Analysis
-
max time kernel
149s -
max time network
146s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
07-01-2025 13:44
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe
Resource
win7-20240903-en
windows7-x64
35 signatures
150 seconds
Behavioral task
behavioral2
Sample
e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe
Resource
win10v2004-20241007-en
windows10-2004-x64
38 signatures
150 seconds
General
-
Target
e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe
-
Size
15.7MB
-
MD5
2d0371c18b29b3555551a59af80cc093
-
SHA1
de647e80fc291500d104e8534c862d23ab2b5db7
-
SHA256
e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d
-
SHA512
c7ecf9a0063da74562a0897d0b37d0cb091b3743dddd33f7586fc110705fff46286912ebeba27cf3e8758da0ea8c767ec6d296c62ac704aeec0fdb66d44ca870
-
SSDEEP
393216:f9lCKlon+UNPc5bSXy3v0zs8yj6BHuKrrT4wV9Sr9SwzS:f2+UNk5bhfG5HuKrrT4wVESYS
Malware Config
Signatures
-
resource yara_rule behavioral1/memory/2756-39-0x0000000010000000-0x000000001019E000-memory.dmp purplefox_rootkit behavioral1/memory/2780-50-0x0000000010000000-0x000000001019E000-memory.dmp purplefox_rootkit -
Gh0st RAT payload 2 IoCs
resource yara_rule behavioral1/memory/2756-39-0x0000000010000000-0x000000001019E000-memory.dmp family_gh0strat behavioral1/memory/2780-50-0x0000000010000000-0x000000001019E000-memory.dmp family_gh0strat -
Gh0strat family
-
Purplefox family
-
Drops file in Drivers directory 4 IoCs
description ioc Process File created C:\Windows\system32\drivers\QAssist.sys Phxph.exe File opened for modification C:\Windows\system32\DRIVERS\SET588C.tmp DrvInst.exe File created C:\Windows\system32\DRIVERS\SET588C.tmp DrvInst.exe File opened for modification C:\Windows\system32\DRIVERS\tap0901.sys DrvInst.exe -
Modifies Windows Firewall 2 TTPs 5 IoCs
pid Process 580 netsh.exe 1188 netsh.exe 2884 netsh.exe 2896 netsh.exe 2624 netsh.exe -
Sets service image path in registry 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\QAssist\ImagePath = "system32\\DRIVERS\\QAssist.sys" Phxph.exe -
Executes dropped EXE 10 IoCs
pid Process 2700 letsvpn-latest.exe 2756 svchost.exe 2780 Phxph.exe 2244 tapinstall.exe 1816 tapinstall.exe 2056 tapinstall.exe 2916 LetsPRO.exe 2820 LetsPRO.exe 2080 LetsPRO.exe 1624 LetsPRO.exe -
Loads dropped DLL 64 IoCs
pid Process 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2756 svchost.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2916 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2820 LetsPRO.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2080 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\LetsPRO = "\"C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe\" /silent" LetsPRO.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Enumerates connected drives 3 TTPs 22 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
description ioc Process File opened (read-only) \??\O: Phxph.exe File opened (read-only) \??\R: Phxph.exe File opened (read-only) \??\U: Phxph.exe File opened (read-only) \??\V: Phxph.exe File opened (read-only) \??\Y: Phxph.exe File opened (read-only) \??\Z: Phxph.exe File opened (read-only) \??\H: Phxph.exe File opened (read-only) \??\M: Phxph.exe File opened (read-only) \??\T: Phxph.exe File opened (read-only) \??\E: Phxph.exe File opened (read-only) \??\I: Phxph.exe File opened (read-only) \??\J: Phxph.exe File opened (read-only) \??\K: Phxph.exe File opened (read-only) \??\N: Phxph.exe File opened (read-only) \??\S: Phxph.exe File opened (read-only) \??\X: Phxph.exe File opened (read-only) \??\G: Phxph.exe File opened (read-only) \??\L: Phxph.exe File opened (read-only) \??\P: Phxph.exe File opened (read-only) \??\Q: Phxph.exe File opened (read-only) \??\W: Phxph.exe File opened (read-only) \??\B: Phxph.exe -
pid Process 1752 ARP.EXE 860 cmd.exe -
Drops file in System32 directory 21 IoCs
description ioc Process File opened for modification C:\Windows\System32\DriverStore\infpub.dat tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\SET27DC.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File created C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF DrvInst.exe File created C:\Windows\System32\DriverStore\INFCACHE.0 DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b} DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\oemvista.inf DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\SET27DD.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infpub.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\tap0901.cat DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\SET27DD.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\SET27DC.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\tap0901.sys DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstor.dat DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF DrvInst.exe File opened for modification C:\Windows\System32\CatRoot2\dberr.txt tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\SET27DB.tmp DrvInst.exe File created C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\SET27DB.tmp DrvInst.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat tapinstall.exe File opened for modification C:\Windows\System32\DriverStore\infstrng.dat DrvInst.exe -
Drops file in Program Files directory 64 IoCs
description ioc Process File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\FontAwesome.WPF.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\LetsVPNDomainModel.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\Mono.Cecil.Rocks.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Buffers.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\zh-Hant\System.Web.Services.Description.resources.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.PerformanceCounter.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.InteropServices.RuntimeInformation.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Encoding.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.ReaderWriter.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XmlDocument.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\zh-HK letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.WinForms.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.Pipes.AccessControl.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.AccessControl.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Permissions.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\tr letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Process.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\arm64\WebView2Loader.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\SharpCompress.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.DriveInfo.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\tr\System.Web.Services.Description.resources.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\ICSharpCode.AvalonEdit.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe.config letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Extensions.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XDocument.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\WebSocket4Net.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\LetsPRO.exe letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\LetsGoogleAnalytics.exe letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\Microsoft.Web.WebView2.Core.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Cng.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\log4net.config letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-x86 letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\driver\tapinstall.exe letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Globalization.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\runtimes\win-arm\native\e_sqlite3.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Reflection.Primitives.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Serialization.Formatters.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\de\System.Web.Services.Description.resources.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\SQLitePCLRaw.batteries_v2.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\Squirrel.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Console.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.IO.FileSystem.Primitives.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\WpfAnimatedGif.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\.check_result letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Collections.Specialized.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Linq.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Primitives.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\driver\tap0901.cat letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\System.Xml.XPath.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\ru\System.Web.Services.Description.resources.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\log4net.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn-latest.exe e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Drawing.Primitives.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Resources.Writer.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\cs\System.Web.Services.Description.resources.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Runtime.Handles.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Security.Cryptography.Pkcs.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\arm64\WebView2Loader.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\zh-TW letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Diagnostics.Tools.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\System.Net.Primitives.dll letsvpn-latest.exe File opened for modification C:\Program Files (x86)\letsvpn\app-3.12.0\x64\WebView2Loader.dll letsvpn-latest.exe File created C:\Program Files (x86)\letsvpn\app-3.12.0\zh-Hant\System.Web.Services.Description.resources.dll letsvpn-latest.exe -
Drops file in Windows directory 13 IoCs
description ioc Process File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev1 DrvInst.exe File created C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File opened for modification C:\Windows\INF\oem2.inf DrvInst.exe File opened for modification C:\Windows\INF\setupapi.dev.log DrvInst.exe File created C:\Windows\INF\oem2.PNF DrvInst.exe File opened for modification C:\Windows\INF\setupapi.ev2 DrvInst.exe File opened for modification C:\Windows\INF\setupapi.app.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.dev.log tapinstall.exe File opened for modification C:\Windows\INF\setupapi.ev3 DrvInst.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Event Triggered Execution: Netsh Helper DLL 1 TTPs 21 IoCs
Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.
description ioc Process Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key opened \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key queried \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe Key value enumerated \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh netsh.exe -
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language PING.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language LetsPRO.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ipconfig.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language letsvpn-latest.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ROUTE.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language Phxph.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language ARP.EXE Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language netsh.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
pid Process 2628 cmd.exe 2660 PING.EXE -
Checks processor information in registry 2 TTPs 2 IoCs
Processor information is often read in order to detect sandboxing environments.
description ioc Process Key opened \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 Phxph.exe Key value queried \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz Phxph.exe -
Gathers network information 2 TTPs 1 IoCs
Uses commandline utility to view network configuration.
pid Process 2288 ipconfig.exe -
Modifies data under HKEY_USERS 64 IoCs
description ioc Process Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\WinTrust\Trust Providers\Software Publishing DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\sstpsvc.dll,-203 = "Allows you to securely connect to a private network using the Internet." DrvInst.exe Set value (data) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\LanguageList = 65006e002d0055005300000065006e0000000000 DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Disallowed DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\tcpipcfg.dll,-50001 = "Transmission Control Protocol/Internet Protocol. The default wide area network protocol that provides communication across diverse interconnected networks." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50002 = "Allows your computer to access resources on a Microsoft network." DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\system32\lltdres.dll,-3 = "Allows this PC to be discovered and located on the network." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CTLs DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%SystemRoot%\System32\drivers\pacer.sys,-100 = "Quality of Service Packet Scheduler. This component provides network traffic control, including rate-of-flow and prioritization services." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\My DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\Root DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\Certificates DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@netcfgx.dll,-50003 = "Allows other computers to access resources on your computer using a Microsoft network." DrvInst.exe Set value (str) \REGISTRY\USER\.DEFAULT\SOFTWARE\Classes\Local Settings\MuiCache\2D\52C64B7E\@%systemroot%\system32\rascfg.dll,-32009 = "Allows you to securely connect to a private network using the Internet." DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\CA\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Policies\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\CA DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\Disallowed\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Disallowed\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\SmartCardRoot\Certificates DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\trust DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\Root\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CTLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Policies\Microsoft\SystemCertificates\trust\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\Software\Microsoft\SystemCertificates\TrustedPeople DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\TrustedPeople\CRLs DrvInst.exe Key created \REGISTRY\USER\.DEFAULT\SOFTWARE\Microsoft\SystemCertificates\CA\CRLs DrvInst.exe -
Modifies registry class 9 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\URL Protocol = "C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe" LetsPRO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe\",1" LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open LetsPRO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\shell\open\command\ = "\"C:\\Program Files (x86)\\letsvpn\\app-3.12.0\\LetsPRO.exe\" \"%1\"" LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2 LetsPRO.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\ = "letsvpn2Protocol" LetsPRO.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\letsvpn2\DefaultIcon LetsPRO.exe -
description ioc Process Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc252000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 190000000100000010000000ba4f3972e7aed9dccdc210db59da13c90300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc251d00000001000000100000008f76b981d528ad4770088245e2031b630b0000000100000012000000440069006700690043006500720074000000140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc35300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a82000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2 tapinstall.exe Set value (data) \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5FB7EE0633E259DBAD0C4C9AE6D38F1A61C7DC25\Blob = 040000000100000010000000d474de575c39b2d39c8583c5c065498a0f0000000100000014000000e35ef08d884f0a0ade2f75e96301ce6230f213a8090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703085300000001000000230000003021301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0140000000100000014000000b13ec36903f8bf4701d498261a0802ef63642bc30b00000001000000120000004400690067006900430065007200740000001d00000001000000100000008f76b981d528ad4770088245e2031b630300000001000000140000005fb7ee0633e259dbad0c4c9ae6d38f1a61c7dc25190000000100000010000000ba4f3972e7aed9dccdc210db59da13c92000000001000000c9030000308203c5308202ada003020102021002ac5c266a0b409b8f0b79f2ae462577300d06092a864886f70d0101050500306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a306c310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312b30290603550403132244696769436572742048696768204173737572616e636520455620526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100c6cce573e6fbd4bbe52d2d32a6dfe5813fc9cd2549b6712ac3d5943467a20a1cb05f69a640b1c4b7b28fd098a4a941593ad3dc94d63cdb7438a44acc4d2582f74aa5531238eef3496d71917e63b6aba65fc3a484f84f6251bef8c5ecdb3892e306e508910cc4284155fbcb5a89157e71e835bf4d72093dbe3a38505b77311b8db3c724459aa7ac6d00145a04b7ba13eb510a984141224e656187814150a6795c89de194a57d52ee65d1c532c7e98cd1a0616a46873d03404135ca171d35a7c55db5e64e13787305604e511b4298012f1793988a202117c2766b788b778f2ca0aa838ab0a64c2bf665d9584c1a1251e875d1a500b2012cc41bb6e0b5138b84bcb0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e04160414b13ec36903f8bf4701d498261a0802ef63642bc3301f0603551d23041830168014b13ec36903f8bf4701d498261a0802ef63642bc3300d06092a864886f70d010105050003820101001c1a0697dcd79c9f3c886606085721db2147f82a67aabf183276401057c18af37ad911658e35fa9efc45b59ed94c314bb891e8432c8eb378cedbe3537971d6e5219401da55879a2464f68a66ccde9c37cda834b1699b23c89e78222b7043e35547316119ef58c5852f4e30f6a0311623c8e7e2651633cbbf1a1ba03df8ca5e8b318b6008892d0c065c52b7c4f90a98d1155f9f12be7c366338bd44a47fe4262b0ac497690de98ce2c01057b8c876129155f24869d8bc2a025b0f44d42031dbf4ba70265d90609ebc4b17092fb4cb1e4368c90727c1d25cf7ea21b968129c3c9cbf9efc805c9b63cdec47aa252767a037f300827d54d7a9f8e92e13a377e81f4a tapinstall.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43 tapinstall.exe -
Runs ping.exe 1 TTPs 1 IoCs
pid Process 2660 PING.EXE -
Suspicious behavior: EnumeratesProcesses 54 IoCs
pid Process 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2780 Phxph.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 2700 letsvpn-latest.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe -
Suspicious behavior: LoadsDriver 3 IoCs
pid Process 2780 Phxph.exe 476 Process not Found 476 Process not Found -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncBasePriorityPrivilege 2756 svchost.exe Token: SeLoadDriverPrivilege 2780 Phxph.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 2972 rundll32.exe Token: SeRestorePrivilege 2972 rundll32.exe Token: SeRestorePrivilege 2972 rundll32.exe Token: SeRestorePrivilege 2972 rundll32.exe Token: SeRestorePrivilege 2972 rundll32.exe Token: SeRestorePrivilege 2972 rundll32.exe Token: SeRestorePrivilege 2972 rundll32.exe Token: SeBackupPrivilege 2708 vssvc.exe Token: SeRestorePrivilege 2708 vssvc.exe Token: SeAuditPrivilege 2708 vssvc.exe Token: SeBackupPrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1792 DrvInst.exe Token: SeRestorePrivilege 1612 DrvInst.exe Token: SeRestorePrivilege 1612 DrvInst.exe Token: SeRestorePrivilege 1612 DrvInst.exe Token: SeRestorePrivilege 1612 DrvInst.exe Token: SeRestorePrivilege 1612 DrvInst.exe Token: SeRestorePrivilege 1612 DrvInst.exe Token: SeRestorePrivilege 1612 DrvInst.exe Token: SeLoadDriverPrivilege 1612 DrvInst.exe Token: SeLoadDriverPrivilege 1612 DrvInst.exe Token: SeLoadDriverPrivilege 1612 DrvInst.exe Token: SeRestorePrivilege 1816 tapinstall.exe Token: SeLoadDriverPrivilege 1816 tapinstall.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeRestorePrivilege 1140 DrvInst.exe Token: SeLoadDriverPrivilege 1140 DrvInst.exe Token: SeDebugPrivilege 1624 LetsPRO.exe -
Suspicious use of FindShellTrayWindow 5 IoCs
pid Process 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe -
Suspicious use of SendNotifyMessage 5 IoCs
pid Process 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe 1624 LetsPRO.exe -
Suspicious use of WriteProcessMemory 64 IoCs
description pid Process procid_target PID 2216 wrote to memory of 2700 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 31 PID 2216 wrote to memory of 2700 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 31 PID 2216 wrote to memory of 2700 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 31 PID 2216 wrote to memory of 2700 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 31 PID 2216 wrote to memory of 2700 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 31 PID 2216 wrote to memory of 2700 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 31 PID 2216 wrote to memory of 2700 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 31 PID 2216 wrote to memory of 2756 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 32 PID 2216 wrote to memory of 2756 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 32 PID 2216 wrote to memory of 2756 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 32 PID 2216 wrote to memory of 2756 2216 e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe 32 PID 2756 wrote to memory of 2780 2756 svchost.exe 33 PID 2756 wrote to memory of 2780 2756 svchost.exe 33 PID 2756 wrote to memory of 2780 2756 svchost.exe 33 PID 2756 wrote to memory of 2780 2756 svchost.exe 33 PID 2756 wrote to memory of 2628 2756 svchost.exe 34 PID 2756 wrote to memory of 2628 2756 svchost.exe 34 PID 2756 wrote to memory of 2628 2756 svchost.exe 34 PID 2756 wrote to memory of 2628 2756 svchost.exe 34 PID 2628 wrote to memory of 2660 2628 cmd.exe 36 PID 2628 wrote to memory of 2660 2628 cmd.exe 36 PID 2628 wrote to memory of 2660 2628 cmd.exe 36 PID 2628 wrote to memory of 2660 2628 cmd.exe 36 PID 2700 wrote to memory of 2244 2700 letsvpn-latest.exe 37 PID 2700 wrote to memory of 2244 2700 letsvpn-latest.exe 37 PID 2700 wrote to memory of 2244 2700 letsvpn-latest.exe 37 PID 2700 wrote to memory of 2244 2700 letsvpn-latest.exe 37 PID 2700 wrote to memory of 1816 2700 letsvpn-latest.exe 39 PID 2700 wrote to memory of 1816 2700 letsvpn-latest.exe 39 PID 2700 wrote to memory of 1816 2700 letsvpn-latest.exe 39 PID 2700 wrote to memory of 1816 2700 letsvpn-latest.exe 39 PID 1792 wrote to memory of 2972 1792 DrvInst.exe 42 PID 1792 wrote to memory of 2972 1792 DrvInst.exe 42 PID 1792 wrote to memory of 2972 1792 DrvInst.exe 42 PID 2700 wrote to memory of 2056 2700 letsvpn-latest.exe 48 PID 2700 wrote to memory of 2056 2700 letsvpn-latest.exe 48 PID 2700 wrote to memory of 2056 2700 letsvpn-latest.exe 48 PID 2700 wrote to memory of 2056 2700 letsvpn-latest.exe 48 PID 2700 wrote to memory of 1940 2700 letsvpn-latest.exe 50 PID 2700 wrote to memory of 1940 2700 letsvpn-latest.exe 50 PID 2700 wrote to memory of 1940 2700 letsvpn-latest.exe 50 PID 2700 wrote to memory of 1940 2700 letsvpn-latest.exe 50 PID 1940 wrote to memory of 580 1940 cmd.exe 52 PID 1940 wrote to memory of 580 1940 cmd.exe 52 PID 1940 wrote to memory of 580 1940 cmd.exe 52 PID 1940 wrote to memory of 580 1940 cmd.exe 52 PID 2700 wrote to memory of 2692 2700 letsvpn-latest.exe 53 PID 2700 wrote to memory of 2692 2700 letsvpn-latest.exe 53 PID 2700 wrote to memory of 2692 2700 letsvpn-latest.exe 53 PID 2700 wrote to memory of 2692 2700 letsvpn-latest.exe 53 PID 2692 wrote to memory of 1188 2692 cmd.exe 55 PID 2692 wrote to memory of 1188 2692 cmd.exe 55 PID 2692 wrote to memory of 1188 2692 cmd.exe 55 PID 2692 wrote to memory of 1188 2692 cmd.exe 55 PID 2700 wrote to memory of 2712 2700 letsvpn-latest.exe 56 PID 2700 wrote to memory of 2712 2700 letsvpn-latest.exe 56 PID 2700 wrote to memory of 2712 2700 letsvpn-latest.exe 56 PID 2700 wrote to memory of 2712 2700 letsvpn-latest.exe 56 PID 2712 wrote to memory of 2884 2712 cmd.exe 58 PID 2712 wrote to memory of 2884 2712 cmd.exe 58 PID 2712 wrote to memory of 2884 2712 cmd.exe 58 PID 2712 wrote to memory of 2884 2712 cmd.exe 58 PID 2700 wrote to memory of 3056 2700 letsvpn-latest.exe 59 PID 2700 wrote to memory of 3056 2700 letsvpn-latest.exe 59 -
Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
Processes
-
C:\Users\Admin\AppData\Local\Temp\e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe"C:\Users\Admin\AppData\Local\Temp\e6805ec6deaff537ccfa9cc7b77fd282c5b506e1f12e4bbb01ebf36719ab0f7d.exe"1⤵
- Drops file in Program Files directory
- Suspicious use of WriteProcessMemory
PID:2216 -
C:\Program Files (x86)\letsvpn-latest.exe"C:\Program Files (x86)\letsvpn-latest.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2700 -
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
PID:2244
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" install "C:\Program Files (x86)\letsvpn\driver\OemVista.inf" tap09013⤵
- Executes dropped EXE
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1816
-
-
C:\Program Files (x86)\letsvpn\driver\tapinstall.exe"C:\Program Files (x86)\letsvpn\driver\tapinstall.exe" findall tap09013⤵
- Executes dropped EXE
PID:2056
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1940 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:580
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=lets.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2692 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=lets.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:1188
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO.exe3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2712 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO.exe4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2884
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsPRO3⤵
- System Location Discovery: System Language Discovery
PID:3056 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsPRO4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2896
-
-
-
C:\Windows\SysWOW64\cmd.execmd /c netsh advfirewall firewall Delete rule name=LetsVPN3⤵
- System Location Discovery: System Language Discovery
PID:2620 -
C:\Windows\SysWOW64\netsh.exenetsh advfirewall firewall Delete rule name=LetsVPN4⤵
- Modifies Windows Firewall
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2624
-
-
-
C:\Program Files (x86)\letsvpn\LetsPRO.exe"C:\Program Files (x86)\letsvpn\LetsPRO.exe" checkNetFramework3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2916 -
C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe"C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe" checkNetFramework4⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2820
-
-
-
C:\Program Files (x86)\letsvpn\LetsPRO.exe"C:\Program Files (x86)\letsvpn\LetsPRO.exe"3⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
PID:2080 -
C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe"C:\Program Files (x86)\letsvpn\app-3.12.0\LetsPRO.exe"4⤵
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
PID:1624 -
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C ipconfig /all5⤵
- System Location Discovery: System Language Discovery
PID:2460 -
C:\Windows\SysWOW64\ipconfig.exeipconfig /all6⤵
- System Location Discovery: System Language Discovery
- Gathers network information
PID:2288
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C route print5⤵
- System Location Discovery: System Language Discovery
PID:1192 -
C:\Windows\SysWOW64\ROUTE.EXEroute print6⤵
- System Location Discovery: System Language Discovery
PID:2472
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C netsh interface ipv4 set interface LetsTAP metric=15⤵
- System Location Discovery: System Language Discovery
PID:560 -
C:\Windows\SysWOW64\netsh.exenetsh interface ipv4 set interface LetsTAP metric=16⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2500
-
-
-
C:\Windows\SysWOW64\cmd.exe"cmd.exe" /C arp -a5⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:860 -
C:\Windows\SysWOW64\ARP.EXEarp -a6⤵
- Network Service Discovery
- System Location Discovery: System Language Discovery
PID:1752
-
-
-
C:\Windows\SysWOW64\netsh.exeC:\Windows\System32\netsh interface ipv4 set dnsservers \"LetsTAP\" source=dhcp validate=no5⤵
- Event Triggered Execution: Netsh Helper DLL
- System Location Discovery: System Language Discovery
PID:2092
-
-
-
-
-
C:\Program Files (x86)\svchost.exe"C:\Program Files (x86)\svchost.exe"2⤵
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2756 -
C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\Phxph.exe"3⤵
- Drops file in Drivers directory
- Sets service image path in registry
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
- Checks processor information in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious behavior: LoadsDriver
- Suspicious use of AdjustPrivilegeToken
PID:2780
-
-
C:\Windows\SysWOW64\cmd.exeC:\Windows\system32\cmd.exe /c ping -n 2 127.0.0.1 > nul && del C:\PROGRA~2\svchost.exe > nul3⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
PID:2628 -
C:\Windows\SysWOW64\PING.EXEping -n 2 127.0.0.14⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
PID:2660
-
-
-
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "4" "0" "C:\Users\Admin\AppData\Local\Temp\{1eabc76c-14c9-5b16-d519-1f27722fc277}\oemvista.inf" "9" "6d14a44ff" "00000000000003A8" "WinSta0\Default" "0000000000000310" "208" "c:\program files (x86)\letsvpn\driver"1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1792 -
C:\Windows\system32\rundll32.exerundll32.exe C:\Windows\system32\pnpui.dll,InstallSecurityPromptRunDllW 20 Global\{15dd1319-1440-143d-fea7-747687383902} Global\{5417191d-5ca6-7d25-6446-fb05ed7ee505} C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\oemvista.inf C:\Windows\System32\DriverStore\Temp\{10740768-3196-63c9-28b4-a45099f6577b}\tap0901.cat2⤵
- Suspicious use of AdjustPrivilegeToken
PID:2972
-
-
C:\Windows\system32\vssvc.exeC:\Windows\system32\vssvc.exe1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2708
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "1" "200" "STORAGE\VolumeSnapshot\HarddiskVolumeSnapshot19" "" "" "61530dda3" "0000000000000000" "00000000000005F0" "00000000000005EC"1⤵
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1612
-
C:\Windows\system32\DrvInst.exeDrvInst.exe "2" "211" "ROOT\NET\0000" "C:\Windows\INF\oem2.inf" "oemvista.inf:tap0901.NTamd64:tap0901.ndi:9.24.6.601:tap0901" "6d14a44ff" "00000000000003A8" "00000000000005E8" "00000000000005EC"1⤵
- Drops file in Drivers directory
- Drops file in System32 directory
- Drops file in Windows directory
- Modifies data under HKEY_USERS
- Suspicious use of AdjustPrivilegeToken
PID:1140
-
C:\Windows\system32\wbem\WmiApSrv.exeC:\Windows\system32\wbem\WmiApSrv.exe1⤵PID:3064
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
2Create or Modify System Process
1Windows Service
1Event Triggered Execution
1Netsh Helper DLL
1Defense Evasion
Impair Defenses
1Disable or Modify System Firewall
1Modify Registry
3Subvert Trust Controls
1Install Root Certificate
1Discovery
Network Service Discovery
1Peripheral Device Discovery
1Query Registry
3Remote System Discovery
1System Information Discovery
4System Location Discovery
1System Language Discovery
1System Network Configuration Discovery
1Internet Connection Discovery
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
14.8MB
MD59f5f358aa1a85d222ad967f4538bc753
SHA1567404faec3641f4df889c2c92164cee92723741
SHA256eb11627e59757105bddb884540854d56b173fe42417878de4e7d246cac92c932
SHA512d5a4c4b343704b96c98183d13d90e37065c8be0d0ed053696fb28b5e29f1432175d5e9f63c2d2879c3eb3541e4822a64ae7bfa2230c0c00b5c3ada0a1ac82bed
-
Filesize
33B
MD5862d9ed729f9bd1209a13c49c8388cfc
SHA118c5c6faaec66d790893dd34d6a415879e36e92c
SHA256a21ed21b8c02ad37840fb4374873858f650a7ebe9c29789d2562b51f30c2922b
SHA51233c78de82c4b449b59beba7bc7f700f5a9e271007b7d79a95c99f994cc15c151fd25471dd8682beb06c55d4bb282e7890282947c8cd16419311e911900005fe5
-
Filesize
1.5MB
MD556162a01d3de7cb90eb9a2222c6b8f24
SHA1c4c10199b5f7d50d641d115f9d049832ec836785
SHA256a41077ed210d8d454d627d15663b7523c33e6f7386cd920a56fbcfbb0a37547d
SHA51223c4aac046ffdecaa64acbee9579634c419202be43463927dfabf9798ded17b1b7a1199f1db54e247d28d82f39f3f352ac3acbade2118c67717fd37260bd8b4f
-
Filesize
26KB
MD511752aa56f176fbbbf36420ec8db613a
SHA10affc2837cee71750450911d11968e0692947f13
SHA256d66328eb01118a727e919b52318562094f2ff593bd33e5d3aab5e73602388dfa
SHA512ed78045e4b6b85a1a0557c2ccd85a27e90defc48e50d2833d3d8d23526dc8d1040a64e883cb42aea3052d499ea4c95e775384ae710b1222191ead6f8b0e0b560
-
Filesize
695KB
MD53b3f8e087fc13a4b7bc9cf7dbba4ed9b
SHA1321e0d0c5c275f2f57af78bc465535a923d2427c
SHA256ae71f96b5316a5b8eff90f2da4c9b55c57fb6a74193f380deb38e49fe1010dde
SHA512f823d1460eb52fd039c248e6353587adb2b78ca9ef988aa9ec7402c428fc3f178d099d5ecd106fdd9e2e051d87db4a799cd3de51c402e5c79e5014e6c8c6a6b5
-
Filesize
1KB
MD57a7521bc7f838610905ce0286324ce39
SHA18ab90dd0c4b6edb79a6af2233340d0f59e9ac195
SHA2562a322178557c88cc3c608101e8fc84bfd2f8fa9b81483a443bb3d09779de218d
SHA512b25dfdce0977eaf7159df5eabe4b147a6c0adac39c84d1c7a9fe748446a10c8d2e20d04cf36221057aa210633df65f2a460821c8c79a2db16c912ec53a714d83
-
Filesize
275KB
MD5c5098ff401b766e6e554499d37d0b716
SHA1fd4c3df050ec2b30740e2d62b27a9e375401f190
SHA256b015c62c09b4033d0a4caae36f3a9804a8cee2549145e199ada5a9bf51095e0d
SHA51204f3261ed8d59e5e8455d868cb7ceef97466fb4fc57a98544024f53c4ba9d935e9441169f0705877cf3578f2ef4fc1b54921e9e15ecc70003c67452ae1393f01
-
Filesize
7KB
MD526009f092ba352c1a64322268b47e0e3
SHA1e1b2220cd8dcaef6f7411a527705bd90a5922099
SHA256150ef8eb07532146f833dc020c02238161043260b8a565c3cfcb2365bad980d9
SHA512c18111982ca233a7fc5d1e893f9bd8a3ed739756a47651e0638debb0704066af6b25942c7961cdeedf953a206eb159fe50e0e10055c40b68eb0d22f6064bb363
-
Filesize
1.7MB
MD52b703c5c00841d1439afd2bfd7cb4a7e
SHA1c013b484287fc793cf06bc1b9d3a9016b7d7cb01
SHA2569b04fd775ed3e774d7a649d7332087efce818f011387d948b47b1af9da99fd04
SHA5125a77690bd9fa9c48ac3119f61463f61ebfe0d8d3a34076387abfb45f350fa3d00d4ff68071032bbffaf681cd9a79b99297a73987e7bd088b70f536791fe6be83
-
Filesize
70KB
MD549aebf8cbd62d92ac215b2923fb1b9f5
SHA11723be06719828dda65ad804298d0431f6aff976
SHA256b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b
-
Filesize
181KB
MD54ea6026cf93ec6338144661bf1202cd1
SHA1a1dec9044f750ad887935a01430bf49322fbdcb7
SHA2568efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA5126c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b
-
Filesize
51KB
MD57f8e1969b0874c8fb9ab44fc36575380
SHA13057c9ce90a23d29f7d0854472f9f44e87b0f09a
SHA256076221b4527ff13c3e1557abbbd48b0cb8e5f7d724c6b9171c6aadadb80561dd
SHA5127aa65cfadc2738c0186ef459d0f5f7f770ba0f6da4ccd55a2ceca23627b7f13ba258136bab88f4eee5d9bb70ed0e8eb8ba8e1874b0280d2b08b69fc9bdd81555
-
C:\Windows\System32\DriverStore\FileRepository\oemvista.inf_amd64_neutral_662fd96dfdced4ae\oemvista.PNF
Filesize8KB
MD562261bc1e473e251bd5387a35ad862ee
SHA1667a6f8bb11061be7a9b8089366d695bcccf8abf
SHA2561eb3a27f37ab15361c838752632b45f772a021cb53841caff59b7225f5bc2318
SHA512bd87af571a2c07157992e3045c9579c0d5df7ea61e73e232eadbf5ae151063a64c3f67ee4b4b2f0c676040b583af7243913247600fe9842cfae478fde2ebaf3c
-
Filesize
1.4MB
MD5ce6f659d33ff8f1508025e2b5b792d89
SHA1dbaf5e18e52ed46aa93b4f3c4014348b902b7cac
SHA2564946c05933fce3402fc9bdf48ae0b46eaaf2a2b7abc8275b93e5d211fb8f7b0c
SHA512e410e7ba955a66d9ba3b6f0286a47c25939a0d9c59a051e5c9cf658eb94360da1f38cadf5bb7d0e90285125c7dae25359cc2674f5a161fdf4f514067ebd69aba
-
Filesize
29KB
MD5d59a6b36c5a94916241a3ead50222b6f
SHA1e274e9486d318c383bc4b9812844ba56f0cff3c6
SHA256a38d01d3f024e626d579cf052ac3bd4260bb00c34bc6085977a5f4135ab09b53
SHA51217012307955fef045e7c13bf0613bd40df27c29778ba6572640b76c18d379e02dc478e855c9276737363d0ad09b9a94f2adaa85da9c77ebb3c2d427aa68e2489
-
Filesize
81KB
MD5b13f51572f55a2d31ed9f266d581e9ea
SHA17eef3111b878e159e520f34410ad87adecf0ca92
SHA256725980edc240c928bec5a5f743fdabeee1692144da7091cf836dc7d0997cef15
SHA512f437202723b2817f2fef64b53d4eb67f782bdc61884c0c1890b46deca7ca63313ee2ad093428481f94edfcecd9c77da6e72b604998f7d551af959dbd6915809c
-
Filesize
8KB
MD55cb82b107f3712552d591190d2ea386f
SHA1df0c2ae31124e8298269c17e75e8a2fbd551b19b
SHA2561d5269476b1ff5d14ec617eb30f612b18cba028fa719444a61e56a83e573a03b
SHA5120d12b6522754be86c7ba33c4d73791a244ba40089cd5690c3b68e647a0fe63f1862813f8f3704f5108b566a4fc71ee4be6250a3a2ece4eab3ea7759e72bb95df
-
Filesize
30KB
MD5b1c405ed0434695d6fc893c0ae94770c
SHA179ecacd11a5f2b7e2d3f0461eef97b7b91181c46
SHA2564c474ea37a98899e2997591a5e963f10f7d89d620c74c8ee099d3490f5213246
SHA512635421879cd4c7c069489033afaf7db1641615bfd84e237264acfe3f2d67668ecfe8a9b9edd0e9d35b44dec7d6ba0197ed7048dfb8ec3dba87ccdc88be9acfb7
-
Filesize
9KB
MD54fee2548578cd9f1719f84d2cb456dbf
SHA13070ed53d0e9c965bf1ffea82c259567a51f5d5f
SHA256baecd78253fb6fbcfb521131e3570bf655aa9a05bb5610ce8bb4bddccf599b24
SHA5126bc0c8c3757d1e226218a9485a4f9cdbae7ca40b56c35b9ff28c373be9bd6fbd7b1846ddf5680edb2e910d31912791afe2f9f2207b3880b56adb55426fc3fd49
-
Filesize
242KB
MD53530cb1b45ff13ba4456e4ffbcae6379
SHA15be7b8e19418212a5a93e900c12830facfd6ba54
SHA256e0669b6312baaef6a3c86f3142b333eab48494511405398bb09cc464881a43c9
SHA51223baae23815fc946203be6d93cef84ff23fde8ed88017179c65b7de1f3b6114bc8343c277b8ae5a1d85aa59f25b5f146c1d827b7e4617bfd0aa0ff20359f49b5
-
Filesize
22KB
MD54fb031cb8840ee01cb6aa90696557143
SHA1b009c8c975929b73dd977969e6816066d57f39c6
SHA25664b09932ef5b25f5c2c185fe955c7784ab23cdf7d12fdad77fe05947e20006ba
SHA51203731c0f6423f2fa3d6710b86c7cc41aa970058b818ab724321040984841dc451109638c813d564cb89dd00af3962e84811aed5a3b37ae9a1b9c1febeb85ae60
-
Filesize
127KB
MD50e444739d07678a3f6ea4202c4237832
SHA10689c9cdad379b4b0952674a7bf75a5a1f2f33a9
SHA256a3aab8ca7b0747242207d1223e241e602b45ba69f25ba5b611a12eeacd19ec1a
SHA51285f6d4920d93f8ee2bb7a384424c9eea25cc5591bf7a7301bdc31170944549b3860a90c5694f194ee0f9cd85f0ea053e89039f95ff806b735e526d583ee7e0bf
-
Filesize
99KB
MD51e3cf83b17891aee98c3e30012f0b034
SHA1824f299e8efd95beca7dd531a1067bfd5f03b646
SHA2569f45a39015774eeaa2a6218793edc8e6273eb9f764f3aedee5cf9e9ccacdb53f
SHA512fa5cf687eefd7a85b60c32542f5cb3186e1e835c01063681204b195542105e8718da2f42f3e1f84df6b0d49d7eebad6cb9855666301e9a1c5573455e25138a8b
-
Filesize
12KB
MD5192639861e3dc2dc5c08bb8f8c7260d5
SHA158d30e460609e22fa0098bc27d928b689ef9af78
SHA25623d618a0293c78ce00f7c6e6dd8b8923621da7dd1f63a070163ef4c0ec3033d6
SHA5126e573d8b2ef6ed719e271fd0b2fd9cd451f61fc9a9459330108d6d7a65a0f64016303318cad787aa1d5334ba670d8f1c7c13074e1be550b4a316963ecc465cdc
-
Filesize
9KB
MD5b7d61f3f56abf7b7ff0d4e7da3ad783d
SHA115ab5219c0e77fd9652bc62ff390b8e6846c8e3e
SHA25689a82c4849c21dfe765052681e1fad02d2d7b13c8b5075880c52423dca72a912
SHA5126467c0de680fadb8078bdaa0d560d2b228f5a22d4d8358a1c7d564c6ebceface5d377b870eaf8985fbee727001da569867554154d568e3b37f674096bbafafb8
-
Filesize
7KB
MD511092c1d3fbb449a60695c44f9f3d183
SHA1b89d614755f2e943df4d510d87a7fc1a3bcf5a33
SHA2562cd3a2d4053954db1196e2526545c36dfc138c6de9b81f6264632f3132843c77
SHA512c182e0a1f0044b67b4b9fb66cef9c4955629f6811d98bbffa99225b03c43c33b1e85cacabb39f2c45ead81cd85e98b201d5f9da4ee0038423b1ad947270c134a
-
Filesize
4KB
MD5f0438a894f3a7e01a4aae8d1b5dd0289
SHA1b058e3fcfb7b550041da16bf10d8837024c38bf6
SHA25630c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
SHA512f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
