Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240802-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    01-09-2024 19:40

General

  • Target

    3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe

  • Size

    816KB

  • MD5

    aeacd6bfb480546d0ee3e14f0bb46f8c

  • SHA1

    05574783017260e4d3dc0ca831161b5cabf51c30

  • SHA256

    3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325

  • SHA512

    6aa7e58beb9923690918de0c3634bc6ec170dff647fe5a381604b3e28c6f74ff5e12424175acecee21bf419f66060fd562d48a47ba72703c39e2b4aa0906e6f9

  • SSDEEP

    24576:BJW2KjJ4Td3kJnbsPhnzqpKZdhRcloe4Mmz5:BInJ4Td3mbsPhnepYhRclkd

Malware Config

Signatures

  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 10 IoCs
  • Disables taskbar notifications via registry modification
  • Executes dropped EXE 7 IoCs
  • Windows security modification 2 TTPs 2 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies data under HKEY_USERS 5 IoCs
  • Suspicious behavior: EnumeratesProcesses 42 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 5 IoCs
  • System policy modification 1 TTPs 2 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe
    "C:\Users\Admin\AppData\Local\Temp\3b6c6c2a764d8fef59455935fa43ac30fe7db543d13f6119a62c5b14faa87325.exe"
    1⤵
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    PID:3120
  • C:\Windows\System32\alg.exe
    C:\Windows\System32\alg.exe
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:1032
  • C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    C:\Windows\system32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe
    1⤵
    • Executes dropped EXE
    PID:1260
  • C:\Windows\System32\svchost.exe
    C:\Windows\System32\svchost.exe -k NetworkService -p -s TapiSrv
    1⤵
    PID:1692
    • C:\Windows\system32\fxssvc.exe
      C:\Windows\system32\fxssvc.exe
      1⤵
      • Executes dropped EXE
      • Modifies data under HKEY_USERS
      • Suspicious use of AdjustPrivilegeToken
      PID:1812
    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
      "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:2380
    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
      "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
      1⤵
      • Executes dropped EXE
      PID:1820
    • C:\Windows\System32\msdtc.exe
      C:\Windows\System32\msdtc.exe
      1⤵
      • Executes dropped EXE
      • Drops file in Windows directory
      PID:884
    • C:\Windows\system32\msiexec.exe
      C:\Windows\system32\msiexec.exe /V
      1⤵
      • Executes dropped EXE
      • Suspicious use of AdjustPrivilegeToken
      PID:2152

Network

MITRE ATT&CK Enterprise v15


Downloads

    • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

      Filesize

      1.9MB

      MD5

      e906beb5456ec406b130c6699c5d5e63

      SHA1

      042b55fb2f2f1125ecbd988691ed886feba1747b

      SHA256

      650534cf6b40b39bde1a8429a9af7349ceaff5f0c54d5b2232882068c1b552f2

      SHA512

      24d44ac2b37e2c2fbf680dd2522e6caa39394ca346eb32b2c42a568965940da492efbdb292df991caefe5cf8da03d7bdf09477bcf325d71393b998768e4259a1

    • C:\Program Files (x86)\Mozilla Maintenance Service\jfapaeog.tmp

      Filesize

      621KB

      MD5

      789cc1513b7f6a2b57d5d4ba94bd590c

      SHA1

      ab5ef5ace329b553f23b6f96dff7516802d60fbd

      SHA256

      2138ee2aa423b4e1e84340232538bf3f782c452d8f7047dc76a9c381139c7d8f

      SHA512

      e63e666abc37243474e2f906b4696cbe8d56fc2e37c166eb76f98e4f8996dbd4a540fb4f9386255b674261ab1161c4c99089eb781c5d107044472c0962fef135

    • C:\Program Files\7-Zip\7z.exe

      Filesize

      940KB

      MD5

      3fbaf757b462f6e60fe8126d139385f4

      SHA1

      6cb81cae948838bf5a1bdf922c7c79c5c7792d28

      SHA256

      6ba9d2521978722af9d4ec824eca4806d01ed383bb38a4fcd95532524227daa8

      SHA512

      4be174a9801c4e0c2f69f9c93026d44095988e1fabfba6bc629c31bf4a7aa05bdb15ddf6d490b092321e339acbf4ffa6aa72c6ccaca136c21e8020eacfcc9982

    • C:\Program Files\7-Zip\7zFM.exe

      Filesize

      1.3MB

      MD5

      ad8bd45b86f6817deb0ddcc4b3791185

      SHA1

      870e54dea305d566e8865641dca531b1e563a266

      SHA256

      82eb5d98babc682db8be79331055e5d930ca04e1f1563e5a8cb91ba0ff4774bf

      SHA512

      62a066ada95fc3656fb2e10b0eebc2a90e263489ca958e66d6c63f378415f7777a2564301610c1a6f94c1628c87fb93fc2902ea9fbb7805c60884c2c2a4ba98f

    • C:\Program Files\7-Zip\7zG.exe

      Filesize

      1.1MB

      MD5

      2376f2de2b1b70324cfbfc94b51781d0

      SHA1

      9066aafd306aa95920529639fcc1bc16ee7f98db

      SHA256

      284c7d2f2623c9d5f578f971a47e6a111ae545a75650c2ad66e89ffe0d649f8b

      SHA512

      501f8e2a2ebdd3534e360146302e89f1581d3c1058dd185d92faa6052f637695c8c2a33189a3851608e343bd3527a9e1fa05d2c6b88dabc0e0914ab06bbfc796

    • C:\Program Files\7-Zip\Uninstall.exe

      Filesize

      410KB

      MD5

      3d70580d4d9d99e27ac3b9bb5b7c42b6

      SHA1

      28361530988a7fa8d7c0f03ecffe3ab1bb4d10c4

      SHA256

      38912be802ec8218c9c04fe12b7b0c6eb1ce34c07dcdef94994a7201ed3fbc32

      SHA512

      7e6c58716d63933a70c3337b6f71ec35cd7ed0368c9f96f9cef175bba616e8f8b7cd52927d4fc0b35e1e680834a411351b1b4cb004d63be3f23de5e7347f9a20

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe

      Filesize

      672KB

      MD5

      7fd72275b4b7d896ccb7c1e442b1ef3f

      SHA1

      dcdf05514301a151053cdaa565979325b56d194d

      SHA256

      24c12c323792571b44dc06d49751f6b4b3f5969cea300c1617087e2673593251

      SHA512

      942cae18a22419890d51f4b940163d034e4360e11f1462e84ceaadf1d306859d855b6c9b15dd5fde622089bfe8f0378968c2357e1316925ca222a1252f3444c6

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe

      Filesize

      4.5MB

      MD5

      dd96d5815b973e85f39844939c276111

      SHA1

      f302d7ebedcb14ee94ffdd37efd61cfb93c41804

      SHA256

      6ae5a5a613c27e9db624ba97c44b9ffc5ec310af1c6237057bbdeb4dd704239c

      SHA512

      92ecae0fb2bfb565fe372776c03931e1a1acd7cf52ed4c7faa5ab4f1c9f6008c30abf1039fcac2e3491b3282632f877f72bb7caa6e546af59833887049860e7c

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe

      Filesize

      738KB

      MD5

      3f8e2b7f5a4877ada549b478f7cb2a68

      SHA1

      e737caaa33d156ffbe03c14b3eaea06a5fb1fbd6

      SHA256

      dddc7d6ed82a8d0cb02ce01d66a619fb1c55dada25d87172937368816fb2bc60

      SHA512

      686577335d620628f47c3470f2f22be22d604bb972151be0a2c453706bcc10facc4d45754fc55be50a02507a8e2483b6ccd1a8127a07368dc0ae0e73d07e7071

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe

      Filesize

      23.8MB

      MD5

      a204cae6f07d98a62acf4448e0653a98

      SHA1

      7cc6dd1ddaac04bdf782cb87c8a3e66fc2893815

      SHA256

      8bde9f66d43c82266d346039d3aca415205a23b5be415073a786d570cdacf0da

      SHA512

      691e08b57f6dd54c19af07922d8f59fcc568d2e51b0f87984b356198ddb7e470d9acd26489970813a240a4835be3670d786fa3e2e2463815daa79132fb0871c0

    • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe

      Filesize

      2.5MB

      MD5

      8694be26700cca2d83e3989b0ca03ae1

      SHA1

      8c5a60c21750400ffe1d6f256908de6c1be0aa80

      SHA256

      dbddd6e696b0cabd915346e1aa480ff479b69ba7c357637b2f239814f006f9fc

      SHA512

      c66b43ab5c45e8787adcb226d4e5eab4b9f664c4b9edba181c6cdfc26c66a36f2a5ce593c554c6ad7a8770c7660f7746faf48a153efad4cfecd8cdc3fe06db03

    • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

      Filesize

      2.0MB

      MD5

      3d843ed236617f0cd29c7ac4c4275b28

      SHA1

      5800f2c985808c2ed66849c68e00851405cc35f5

      SHA256

      c6c3e9cbf78bbb22bf7d0b4b5077cedd3f75ba843adc376ad9fc426966e9600b

      SHA512

      4e68c914ecde00c5462042c798039870da518187df7e21ac18796add4334d143ab4b9e0a9284da8c98bd8a5f8c89576ba02fcafca98e7bcdd0f453069063548e

    • C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_2oxf2tdq.so4.ps1

      Filesize

      60B

      MD5

      d17fe0a3f47be24a6453e9ef58c94641

      SHA1

      6ab83620379fc69f80c0242105ddffd7d98d5d9d

      SHA256

      96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7

      SHA512

      5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82

    • C:\Users\Admin\AppData\Local\cbkdajfk\koedcnpc.tmp

      Filesize

      625KB

      MD5

      d9c78ddeec29842d7676b22e2d6e650d

      SHA1

      a1d70968d7a2e08d3644ae203e099d1685bcaa26

      SHA256

      bee620f6f8047e46a4e653f0053350d5dcd68d1aecf0d7700d8017b9f71a9a64

      SHA512

      71b7f7dd4c02cf51f83542df74564c4bae81bef883266665cda294197707f4e9753a0a3a00d82508ca971d6da05b0603b390770639bbcf10db8210ad091bc2c2

    • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

      Filesize

      818KB

      MD5

      043836adca7e2a07dcbc402e677795f0

      SHA1

      a48d36b506ae08e195deb20590205deedff75ef2

      SHA256

      4c5c5ffaa3557ce2cdd4dca3a7e1b09807c69257ffa99dc27c29e96eb56f3b4c

      SHA512

      a6d0376bd4506b2af8e3ae116fb05537fa6247c8234d82bc426a801f8475ab42ce6175dcb37a11925aa69b56d7a2397fc41056e9008d658fe8b11111327c6789

    • C:\Windows\System32\DiagSvcs\DiagnosticsHub.StandardCollector.Service.exe

      Filesize

      487KB

      MD5

      2b28d81fe09db32dda8d8049db5c614f

      SHA1

      ab7279857d7b966333de2cd414c502e98c00da00

      SHA256

      9b337e59214fa3823eac729aef1d03a8de71aa046a9fda00a3107418495f4e9e

      SHA512

      d276f8421befb3b2ac39d1c4bc89331088f4a2e4041ca4b2777cc1736d0de977c683dde84bddf8415f67f17bccc99eaa56590d657d91ebccef8da64ad15eec03

    • C:\Windows\System32\FXSSVC.exe

      Filesize

      1.0MB

      MD5

      6012c6eae885ba507939a4966e2ee74e

      SHA1

      02e6118c7646c6e1a461ca161c514901f6d355cb

      SHA256

      a52dacb83db7f54d3d31633ba38e8918c7b669667b2840e7c5b7a3270d80abfa

      SHA512

      26515afab8454fbf017eed949dc083b95599920902fdfe668117cd884e71b019760ca43062fc77f691ce5939f15c103b3f0d3dd0edd6a3f1018464d346c4282e

    • C:\Windows\System32\alg.exe

      Filesize

      489KB

      MD5

      b3e6116f4a6d17f72b5e6d7d41ac70f1

      SHA1

      0db192f9adc6ccc4001fd71c20e908d360eb99b6

      SHA256

      39dd5575ed5e2732a827f141d6863f16ec883157d2b1e16d55eab83ca49ad07a

      SHA512

      61f5210ac6c61e29433dca2b714ac0a0bc333b6d0733a077a1baf322df044f0278c74785f1bc569c1368180b467f596136bfa76c0cca027e5c98b201f4a86aa4

    • C:\Windows\System32\msdtc.exe

      Filesize

      540KB

      MD5

      904db4660edbe4243dce97d9e81d3f5f

      SHA1

      d3574d4cbee71cd2fb6a0936cbef4a355362f379

      SHA256

      550203e4043cb5748ebaa5db506e07cd237c032321344de9155b25ac0a053707

      SHA512

      42bc4bee25ebdc7c8e8686cf99b537b5d28aba05b2a8f8bc9c9858396854273df26a6763988a2a33ccf205d5f207398a29d5498e8e4e466bf9d1f402d59b6831

    • C:\Windows\system32\msiexec.exe

      Filesize

      463KB

      MD5

      5f76624bcc21a72e93ce22170ff093ff

      SHA1

      5acbc8daa95eb8ab598afa40882bd8012a296d7c

      SHA256

      35a8747943ca670c14b2b86fad269f1b51bff57822f4e4d654dc868d6957a0c6

      SHA512

      977ce3cf41ce493520f1b9f5e2d99f379e358aad9fa61d67fcf4263b58c3f73c5c0993fafb4192f28867e3eda297be47e1e0725ce3554156a2833541f933d30e

    • \??\c:\program files\common files\microsoft shared\source engine\ose.exe

      Filesize

      637KB

      MD5

      d3c884029e2c59df60fea782637ddd3d

      SHA1

      b5b69df34afd482f54832b7186867c9fdcf6853d

      SHA256

      3aaee9f0e94587691e89d86eea1f6b593d6b87d3710dbb6b903fd3b1b6376dfa

      SHA512

      8b77059ded491cd1113218c660151fdb277f071f058455be333c10fbaee2a73f627e2993f099cf3754c828f891a7575aa2d4e865cb0dc0b4fab42952bc792676

    • \??\c:\windows\system32\Appvclient.exe

      Filesize

      1.1MB

      MD5

      0e0d6a3e97df9ae2756fd59f964de0ae

      SHA1

      2e82222753890fa5dde561e64e92c894a033c27c

      SHA256

      d236e5e83ec4e4a89f34255a27acef6f9220ca256c716355684c425de70337c6

      SHA512

      48c8e039bc177a61e99a85ff75b60ad4475eac671f0b2b0051d75ea4f95a863cb13619e22cbc00214891eb1de2cf17cebb31abff6d6e85ea5fce8efff6cc2d43

    • memory/1032-85-0x0000000140000000-0x0000000140136000-memory.dmp

      Filesize

      1.2MB

    • memory/1032-51-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

    • memory/1032-84-0x000000014000D000-0x000000014001C000-memory.dmp

      Filesize

      60KB

    • memory/1260-116-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/1260-68-0x0000000140000000-0x0000000140135000-memory.dmp

      Filesize

      1.2MB

    • memory/1812-75-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/1812-77-0x0000000140000000-0x00000001401C2000-memory.dmp

      Filesize

      1.8MB

    • memory/3120-24-0x00000000085D0000-0x00000000085EA000-memory.dmp

      Filesize

      104KB

    • memory/3120-27-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

    • memory/3120-22-0x0000000007C20000-0x0000000007C96000-memory.dmp

      Filesize

      472KB

    • memory/3120-26-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

    • memory/3120-0-0x00000000004CF000-0x0000000000562000-memory.dmp

      Filesize

      588KB

    • memory/3120-25-0x00000000004CF000-0x0000000000562000-memory.dmp

      Filesize

      588KB

    • memory/3120-21-0x00000000070A0000-0x00000000070E4000-memory.dmp

      Filesize

      272KB

    • memory/3120-20-0x0000000006C70000-0x0000000006CBC000-memory.dmp

      Filesize

      304KB

    • memory/3120-31-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

    • memory/3120-30-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

    • memory/3120-28-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

    • memory/3120-23-0x0000000007F40000-0x00000000085BA000-memory.dmp

      Filesize

      6.5MB

    • memory/3120-19-0x0000000006910000-0x000000000692E000-memory.dmp

      Filesize

      120KB

    • memory/3120-18-0x00000000064E0000-0x0000000006834000-memory.dmp

      Filesize

      3.3MB

    • memory/3120-8-0x0000000005F40000-0x0000000005FA6000-memory.dmp

      Filesize

      408KB

    • memory/3120-7-0x0000000005E70000-0x0000000005ED6000-memory.dmp

      Filesize

      408KB

    • memory/3120-6-0x0000000005E00000-0x0000000005E22000-memory.dmp

      Filesize

      136KB

    • memory/3120-5-0x0000000004EF0000-0x0000000005518000-memory.dmp

      Filesize

      6.2MB

    • memory/3120-4-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

    • memory/3120-3-0x0000000002800000-0x0000000002836000-memory.dmp

      Filesize

      216KB

    • memory/3120-2-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB

    • memory/3120-1-0x0000000000400000-0x0000000000562000-memory.dmp

      Filesize

      1.4MB