Analysis
- max time kernel: 29s
- max time network: 35s
- platform: windows7_x64
- resource: win7-20230621-en
- resource tags: arch:x64, arch:x86, image:win7-20230621-en, locale:en-us, os:windows7-x64, system
- submitted: 28-06-2023 06:50
Static task: static1
Behavioral task: behavioral1
- Sample: expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Resource: win7-20230621-en
Behavioral task: behavioral2
- Sample: expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Resource: win10v2004-20230621-en
General
- Target: expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Size: 62.9MB
- MD5: 18533e6820766306144e432b9616ecbf
- SHA1: ed5470f3b31853ac2fc80f4d1646db3b6cb09276
- SHA256: 6713695798164eeef13de43bffb24f47b82e58a68c12b92bcee41d45f864e931
- SHA512: 26f29dbf8f522ea909c477f2ded551dadf1626ed9707efc58759c8a8f8b17ebff0d0ea79feb6067db01c8983bd5c1ad7b9385b539574b868ca0d047b8cd3e4f0
- SSDEEP: 1572864:yJ+g8ROZq79HMryExyFbqDXA6kZ/EJLV5+LFQ1TJbezilwOb:yD8RO+BTbkw4J5+LFAwzub
Malware Config
Signatures
- Executes dropped EXE (1 IoC)
  pid   Process
  1316  expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Loads dropped DLL (1 IoC)
  pid   Process
  1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe
- Suspicious use of WriteProcessMemory (7 IoCs)
  description                        pid   Process                                                  procid_target
  PID 1156 wrote to memory of 1316   1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe   27
  PID 1156 wrote to memory of 1316   1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe   27
  PID 1156 wrote to memory of 1316   1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe   27
  PID 1156 wrote to memory of 1316   1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe   27
  PID 1156 wrote to memory of 1316   1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe   27
  PID 1156 wrote to memory of 1316   1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe   27
  PID 1156 wrote to memory of 1316   1156  expressvpn_windows_12.49.0.4_release [pesktop.com].exe   27
Processes
- C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe (PID: 1156)
  Command line: "C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe (PID: 1316, child of 1156)
    Command line: "C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.clean.room="C:\Users\Admin\AppData\Local\Temp\expressvpn_windows_12.49.0.4_release [pesktop.com].exe" -burn.filehandle.attached=180 -burn.filehandle.self=188
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix
Downloads
- C:\Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
  Filesize: 11.0MB
  MD5: 6a25e359c5876cbb2695abb2f0242e76
  SHA1: bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224
  SHA256: f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8
  SHA512: c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619
- \Windows\Temp\{367A1371-EF0C-4B84-AFD0-FE7E626366BC}\.cr\expressvpn_windows_12.49.0.4_release [pesktop.com].exe
  Filesize: 11.0MB
  MD5: 6a25e359c5876cbb2695abb2f0242e76
  SHA1: bd21c4a5cab80ddba00aa7ab6b99c8fccb71e224
  SHA256: f9fc679723956eb5b005164c6bc2fb81fe29879a94365437b2073c293966adc8
  SHA512: c05d39c25858279fb2e2349f223d839f8cd6ac310b1a74f9b4dd930480be64089d9d4e666dca38d063f63466ca2474f41c5d6964c7717cc28e8ea87d5597e619