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f
      4⤵
      Scheduled Task/Job: Scheduled Task
      PID:3548
  - - C:\Users\Admin\WinService.exe
      "C:\Users\Admin\WinService.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of AdjustPrivilegeToken
      PID:3572
- C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe
  "C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:3132

C:\Users\Admin\WinService.exe
C:\Users\Admin\WinService.exe
1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
PID:2824

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Persistence

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Winlogon Helper DLL

T1547.004

Scheduled Task/Job

T1053

Scheduled Task

T1053.005

Defense Evasion

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\nsvADA7.tmp\System.dll

Filesize
11KB

MD5
2ae993a2ffec0c137eb51c8832691bcb

SHA1
98e0b37b7c14890f8a599f35678af5e9435906e1

SHA256
681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59

SHA512
2501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9

Download Submit
C:\Users\Admin\AppData\Roaming\1337\1111.exe

Filesize
1.4MB

MD5
32373185ece79936dfd0fd41d2848a2e

SHA1
591f92bcaeeea85e8bba6988ef0d1afcea35fbbd

SHA256
5390fc20629a4a350dc8f0482472f9962f50364b7818b2d510beb4e520581ad4

SHA512
443b8df46dd6009285500148d2c4e0654e20e24b897fb29a9eded1cb21da6c495feaa1df81043ed4818f6ea511813c926e9f645b3ec4c8ab5c2c79f0fb5859dc

Download Submit
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe

Filesize
18KB

MD5
c7e43ab36c3da3371fc915de9dc5106f

SHA1
f1bb12ae485853c1a28a8306604ef3eb3939068d

SHA256
4ff04b9be72efe982594832d51681c08334f4d8512c3560c646c21f88fd5e532

SHA512
383a02a7a338ca66077f5d577ae7f63f95cf1b711f1338e9dd11867a62d6dc298e0fd01878adc273669f5f1e8cffb0aa4ea3efa75ffb870616a0d3fef3cb454e

Download Submit
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe

Filesize
3.2MB

MD5
25e9776bb3965060ac5d9234fd25a11d

SHA1
5df6e261a930c0068c94542ef5180722a513e4fb

SHA256
8321b2785893442efeedddc40f0979563e8e2fc1a51cc3e4ee93d6f36d4e154d

SHA512
8735acb4bad98ad06b9cee96cda9a3c5026e5f584bd4efb782cf9a8a6f3ea9e39f7d280497dabbb5f6662a6a63bb9a6674c4c020bc73669517b05d0e708d0d7c

Download Submit
C:\Users\Admin\AppData\Roaming\1337\joinResult.exe

Filesize
1.8MB

MD5
79022fbafee9fe740a5230f87bd33171

SHA1
42bf0f7bf41009fd0009535a8b1162cbe60dce6f

SHA256
640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6

SHA512
48e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3

Download Submit
memory/1948-60-0x0000000000740000-0x000000000074A000-memory.dmp

Filesize
40KB

Download
memory/3132-132-0x00000000737BE000-0x00000000737BF000-memory.dmp

Filesize
4KB

Download
memory/3132-135-0x00000000737B0000-0x0000000073F61000-memory.dmp

Filesize
7.7MB

Download
memory/3132-38-0x0000000005C60000-0x0000000006206000-memory.dmp

Filesize
5.6MB

Download
memory/3132-35-0x0000000005610000-0x00000000056AC000-memory.dmp

Filesize
624KB

Download
memory/3132-43-0x0000000005750000-0x00000000057E2000-memory.dmp

Filesize
584KB

Download
memory/3132-34-0x0000000000970000-0x0000000000CA0000-memory.dmp

Filesize
3.2MB

Download
memory/3132-63-0x0000000005910000-0x0000000005966000-memory.dmp

Filesize
344KB

Download
memory/3132-62-0x0000000005600000-0x000000000560A000-memory.dmp

Filesize
40KB

Download
memory/3132-64-0x00000000737B0000-0x0000000073F61000-memory.dmp

Filesize
7.7MB

Download
memory/3132-33-0x00000000737BE000-0x00000000737BF000-memory.dmp

Filesize
4KB

Download
memory/3404-61-0x0000000000300000-0x00000000006F9000-memory.dmp

Filesize
4.0MB

Download
memory/3404-134-0x0000000000300000-0x00000000006F9000-memory.dmp

Filesize
4.0MB

Download
memory/3404-133-0x0000000000300000-0x00000000006F9000-memory.dmp

Filesize
4.0MB

Download
memory/3404-136-0x0000000000300000-0x00000000006F9000-memory.dmp

Filesize
4.0MB

Download
memory/3404-137-0x0000000000300000-0x00000000006F9000-memory.dmp

Filesize
4.0MB

Download