Analysis
- max time kernel: 27s
- max time network: 33s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 15-06-2023 11:49
Static task: static1
Behavioral task: behavioral1
- Sample: expressvpn_windows_12.43.0.0_release.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: expressvpn_windows_12.43.0.0_release.exe
- Resource: win10v2004-20230220-en
General
- Target: expressvpn_windows_12.43.0.0_release.exe
- Size: 58.4MB
- MD5: a15d6e20d0107f59af14bfe1bfee8a5a
- SHA1: a16c498932a3c2851f255bf355f12076159afba7
- SHA256: 301ee3fb48efa7dc3d15c8e434b93ae36bd9953d7d62efcc85e054a8720595c7
- SHA512: 02ed872a21f838422881fb2e6099ee3bb3b5e6c22a9ea4439de54cac0fc1aa7cadbf4f1e601cff50bd300941c529313e844c3547f8b3a5bdd4f7b7f47bb6e21e
- SSDEEP: 1572864:gDG8e0q6S1HeWXgyzRT//W87ghVzJNUXhhgTO0GsrVRUZUcf8E:KMMi++9XWDX+0rrVRTE
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  Processes (pid | process):
  1252 | expressvpn_windows_12.43.0.0_release.exe
- Loads dropped DLL (1 IoC)
  Processes (pid | process):
  1184 | expressvpn_windows_12.43.0.0_release.exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description | pid | process | target process):
  PID 1184 wrote to memory of 1252 | 1184 | expressvpn_windows_12.43.0.0_release.exe | expressvpn_windows_12.43.0.0_release.exe
  PID 1184 wrote to memory of 1252 | 1184 | expressvpn_windows_12.43.0.0_release.exe | expressvpn_windows_12.43.0.0_release.exe
  PID 1184 wrote to memory of 1252 | 1184 | expressvpn_windows_12.43.0.0_release.exe | expressvpn_windows_12.43.0.0_release.exe
  PID 1184 wrote to memory of 1252 | 1184 | expressvpn_windows_12.43.0.0_release.exe | expressvpn_windows_12.43.0.0_release.exe
  PID 1184 wrote to memory of 1252 | 1184 | expressvpn_windows_12.43.0.0_release.exe | expressvpn_windows_12.43.0.0_release.exe
  PID 1184 wrote to memory of 1252 | 1184 | expressvpn_windows_12.43.0.0_release.exe | expressvpn_windows_12.43.0.0_release.exe
  PID 1184 wrote to memory of 1252 | 1184 | expressvpn_windows_12.43.0.0_release.exe | expressvpn_windows_12.43.0.0_release.exe
Processes
1. C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe"
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
2. C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
   Command line: "C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.43.0.0_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
   - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
  Filesize: 10.3MB
  MD5: 3b2354b92f91a4383b867b594196cd1c
  SHA1: 43c830cfa6b873b66a323e3747a199365cb18b50
  SHA256: 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
  SHA512: 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da
- \Windows\Temp\{B0896D90-9A8C-4367-80EC-B6AAFD9FCB42}\.cr\expressvpn_windows_12.43.0.0_release.exe
  Filesize: 10.3MB
  MD5: 3b2354b92f91a4383b867b594196cd1c
  SHA1: 43c830cfa6b873b66a323e3747a199365cb18b50
  SHA256: 2600f1e1b62070d15018ee507d9f91dd13ed93b775c4c62ffbfda85f601d85e7
  SHA512: 7421cc4f7254099f87c49a201f8816fa1adacd14333818bd85bed941c82932656159da3aaac1e7d2246874068020bfd5947f6d157882f8703408adce8ce288da