Analysis
-
max time kernel
149s -
max time network
34s -
platform
windows7_x64 -
resource
win7-20230220-en -
resource tags
arch:x64 arch:x86 image:win7-20230220-en locale:en-us os:windows7-x64 system -
submitted
22-03-2023 08:05
Static task
static1
Behavioral task
behavioral1
Sample
expressvpn_windows_install.7z
Resource
win7-20230220-en
windows7-x64
4 signatures
150 seconds
General
-
Target
expressvpn_windows_install.7z
-
Size
45.5MB
-
MD5
453d0bcc246d8f9def6d542fd846c3d4
-
SHA1
5e35087c69cbd0425c02ce7edc5192feea82722a
-
SHA256
f6be94dd7fa4acd3775553af020ed4bd07bdd8070383926b3e2ad62c3c30a9ae
-
SHA512
e674fbd76f5919436780d9bf75918b1202dffcf279708aad0a000ae7bd489a9bdf55d6f7a2b4f7b738a66080a59b18403c702e43d58d3c764b22f848e6752c61
-
SSDEEP
786432:IOjgCSRBYxWy0WXMGMVcvPKI0+mOafSmyEXa0Lsn7kEGYEKbKjGHV7/ijz/:DkRBf6LwcKyafY+a0ukEmjGHO
Score
3/10
Malware Config
Signatures
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.
-
Modifies registry class 9 IoCs
Processes:
rundll32.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\ | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z\ = "7z_auto_file" | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read\command | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings | rundll32.exe
Key created | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file | rundll32.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\"" | rundll32.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes:
AcroRd32.exe
pid | process
524 | AcroRd32.exe
524 | AcroRd32.exe
524 | AcroRd32.exe
-
Suspicious use of WriteProcessMemory 7 IoCs
Processes:
cmd.exe, rundll32.exe
description | pid | process | target process
PID 2028 wrote to memory of 1060 | 2028 | cmd.exe | rundll32.exe
PID 2028 wrote to memory of 1060 | 2028 | cmd.exe | rundll32.exe
PID 2028 wrote to memory of 1060 | 2028 | cmd.exe | rundll32.exe
PID 1060 wrote to memory of 524 | 1060 | rundll32.exe | AcroRd32.exe
PID 1060 wrote to memory of 524 | 1060 | rundll32.exe | AcroRd32.exe
PID 1060 wrote to memory of 524 | 1060 | rundll32.exe | AcroRd32.exe
PID 1060 wrote to memory of 524 | 1060 | rundll32.exe | AcroRd32.exe
Processes
- C:\Windows\system32\cmd.exe
  Command line: cmd /c C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z
  - Suspicious use of WriteProcessMemory
  - C:\Windows\system32\rundll32.exe
    Command line: "C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z
    - Modifies registry class
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
      Command line: "C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z"
      - Suspicious use of SetWindowsHookEx