General

  • Target

    9ba0dda8caa62e0b27cb373f38095ddf4291086f24f8a2a9bb3ad0a89b05b6b5

  • Size

    405KB

  • Sample

    240901-xna53azdlh

  • MD5

    937de6a7004ee40a65b654d1c1df70e5

  • SHA1

    c3031e5b2a161ac0c400e5b94b8d712c9d25e70d

  • SHA256

    9ba0dda8caa62e0b27cb373f38095ddf4291086f24f8a2a9bb3ad0a89b05b6b5

  • SHA512

    d6f8ed341a24086bea106b7469ea3578697569ee2545667ba078f3d4c53b6f4a78c6edd5899cbd11118fd8836b3acd10665dfab37a129adf218d2d52284b85d4

  • SSDEEP

    6144:9E7wQ6wQZ83ObLa4g1n7xh4HMm8YlEvpq8RTgTnnFs9Caggs0u2ATBm6522DNqk:9EX13cLCZdasQlGJtgznFECir2sj6NX

Malware Config

Targets

    • Target

      39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf

    • Size

      625KB

    • MD5

      90180f284c1a5dc94ac94cae1dbdbfcc

    • SHA1

      dbeb50c4cf66722a01bc391c225bb930354a3fc4

    • SHA256

      39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf

    • SHA512

      4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04

    • SSDEEP

      12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5

    • Expiro, m0yv

      Expiro (also known as m0yv) is a multi-functional backdoor written in C++.

    • Expiro payload

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15

Tasks