General

  • Target

    48cfb10b88080f7bc8f30d6390781f0b

  • Size

    629KB

  • Sample

    240409-x8ptysfg23

  • MD5

    48cfb10b88080f7bc8f30d6390781f0b

  • SHA1

    7cc45fe067b15648dcf58508d540e97b49a408d1

  • SHA256

    a5189a7fc6e08c9a0a833d27e158a67b582ebb842d254c03d5c84186c9f78ea7

  • SHA512

    8b3b79dbb2524b09f0943ee7b08077f15421bc0e65e532baad88df0ff7657164705fdfc575615cbb05a166be4903ff11eab56f6e237809e2145d9b0104e0a1d3

  • SSDEEP

    12288:TkozRSDSNunH1kFj/gI12rJ7rxnzGQD0KMX016zfR:wozRS+QVkItXNl12es

Malware Config

Targets

    • Expiro, m0yv

      Expiro, also known as m0yv, is a multi-functional backdoor written in C++.

    • Expiro payload

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks