7b92f545797f26c7113bbaeb3df0df7b735b65f25b2316658610e20a4db98bc6

Analysis

max time kernel
140s
max time network
120s
platform
windows7_x64
resource
win7-20231215-en
resource tags

arch:x64arch:x86image:win7-20231215-enlocale:en-usos:windows7-x64system
submitted
26/01/2024, 23:51

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

78b8e523bec99b9ed30727020896bbb3.exe
Size

48KB
MD5

78b8e523bec99b9ed30727020896bbb3
SHA1

3c28f4b5f180532c9b6f48fe6a89b814e3d19a7a
SHA256

7b92f545797f26c7113bbaeb3df0df7b735b65f25b2316658610e20a4db98bc6
SHA512

b0ef052e2b7b61b99fef7c2415a2ca4cd1e6f37dc465ebd98f16f64dcff327693b6f22d8e1a115f9661536f00f76152693e7bbaa2f669d7dedc9c8c24f0a03da
SSDEEP

768:NaKbmM09qIeRiimC4VrvG5S0bQWl/eVXBrADgVAt/r+iSDhC:NaKba93aiiGNuNfl/qx0DUE/rAhC

Score

7^/10

persistence spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	expolrer.exe

Executes dropped EXE 1 IoCs

pid	Process
2992	expolrer.exe

Loads dropped DLL 2 IoCs

pid	Process
1696	78b8e523bec99b9ed30727020896bbb3.exe
1696	78b8e523bec99b9ed30727020896bbb3.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3818056530-936619650-3554021955-1000\Software\Microsoft\Windows\CurrentVersion\Run\datacrypt = "C:\\Windows\\system32\\expolrer.exe"	78b8e523bec99b9ed30727020896bbb3.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\cryptdatadisc = "C:\\Windows\\system32\\expolrer.exe"	78b8e523bec99b9ed30727020896bbb3.exe

Drops desktop.ini file(s) 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Microsoft Games\Chess\desktop.ini	expolrer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	expolrer.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\desktop.ini	expolrer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\desktop.ini	expolrer.exe
File opened for modification	C:\Windows\Downloaded Program Files\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\HO2824L9\desktop.ini	expolrer.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Startup\desktop.ini	expolrer.exe
File opened for modification	C:\Program Files\Microsoft Games\Solitaire\desktop.ini	expolrer.exe
File opened for modification	C:\Program Files (x86)\desktop.ini	expolrer.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	expolrer.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-AU\Wallpaper\desktop.ini	expolrer.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Wallpaper\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\Favorites\Links for United States\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Public\Documents\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Public\Pictures\desktop.ini	expolrer.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-GB\Link\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Public\Libraries\desktop.ini	expolrer.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-CA\Wallpaper\desktop.ini	expolrer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Windows PowerShell\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\desktop.ini	expolrer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Games\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\SendTo\Desktop.ini	expolrer.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\IJKL5Z6W\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Burn\Burn\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\M6IEN5C8\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Accessories\Accessibility\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\Contacts\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Public\Videos\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\3CFCJL8M\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Public\Recorded TV\desktop.ini	expolrer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Feeds Cache\15TVJ6R0\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Recent\desktop.ini	expolrer.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Start Menu\Programs\Administrative Tools\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Public\Pictures\Sample Pictures\desktop.ini	expolrer.exe
File opened for modification	C:\Program Files\desktop.ini	expolrer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\Tablet PC\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows\History\History.IE5\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\Desktop\desktop.ini	expolrer.exe
File opened for modification	C:\Users\All Users\Microsoft\Windows\Ringtones\desktop.ini	expolrer.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Maintenance\Desktop.ini	expolrer.exe
File opened for modification	C:\Windows\Fonts\desktop.ini	expolrer.exe
File opened for modification	C:\Program Files\Microsoft Games\Hearts\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\Videos\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\Links\desktop.ini	expolrer.exe
File opened for modification	C:\Program Files\Microsoft Games\Mahjong\desktop.ini	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\1033\DataServices\DESKTOP.INI	expolrer.exe
File opened for modification	C:\Users\Public\Videos\Sample Videos\desktop.ini	expolrer.exe
File opened for modification	C:\Program Files\Microsoft Games\FreeCell\desktop.ini	expolrer.exe
File opened for modification	C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Accessories\System Tools\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\AppData\Local\Microsoft\Windows Mail\Stationery\Desktop.ini	expolrer.exe
File opened for modification	C:\Users\Admin\Music\desktop.ini	expolrer.exe
File opened for modification	C:\Users\Default\AppData\Roaming\Microsoft\Internet Explorer\Quick Launch\desktop.ini	expolrer.exe

Drops file in System32 directory 16 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\cvqaikxt.apk	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\xdatxzap.zxp	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\cvqaikxt.apk	78b8e523bec99b9ed30727020896bbb3.exe
File opened for modification	C:\Windows\SysWOW64\expolrer.exe	78b8e523bec99b9ed30727020896bbb3.exe
File opened for modification	C:\Windows\SysWOW64\bcegfds.lll	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\zhcarxxi.vvx	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\expolrer.exe	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\zhcarxxi.vvx	78b8e523bec99b9ed30727020896bbb3.exe
File opened for modification	C:\Windows\SysWOW64\datsobex.wwr	78b8e523bec99b9ed30727020896bbb3.exe
File opened for modification	C:\Windows\SysWOW64\wincheck32.dats	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\winzweier.dats	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\bcegfds.lll	78b8e523bec99b9ed30727020896bbb3.exe
File opened for modification	C:\Windows\SysWOW64\winexpoder.dats	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\datsobex.wwr	expolrer.exe
File opened for modification	C:\Windows\SysWOW64\xdatxzap.zxp	78b8e523bec99b9ed30727020896bbb3.exe
File opened for modification	C:\Windows\SysWOW64\NoSpam.readme	78b8e523bec99b9ed30727020896bbb3.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\VideoLAN\VLC\lua\http\dialogs\error_window.html	expolrer.exe
File opened for modification	C:\Program Files (x86)\Common Files\microsoft shared\OFFICE14\Office Setup Controller\Access.en-us\AccessMUISet.XML	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\CPU.Gadget\ja-JP\cpu.html	expolrer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\Stationery\Garden.htm	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-core-execution.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Aspect.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\utilityfunctions.js	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.COM.XML	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL020.XML	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Currency.Gadget\es-ES\js\service.js	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Weather.Gadget\de-DE\js\localizedStrings.js	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\update_tracking\com-sun-tools-visualvm-modules-startup.xml	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\RSSFeeds.Gadget\en-US\js\settings.js	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL086.XML	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN102.XML	expolrer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\base_kor.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\OutlookAutoDiscover\YAHOO.ES.XML	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL107.XML	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Currency.Gadget\it-IT\js\service.js	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Apex.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessData.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\de-DE\js\settings.js	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\en-US\gadget.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\ToolData\groove.net\GrooveForms\FormsHomePageScript.js	expolrer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\symbols\ea-sym.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGLBL002.XML	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\features\org.eclipse.ecf.filetransfer.httpclient4.ssl.feature_1.0.0.v20140827-1444\feature.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PAGESIZE\PGMN105.XML	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\SlideShow.Gadget\it-IT\js\slideShow.js	expolrer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\tk.txt	expolrer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipssrb.xml	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\update_tracking\org-netbeans-modules-sendopts.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\flyout.html	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\POST.CFG	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\RSSFeeds.html	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-threaddump.xml	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\settings.html	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\DGWEBHD.XML	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\ja-JP\gadget.xml	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\ja-JP\gadget.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Groove\XML Files\StarterApplicationDescriptors.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Stationery\1033\JUDGESCH.HTM	expolrer.exe
File opened for modification	C:\Program Files\Windows Media Player\Network Sharing\ContentDirectory.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\RESEND.CFG	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\Microsoft.Office.BusinessApplications.RuntimeUi.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\PicturePuzzle.Gadget\it-IT\js\settings.js	expolrer.exe
File opened for modification	C:\Program Files (x86)\Windows Sidebar\Gadgets\RSSFeeds.Gadget\fr-FR\settings.html	expolrer.exe
File opened for modification	C:\Program Files\7-Zip\Lang\vi.txt	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Weather.Gadget\en-US\js\weather.js	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Colors\Technic.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\FORMS\1033\CNFRES.CFG	expolrer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\fsdefinitions\main\zh-phonetic.xml	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\missioncontrol\plugins\org.eclipse.equinox.launcher.win32.win32.x86_64_1.1.200.v20141007-2033\META-INF\MANIFEST.MF	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-queries.xml	expolrer.exe
File opened for modification	C:\Program Files\Mozilla Firefox\install.log	expolrer.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ipsdan.xml	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\platform\config\Modules\org-netbeans-modules-editor-mimelookup.xml	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Calendar.Gadget\es-ES\calendar.html	expolrer.exe
File opened for modification	C:\Program Files\Windows Sidebar\Gadgets\Clock.Gadget\fr-FR\js\clock.js	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\PUBWIZ\WITHCOMP.XML	expolrer.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\lib\visualvm\visualvm\config\Modules\com-sun-tools-visualvm-jmx.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Document Themes 14\Theme Fonts\Executive.xml	expolrer.exe
File opened for modification	C:\Program Files (x86)\Microsoft Office\Office14\IPIRMV.XML	expolrer.exe

Drops file in Windows directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_ja_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml	expolrer.exe
File opened for modification	C:\Windows\debug\sammui.log	expolrer.exe
File opened for modification	C:\Windows\diagnostics\index\SearchDiagnostic.xml	expolrer.exe
File opened for modification	C:\Windows\inf\rdyboost\0C0A\ReadyBoostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0409\_ServiceModelEndpointPerfCounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0009\_SMSvcHostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NETFramework\0407\corperfmonsymbols_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\aspnet_state\000D\aspnet_state_perf.ini	expolrer.exe
File opened for modification	C:\Windows\inf\rdyboost\0409\ReadyBoostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\rdyboost\ReadyBoostPerfCounters.h	expolrer.exe
File opened for modification	C:\Windows\inf\TAPISRV\perfctr.h	expolrer.exe
File opened for modification	C:\Windows\inf\UGTHRSVC\040C\gthrctr.ini	expolrer.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0013\PerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\ehome\it-IT\playready_eula.txt	expolrer.exe
File opened for modification	C:\Windows\Globalization\MCT\MCT-US\Link\desktop.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking\0411\_Networkingperfcounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\0015\_Networkingperfcounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\wsearchidxpi\0411\idxcntrs.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking\_NetworkingPerfCounters.h	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\000E\aspnet_perf.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ServiceModelOperation 3.0.0.0\0410\_ServiceModelOperationPerfCounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for Oracle\0407\_DataOracleClientPerfCounters_shared12_neutral_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET\0009\aspnet_perf2.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET\0019\aspnet_perf2.ini	expolrer.exe
File opened for modification	C:\Windows\inf\MSDTC Bridge 4.0.0.0\0007\_TransactionBridgePerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0010\_SMSvcHostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\wsearchidxpi\040C\idxcntrs.ini	expolrer.exe
File opened for modification	C:\Windows\assembly\GAC\mscomctl\10.0.4504.0__31bf3856ad364e35\__AssemblyInfo__.ini	expolrer.exe
File opened for modification	C:\Windows\diagnostics\index\AeroDiagnostic.xml	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET\0005\aspnet_perf2.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0411\_ServiceModelEndpointPerfCounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\assembly\GAC_MSIL\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.Resources\6.1.0.0_fr_31bf3856ad364e35\Microsoft.Security.ApplicationId.PolicyManagement.Cmdlets.dll-Help.xml	expolrer.exe
File opened for modification	C:\Windows\ehome\en-US\playready_eula.txt	expolrer.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking\040C\_Networkingperfcounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET\001D\aspnet_perf2.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\aspnet_perf.h	expolrer.exe
File opened for modification	C:\Windows\inf\Windows Workflow Foundation 4.0.0.0\0006\PerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for SqlServer\0411\_dataperfcounters_shared12_neutral_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET\0804\aspnet_perf2.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0407\_ServiceModelEndpointPerfCounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET CLR Networking 4.0.0.0\000D\_Networkingperfcounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\0012\aspnet_perf.ini	expolrer.exe
File opened for modification	C:\Windows\inf\setupapi.dev.log	expolrer.exe
File opened for modification	C:\Windows\inf\SMSvcHost 3.0.0.0\_SMSvcHostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\TermService\0000\tslabels.ini	expolrer.exe
File opened for modification	C:\Windows\inf\UGatherer\0C0A\gsrvctr.ini	expolrer.exe
File opened for modification	C:\Windows\inf\MSDTC\msdtcprf.h	expolrer.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0011\_SMSvcHostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\ehome\es-ES\epgtos.txt	expolrer.exe
File opened for modification	C:\Windows\inf\.NET CLR Data\0411\_DataPerfCounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\aspnet_state\0014\aspnet_state_perf.ini	expolrer.exe
File opened for modification	C:\Windows\inf\rdyboost\0407\ReadyBoostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ServiceModelEndpoint 3.0.0.0\0410\_ServiceModelEndpointPerfCounters_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\000B\_SMSvcHostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\inf\SMSvcHost 4.0.0.0\0804\_SMSvcHostPerfCounters.ini	expolrer.exe
File opened for modification	C:\Windows\Fonts\fms_metadata.xml	expolrer.exe
File opened for modification	C:\Windows\inf\aspnet_state\0009\aspnet_state_perf.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for SqlServer\0C0A\_dataperfcounters_shared12_neutral_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET\0008\aspnet_perf2.ini	expolrer.exe
File opened for modification	C:\Windows\inf\MSDTC\0410\msdtcprf.ini	expolrer.exe
File opened for modification	C:\Windows\inf\.NET Data Provider for Oracle\0410\_DataOracleClientPerfCounters_shared12_neutral_D.ini	expolrer.exe
File opened for modification	C:\Windows\inf\ASP.NET_4.0.30319\0005\aspnet_perf.ini	expolrer.exe
File opened for modification	C:\Windows\inf\TermService\040C\tslabels.ini	expolrer.exe
File opened for modification	C:\Windows\inf\UGatherer\gsrvctr.h	expolrer.exe

Opens file in notepad (likely ransom note) 1 IoCs

ransomware

pid	Process
736	notepad.exe

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1696	78b8e523bec99b9ed30727020896bbb3.exe
2992	expolrer.exe

Suspicious use of WriteProcessMemory 8 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 2992	1696	78b8e523bec99b9ed30727020896bbb3.exe	28
PID 1696 wrote to memory of 2992	1696	78b8e523bec99b9ed30727020896bbb3.exe	28
PID 1696 wrote to memory of 2992	1696	78b8e523bec99b9ed30727020896bbb3.exe	28
PID 1696 wrote to memory of 2992	1696	78b8e523bec99b9ed30727020896bbb3.exe	28
PID 1696 wrote to memory of 736	1696	78b8e523bec99b9ed30727020896bbb3.exe	29
PID 1696 wrote to memory of 736	1696	78b8e523bec99b9ed30727020896bbb3.exe	29
PID 1696 wrote to memory of 736	1696	78b8e523bec99b9ed30727020896bbb3.exe	29
PID 1696 wrote to memory of 736	1696	78b8e523bec99b9ed30727020896bbb3.exe	29

C:\Users\Admin\AppData\Local\Temp\78b8e523bec99b9ed30727020896bbb3.exe
"C:\Users\Admin\AppData\Local\Temp\78b8e523bec99b9ed30727020896bbb3.exe"
1⤵
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Windows\SysWOW64\expolrer.exe
  C:\Windows\system32\expolrer.exe
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in System32 directory
  - Drops file in Program Files directory
  - Drops file in Windows directory
  - Suspicious use of SetWindowsHookEx
  PID:2992
- C:\Windows\SysWOW64\notepad.exe
  notepad C:\Users\Admin\AppData\Local\Temp\Converted_78b8e523bec99b9ed30727020896bbb3.txt
  2⤵
  - Opens file in notepad (likely ransom note)
  PID:736

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Converted_78b8e523bec99b9ed30727020896bbb3.txt

Filesize
50KB

MD5
f21ac006548b1879369f00cc743e2968

SHA1
96860a75ef687cbce8883b7a6ce3bec05e33f46f

SHA256
7fdde9261fb75146f2980dcf3c6b9987012aafde8e8faa126cbf4618838a7d91

SHA512
1f7824fe91b2f7142b0683ce8051074ef575993bdd0bc08972bde2ecf7d30b0fb42e795c7cac2afdb8f8808225efae7c2fc5f3abfeeae313aa3f3894e7a71c8b

Download Submit
C:\Windows\SysWOW64\datsobex.wwr

Filesize
66KB

MD5
2c0ed3ae042d74d45d83a79c445e24ca

SHA1
f97c62cd4c4afecb61be638b4af585789015b27a

SHA256
3c4bbcbfe91100d826a1a6446f079ab19631816b216e4de6438bef0218d1d482

SHA512
2c0f86c5cf792ecda9aff1cf3e8c1af0d7233b6e1319eab44ffb44f8952c9ed2553b96ca34e183d01d05b429819b100f9213a7859342b06f712ac915a67c23fc

Download Submit
C:\Windows\SysWOW64\xdatxzap.zxp

Filesize
66KB

MD5
3e6b53b852c299d0471b8ab348f62651

SHA1
0deb6f73e4997eb0a7cd2b68865eca8c0fcd52bc

SHA256
7bfbe64c4779c065ae7d4df9fef8e1cb87f7ae68f280a86617cdb41e4a427223

SHA512
4d5c75636c4f83d069efb3028fec7a5b383da0c225f9265263cb3bf578c3a754c7b239643761aa34dd43eaba0fefef234aa426d4d7569d2042ad38308f36fbb2

Download Submit
\Windows\SysWOW64\expolrer.exe

Filesize
48KB

MD5
c7468c3d181444c4be997e785c0a7dc6

SHA1
2d15b83dcc087243b17d2bc9dd508bfea8091369

SHA256
56ee4fdeef95e57c0a864fba868426858cf0f152449644036e89f7f7a6474c15

SHA512
9f0b0909c887eb2883365a5bcd6e40296d09685086baabd8f6915c3dd1b919305b61aedb6fb6773809d62bec4bb89b52fb1b0f4a323f06ff4f2e6ab26a1c8108

Download Submit
memory/1696-24-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/1696-8-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/1696-15-0x0000000000390000-0x00000000003C0000-memory.dmp

Filesize
192KB

Download
memory/1696-0-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-26-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-31-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-17-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-27-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-28-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-29-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-30-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-25-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-32-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-33-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-34-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-35-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-36-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-37-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download
memory/2992-38-0x0000000000400000-0x0000000000430000-memory.dmp

Filesize
192KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads