Analysis
- max time kernel: 81s
- max time network: 81s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-06-2024 04:22

Static task: static1

Behavioral task: behavioral1
- Sample: BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar
- Resource: win7-20240611-en

Behavioral task: behavioral2
- Sample: BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar
- Resource: win10v2004-20240508-en
General
- Target: BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar
- Size: 1.6MB
- MD5: 5463655fb82c3271f41acf756fe82577
- SHA1: 4c64f4fcf1f64ac3aa4086cbccf0fdc5de0854a6
- SHA256: 77436bfe8498d733a09f07608054731d5f7ddb28e56ea7166c89fbae134fe334
- SHA512: 510316f97aee0d814aeae12fd9bfb0a484c0146ba0d4cdc6988c8a014664026ed3c41794ddbadb736fcc96fe8e83cea514ea6e1a9ce12d9848186771b8a98827
- SSDEEP: 24576:530ImfpJElqcPs3JQ8yRHAMF8Nyq0HQoiYYEPNpPkpIaGD8e71krJOqAMBDgzuis:RpmfpiZs3RwgMgyqOMYPUpIbJMcu/
Malware Config
Signatures
- RedLine
  RedLine Stealer is a malware family written in C#, first appearing in early 2020.
- RedLine payload (2 IoCs)
  Processes:
    resource | yara_rule
    C:\Users\Admin\AppData\Local\Temp\VPN.exe | family_redline
    behavioral2/memory/4824-49-0x0000000000EF0000-0x0000000000F60000-memory.dmp | family_redline
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes: BrightVPN-Setup-1.422.634-fb2e56b7.exe
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation | BrightVPN-Setup-1.422.634-fb2e56b7.exe
- Executes dropped EXE (4 IoCs)
  Processes: BrightVPN-Setup-1.422.634-fb2e56b7.exe, VPN.exe, BrightVPN-Setup-1.422.631-fb2e56b2.exe, brightvpn_installer.exe
    pid | process
    960 | BrightVPN-Setup-1.422.634-fb2e56b7.exe
    4824 | VPN.exe
    1856 | BrightVPN-Setup-1.422.631-fb2e56b2.exe
    224 | brightvpn_installer.exe
- Loads dropped DLL (17 IoCs)
  Processes: BrightVPN-Setup-1.422.631-fb2e56b2.exe
    pid | process
    1856 | BrightVPN-Setup-1.422.631-fb2e56b2.exe (17 identical entries)
- Drops file in Program Files directory (1 IoC)
  Processes: BrightVPN-Setup-1.422.631-fb2e56b2.exe
    description | ioc | process
    File created | C:\Program Files (x86)\Bright VPN\uninstallerIcon.ico | BrightVPN-Setup-1.422.631-fb2e56b2.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (2 IoCs)
  Processes: cmd.exe, OpenWith.exe
    description | ioc | process
    Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | cmd.exe
    Key created | \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000_Classes\Local Settings | OpenWith.exe
- Suspicious behavior: EnumeratesProcesses (38 IoCs)
  Processes: 7zFM.exe, BrightVPN-Setup-1.422.631-fb2e56b2.exe, brightvpn_installer.exe
    pid | process | entries
    2980 | 7zFM.exe | 2
    1856 | BrightVPN-Setup-1.422.631-fb2e56b2.exe | 14
    224 | brightvpn_installer.exe | 22
- Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  Processes: OpenWith.exe, 7zFM.exe
    pid | process
    228 | OpenWith.exe
    2980 | 7zFM.exe
- Suspicious use of AdjustPrivilegeToken (23 IoCs)
  Processes: 7zFM.exe, VPN.exe, brightvpn_installer.exe
    description | pid | process
    Token: SeRestorePrivilege | 2980 | 7zFM.exe
    Token: 35 | 2980 | 7zFM.exe
    Token: SeSecurityPrivilege | 2980 | 7zFM.exe
    Token: SeDebugPrivilege | 4824 | VPN.exe
    Token: SeBackupPrivilege | 4824 | VPN.exe (repeated)
    Token: SeSecurityPrivilege | 4824 | VPN.exe (repeated)
    Token: SeDebugPrivilege | 224 | brightvpn_installer.exe
- Suspicious use of FindShellTrayWindow (2 IoCs)
  Processes: 7zFM.exe
    pid | process
    2980 | 7zFM.exe (2 identical entries)
- Suspicious use of SetWindowsHookEx (19 IoCs)
  Processes: OpenWith.exe
    pid | process
    228 | OpenWith.exe (19 identical entries)
- Suspicious use of WriteProcessMemory (12 IoCs)
  Processes: 7zFM.exe, BrightVPN-Setup-1.422.634-fb2e56b7.exe, BrightVPN-Setup-1.422.631-fb2e56b2.exe
    description | pid | process | target process
    PID 2980 wrote to memory of 960 | 2980 | 7zFM.exe | BrightVPN-Setup-1.422.634-fb2e56b7.exe (3 entries)
    PID 960 wrote to memory of 4824 | 960 | BrightVPN-Setup-1.422.634-fb2e56b7.exe | VPN.exe (3 entries)
    PID 960 wrote to memory of 1856 | 960 | BrightVPN-Setup-1.422.634-fb2e56b7.exe | BrightVPN-Setup-1.422.631-fb2e56b2.exe (3 entries)
    PID 1856 wrote to memory of 224 | 1856 | BrightVPN-Setup-1.422.631-fb2e56b2.exe | brightvpn_installer.exe (3 entries)
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar
  - Modifies registry class
- C:\Windows\system32\OpenWith.exe
  Command line: C:\Windows\system32\OpenWith.exe -Embedding
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of SetWindowsHookEx
- C:\Windows\System32\rundll32.exe
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Program Files\7-Zip\7zFM.exe
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.634-fb2e56b7_pass123.rar"
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\7zO4AB4AAC7\BrightVPN-Setup-1.422.634-fb2e56b7.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7zO4AB4AAC7\BrightVPN-Setup-1.422.634-fb2e56b7.exe"
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\VPN.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\VPN.exe"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
    - C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Drops file in Program Files directory
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\brightvpn_installer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\brightvpn_installer.exe" /pid=1856 /port=6451 /affiliate= /silent= /exe="C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exe"
        - Executes dropped EXE
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Downloads
- C:\Users\Admin\AppData\Local\Temp\7zO4AB4AAC7\BrightVPN-Setup-1.422.634-fb2e56b7.exe
  Filesize: 1.8MB
  MD5: 1ca12c1ddbbc4547fef82491c23913f4
  SHA1: e2e057825a10e8ba97c0185f7c01da6b449f7023
  SHA256: 2b1b91075512986f811a419c62fe115d5cc8880d8126b9f94386861f82b2c995
  SHA512: 476a0404a1a70dd99bc4f15432c653d6734cf67f7fda8282010791430c0cc9e496f68a1b29089fbc772a6dc22cb3c63b1cf09d0a9dd9bd5edca34a051c789d81
- C:\Users\Admin\AppData\Local\Temp\BrightVPN-Setup-1.422.631-fb2e56b2.exe
  Filesize: 1.6MB
  MD5: 675aa8befa9d517cc6264816d946ec73
  SHA1: 25ad029e425ffee5a38f10b5177a6d348dffcf6b
  SHA256: 729f18179dce4ff60566c140a2eb57c1ff8675c16ec8d16bc101b579825c2489
  SHA512: 42861d22b4218c792c64f8fd7b91399d8f10d4ca5dfbeba8b9fedc06e90611cddc79df15bd1735ca1bff62df32015745e72e9c6ff7dd4d1e9f4b7983708d4fc5
- C:\Users\Admin\AppData\Local\Temp\VPN.exe
  Filesize: 426KB
  MD5: 26e59e7cf9436beec765505fdd4e0d46
  SHA1: 2e1e68a4dd9204d984d7e38ad7d39a903a9325ff
  SHA256: e46a9e520de05d8eb717d49e9f3b9581692ec2690a5413f677aa8da435483284
  SHA512: 99e7acd86a277b60bb266729ce6062fdbc72c96382c012ba8576b246c79b36df0ac4d5615ca77b4fb1593d3bceffc788895bd3cb7d0a41c51829d55a0cca5c1e
- C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\INetC.dll
  Filesize: 238KB
  MD5: 38caa11a462b16538e0a3daeb2fc0eaf
  SHA1: c22a190b83f4b6dc0d6a44b98eac1a89a78de55c
  SHA256: ed04a4823f221e9197b8f3c3da1d6859ff5b176185bde2f1c923a442516c810a
  SHA512: 777135e05e908ac26bfce0a9c425b57f7132c1cdb0969bbb6ef625748c868860602bacc633c61cab36d0375b94b6bcfbd8bd8c7fa781495ef7332e362f8d44d1
- C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\SpiderBanner.dll
  Filesize: 9KB
  MD5: 17309e33b596ba3a5693b4d3e85cf8d7
  SHA1: 7d361836cf53df42021c7f2b148aec9458818c01
  SHA256: 996a259e53ca18b89ec36d038c40148957c978c0fd600a268497d4c92f882a93
  SHA512: 1abac3ce4f2d5e4a635162e16cf9125e059ba1539f70086c2d71cd00d41a6e2a54d468e6f37792e55a822d7082fb388b8dfecc79b59226bbb047b7d28d44d298
- C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\StdUtils.dll
  Filesize: 100KB
  MD5: c6a6e03f77c313b267498515488c5740
  SHA1: 3d49fc2784b9450962ed6b82b46e9c3c957d7c15
  SHA256: b72e9013a6204e9f01076dc38dabbf30870d44dfc66962adbf73619d4331601e
  SHA512: 9870c5879f7b72836805088079ad5bbafcb59fc3d9127f2160d4ec3d6e88d3cc8ebe5a9f5d20a4720fe6407c1336ef10f33b2b9621bc587e930d4cbacf337803
- C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\System.dll
  Filesize: 12KB
  MD5: 0d7ad4f45dc6f5aa87f606d0331c6901
  SHA1: 48df0911f0484cbe2a8cdd5362140b63c41ee457
  SHA256: 3eb38ae99653a7dbc724132ee240f6e5c4af4bfe7c01d31d23faf373f9f2eaca
  SHA512: c07de7308cb54205e8bd703001a7fe4fd7796c9ac1b4bb330c77c872bf712b093645f40b80ce7127531fe6746a5b66e18ea073ab6a644934abed9bb64126fea9
- C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\brightvpn_installer.exe
  Filesize: 2.1MB
  MD5: ead86124e599168b695d0a189c59a09d
  SHA1: 9156448ac0e2dd8b9d2d893e581b5082678ca620
  SHA256: f182bb57ce37e30e532bba3114c7c96b79ae5e94872c2c05822c57d1258ac208
  SHA512: 44fe37d8270bc2c69653aed999b563df9d4e8e099b08e126770ae3517e3ffeb4cf3cdc0568b9bc98b25e67f3b44e5393c7ef4b632fb5149c287110cde8d65246
- C:\Users\Admin\AppData\Local\Temp\nsiCDD.tmp\nsProcess.dll
  Filesize: 4KB
  MD5: f0438a894f3a7e01a4aae8d1b5dd0289
  SHA1: b058e3fcfb7b550041da16bf10d8837024c38bf6
  SHA256: 30c6c3dd3cc7fcea6e6081ce821adc7b2888542dae30bf00e881c0a105eb4d11
  SHA512: f91fcea19cbddf8086affcb63fe599dc2b36351fc81ac144f58a80a524043ddeaa3943f36c86ebae45dd82e8faf622ea7b7c9b776e74c54b93df2963cfe66cc7
- memory/224-67-0x00000000075C0000-0x00000000075CE000-memory.dmp
  Filesize: 56KB
- memory/224-66-0x00000000075E0000-0x0000000007618000-memory.dmp
  Filesize: 224KB
- memory/224-65-0x0000000007D50000-0x0000000007D58000-memory.dmp
  Filesize: 32KB
- memory/224-64-0x0000000005C20000-0x0000000005C42000-memory.dmp
  Filesize: 136KB
- memory/224-63-0x00000000007B0000-0x00000000009C6000-memory.dmp
  Filesize: 2.1MB
- memory/4824-49-0x0000000000EF0000-0x0000000000F60000-memory.dmp
  Filesize: 448KB
- memory/4824-58-0x0000000008CF0000-0x0000000008D3C000-memory.dmp
  Filesize: 304KB
- memory/4824-57-0x0000000008B80000-0x0000000008BBC000-memory.dmp
  Filesize: 240KB
- memory/4824-56-0x0000000008B20000-0x0000000008B32000-memory.dmp
  Filesize: 72KB
- memory/4824-55-0x0000000008BE0000-0x0000000008CEA000-memory.dmp
  Filesize: 1.0MB
- memory/4824-54-0x00000000090A0000-0x00000000096B8000-memory.dmp
  Filesize: 6.1MB
- memory/4824-53-0x0000000005B60000-0x0000000005B6A000-memory.dmp
  Filesize: 40KB
- memory/4824-52-0x00000000059D0000-0x0000000005A62000-memory.dmp
  Filesize: 584KB
- memory/4824-51-0x0000000005EE0000-0x0000000006484000-memory.dmp
  Filesize: 5.6MB
- memory/4824-50-0x0000000003320000-0x0000000003340000-memory.dmp
  Filesize: 128KB