25bedb839070a35a6195fec683ca363d031fb265e10ddc9d5537199be60c4fab

Analysis

max time kernel
149s
max time network
34s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
22-03-2023 08:05

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

expressvpn_windows_install.7z
Size

45.5MB
MD5

453d0bcc246d8f9def6d542fd846c3d4
SHA1

5e35087c69cbd0425c02ce7edc5192feea82722a
SHA256

f6be94dd7fa4acd3775553af020ed4bd07bdd8070383926b3e2ad62c3c30a9ae
SHA512

e674fbd76f5919436780d9bf75918b1202dffcf279708aad0a000ae7bd489a9bdf55d6f7a2b4f7b738a66080a59b18403c702e43d58d3c764b22f848e6752c61
SSDEEP

786432:IOjgCSRBYxWy0WXMGMVcvPKI0+mOafSmyEXa0Lsn7kEGYEKbKjGHV7/ijz/:DkRBf6LwcKyafY+a0ukEmjGHO

Score

3^/10

Malware Config

Signatures

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Modifies registry class 9 IoCs

Processes:

rundll32.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\.7z\ = "7z_auto_file"	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read\command	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_Classes\Local Settings	rundll32.exe
Key created	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file	rundll32.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1563773381-2037468142-1146002597-1000_CLASSES\7z_auto_file\shell\Read\command\ = "\"C:\\Program Files (x86)\\Adobe\\Reader 9.0\\Reader\\AcroRd32.exe\" \"%1\""	rundll32.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

AcroRd32.exe

pid process

524 AcroRd32.exe
524 AcroRd32.exe
524 AcroRd32.exe

pid	process
524	AcroRd32.exe
524	AcroRd32.exe
524	AcroRd32.exe

Suspicious use of WriteProcessMemory 7 IoCs

Processes:

cmd.exerundll32.exe

description	pid	process	target process
PID 2028 wrote to memory of 1060	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 1060	2028	cmd.exe	rundll32.exe
PID 2028 wrote to memory of 1060	2028	cmd.exe	rundll32.exe
PID 1060 wrote to memory of 524	1060	rundll32.exe	AcroRd32.exe
PID 1060 wrote to memory of 524	1060	rundll32.exe	AcroRd32.exe
PID 1060 wrote to memory of 524	1060	rundll32.exe	AcroRd32.exe
PID 1060 wrote to memory of 524	1060	rundll32.exe	AcroRd32.exe

C:\Windows\system32\cmd.exe
cmd /c C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z
1⤵
- Suspicious use of WriteProcessMemory
PID:2028

C:\Windows\system32\rundll32.exe
"C:\Windows\system32\rundll32.exe" C:\Windows\system32\shell32.dll,OpenAs_RunDLL C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z
2⤵
- Modifies registry class
- Suspicious use of WriteProcessMemory
PID:1060

C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe
"C:\Program Files (x86)\Adobe\Reader 9.0\Reader\AcroRd32.exe" "C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_install.7z"
3⤵
- Suspicious use of SetWindowsHookEx
PID:524

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads