Analysis
max time kernel: 25s
max time network: 30s
platform: windows7_x64
resource: win7-20230220-en
resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
submitted: 13-06-2023 18:00
Static task: static1
Behavioral task: behavioral1
  Sample: expressvpn_windows_12.38.0.60_release.exe
  Resource: win7-20230220-en
Behavioral task: behavioral2
  Sample: expressvpn_windows_12.38.0.60_release.exe
  Resource: win10v2004-20230220-en
General
Target: expressvpn_windows_12.38.0.60_release.exe
Size: 57.9MB
MD5: c2f43c3bd04b18b42538f21d5c35769c
SHA1: c82bd94359c17d96d7e6195fb3350e5944747fa0
SHA256: 6569fcc8ecc5e6dbc85dd0ebca9d248454446a7f6ff806c34c598303fc989060
SHA512: e220f439900da7058b430e0ee98eaf92b7063143071026ddb1234f1800978c4a3a4ca55252811d45ef8339a5cddcbd2a1f5deeb7036c8b23f4f09f207a6bf6a4
SSDEEP: 1572864:dKaNvbJ8xod7dyy6KsEcOEhn8Oi2dLLflzBfaAThAz80FcaTT2uqGN:dKYCxod7dDHHUVvdL7LSTSgT2uT
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes (pid, process):
  924 expressvpn_windows_12.38.0.60_release.exe
Loads dropped DLL (1 IoC)
  Processes (pid, process):
  1724 expressvpn_windows_12.38.0.60_release.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 1724 wrote to memory of 924 | 1724 expressvpn_windows_12.38.0.60_release.exe | expressvpn_windows_12.38.0.60_release.exe
  PID 1724 wrote to memory of 924 | 1724 expressvpn_windows_12.38.0.60_release.exe | expressvpn_windows_12.38.0.60_release.exe
  PID 1724 wrote to memory of 924 | 1724 expressvpn_windows_12.38.0.60_release.exe | expressvpn_windows_12.38.0.60_release.exe
  PID 1724 wrote to memory of 924 | 1724 expressvpn_windows_12.38.0.60_release.exe | expressvpn_windows_12.38.0.60_release.exe
  PID 1724 wrote to memory of 924 | 1724 expressvpn_windows_12.38.0.60_release.exe | expressvpn_windows_12.38.0.60_release.exe
  PID 1724 wrote to memory of 924 | 1724 expressvpn_windows_12.38.0.60_release.exe | expressvpn_windows_12.38.0.60_release.exe
  PID 1724 wrote to memory of 924 | 1724 expressvpn_windows_12.38.0.60_release.exe | expressvpn_windows_12.38.0.60_release.exe
Processes
C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe (depth 1, PID 1724)
  Command line: "C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe"
  Loads dropped DLL
  Suspicious use of WriteProcessMemory
  C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe (depth 2, PID 924)
    Command line: "C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.38.0.60_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
C:\Windows\Temp\{58967484-6AE7-4ACF-BF6C-A8760D67870C}\.cr\expressvpn_windows_12.38.0.60_release.exe
  Filesize: 10.3MB
  MD5: 07c7857ac0338fdc449755eddac67c94
  SHA1: db057f68b70c981978855a2b02d8a8a397c79b0a
  SHA256: efde80da6ad11fdcd949c24ea07338a4ed1bd1dac31bc9753ac776607e9cd23a
  SHA512: 842e01b17306e3f6250d685d27ac67855b5db2cb79f0efc1118f33aff5029fe761941b81bbebf5294794664ee7490eba562a71cf1ab558de708555cf85166e9d