Edit tour

Windows Analysis Report
VPNService.exe

Overview

General Information

Sample name:	VPNService.exe
Analysis ID:	1475751
MD5:	62147adc1c9d01e22330b9aa7a55d3e9
SHA1:	d3bdf1b775bb81f3ba7870915c2c3082a2f6fc8b
SHA256:	be0081496465113e2fde3675352c194b891296f102c6651a903d3439846a31f6
Infos:

Detection

Score:	52
Range:	0 - 100
Whitelisted:	false
Confidence:	100%

Signatures

Multi AV Scanner detection for submitted file

AI detected suspicious sample

Program does not show much activity (idle)

Uses 32bit PE files

Classification

Process Tree

System is w10x64

VPNService.exe (PID: 3560 cmdline: "C:\Users\user\Desktop\VPNService.exe" MD5: 62147ADC1C9D01E22330B9AA7A55D3E9)

cleanup

Malware Configuration

⊘No configs have been found

Yara Signatures

Initial Sample

Source	Rule	Description	Author	Strings
VPNService.exe	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Memory Dumps

Source	Rule	Description	Author	Strings
00000000.00000000.2006409566.0000000000401000.00000020.00000001.01000000.00000003.sdmp	JoeSecurity_DelphiSystemParamCount	Detected Delphi use of System.ParamCount()	Joe Security

Sigma Signatures

⊘No Sigma rule has matched

Snort Signatures

⊘No Snort rule has matched

Joe Sandbox Signatures

Click to jump to signature section

Show All Signature Results

AV Detection

Multi AV Scanner detection for submitted file

Source: VPNService.exe	ReversingLabs: Detection: 21%
Source: VPNService.exe	Virustotal: Detection: 27%			Perma Link

AI detected suspicious sample

Source: Submited Sample

Integrated Neural Analysis Model: Matched 94.5% probability

Source: VPNService.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: VPNService.exe

Static PE information: EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI

Source: classification engine

Classification label: mal52.winEXE@1/0@0/0

Source: Yara match	File source: VPNService.exe, type: SAMPLE
Source: Yara match	File source: 00000000.00000000.2006409566.0000000000401000.00000020.00000001.01000000.00000003.sdmp, type: MEMORY

Source: C:\Users\user\Desktop\VPNService.exe

Key opened: HKEY_CURRENT_USER\Software\Borland\Delphi\Locales

Jump to behavior

Source: C:\Users\user\Desktop\VPNService.exe

Key opened: HKEY_CURRENT_USER\Software\Policies\Microsoft\Windows\Safer\CodeIdentifiers

Jump to behavior

Source: VPNService.exe	ReversingLabs: Detection: 21%
Source: VPNService.exe	Virustotal: Detection: 27%

Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: apphelp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: version.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: uxtheme.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: wship6.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: kernel.appcore.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: napinsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: pnrpnsp.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: wshbth.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: nlaapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: iphlpapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: mswsock.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: dnsapi.dll	Jump to behavior
Source: C:\Users\user\Desktop\VPNService.exe	Section loaded: winrnr.dll	Jump to behavior

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Source: VPNService.exe, 00000000.00000002.2007616639.0000000000775000.00000004.00000020.00020000.00000000.sdmp

Binary or memory string: Hyper-V RAW%SystemRoot%\system32\mswsock.dllN

Source: all processes

Thread injection, dropped files, key value created, disk infection and DNS query: no activity detected

Mitre Att&ck Matrix

Reconnaissance	Resource Development	Initial Access	Execution	Persistence	Privilege Escalation	Defense Evasion	Credential Access	Discovery	Lateral Movement	Collection	Command and Control	Exfiltration	Impact
Gather Victim Identity Information	Acquire Infrastructure	Valid Accounts	Windows Management Instrumentation	1 DLL Side-Loading	1 DLL Side-Loading	1 DLL Side-Loading	OS Credential Dumping	1 Security Software Discovery	Remote Services	Data from Local System	Data Obfuscation	Exfiltration Over Other Network Medium	Abuse Accessibility Features
Credentials	Domains	Default Accounts	Scheduled Task/Job	Boot or Logon Initialization Scripts	Boot or Logon Initialization Scripts	Rootkit	LSASS Memory	1 System Information Discovery	Remote Desktop Protocol	Data from Removable Media	Junk Data	Exfiltration Over Bluetooth	Network Denial of Service

Behavior Graph

Hide Legend

Legend:

Process
Signature
Created File
DNS/IP Info
Is Dropped
Is Windows Process
Number of created Registry Values
Number of created Files
Visual Basic
Delphi
Java
.Net C# or VB.NET
C, C++ or other language
Is malicious
Internet

Source	Detection	Scanner	Label	Link
VPNService.exe	22%	ReversingLabs	Win32.Trojan.Barys
VPNService.exe	27%	Virustotal		Browse

Joe Sandbox version:	40.0.0 Tourmaline
Analysis ID:	1475751
Start date and time:	2024-07-18 09:38:51 +02:00
Joe Sandbox product:	CloudBasic
Overall analysis duration:	0h 1m 39s
Hypervisor based Inspection enabled:	false
Report type:	full
Cookbook file name:	default.jbs
Analysis system description:	Windows 10 x64 22H2 with Office Professional Plus 2019, Chrome 117, Firefox 118, Adobe Reader DC 23, Java 8 Update 381, 7zip 23.01
Number of analysed new started processes analysed:	2
Number of new started drivers analysed:	0
Number of existing processes analysed:	0
Number of existing drivers analysed:	0
Number of injected processes analysed:	0
Technologies:	EGA enabled AMSI enabled
Analysis Mode:	default
Analysis stop reason:	Timeout
Sample name:	VPNService.exe
Detection:	MAL
Classification:	mal52.winEXE@1/0@0/0
Cookbook Comments:	Found application associated with file extension: .exe Stop behavior analysis, all processes terminated

Warnings

Exclude process from analysis (whitelisted): dllhost.exe

File type:	PE32 executable (GUI) Intel 80386, for MS Windows
Entropy (8bit):	5.898689254062444
TrID:	Win32 Executable (generic) a (10002005/4) 99.81% Windows Screen Saver (13104/52) 0.13% Win16/32 Executable Delphi generic (2074/23) 0.02% Generic Win/DOS Executable (2004/3) 0.02% DOS Executable Generic (2002/1) 0.02%
File name:	VPNService.exe
File size:	933'888 bytes
MD5:	62147adc1c9d01e22330b9aa7a55d3e9
SHA1:	d3bdf1b775bb81f3ba7870915c2c3082a2f6fc8b
SHA256:	be0081496465113e2fde3675352c194b891296f102c6651a903d3439846a31f6
SHA512:	4138fdb4c9544adc10e4ea7ff98dcec819d217b3437c4c6a7fb5843d31b017ee9d506242e55971ab14018ceb16959bc719ae1f1248e7c418dab6fc2870fe78a3
SSDEEP:	12288:CBMOiH3MmnM2NfQf8JZXREvG6FIDrWqiWmQIX2MYHPoT/DQsr:CicmnM2NfQ0J7J6MrriWmQIX2pvoLn
TLSH:	97155D21F2998732D1322BBB8C5A91B454267FF12D2869067AF43D0C5F396F2BD1C297
File Content Preview:	MZP.....................@...............................................!..L.!..This program must be run under Win32..$7.......................................................................................................................................

File Icon


Icon Hash:	0dd2d4d455ae0f33

Static PE Info

General

Entrypoint:	0x49499c
Entrypoint Section:	.itext
Digitally signed:	false
Imagebase:	0x400000
Subsystem:	windows gui
Image File Characteristics:	EXECUTABLE_IMAGE, LINE_NUMS_STRIPPED, LOCAL_SYMS_STRIPPED, BYTES_REVERSED_LO, 32BIT_MACHINE, BYTES_REVERSED_HI
DLL Characteristics:
Time Stamp:	0x66604032 [Wed Jun 5 10:38:42 2024 UTC]
TLS Callbacks:
CLR (.Net) Version:
OS Version Major:	4
OS Version Minor:	0
File Version Major:	4
File Version Minor:	0
Subsystem Version Major:	4
Subsystem Version Minor:	0
Import Hash:	70e568631c0e19f87224b5df0f259a40

Entrypoint Preview

Instruction
push ebp
mov ebp, esp
add esp, FFFFFFF0h
push ebx
mov eax, 00493464h
call 00007FC7EC899F68h
mov eax, dword ptr [004970F4h]
mov eax, dword ptr [eax]
cmp byte ptr [eax+30h], 00000000h
je 00007FC7EC9274E2h
mov eax, dword ptr [004970F4h]
mov eax, dword ptr [eax]
call 00007FC7EC8F8B43h
test al, al
je 00007FC7EC9274DEh
mov eax, dword ptr [004970F4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [eax]
call dword ptr [edx+34h]
mov ecx, dword ptr [00496F18h]
mov eax, dword ptr [004970F4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [00492EA8h]
mov ebx, dword ptr [eax]
call dword ptr [ebx+30h]
mov eax, dword ptr [004970F4h]
mov eax, dword ptr [eax]
mov edx, dword ptr [eax]
call dword ptr [edx+38h]
pop ebx
call 00007FC7EC897A4Dh
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al
add byte ptr [eax], al

Data Directories

Name	Virtual Address	Virtual Size	Is in Section
IMAGE_DIRECTORY_ENTRY_EXPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IMPORT	0x9e000	0x2cae	.idata
IMAGE_DIRECTORY_ENTRY_RESOURCE	0xae000	0x40800	.rsrc
IMAGE_DIRECTORY_ENTRY_EXCEPTION	0x0	0x0
IMAGE_DIRECTORY_ENTRY_SECURITY	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BASERELOC	0xa3000	0xab04	.reloc
IMAGE_DIRECTORY_ENTRY_DEBUG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COPYRIGHT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_GLOBALPTR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_TLS	0xa2000	0x18	.rdata
IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG	0x0	0x0
IMAGE_DIRECTORY_ENTRY_BOUND_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_IAT	0x9e838	0x6e4	.idata
IMAGE_DIRECTORY_ENTRY_DELAY_IMPORT	0x0	0x0
IMAGE_DIRECTORY_ENTRY_COM_DESCRIPTOR	0x0	0x0
IMAGE_DIRECTORY_ENTRY_RESERVED	0x0	0x0

Sections

Name	Virtual Address	Virtual Size	Raw Size	MD5	Xored PE	ZLIB Complexity	File Type	Entropy	Characteristics
.text	0x1000	0x92894	0x92a00	07c911ae7de1657ce95617026770bd78	False	0.5038263267263428	data	6.545894867325968	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.itext	0x94000	0xa00	0xa00	c92a850c3d1dbe3b57120bd535c60ad2	False	0.621875	data	6.272740824389706	IMAGE_SCN_CNT_CODE, IMAGE_SCN_MEM_EXECUTE, IMAGE_SCN_MEM_READ
.data	0x95000	0x238c	0x2400	1484f3f5833f6ba7a82f7b679c2e5647	False	0.4187282986111111	data	4.120973060954713	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.bss	0x98000	0x5120	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.idata	0x9e000	0x2cae	0x2e00	1d14a1dedcc4e4820bf8c3da41341868	False	0.30850883152173914	data	5.164456668571495	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.tls	0xa1000	0x38	0x0	d41d8cd98f00b204e9800998ecf8427e	False	0	empty	0.0	IMAGE_SCN_MEM_READ, IMAGE_SCN_MEM_WRITE
.rdata	0xa2000	0x18	0x200	d6d2c22764b26531daf73ff2e1816770	False	0.05078125	MacBinary, Mon Feb 6 07:28:16 2040 INVALID date, modified Mon Feb 6 07:28:16 2040 "J"	0.20544562813451883	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ
.reloc	0xa3000	0xab04	0xac00	96d3825212c7a80fd02b97fd0098e6e7	False	0.5858920784883721	data	6.663456226845508	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_DISCARDABLE, IMAGE_SCN_MEM_READ
.rsrc	0xae000	0x40800	0x40800	0d652a08f93b8bf75416c1e132727b30	False	0.1426159762596899	data	2.98135923879323	IMAGE_SCN_CNT_INITIALIZED_DATA, IMAGE_SCN_MEM_READ

Resources

Name	RVA	Size	Type	Language	Country	ZLIB Complexity
ANICURSOR	0xaec00	0xebb6	RIFF (little-endian) data, animated cursor "Blue-glass wait cursor with shadow fro Vista." RealWorld Graphics	Italian	Italy	0.2590401378807464
RT_CURSOR	0xbd7b8	0x1082c	data	Italian	Italy	0.027414680309930797
RT_CURSOR	0xcdfe4	0x94ac	data	Italian	Italy	0.0407514450867052
RT_CURSOR	0xd7490	0x422c	data	Italian	Italy	0.05720188902007084
RT_CURSOR	0xdb6bc	0x25ac	data	Italian	Italy	0.0742430526752385
RT_CURSOR	0xddc68	0x10ac	data	Italian	Italy	0.11504217432052484
RT_CURSOR	0xded14	0x134	data	English	United States	0.4090909090909091
RT_CURSOR	0xdee48	0x134	Targa image data - RGB 64 x 65536 x 1 +32 "\001"	English	United States	0.4967532467532468
RT_CURSOR	0xdef7c	0x25ac	data	Italian	Italy	0.49968892575694734
RT_CURSOR	0xe1528	0x134	Targa image data - Map 64 x 65536 x 1 +32 "\001"	English	United States	0.38636363636363635
RT_CURSOR	0xe165c	0x134	data	English	United States	0.4642857142857143
RT_CURSOR	0xe1790	0x134	data	English	United States	0.4805194805194805
RT_CURSOR	0xe18c4	0x134	data	English	United States	0.38311688311688313
RT_CURSOR	0xe19f8	0x134	data	English	United States	0.36038961038961037
RT_ICON	0xe1b2c	0x468	Device independent bitmap graphic, 16 x 32 x 32, image size 1088	Italian	Italy	0.29432624113475175
RT_ICON	0xe1f94	0x10a8	Device independent bitmap graphic, 32 x 64 x 32, image size 4224	Italian	Italy	0.15431519699812382
RT_ICON	0xe303c	0x25a8	Device independent bitmap graphic, 48 x 96 x 32, image size 9600	Italian	Italy	0.14927385892116182
RT_ICON	0xe55e4	0x4228	Device independent bitmap graphic, 64 x 128 x 32, image size 16896	Italian	Italy	0.061761927255550304
RT_STRING	0xe980c	0x2ac	data			0.43567251461988304
RT_STRING	0xe9ab8	0x49c	data			0.3906779661016949
RT_STRING	0xe9f54	0x3c0	data			0.4125
RT_STRING	0xea314	0x3c8	data			0.4142561983471074
RT_STRING	0xea6dc	0x468	data			0.3971631205673759
RT_STRING	0xeab44	0x328	data			0.4158415841584158
RT_STRING	0xeae6c	0x3a0	data			0.35129310344827586
RT_STRING	0xeb20c	0x254	data			0.47651006711409394
RT_STRING	0xeb460	0x440	data			0.3538602941176471
RT_STRING	0xeb8a0	0x184	data			0.5695876288659794
RT_STRING	0xeba24	0xd4	data			0.6367924528301887
RT_STRING	0xebaf8	0x1c0	data			0.5334821428571429
RT_STRING	0xebcb8	0x458	data			0.3776978417266187
RT_STRING	0xec110	0x35c	data			0.4011627906976744
RT_STRING	0xec46c	0x388	data			0.375
RT_STRING	0xec7f4	0x3f8	data			0.3661417322834646
RT_STRING	0xecbec	0xf4	data			0.5532786885245902
RT_STRING	0xecce0	0xc4	data			0.6275510204081632
RT_STRING	0xecda4	0x22c	data			0.5017985611510791
RT_STRING	0xecfd0	0x3ac	data			0.31063829787234043
RT_STRING	0xed37c	0x36c	data			0.4018264840182648
RT_STRING	0xed6e8	0x2a4	data			0.4363905325443787
RT_RCDATA	0xed98c	0x10	data			1.5
RT_RCDATA	0xed99c	0x6f0	data			0.597972972972973
RT_RCDATA	0xee08c	0x141	Delphi compiled form 'TFormVpnServiceApplication'			0.6884735202492211
RT_RCDATA	0xee1d0	0x120	Delphi compiled form 'TServiceVPNService'			0.6354166666666666
RT_GROUP_CURSOR	0xee2f0	0x4c	Targa image data - RGB 1 x 2092 x 1 +256 +32	Italian	Italy	0.8421052631578947
RT_GROUP_CURSOR	0xee33c	0x14	Lotus unknown worksheet or configuration, revision 0x1	Italian	Italy	1.3
RT_GROUP_CURSOR	0xee350	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xee364	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xee378	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xee38c	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xee3a0	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xee3b4	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_CURSOR	0xee3c8	0x14	Lotus unknown worksheet or configuration, revision 0x1	English	United States	1.3
RT_GROUP_ICON	0xee3dc	0x3e	data	Italian	Italy	0.7903225806451613
RT_MANIFEST	0xee41c	0x352	XML 1.0 document, ASCII text, with CRLF line terminators	Italian	Italy	0.4788235294117647

Imports

DLL	Import
oleaut32.dll	SysFreeString, SysReAllocStringLen, SysAllocStringLen
advapi32.dll	RegQueryValueExA, RegOpenKeyExA, RegCloseKey
user32.dll	GetKeyboardType, DestroyWindow, LoadStringA, MessageBoxA, CharNextA
kernel32.dll	GetACP, Sleep, VirtualFree, VirtualAlloc, GetCurrentThreadId, InterlockedDecrement, InterlockedIncrement, VirtualQuery, WideCharToMultiByte, MultiByteToWideChar, lstrlenA, lstrcpynA, LoadLibraryExA, GetThreadLocale, GetStartupInfoA, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLastError, GetCommandLineA, FreeLibrary, FindFirstFileA, FindClose, ExitProcess, ExitThread, CreateThread, CompareStringA, WriteFile, UnhandledExceptionFilter, SetFilePointer, SetEndOfFile, RtlUnwind, ReadFile, RaiseException, GetStdHandle, GetFileSize, GetFileType, CreateFileA, CloseHandle
kernel32.dll	TlsSetValue, TlsGetValue, LocalAlloc, GetModuleHandleA
user32.dll	CreateWindowExA, WindowFromPoint, WaitMessage, UpdateWindow, UnregisterClassA, UnhookWindowsHookEx, TranslateMessage, TranslateMDISysAccel, TrackPopupMenu, SystemParametersInfoA, ShowWindow, ShowScrollBar, ShowOwnedPopups, SetWindowsHookExA, SetWindowPos, SetWindowPlacement, SetWindowLongW, SetWindowLongA, SetTimer, SetScrollRange, SetScrollPos, SetScrollInfo, SetRect, SetPropA, SetParent, SetMenuItemInfoA, SetMenu, SetForegroundWindow, SetFocus, SetCursor, SetClipboardData, SetClassLongA, SetCapture, SetActiveWindow, SendMessageW, SendMessageA, ScrollWindow, ScreenToClient, RemovePropA, RemoveMenu, ReleaseDC, ReleaseCapture, RegisterWindowMessageA, RegisterClipboardFormatA, RegisterClassA, RedrawWindow, PtInRect, PostThreadMessageA, PostQuitMessage, PostMessageA, PeekMessageW, PeekMessageA, OpenClipboard, OffsetRect, OemToCharA, MsgWaitForMultipleObjects, MessageBoxA, MessageBeep, MapWindowPoints, MapVirtualKeyA, LoadStringA, LoadKeyboardLayoutA, LoadIconA, LoadCursorA, LoadBitmapA, KillTimer, IsZoomed, IsWindowVisible, IsWindowUnicode, IsWindowEnabled, IsWindow, IsRectEmpty, IsIconic, IsDialogMessageW, IsDialogMessageA, IsChild, InvalidateRect, IntersectRect, InsertMenuItemA, InsertMenuA, InflateRect, GetWindowThreadProcessId, GetWindowTextA, GetWindowRect, GetWindowPlacement, GetWindowLongW, GetWindowLongA, GetWindowDC, GetTopWindow, GetSystemMetrics, GetSystemMenu, GetSysColorBrush, GetSysColor, GetSubMenu, GetScrollRange, GetScrollPos, GetScrollInfo, GetPropA, GetParent, GetWindow, GetMessagePos, GetMessageA, GetMenuStringA, GetMenuState, GetMenuItemInfoA, GetMenuItemID, GetMenuItemCount, GetMenu, GetLastActivePopup, GetKeyboardState, GetKeyboardLayoutNameA, GetKeyboardLayoutList, GetKeyboardLayout, GetKeyState, GetKeyNameTextA, GetIconInfo, GetForegroundWindow, GetFocus, GetDesktopWindow, GetDCEx, GetDC, GetCursorPos, GetCursor, GetClipboardData, GetClientRect, GetClassLongA, GetClassInfoA, GetCapture, GetActiveWindow, FrameRect, FindWindowA, FillRect, EqualRect, EnumWindows, EnumThreadWindows, EnumChildWindows, EndPaint, EnableWindow, EnableScrollBar, EnableMenuItem, EmptyClipboard, DrawTextA, DrawMenuBar, DrawIconEx, DrawIcon, DrawFrameControl, DrawEdge, DispatchMessageW, DispatchMessageA, DestroyWindow, DestroyMenu, DestroyIcon, DestroyCursor, DeleteMenu, DefWindowProcA, DefMDIChildProcA, DefFrameProcA, CreatePopupMenu, CreateMenu, CreateIconFromResource, CreateIcon, CloseClipboard, ClientToScreen, CheckMenuItem, CallWindowProcA, CallNextHookEx, BeginPaint, CharNextA, CharLowerBuffA, CharLowerA, CharUpperBuffA, CharToOemA, AdjustWindowRectEx, ActivateKeyboardLayout
gdi32.dll	UnrealizeObject, StretchBlt, SetWindowOrgEx, SetWinMetaFileBits, SetViewportOrgEx, SetTextColor, SetStretchBltMode, SetROP2, SetPixel, SetEnhMetaFileBits, SetDIBColorTable, SetBrushOrgEx, SetBkMode, SetBkColor, SelectPalette, SelectObject, SaveDC, RestoreDC, Rectangle, RectVisible, RealizePalette, PlayEnhMetaFile, PatBlt, MoveToEx, MaskBlt, LineTo, IntersectClipRect, GetWindowOrgEx, GetWinMetaFileBits, GetTextMetricsA, GetTextExtentPointA, GetTextExtentPoint32A, GetSystemPaletteEntries, GetStockObject, GetRgnBox, GetPixel, GetPaletteEntries, GetObjectA, GetEnhMetaFilePaletteEntries, GetEnhMetaFileHeader, GetEnhMetaFileBits, GetDeviceCaps, GetDIBits, GetDIBColorTable, GetDCOrgEx, GetCurrentPositionEx, GetClipBox, GetBrushOrgEx, GetBitmapBits, ExcludeClipRect, DeleteObject, DeleteEnhMetaFile, DeleteDC, CreateSolidBrush, CreatePenIndirect, CreatePalette, CreateHalftonePalette, CreateFontIndirectA, CreateDIBitmap, CreateDIBSection, CreateCompatibleDC, CreateCompatibleBitmap, CreateBrushIndirect, CreateBitmap, CopyEnhMetaFileA, BitBlt
version.dll	VerQueryValueA, GetFileVersionInfoSizeA, GetFileVersionInfoA
kernel32.dll	lstrcpyA, WriteFile, WaitForSingleObject, VirtualQuery, VirtualAlloc, SuspendThread, Sleep, SizeofResource, SetThreadPriority, SetThreadLocale, SetFilePointer, SetEvent, SetErrorMode, SetEndOfFile, ResumeThread, ResetEvent, ReadFile, RaiseException, QueryPerformanceFrequency, QueryPerformanceCounter, MultiByteToWideChar, MulDiv, LockResource, LoadResource, LoadLibraryA, LeaveCriticalSection, InitializeCriticalSection, GlobalUnlock, GlobalLock, GlobalFree, GlobalFindAtomA, GlobalDeleteAtom, GlobalAlloc, GlobalAddAtomA, GetVersionExA, GetVersion, GetTickCount, GetThreadLocale, GetStdHandle, GetProcAddress, GetModuleHandleA, GetModuleFileNameA, GetLocaleInfoA, GetLocalTime, GetLastError, GetFullPathNameA, GetFileSize, GetFileAttributesA, GetExitCodeThread, GetDiskFreeSpaceA, GetDateFormatA, GetCurrentThreadId, GetCurrentProcessId, GetCPInfo, FreeResource, InterlockedIncrement, InterlockedExchange, InterlockedDecrement, FreeLibrary, FormatMessageA, FindResourceA, FindFirstFileA, FindClose, EnumCalendarInfoA, EnterCriticalSection, DeleteCriticalSection, CreateThread, CreateFileA, CreateEventA, CompareStringA, CloseHandle
advapi32.dll	ReportEventA, RegisterEventSourceA, RegSetValueExA, RegQueryValueExA, RegOpenKeyExA, RegFlushKey, RegCreateKeyExA, RegCloseKey, DeregisterEventSource
oleaut32.dll	CreateErrorInfo, GetErrorInfo, SetErrorInfo, SysFreeString
ole32.dll	CoTaskMemFree, CoTaskMemAlloc, CoCreateInstance, CoUninitialize, CoInitialize
kernel32.dll	Sleep
oleaut32.dll	SafeArrayPtrOfIndex, SafeArrayGetUBound, SafeArrayGetLBound, SafeArrayCreate, VariantChangeType, VariantCopy, VariantClear, VariantInit
comctl32.dll	_TrackMouseEvent, ImageList_SetIconSize, ImageList_GetIconSize, ImageList_Write, ImageList_Read, ImageList_DragShowNolock, ImageList_DragMove, ImageList_DragLeave, ImageList_DragEnter, ImageList_EndDrag, ImageList_BeginDrag, ImageList_Remove, ImageList_DrawEx, ImageList_Draw, ImageList_GetBkColor, ImageList_SetBkColor, ImageList_Add, ImageList_SetImageCount, ImageList_GetImageCount, ImageList_Destroy, ImageList_Create
advapi32.dll	StartServiceCtrlDispatcherA, SetServiceStatus, RegisterServiceCtrlHandlerA, OpenServiceA, OpenSCManagerA, DeleteService, CreateServiceA, CloseServiceHandle

Possible Origin

Language of compilation system	Country where language is spoken	Map
Italian	Italy
English	United States

• VPNService.exe

Click to jump to process

Memory Usage

• VPNService.exe

Click to jump to process

Target ID:	0
Start time:	03:39:37
Start date:	18/07/2024
Path:	C:\Users\user\Desktop\VPNService.exe
Wow64 process (32bit):	true
Commandline:	"C:\Users\user\Desktop\VPNService.exe"
Imagebase:	0x400000
File size:	933'888 bytes
MD5 hash:	62147ADC1C9D01E22330B9AA7A55D3E9
Has elevated privileges:	true
Has administrator privileges:	true
Programmed in:	Borland Delphi
Yara matches:	Rule: JoeSecurity_DelphiSystemParamCount, Description: Detected Delphi use of System.ParamCount(), Source: 00000000.00000000.2006409566.0000000000401000.00000020.00000001.01000000.00000003.sdmp, Author: Joe Security
Reputation:	low
Has exited:	true

Show Windows behavior

Description:	Adversaries may execute their own malicious payloads by side-loading DLLs. Similar to DLL Search Order Hijacking , side-loading involves hijacking which DLL a program loads. But rather than just planting the DLL within the search order of a program then waiting for the victim application to be invoked, adversaries may directly side-load their payloads by planting then invoking a legitimate application that executes their payload(s).
Tactics:	Defense Evasion, Persistence, Privilege Escalation
Data Sources:	File: File Creation, File: File Modification, Module: Module Load, Process: Process Creation
Platforms:	Windows
Url:	Open detailed description by Mitre

Description:	Adversaries may attempt to get a listing of security software, configurations, defensive tools, and sensors that are installed on a system or in a cloud environment. This may include things such as firewall rules and anti-virus. Adversaries may use the information from Security Software Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Firewall: Firewall Enumeration, Firewall: Firewall Metadata, Process: OS API Execution, Process: Process Creation
Platforms:	Azure AD, Google Workspace, IaaS, Linux, macOS, Office 365, SaaS, Windows
Url:	Open detailed description by Mitre

Description:	An adversary may attempt to get detailed information about the operating system and hardware, including version, patches, hotfixes, service packs, and architecture. Adversaries may use the information from System Information Discovery during automated discovery to shape follow-on behaviors, including whether or not the adversary fully infects the target and/or attempts specific actions.
Tactics:	Discovery
Data Sources:	Command: Command Execution, Process: OS API Execution, Process: Process Creation
Platforms:	IaaS, Linux, macOS, Network, Windows
Url:	Open detailed description by Mitre

Behavior Section

Behavior Chronological

Disassembly

Uncategorized

Graph

Loading Joe Sandbox Report ...

Warning!

Windows Analysis Report VPNService.exe

Overview

General Information

Detection

Signatures

Classification

Process Tree

Malware Configuration

Yara Signatures

Initial Sample

Memory Dumps

Sigma Signatures

Snort Signatures

Joe Sandbox Signatures

AV Detection

Compliance

System Summary

Malware Analysis System Evasion

Anti Debugging

Mitre Att&ck Matrix

Behavior Graph

Screenshots

Thumbnails

Antivirus, Machine Learning and Genetic Malware Detection

Initial Sample

Dropped Files

Unpacked PE Files

Domains

URLs

Domains and IPs

Contacted Domains

World Map of Contacted IPs

General Information

Warnings

Simulations

Behavior and APIs

Joe Sandbox View / Context

IPs

Domains

ASNs

JA3 Fingerprints

Dropped Files

Created / dropped Files

Static File Info

General

File Icon

Static PE Info

General

Entrypoint Preview

Data Directories

Sections

Resources

Imports

Possible Origin

Network Behavior

Statistics

CPU Usage

Memory Usage

System Behavior

Analysis Process: VPNService.exePID: 3560, Parent PID: 1028

General

File Activities

File Opened

File Attributes Queried

Volume Information Queried

Device IO

Section Activities

Sections loaded by Windows

Sections loaded by Program

Registry Activities

Key Opened

Key Value Queried

Key Monitored

Windows Analysis Report
VPNService.exe