Windows 7 deprecation
Windows 7 will be removed from tria.ge on 2025-03-31
Analysis
-
max time kernel
256s -
max time network
227s -
platform
windows10-ltsc 2021_x64 -
resource
win10ltsc2021-20250113-en -
resource tags
-
submitted
17/01/2025, 10:48
General
-
Target
VyprVPN.exe
-
Size
1.6MB
-
MD5
f1d5f022e71b8bc9e3241fbb72e87be2
-
SHA1
1b8abac6f9ffc3571b14c68ae1bc5e7568b4106c
-
SHA256
08fb58bfaee81d99cbb71bf71ba8f2ab4f107563c5b0c3f20484d096b337e50d
-
SHA512
f16130958a3ff33b21623881cbdeec018dd031b4aeb01bbb676c4bdeb1ec1d4f7d312efab48b4125eaaf6ea1c8b0aa4e037b1959af1f10c2a55fbc2da9f3924f
-
SSDEEP
24576:nTadGsNY1i8fWCsSpqq5M0bOk61uyG2CWm3U9X+Y0ttcN0sH2U9:nsGsm1qSp/MzRuI19X+Y0w39
Malware Config
Signatures
-
Modifies WinLogon for persistence 2 TTPs 2 IoCs
-
Checks computer location settings 2 TTPs 4 IoCs
Looks up country code configured in the registry, likely geofence.
-
Executes dropped EXE 6 IoCs
-
Loads dropped DLL 2 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Suspicious use of NtSetInformationThreadHideFromDebugger 4 IoCs
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 2 IoCs
Adversaries may check for Internet connectivity on compromised systems.
-
NSIS installer 2 IoCs
-
Modifies registry class 64 IoCs
-
Runs ping.exe 1 TTPs 1 IoCs
-
Scheduled Task/Job: Scheduled Task 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
-
Suspicious behavior: EnumeratesProcesses 2 IoCs
-
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
-
Suspicious use of AdjustPrivilegeToken 3 IoCs
-
Suspicious use of FindShellTrayWindow 1 IoCs
-
Suspicious use of SetWindowsHookEx 6 IoCs
-
Suspicious use of WriteProcessMemory 21 IoCs
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"C:\Users\Admin\AppData\Local\Temp\VyprVPN.exe"1⤵
- Checks computer location settings
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"C:\Users\Admin\AppData\Roaming\1337\joinResult.exe"2⤵
- Checks computer location settings
- Executes dropped EXE
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
-
C:\Users\Admin\AppData\Roaming\1337\1111.exe"C:\Users\Admin\AppData\Roaming\1337\1111.exe"3⤵
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of NtSetInformationThreadHideFromDebugger
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\cmd.execmd.exe /C ping 1.1.1.1 -n 3 -w 3000 > Nul & Del /f /q "C:\Users\Admin\AppData\Roaming\1337\1111.exe"4⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Suspicious use of WriteProcessMemory
-
C:\Windows\SysWOW64\PING.EXEping 1.1.1.1 -n 3 -w 30005⤵
- System Location Discovery: System Language Discovery
- System Network Configuration Discovery: Internet Connection Discovery
- Runs ping.exe
-
-
-
-
C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"C:\Users\Admin\AppData\Roaming\1337\Clipper.exe"3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
-
C:\Windows\System32\schtasks.exe"C:\Windows\System32\schtasks.exe" /create /sc MINUTE /mo 1 /tn "Windows Service" /tr "C:\Users\Admin\WinService.exe" /f4⤵
- Scheduled Task/Job: Scheduled Task
-
-
C:\Users\Admin\WinService.exe"C:\Users\Admin\WinService.exe"4⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
-
-
-
C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"C:\Users\Admin\AppData\Roaming\1337\VyprVPN.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of FindShellTrayWindow
- Suspicious use of SetWindowsHookEx
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -u -p 1888 -s 21043⤵
- Program crash
-
-
-
C:\Users\Admin\WinService.exe"C:\Users\Admin\WinService.exe"1⤵
- Executes dropped EXE
- Suspicious use of AdjustPrivilegeToken
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document.txt1⤵
-
C:\Windows\system32\NOTEPAD.EXE"C:\Windows\system32\NOTEPAD.EXE" C:\Users\Admin\Desktop\New Text Document (2).txt1⤵
-
C:\Windows\SysWOW64\WerFault.exeC:\Windows\SysWOW64\WerFault.exe -pss -s 420 -p 1888 -ip 18881⤵
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Privilege Escalation
Boot or Logon Autostart Execution
1Winlogon Helper DLL
1Scheduled Task/Job
1Scheduled Task
1Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
1Credentials In Files
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
11KB
MD52ae993a2ffec0c137eb51c8832691bcb
SHA198e0b37b7c14890f8a599f35678af5e9435906e1
SHA256681382f3134de5c6272a49dd13651c8c201b89c247b471191496e7335702fa59
SHA5122501371eb09c01746119305ba080f3b8c41e64535ff09cee4f51322530366d0bd5322ea5290a466356598027e6cda8ab360caef62dcaf560d630742e2dd9bcd9
-
Filesize
1.4MB
MD532373185ece79936dfd0fd41d2848a2e
SHA1591f92bcaeeea85e8bba6988ef0d1afcea35fbbd
SHA2565390fc20629a4a350dc8f0482472f9962f50364b7818b2d510beb4e520581ad4
SHA512443b8df46dd6009285500148d2c4e0654e20e24b897fb29a9eded1cb21da6c495feaa1df81043ed4818f6ea511813c926e9f645b3ec4c8ab5c2c79f0fb5859dc
-
Filesize
18KB
MD5c7e43ab36c3da3371fc915de9dc5106f
SHA1f1bb12ae485853c1a28a8306604ef3eb3939068d
SHA2564ff04b9be72efe982594832d51681c08334f4d8512c3560c646c21f88fd5e532
SHA512383a02a7a338ca66077f5d577ae7f63f95cf1b711f1338e9dd11867a62d6dc298e0fd01878adc273669f5f1e8cffb0aa4ea3efa75ffb870616a0d3fef3cb454e
-
Filesize
3.2MB
MD525e9776bb3965060ac5d9234fd25a11d
SHA15df6e261a930c0068c94542ef5180722a513e4fb
SHA2568321b2785893442efeedddc40f0979563e8e2fc1a51cc3e4ee93d6f36d4e154d
SHA5128735acb4bad98ad06b9cee96cda9a3c5026e5f584bd4efb782cf9a8a6f3ea9e39f7d280497dabbb5f6662a6a63bb9a6674c4c020bc73669517b05d0e708d0d7c
-
Filesize
1.8MB
MD579022fbafee9fe740a5230f87bd33171
SHA142bf0f7bf41009fd0009535a8b1162cbe60dce6f
SHA256640c30cfa519be11c02c4e51bf18979a93266887cc9ef19076b3d0f1f20528b6
SHA51248e0d4a18d99dce4398de73895a157e13293115b52ee5158f9ea6fc73c4d5f4133e1cebba14ff5482b8c4f7dfeebfe3b003df1caf351314f1cc16944818df4b3
-
Filesize
14B
MD5d8cd923a222d15e85fdfd277723e11a5
SHA19644523455c770ee27e1a713ad2c10835a9050f7
SHA256ecce2a59ca77d543e9d9352a7f1a59e297ac22a770b55ad8b35902753bae3a24
SHA512ae0c99c31240a1d15317f1dde1f009ae288f7dc3a9b69373ae1e7ca37d9a288f0f5f4ede39db36624fc6862bb0485841b3f070122d03459300878d2b960ec21a
-
Filesize
20B
MD517a30faeb07000ffe2dfe165d93a306d
SHA1e8c7fd20e9e496a55949eaac19628b6ce06c6521
SHA2565f440b0dccefdb33ea19cb76edc1fbcf4831c044d58b3e32898f8ebbca95bbf3
SHA51236ef65f6c8d4405b50ffbe82060467047e10895a96328a05a4ddb226877d4e8badf7ff94e3b01f943533deba11a9d596d8ca75d67ca4289895c2c3e95c1ed4ac
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
4.0MB
-
Filesize
584KB
-
Filesize
344KB
-
Filesize
4KB
-
Filesize
624KB
-
Filesize
40KB
-
Filesize
5.6MB
-
Filesize
3.2MB
-
Filesize
4KB
-
Filesize
40KB