Overview

overview

10

Static

static

3

0e151bf158...cs.exe

windows7-x64

10

0e151bf158...cs.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    150s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system
  • submitted
    11-06-2024 23:47

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe

  • Size

    875KB

  • MD5

    0e151bf158cee4eb0de5c8dc297b09a0

  • SHA1

    382d97c653365402dc7b88703f01c22950a5e37f

  • SHA256

    9b5362142a7a4cbb8fdd1f2d947ebedbde5289f245e3777601ff964672a1d700

  • SHA512

    0e41168f3c4d757ac67ee4d03460d4b710d86115c04d9b04a8eb9550d17d52f8cc7fbeb91d29b8353ee594c545e8cc1542cf3804579751a2cc696d7b64da12df

  • SSDEEP

    12288:GQWN/7YkrWBfWhvRhQUAIUfezD/LoN/MhVl1cJ6Q5joTeRH6R:GQWN/7DSBfWhA030Nc1ujo616

Score
10/10
expirobackdoorspywarestealer

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe
    "C:\Users\Admin\AppData\Local\Temp\0e151bf158cee4eb0de5c8dc297b09a0_NeikiAnalytics.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2964
  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:8
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1036
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:3384
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:4004
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:2748

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.0MB

    MD5

    4cafc1a8e48df58261715971f0541f36

    SHA1

    3182b9b838ef30e3578e968650092b578b7051d0

    SHA256

    5be8979dfe1349eda329be19380a3e52c0476277cdc9bc7319eb5d651ec14333

    SHA512

    71eb14716ab62de8223cf47a2fd323cc9d0bde06abbe462a565db8405a80d5f9cc34408534bedcde5525b542c27b6f2bcfa87655c10496b888e9ef9c386256a0

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    727KB

    MD5

    db065dcd5704bbe1f37396978ef6cf59

    SHA1

    a3d9beb81f69c0a6d9a077786faf9a95142de865

    SHA256

    e86ea905781ce022ce6b20d33a07080a85164f3cfe26ec1d21d1ba6e7153e9e3

    SHA512

    85d96a634a8c63c973f2a0e88465e5243adb92b6a4dfc3c721b25f96c7b500f7d413bbfaa1290379d61d03eac424d0e37e3eee399ef3b5ab07d46be7a0e7a74f

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    736KB

    MD5

    2357ebc758a8af52246f46e9bfb9d06a

    SHA1

    0a0def5fd86f42b832386eddd8b6fb7968299e75

    SHA256

    ae34bd055bff347ebdbb3a4dba005c61a43fab7303dd87266e531342c8189be1

    SHA512

    5ea0b374d947f1cfca066a235a40433de1d3f8eba4e71ca8ebeabd05e1fbbf4528f2e9edeafa9b95935efef796243aa2307cba4f331e0798a41e306699281212

    Download Submit

  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\Installer\setup.vir
    Filesize

    5.3MB

    MD5

    188982750fba34b33f39ee427a952f91

    SHA1

    90ec6a7f563fb86d62486a79e3b8a5b5d750a93d

    SHA256

    fdc16c2c6e9c2a7774bc00d1b3e2b7b3f725e7deb18573a549d41586eb4fb0b7

    SHA512

    8bdc112591eb0bac988fe6b98647e8bdb1fa9d3eb2b61a0ef2e73ea87cf2dcbcaa9a52e2aef3688488eaa23515b2f0bcd995e83dcf7b97cf6067b597a945c689

    Download Submit

  • C:\Program Files\Google\Chrome\Application\110.0.5481.104\elevation_service.exe
    Filesize

    2.1MB

    MD5

    c4317c51d54a4b9fbf05d7dc5457331e

    SHA1

    e18a9b7e1785cdb633a48a94f4de031975ff08b0

    SHA256

    52f230295206938dd89585d5e56afdad87b7c9e5dda2b3980e1005e1029ed8f0

    SHA512

    d1fab77e7e345737f84bbc4c82407c53e04996bad2e6a2b57230368b1567a80e5aad093e84fa98f231609dede622777dbb7c683b37bd09dd49643c5200ffaaee

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    294974f5765823ed6d795648b16ddbdc

    SHA1

    1534ed61b2413fa9399ba1de9833d73bf7c45439

    SHA256

    e8d8b7711882763d876562c664755f33c4fa8bdfb33c1268523a7e94282cf760

    SHA512

    d721a6b534e2b7110cc0ca683955baf342eaff75c5ce50136a9408196e00071ae6492ca04e20171a8f8a5417cc3831f7145e198cd49581d8a875621ef4468beb

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    919KB

    MD5

    68e1eb120293650f652cbf436293ae02

    SHA1

    43c7d9a2e2b491e8d8024afb503e5170141580ed

    SHA256

    750403146ebab9354d8f0ae3e5087bc0053494313953e9edb6c5afb3c7e1ace7

    SHA512

    9dc1b4113c6f902b683cc185f54696d7c9ecc5d6ec4ac27ea16eb8a61c3383ce7ad12a928ea0558ae305ac78c9147da883b57207a672e944ce97e660182ee94b

    Download Submit

  • C:\Windows\System32\Appvclient.vir
    Filesize

    1.2MB

    MD5

    a2311b03bedf9534da3196a22093f05d

    SHA1

    9b440ed5b9335f9676164ec53cfcc7dedf4ec253

    SHA256

    d592b707a51827e65254efc0e3bf1642171636ab41a048c8b7a52977db0b526d

    SHA512

    0607be5106eaa038c10f6356be7258f3292110adbe0cfb8b96d44ef2e5d6ff655e39bca85076c8ccd89bbff5156b19fe88dcd4f6dd5c880b17aaec9150ac97c3

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    870KB

    MD5

    3a71fd0ab8a5efec3e32a57c3bfce078

    SHA1

    48ce22f53222f2039395dab6d10dbd346aa3aec1

    SHA256

    92066d62e59ce1fe128df98845c56bb9d51122716da0cdc71a6aa0d27646a08d

    SHA512

    91c68d5faf252996ac135416c86668a59ffc08efc5561251e21b8533bea273434f57d6133eea46e19da0b617917ce470100f4fc8e984b6b17fc8ffd7aa11d382

    Download Submit

  • memory/8-19-0x0000000140000000-0x000000014038B000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/8-20-0x00000001400B5000-0x00000001400B6000-memory.dmp

    Filesize

    4KB

    Download

  • memory/8-131-0x0000000140000000-0x000000014038B000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/1036-27-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1036-130-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1036-28-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/1036-129-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/2748-76-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2748-75-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2748-143-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/2964-35-0x000000004AD00000-0x000000004AEFF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2964-0-0x000000004AD00000-0x000000004AEFF000-memory.dmp

    Filesize

    2.0MB

    Download

  • memory/2964-1-0x000000004AD05000-0x000000004AD06000-memory.dmp

    Filesize

    4KB

    Download

  • memory/3384-60-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3384-36-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3384-37-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4004-62-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4004-61-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/4004-137-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download