Analysis
Max time kernel: 27s
Max time network: 33s
Platform: windows7_x64
Resource: win7-20230621-en
Resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
Submitted: 25-06-2023 18:51
Static task: static1
Behavioral task: behavioral1
  Sample: expressvpn_windows_12.51.0.4_release.exe
  Resource: win7-20230621-en
Behavioral task: behavioral2
  Sample: expressvpn_windows_12.51.0.4_release.exe
  Resource: win10v2004-20230621-en
General
Target: expressvpn_windows_12.51.0.4_release.exe
Size: 62.9MB
MD5: c7a0290ac607dda06b5a83dc29d0dbb3
SHA1: 627ef1672e58add4e0863d5fbd5e63b7666df489
SHA256: 2ec6df9a41e10daed0543128f9dcc897017828c12d4e78f0c4ad2f2b37aaaff0
SHA512: 13c079a3719b686d958f1794712ef236e33933edcaaab778b2938b0b9315527f98e514c8a7e0d3857185a40d249a11cd45fcee98c8c3eeef38b62a723ef1f012
SSDEEP: 1572864:eA9T8BsJn5wq9hWLN4V0HjU6o5hykKjtNJJbXoilwyf:eAaB4KMKeVOho5h7K5NfoSf
Malware Config
Signatures
Executes dropped EXE (1 IoC)
  Processes: PID 2036 expressvpn_windows_12.51.0.4_release.exe
Loads dropped DLL (1 IoC)
  Processes: PID 1792 expressvpn_windows_12.51.0.4_release.exe
Suspicious use of WriteProcessMemory (7 IoCs)
  Processes (description, pid, process, target process):
  PID 1792 wrote to memory of 2036: 1792 expressvpn_windows_12.51.0.4_release.exe -> 2036 expressvpn_windows_12.51.0.4_release.exe (7 identical entries)
Processes
1. C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe"
   PID: 1792
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe
      Command line: "C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.51.0.4_release.exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
      PID: 2036
      - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
C:\Windows\Temp\{CD084C39-4002-4C97-9600-BCCA17D924BA}\.cr\expressvpn_windows_12.51.0.4_release.exe
  Filesize: 11.0MB
  MD5: cd663dec310c64e1e17ddfd520a572e9
  SHA1: c759095b8f0e2826ce099c7f1eff9ea2745b41fb
  SHA256: 6510eb27e1b9a6910cb3dc3d002b20e599536cca0810a35d90fe84da4a6ed5fe
  SHA512: b9636f8239d18b778ab9c831ceaa1b059281c607df26deecf7a580f535e7bf42bc3dce7feee9063787682c27edc93622890a4d87e5b4f2db3dd8545c187d35f3