General

  • Target

    25fc116d849d873fe7d094b20c61a0a3.zip

  • Size

    405KB

  • Sample

    240903-j4a84s1hpl

  • MD5

    f5a635026bd11e4b20d2d6f48da513ca

  • SHA1

    1b6544587dfaf43803e390efc9c5a65fde5d2ce3

  • SHA256

    85d4af45b9701060e2cf076216ada74ad5229ea6508b8d832c4935bdc6c4eafb

  • SHA512

    d7c17b227d45a903dc8da9a72f6252a6eda514dff77d41a1605b5daf8b4a568bed5589e3a68785d553db7dad3d96ab43c9995fec8379f60aed86891a3eb8b22b

  • SSDEEP

    12288:Lt9lhm5Tz/zEPMz7oOVnC2Px+ZiA5y9k6OyyvI2WwQ:LtTMnEK7oOcDZto9k6KWl

Malware Config

Targets

    • Target

      0636e2319a648568e7183e354d518dfd8033afe9fbe0f9d37cf45545a6790ff0

    • Size

      625KB

    • MD5

      25fc116d849d873fe7d094b20c61a0a3

    • SHA1

      ba11b8661fcd9fd4b0a595d4991b8aaab25f0739

    • SHA256

      0636e2319a648568e7183e354d518dfd8033afe9fbe0f9d37cf45545a6790ff0

    • SHA512

      859d7739b13f0cace8b7d5cc231d3ad250149642cef3c9bb38765771572e62011d2624f4ab4df5ec7371f3a8104784bed966374ed78f57307a9fd8e4b58a59e1

    • SSDEEP

      12288:dVt+w8wyv/m66WoJM9/Da1AtooMZlNKh6ZOmcQzpv9ymggRxcXtB:Lt+w5yWDJmbYAhG8cZOKzyQcv

    • Expiro, m0yv

      Expiro, also known as m0yv, is a multi-functional backdoor written in C++.

    • Expiro payload

    • Disables taskbar notifications via registry modification

    • Executes dropped EXE

    • Windows security modification

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Drops file in System32 directory

MITRE ATT&CK Enterprise v15
