Analysis

  • max time kernel
    150s
  • max time network
    152s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags
    arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    09-04-2024 19:31

General

  • Target

    48cfb10b88080f7bc8f30d6390781f0b.exe

  • Size

    629KB

  • MD5

    48cfb10b88080f7bc8f30d6390781f0b

  • SHA1

    7cc45fe067b15648dcf58508d540e97b49a408d1

  • SHA256

    a5189a7fc6e08c9a0a833d27e158a67b582ebb842d254c03d5c84186c9f78ea7

  • SHA512

    8b3b79dbb2524b09f0943ee7b08077f15421bc0e65e532baad88df0ff7657164705fdfc575615cbb05a166be4903ff11eab56f6e237809e2145d9b0104e0a1d3

  • SSDEEP

    12288:TkozRSDSNunH1kFj/gI12rJ7rxnzGQD0KMX016zfR:wozRS+QVkItXNl12es

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload (5 IoCs)
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE (7 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives (3 TTPs, 42 IoCs)

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (5 IoCs)
  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (40 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\48cfb10b88080f7bc8f30d6390781f0b.exe
    "C:\Users\Admin\AppData\Local\Temp\48cfb10b88080f7bc8f30d6390781f0b.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:4612
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2532
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:2324
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:536
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:4828
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    • Executes dropped EXE
    PID:2080
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    • Executes dropped EXE
    PID:400
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2164
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2444

Network

MITRE ATT&CK Enterprise v15

Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      5677a5cab11dd0ec60124a62b0b7cf6f

      SHA1

      47852c0398c0fd3c3cf1395b1664e85547af8966

      SHA256

      9736f1c269a1de191c3a26dd11f4817ccb34bd8f8720bc392b349a40f832d2ac

      SHA512

      d982145de4b2a31fa73539af1ab20c1b2d8ab5b568caf68600a68d3e7aa831a1cb6b008ffceec971263fa7271ee796cdc5db073f02cb176e021a1427605ad31d

    • C:\Program Files (x86)\Mozilla Maintenance Service\cacljkfp.tmp

      Filesize

      613KB

      MD5

      d296149f6607a6d4c59f5996ba5f6bc1

      SHA1

      1b23348c2fd438ffb505095ab86fb5b0599e02bc

      SHA256

      366bec7290dfd151622651823ca5172a9316cd3004107ae5987d121f93152dd2

      SHA512

      b7dbe88168cf7a6fd44f03682ac2f8b4382bfe0903060e792e324bff69af8754406d2c1599c1468b2d1c3863374f87c5d57d61a076bca696f8d8ae209e8a2588

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      1da9140fe46dbf02aeeadbef122ac293

      SHA1

      946aea98c22242da115e797136d339119e01e5cf

      SHA256

      060b4ebd79937d0390f782806ccc8270366e9f5beb85ff07d7977cc484d4e8eb

      SHA512

      a9a3951b196010b4a73390b7bae247e892e0ff6a6f528ad7f58259feb5198fdbf3592a924d37c7f20feaabf58c343e3599ec131648b478b87e738c00399f3e0a

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      6127dff5242fd478d743418c7a1d2fe3

      SHA1

      dab39ca14e6720568040439144e6920c0f82586e

      SHA256

      327e3edec344e57f0097f76f259bb219dce116605baf0226724c67ed43154b6a

      SHA512

      080a49fcfa5ff0065a066334b66345cce1e60001764e8af8a6bbce454869a5c6c0a50840006173ce4ef67e7a7283307fb6e83f2726df9c8ba7aeba127d0c73ab

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      345d36c7c99e8fb08bec29a7a0be528e

      SHA1

      21d55e037f39a95fc5627f01b61b6cf21550f907

      SHA256

      7c2c0f6f96e277a5a66ffa0e80daafbc165b88818149e3dce98ebe340f18ee95

      SHA512

      1db84a1976cf4e00cdcecd994390279d76406fb759cc989ce26851dd0686906e3a8d266f6e4266dc7a30cb80a120afc03c9940f30a2210e459659f0a46824750

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      45e87e143eea0b06c72a715629f63219

      SHA1

      3e6ca3422e4e1ae2b155e35f139f7e7d82fd0013

      SHA256

      0f8bb44c3e5ec4547c6942e2f4d663bb86b95f5762fb73362b2f968d455f39d1

      SHA512

      d1e1f44beaf5284022d7eca7a9956c6fd1a46863290b19db4548c35c7c2ade1c7f3ff21841c2f515eb92d2d7713c717c2d44ada3e0a3eb18662ca8405c0995f2

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      742KB

      MD5

      0b61ed805e778138e4a1b775d77da2fb

      SHA1

      e86cc0ffde93299792fb9ee5ef32f7afdbe04ebd

      SHA256

      66ee4ab7fa88576d64c5d6448dded0d4f96e58d05b34fd2dfb9b07010ca91c35

      SHA512

      b169c5d5b738aecc459f56aea0a2e7096ef8ea9557f5b78500468a7fbfc1c65a94ca28b39ed7431057eb01eb3dfa70de3f45e438f383e7d410f411389944472f

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      483110b314b12b1e05f7611a712407e1

      SHA1

      6e086f9bd875e0985f852eb2f1a4c108048ea2b3

      SHA256

      d6020a9a6f2e6809e03d37d101a03703c205e42b99d82f838c6227769180ca40

      SHA512

      4ad78b29c957dbaee04362f71854a0af07898f3dc19a0792c5c377f48f92141e17836e90edbdcc3601c6360911a4f50c22b610dff5fddf4e41d2e7252c616b8a

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      0c0e50e2be48b8323447dcad1504f82a

      SHA1

      0352a624b41669c79c4fb054f8d4c9e1ca3f599d

      SHA256

      193f540bf5fe489abe2891ece5b6b8a58874ffad0b93b74dc93fa276befd88a6

      SHA512

      a11a8def9be48f245694c3829cf8cbf59e3d1928110ac3740cadee5172b33c36e300291c75b8bb4eb9b28b803c378fe6e5ed08c4407d3a181d42da30c0e61905

    • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe

      Filesize

      2.0MB

      MD5

      03a4e5b085b98905dd705e22fe4af694

      SHA1

      2349a9bb74617eb0a2a904e6e992ea8326441ab0

      SHA256

      547efa996f879f6437dbf015174da160195d42fc4184907d274002b01a003b85

      SHA512

      6552626f2469b82a29903598876cbf698084395f52f947fdc30585bbf04a8e775bd42d2ecd9d575863ced708cdc9de177bb53d32ffe37810956686a1e1bf0fea

    • C:\Users\Admin\AppData\Local\imkmmonk\lljkhlkl.tmp

      Filesize

      629KB

      MD5

      1ee4cfd6cbfeb91870fe13cc625f05aa

      SHA1

      903701ec16ef43bac028fa6042aa2792441cde24

      SHA256

      e377c08fb278a7fd6ccf6ab717c2965ba20d2f17ad0be65484205aaea99b76af

      SHA512

      9aeb933906110d0d9d2c01adb945edd6c2db608e027ff2159a708b06bb548ad987d5781c9618890109632e76edabae0bffc0927110fd993fc87c181bbee8855a

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      822KB

      MD5

      0c4193f6c6b6fb93efb756190809ea91

      SHA1

      586a0eaaa6b9ac8fdbf4522e214dfebcbf20016a

      SHA256

      be928a9a4ff9f1399cf9218b62070b0f0fdfc98af6f4e55b1186ff0bee370c09

      SHA512

      304ee5e69de5644881988a5720faa796ddbb2b37d7bc5479a1f02c9db98bf330cc868dbbe068fa8ce084de1fa39d959337d034c0e9a560911f44b8a2d8783417

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      491KB

      MD5

      2c778e8dd83a250b37cac3cf6acbd578

      SHA1

      1467c5e32e1676017dfd83abe98f9496e7c24093

      SHA256

      694dea37385b75963b87a9f676789c2ed465b33c5aa5eefbfc543039ad94bd91

      SHA512

      b3e1cef82dccbba2ca2ad1ae0437844ba54ede71ced52aafd52ef90a3625234dbe059b1e2a9fc052cf819c9474d695b214f3b6171c1bff52fb38cdacc42b9342

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      030164fae7fe1e6a2e2ebb645360a35d

      SHA1

      31d64d514b377b34c7be08b8bf8a007ef6f17874

      SHA256

      852616c2092f6b1b7f6cdb11ab55d875b5c17d4d9b5f6e48def8ce4561d8fcb0

      SHA512

      fb8a34b4d40758c4717d0f22ce55d04ce839a89c8ae67861bd7f52a31f396be87617537797269d6ecadc5bc3ee00c93793624c2fd5d0fd7bf18304109fc06750

    • C:\Windows\System32\alg.exe

      Filesize

      493KB

      MD5

      a9ba811684bd2f956a55b47b3ab268b7

      SHA1

      0fdbf1b38908d152c83837f29dae93f84864555b

      SHA256

      44ff45cb7682f37b312d2cb337ddf51c2786c939f20df9f8946565f2348ac3fc

      SHA512

      acdb7a36a9127f3acdeeaf9c4a43d30ce6a1d4d0f47bb2c1cef8780718402ea082ca2b211b5a19bae197e278d8e94800f1a324ecadbfec11cbba6c73de7c4410

    • C:\Windows\System32\msdtc.exe

      Filesize

      544KB

      MD5

      9a1ad88b6deb75b55bf60c6c5926c652

      SHA1

      e5f7aa50220c923362f3a8e7595ecba23c82ee98

      SHA256

      09b4ae39f0d7b4acdd9460faa32c8774e7461aac9ec084d6fd3a5066b6be27e2

      SHA512

      eeefe0a3ef11905dccaccd9ab23c8051eff791d1bf73ad77f335b10519bcc1ce22f026b6d5fbdea8fd3891207a2eefb3447193b9b8447aed736fd224a97a85da

    • C:\Windows\System32\msiexec.exe

      Filesize

      467KB

      MD5

      d2f88567c8ee1984b5880e2ebcb0ae4b

      SHA1

      e514fa75f729019f0d368f4b9af056ca0a1d6e07

      SHA256

      1841f6ad80b8324529944341cf8e5b767d8ed36cc7c112297c8ddb9f67d6bf0d

      SHA512

      56ebea4a4ee3f9fa45fc3946e9d4187e3292b6ee66b437566b2c7ac4b5d93fa8ce816bd8cc6068c59049a37a8331035e380d0f21cf046632c77db718c9b44904

    • C:\odt\office2016setup.exe

      Filesize

      5.4MB

      MD5

      15c9ce4ceca3281e4b2a3a54c1c4b95c

      SHA1

      ac664fcceca11fd7d7d106701e8f2dc90117f105

      SHA256

      6a34976a801f26fc5def7b8fbead4b2a2cadacfcb5dcc1c541f764d2e1513baa

      SHA512

      7fa7e977377bca6fbca0f2a0c4ea5a3e842e776c084a1ffb0da9a702cbc989a1328829582164be01b66837d9b95568d18bb4f2357dca18566f685887df251ba9

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe

      Filesize

      637KB

      MD5

      ab657ee4352840849b7dd1d4d06eb8e3

      SHA1

      929823d2e25a80b694d494ff74bd03f94ebb2d32

      SHA256

      fea1afe9d96b11e423d2cb35aa28a0c1b0cfcc9236d8d2ff3fe0f2d10ca34c98

      SHA512

      d870ddc3fcc47fbe14681b19eac9034a6709750dfb2c3b4565ae9f033b8460e18a1ea9d973c9b8d02965d185f8a9cdea437d0284bb7cbf3f66bd808d2f926c4b

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      50aaf2a15f9eaf6fea3f224e026b84f8

      SHA1

      4ec8be6ddeb10b2798a639be88aa04665816a5a2

      SHA256

      4ddf5bf789dd5256f58dccb68c1d0e9b809bc51fdb377af49393827c0b84d672

      SHA512

      392eac224e5b6b451d1db7754360721a32f8075fc89aec0cad5a4e3b8a4c96de6d0d2a2db9c448b13c955fd2180f57d68774468ea49944ba50a6873da41ee7bf

    • memory/2164-193-0x0000000140000000-0x00000001400E4000-memory.dmp

      Filesize

      912KB

    • memory/2164-82-0x0000000140000000-0x00000001400E4000-memory.dmp

      Filesize

      912KB

    • memory/2324-40-0x0000000140000000-0x00000001400D4000-memory.dmp

      Filesize

      848KB

    • memory/2324-167-0x0000000140000000-0x00000001400D4000-memory.dmp

      Filesize

      848KB

    • memory/2444-199-0x0000000140000000-0x00000001400D0000-memory.dmp

      Filesize

      832KB

    • memory/2444-98-0x0000000140000000-0x00000001400D0000-memory.dmp

      Filesize

      832KB

    • memory/2532-151-0x0000000140000000-0x00000001400D5000-memory.dmp

      Filesize

      852KB

    • memory/2532-23-0x0000000140000000-0x00000001400D5000-memory.dmp

      Filesize

      852KB

    • memory/2532-49-0x0000000140000000-0x00000001400D5000-memory.dmp

      Filesize

      852KB

    • memory/4612-0-0x0000000000400000-0x00000000004ED000-memory.dmp

      Filesize

      948KB

    • memory/4612-120-0x0000000000400000-0x00000000004ED000-memory.dmp

      Filesize

      948KB

    • memory/4612-3-0x0000000000400000-0x00000000004ED000-memory.dmp

      Filesize

      948KB

    • memory/4612-1-0x0000000000400000-0x00000000004ED000-memory.dmp

      Filesize

      948KB

    • memory/4828-47-0x0000000140000000-0x0000000140160000-memory.dmp

      Filesize

      1.4MB

    • memory/4828-48-0x0000000140000000-0x0000000140160000-memory.dmp

      Filesize

      1.4MB