Analysis

  • max time kernel
    150s
  • max time network
    153s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64 arch:x86 image:win10v2004-20240802-en locale:en-us os:windows10-2004-x64 system
  • submitted
    31-08-2024 15:27

General

  • Target

    3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe

  • Size

    625KB

  • MD5

    d0880ec1ab1627d23202ee86d33b7356

  • SHA1

    a8dae933bdf12ccdd8f1c763d3be932186fe8966

  • SHA256

    3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af

  • SHA512

    1d833b5f77b8cbb66224effe69daaa78e2b3fcfd2bde89c6d3bced4dcef83687b1cbeacd22f0055003ed0935a3cc83972f5b16a1fc476a896beae7d620c50549

  • SSDEEP

    12288:bVt+w8wyv/566WoJMOYeRqmyfq5M7I4XbDhyGdPiMbSLJj2xshdFSRO:ht+w5yJDJGeRMhjdudaKh

Malware Config

Signatures

  • Expiro, m0yv

    Expiro, also known as m0yv, is a multi-functional backdoor written in C++ that spreads as a file infector: it writes its payload into executables already present on the host. That is why this report lists legitimate Windows and third-party binaries (alg.exe, msdtc.exe, FXSSVC.exe, SearchIndexer.exe, 7z.exe, the Chrome and Edge elevation_service.exe and others) under "Drops file" and "Executes dropped EXE" with hashes that differ from the clean originals, and why the infected service binaries appear in the process tree once their services start.

  • Expiro payload 5 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 8 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of the victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 40 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 30 IoCs
  • Suspicious use of WriteProcessMemory 4 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe
    "C:\Users\Admin\AppData\Local\Temp\3a6316319ad822be021d48242dfece7f9b8668bae7d19db466b7d514eeae41af.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2808
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:696
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:2248
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
      PID:2608
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1144
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:1572
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2600
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in System32 directory
      • Drops file in Windows directory
      PID:2144
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2580
    • C:\Windows\system32\SearchIndexer.exe
      C:\Windows\system32\SearchIndexer.exe /Embedding
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of WriteProcessMemory
      PID:2092
      • C:\Windows\system32\SearchProtocolHost.exe
        "C:\Windows\system32\SearchProtocolHost.exe" Global\UsGthrFltPipeMssGthrPipe1_ Global\UsGthrCtrlFltPipeMssGthrPipe1 1 -2147483646 "Software\Microsoft\Windows Search" "Mozilla/4.0 (compatible; MSIE 6.0; Windows NT; MS Search 4.0 Robot)" "C:\ProgramData\Microsoft\Search\Data\Temp\usgthrsvc" "DownLevelDaemon"
        2⤵
        • Modifies data under HKEY_USERS
        PID:2952
      • C:\Windows\system32\SearchFilterHost.exe
        "C:\Windows\system32\SearchFilterHost.exe" 0 804 808 816 8192 812 788
        2⤵
        • Modifies data under HKEY_USERS
        PID:2488

    Network

    MITRE ATT&CK Enterprise v15

    Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      7d0b74452b5b82e0fe2e28e2c1fd2029

      SHA1

      4cca205c74ccba317461a0445a96685e8089a775

      SHA256

      5a9709e68aabce988c8d95e2ece4bb55eb29497c2052fd6e605ca0d231d78816

      SHA512

      f24895a21c5059fb3e1f0d868cf661584c21f5f82fc57af6f6095f326f0f3479edf4ca700ed65f59039df94f4db069032f202e3c4349dd15c51b2c1e82637bd1

    • C:\Program Files (x86)\Mozilla Maintenance Service\iihbqpbl.tmp

      Filesize

      621KB

      MD5

      394bd4f3344fedac858e3b3e930f615e

      SHA1

      4073b6b6f08e515c4efdb2c3be235c52e51563c5

      SHA256

      c1beeea028eeba2670dfd6f8484c0973120e734f1e65000931bc62e5933eb764

      SHA512

      66fc9703e034212b640fc8fcecbb9e8b91af7a1ab5d3007e3da5d77a4d3012419befbe616e10ec4530d4ea94dac31b2407bcfcae848dfce966f588205b0deb4b

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

      MD5

      04aeac909638aee43acddb5833fc4207

      SHA1

      7c0096ef3ea0cf44b09eb0f68195b42affa10742

      SHA256

      cfa2841d5733044b25bb8b680ee41e412ee645ee5f4b7d87fead672fed0e3551

      SHA512

      2113a05de97738be2a0721ff53360e31c8a2258d9078639ce0a20a763a2fad6ee26365824eaa57e435108c8891428a8904636ec4851271a2e40556f57354c006

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      205cb92b74171f11a46bf5d625af1aa0

      SHA1

      7654ceccc5d9220eea1ddf663d18b2a48c65f863

      SHA256

      c9a28e50d2b57896e185063f215bba980304ea23cda9b83d84f82878e756241f

      SHA512

      54f7b81b2909352182b28c469b4817fce830ce34df0b2e9b446de00317f7f4d509fe28e0e2794ff9e397b658e4ddc689c361a916c5d02d13618bf7dd345f599c

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

      MD5

      dea09547ba96de90d61b37adf0b4fc67

      SHA1

      ba9be74b45649f9a812eb9402169918170607577

      SHA256

      da10496491cc0ff8faa1f0e35c616672533a1cabde7d68dbfda809a080773da6

      SHA512

      8cf851bd1407f176432cca16e39b3c6d94e22e984ea41c8039f93318c5e5472511ceb27a434670078bdce68f460074bf384b786af6eeb75f8eff6ed2800b0954

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      7776832995b3e30f757beb5d66433f38

      SHA1

      128acb25bf1d2919179930edf9b75b6d940ea9f3

      SHA256

      41b1081c1efa486136d91e0d10b17f52eddf12e425aa9b17a0490dacc5041044

      SHA512

      8e87993512124110ca6f5fc256f8a645c5ea16bdad57c621e0e56d2ca1415ae17ea57eb552cf5b2366d530d1b44c920845a5b7ad310d5e9f00861099440972be

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      8748b307e297382f5fa5eb44ebb2a971

      SHA1

      a521155634a5f8b05c32b96edee41b52031e342a

      SHA256

      81a80f827eebc82aaf174af86e773cd0bef6e5726776ac360fde5a4cc1ec02b2

      SHA512

      67efccbf9c73fe517614983a32b1da39a38314c15b151909f1fa94f910203a2ccc769cbc631b493f9d90390698509b10deeaeb63209d18fcd1d523b5c4c3cee2

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      c5c148ea805961f1b3f92e4f662142af

      SHA1

      594f3c81e9047c47676cb4387114a66080b920eb

      SHA256

      26b525d0f45c10a23bf4c3487a2c4a1d8ebe16115a9d16a0ba0ec7705e835838

      SHA512

      1df40ce6754694bda85dbe84f8ab9d5e26d571de3107ec1e81313e1bc0d7fa79e655711ef6a7b8fea9928d01441d6caf0188d7e562b4a9582e5fd15f51a7f385

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

      MD5

      2c85e12bf48cd47f0f7603a46a649a66

      SHA1

      d594947d16d029cdd8e8fd0a98dcff1eb00b9938

      SHA256

      8190c49e50d5fdddb6e253edda5b408f60cf1bc54c7e754504fbf1455dfa8a23

      SHA512

      b1ac1d870c61346906a2f59dc14d55d54a11091421c061b1f7c3f19c8db49d9fb21dbf0848f90fa518edbd98951ec412f923b70084d9787589fad6bccbddae01

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      5d6800283fc0a339b9dcaf17168a7ed5

      SHA1

      aee8ffcabc943b6135008b0c7febcb4bc95e49e4

      SHA256

      e7d6495c99ca67d737463f8c251d5b7abe7f829cdb0dc0d7d33b029a935ad12d

      SHA512

      47a3f03a31a6cc3239bc24f1c8543270129e69a425093676e515eba57417d5a963d1373935b4f3b8b8e29686d425d737cf18761a2488dc1d7b57b4629bbf3a59

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      ac0897d022d3c27248370685370ae1ec

      SHA1

      24bf22db804346de25d32f4eaf0a34ce2f583e4c

      SHA256

      143f6a0d9e2e73ea44fd8eb1e55dde308c7c90bdb9cff88bc16bb65be2ee683d

      SHA512

      42dda251364cc78866c2f1746d907be2256774d5b3430d6f6d582d51a7f222a46cc57b4ce6ba4113c756cf51cb71fa097a350476f40b5f558a1e00a204a67987

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

      Filesize

      2.0MB

      MD5

      a9b87b127961bffb729578b7e3a41375

      SHA1

      e43418e1bee7971fa535c67b0caf1b8caf8ed79d

      SHA256

      fbad2ded5111b67b5c92d2cbbfda1ea0a18eadbe6091df9b50dfd1d019d887be

      SHA512

      2a61aa23bd176b90fa3f6955d457f50c095f050fb5d511c55c0dd94add6b21454d06856bc5905ecd31d7617820f6bf17b335b5191c22504030392d413218e418

    • C:\Users\Admin\AppData\Local\rdmopcjb\kaclenfi.tmp

      Filesize

      625KB

      MD5

      bc4c920812a5c6adda5e824c5186119b

      SHA1

      9fd94462f5319ec6bfd83ef0ba373f9f56d49f73

      SHA256

      065bc6d48047c3e2a37efd894e66d2a127b024b9cda05c13a77ba4270d281a72

      SHA512

      3369210915b62cfd9f9076d95c7e2eb26b51524b1dd8e5c3b5a3b0453cef91fd5a6c18772538b9948b01ad17d0d2b6d3468fa7d8ceefc8c504e865ae1685af42

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      818KB

      MD5

      bdbb786bfbaac43d6ad1d5127c53b723

      SHA1

      83b5878593d4050914edec3e6c32311fee196635

      SHA256

      2c06128e9f551b4b61257e19d605af9f32b76aef17178e6d353235ee41c90d5a

      SHA512

      304e979d6fbccab74614542ebe3e85b33f6af40866758b4cf570a43746ce3c81784b0d789b8a5bcfbbfd67ae12f93de27ca352eda08eba6bf4aacac4768be808

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

      MD5

      20e878859fc9f023b26ad656e69301c4

      SHA1

      f0c25d98a2a052809b59b0bb46d285eb6f8f01d5

      SHA256

      814ad5c2f5635962c5c6c6765b489d116e116df357cf70429e3bde5fa10b4c4d

      SHA512

      b5d5cd7d6980da62368aa0788e85599db041e7407e3ea5570956c235c28d3e071cd76851c23ea349ac7732e081e0f00b4d66926bff6b338fba0e2a3651a829b7

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      b9bc05f0fae4a3ba4c63a60e93a28ac2

      SHA1

      791f9c640903fc411627936e103e072f4a76d3dc

      SHA256

      22c212c69876196d117f543df3263f3b9b39fe379493741b262d1667745a927e

      SHA512

      9665292c63e0ae36465d0f61c2b1ffdcdeabd6803be0e9beefe16569a10eef43103a354b8b62a2129f4cd391570af32fb12cd48e805673c7a0d7a70c6bdbd858

    • C:\Windows\System32\SearchIndexer.exe

      Filesize

      1.3MB

      MD5

      fdb90b061d9db265d0f3570cada5b2a9

      SHA1

      5627d7934101fce9b3b0e497c4bf5c79a699e649

      SHA256

      37bb254012a27f32ea8892afe4194b90232021e17c3db52faf348bd534e6544a

      SHA512

      65eae1526b2f07f1686d6b2194ae94d497e08545fd1e18a18d0922a421108141fecbc5eab798df74571479d316b13ab89a26fa9175f1e1fb10b2713b2c62764d

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

      MD5

      fd9f5d8b1fbf9be94a640c346bafcd38

      SHA1

      28f90561cd1cf966af7826bea4604870179bb719

      SHA256

      ca25d0890a9dfbc683a6f07650701e91765cea4e118e5c9e70fd1a20481981aa

      SHA512

      0a24351d33c6faf48b07c8f957158f43e2af3b0a1d20946a2f01401e8347b6501ecb1d5450a361923e9176cf5e5b1f878223bbd1701e198a27ffc47055bd5378

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

      MD5

      b8b5e6a643c8069d37fe3fa68db485e7

      SHA1

      5844e976bf42bc90cbcc2e2954adaac92b2f710b

      SHA256

      5e95f41f0a0738e03a8fdcb8aba713f8190703e584ef177650b94d4b4313c6a7

      SHA512

      c7aaa8f63f079d40d623ceeef75d0bb60295c26dc482c2054ce2d9ffbb0071987b012156f4b1ac93baa0bcfa69a35c5edad15a922a4049b51a5ad3712f2cc29f

    • C:\Windows\System32\msiexec.exe

      Filesize

      463KB

      MD5

      c6b0750173859425708c0a356fb74377

      SHA1

      1087c8eade1af80be55df01d8dc7141e3aad090d

      SHA256

      aa0d4880d42e29f8ec2a597136b9d6f27080543c49fac73bc228d37a38fa747d

      SHA512

      b0a46347d2c828d7bcf27c6bb77d7c1625d2fbf26a5ce154dc7e8445a50fee717671b19f9289daea9d0a926805abfe9a169039f0ba49785c9d863b795afd7913

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe

      Filesize

      637KB

      MD5

      113741dd913ba16272df427ca7680d3a

      SHA1

      994d13cad760f05c50241c1d6a926afcb0888cd1

      SHA256

      2f0d454a5be3edea590fb5bca7e5846fc72508177d29c21c598288b3dbbbfab6

      SHA512

      ae56289c5dfce89d78be98c93cab377c95a83ce47b4a4a22deca3ed987737c42841321823c0fca41268e739b522b10acee71b9ed659c1c74481a4d604fc953e8

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      51c63fbc53ec639ce19309376fcd8f40

      SHA1

      2299ef2f99ab7754872e0c26e517a51cac4ff5b7

      SHA256

      c1094cd63b7f24d515379204b06c27788729f35dc06a537ed344300e419eef61

      SHA512

      42aee4599b183f41de8d6d3f78f85cd5f93dc36801da330cfee24cbbffb65937b7c7a668758a5c4033b18eda8b93f22121deacd685a83f6e8ce0d6dc40f0bff1

    • memory/696-58-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/696-57-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

    • memory/696-23-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

    • memory/1144-50-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/1144-48-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/2092-215-0x0000000002780000-0x0000000002790000-memory.dmp

      Filesize

      64KB

    • memory/2092-199-0x0000000002500000-0x0000000002510000-memory.dmp

      Filesize

      64KB

    • memory/2092-231-0x0000000006DF0000-0x0000000006DF8000-memory.dmp

      Filesize

      32KB

    • memory/2248-86-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/2248-40-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/2488-271-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-285-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-272-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-274-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-275-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-273-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-277-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-279-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-281-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-280-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-278-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-276-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-282-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-283-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-284-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-286-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-287-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-269-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-294-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-293-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-292-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-291-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-290-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-289-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-288-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-266-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-270-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-268-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2488-267-0x0000016E2FD80000-0x0000016E2FD90000-memory.dmp

      Filesize

      64KB

    • memory/2808-0-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

    • memory/2808-49-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

    • memory/2808-47-0x00000000004BC000-0x000000000054F000-memory.dmp

      Filesize

      588KB

    • memory/2808-3-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB

    • memory/2808-1-0x0000000000400000-0x000000000054F000-memory.dmp

      Filesize

      1.3MB
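As an added example that is not part of the sandbox report, the sandbox vendor's tooling, or the malware itself, the following Python turns entries in the layout of the Downloads section above into an IOC table, sanity-checks each digest, and sweeps a directory tree for files whose SHA-256 matches one of them. The embedded snippet copies two file entries and one memory entry from the report (with the page's blank lines removed; the parser skips blank lines either way). parse_downloads, well_formed, scan_tree and self_check are hypothetical helper names introduced here.

```python
"""Parse a sandbox report's Downloads section into an IOC table and sweep
a directory for files with matching SHA-256 digests.  Added example, not
part of the report; parse_downloads/scan_tree are hypothetical helpers."""
import hashlib
import os
import re

# Entries copied from the report's Downloads section; blank lines dropped.
REPORT_SNIPPET = r"""
• C:\Windows\System32\alg.exe
  Filesize
  489KB
  MD5
  fd9f5d8b1fbf9be94a640c346bafcd38
  SHA1
  28f90561cd1cf966af7826bea4604870179bb719
  SHA256
  ca25d0890a9dfbc683a6f07650701e91765cea4e118e5c9e70fd1a20481981aa
  SHA512
  0a24351d33c6faf48b07c8f957158f43e2af3b0a1d20946a2f01401e8347b6501ecb1d5450a361923e9176cf5e5b1f878223bbd1701e198a27ffc47055bd5378

• C:\Windows\System32\msdtc.exe
  Filesize
  540KB
  MD5
  b8b5e6a643c8069d37fe3fa68db485e7
  SHA1
  5844e976bf42bc90cbcc2e2954adaac92b2f710b
  SHA256
  5e95f41f0a0738e03a8fdcb8aba713f8190703e584ef177650b94d4b4313c6a7
  SHA512
  c7aaa8f63f079d40d623ceeef75d0bb60295c26dc482c2054ce2d9ffbb0071987b012156f4b1ac93baa0bcfa69a35c5edad15a922a4049b51a5ad3712f2cc29f

• memory/696-58-0x0000000140000000-0x0000000140136000-memory.dmp
  Filesize
  1.2MB
"""

LABELS = ("Filesize", "MD5", "SHA1", "SHA256", "SHA512")
HEX_LEN = {"MD5": 32, "SHA1": 40, "SHA256": 64, "SHA512": 128}


def parse_downloads(text):
    """Return {path: {label: value}} for every bullet entry in the text."""
    iocs, current, label = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:                        # page layout uses blank spacers
            continue
        if line.startswith("•"):            # a new entry; rest is the path
            current, label = line[1:].strip(), None
            iocs[current] = {}
        elif current is None:
            continue                        # text before the first bullet
        elif line in LABELS:
            label = line
        elif label is not None:             # the value for the pending label
            iocs[current][label], label = line, None
    return iocs


def well_formed(entry):
    """Every hash present must be lowercase hex of the right length; this
    catches truncated or wrapped digests from a bad copy of the report."""
    return all(re.fullmatch("[0-9a-f]{%d}" % n, entry[h]) is not None
               for h, n in HEX_LEN.items() if h in entry)


def sha256_of(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def scan_tree(root, iocs):
    """(local_path, report_path) for each file under root whose SHA-256 is
    in the IOC table.  Entries without a SHA256 (memory dumps) are skipped."""
    wanted = {e["SHA256"]: p for p, e in iocs.items() if "SHA256" in e}
    hits = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            local = os.path.join(dirpath, name)
            try:
                digest = sha256_of(local)
            except OSError:                 # unreadable or locked file
                continue
            if digest in wanted:
                hits.append((local, wanted[digest]))
    return sorted(hits)


def self_check():
    """Constructed end-to-end run: a benign temp file is found only after its
    own digest is added to the table; the report's real hashes never match."""
    import tempfile
    data = b"constructed sample, not malware"
    with tempfile.TemporaryDirectory() as d:
        p = os.path.join(d, "sample.bin")
        with open(p, "wb") as f:
            f.write(data)
        iocs = parse_downloads(REPORT_SNIPPET)
        before = scan_tree(d, iocs)
        iocs["constructed"] = {"SHA256": hashlib.sha256(data).hexdigest()}
        return before == [] and scan_tree(d, iocs) == [(p, "constructed")]
```

Run `scan_tree(r"C:\Windows\System32", parse_downloads(report_text))` with the full Downloads section pasted in as `report_text`. A hit on a path such as alg.exe or msdtc.exe means the service binary itself has been modified, so the fix is to restore it from a clean source, not to quarantine a separate dropped file. Because a file infector's output depends on the host's own copy of each binary, these digests are specific to the sandbox image (win10v2004-20240802-en); a clean hash sweep on another host is necessary but not sufficient, and the Authenticode signatures of the listed paths should be verified as well.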