Analysis

  • max time kernel: 150s
  • max time network: 102s
  • platform: windows10-2004_x64
  • resource: win10v2004-20240802-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 01-09-2024 18:59

General

  • Target: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
  • Size: 625KB
  • MD5: 90180f284c1a5dc94ac94cae1dbdbfcc
  • SHA1: dbeb50c4cf66722a01bc391c225bb930354a3fc4
  • SHA256: 39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf
  • SHA512: 4109c76b5d8c5cbe1a096e6ecdba4ff4813991d8471c85c0ff75f70be7aa20afe35f83bbc4d2019a9ea100dd5d2654d773b637f84c1ba66d0144223f9fd50a04
  • SSDEEP: 12288:KVt+w8wyv/f66WoJMDMz+jEcRm0gVVbXI4cvsnFiOk3CwgQ51:It+w5yvDJB+jXm0a5TnFiOk3BV5

Signatures

  • Expiro, m0yv
    Expiro aka m0yv is a multi-functional backdoor written in C++.
  • Expiro payload (5 IoCs)
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE (8 IoCs)
  • Windows security modification (2 TTPs, 2 IoCs)
  • Checks installed software on the system (1 TTP)
    Looks up Uninstall key entries in the registry to enumerate software on the system.
  • Enumerates connected drives (3 TTPs, 42 IoCs)
    Attempts to read the root path of hard drives other than the default C: drive.
  • Drops file in System32 directory (64 IoCs)
  • Drops file in Program Files directory (64 IoCs)
  • Drops file in Windows directory (4 IoCs)
  • System Location Discovery: System Language Discovery (1 TTP, 1 IoC)
    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  • Modifies data under HKEY_USERS (5 IoCs)
  • Suspicious behavior: EnumeratesProcesses (42 IoCs)
  • Suspicious behavior: LoadsDriver (2 IoCs)
  • Suspicious use of AdjustPrivilegeToken (4 IoCs)
  • System policy modification (1 TTP, 2 IoCs)

Processes

  • C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe
    "C:\Users\Admin\AppData\Local\Temp\39220b8c922e8a4554f747a0cb822f1af7c7a85c7cd5385b3406bed1a8e397cf.exe"
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:972
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4888
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    • Executes dropped EXE
    PID:316
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    PID:4040
  • C:\Windows\system32\fxssvc.exe
    C:\Windows\system32\fxssvc.exe
    • Executes dropped EXE
    • Modifies data under HKEY_USERS
    • Suspicious use of AdjustPrivilegeToken
    PID:1900
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    • Executes dropped EXE
    PID:3804
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    • Executes dropped EXE
    PID:3048
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    • Executes dropped EXE
    PID:2520
  • C:\Windows\System32\msdtc.exe
    C:\Windows\System32\msdtc.exe
    • Executes dropped EXE
    • Drops file in System32 directory
    • Drops file in Windows directory
    PID:840
  • C:\Windows\system32\msiexec.exe
    C:\Windows\system32\msiexec.exe /V
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:3564

    Downloads
