expiro | 4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974

General

Target

4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
Size

593KB
MD5

37e9395fb51958c6fa65c8ed3b6748f0
SHA1

3d939495657a5144455f2baaf7602242a8b1814b
SHA256

4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974
SHA512

d9dac76c3e1680ba8294969e3d39040ef9b856d3dc9371fb6d30e0dd1962d2ab09acb642c1cf9c0066454a3865f8eaa906fa557fc96ce1d1fb6e4a61d0748ba9
SSDEEP

6144:1RjDh4C6OTCSEijJ/IV5CWLAk0PlyD7mm8BktdtU8Waw5B9hhdPAFAEtmM9psA4Q:1zDxTgijJ/yD7sSdt1/OvxCtsHbU2g9

Score

10^/10

expiro backdoor discovery

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral1/memory/2948-50-0x0000000010000000-0x00000000101A9000-memory.dmp	family_expiro1
behavioral1/memory/2580-47-0x0000000100000000-0x00000001001DB000-memory.dmp	family_expiro1

Executes dropped EXE 4 IoCs

pid	Process
2948	mscorsvw.exe
464	Process not Found
2924	mscorsvw.exe
2680	mscorsvw.exe

Loads dropped DLL 1 IoCs

pid	Process
464	Process not Found

Drops file in System32 directory 3 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\svchost.exe	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File opened for modification	\??\c:\windows\system32\alg.exe	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File created	\??\c:\windows\system32\alg.vir	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe

Drops file in Windows directory 15 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Debug\WIA\wiatrace.log	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File created	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.vir	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File created	C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.vir	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2580	4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe

C:\Users\Admin\AppData\Local\Temp\4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe
"C:\Users\Admin\AppData\Local\Temp\4ac5b8eadc4f8a93f73e638ca3cf8cba83717061462fef44fdb1043c3eff0974N.exe"
1⤵
- Drops file in System32 directory
- Drops file in Windows directory
- Suspicious use of AdjustPrivilegeToken
PID:2580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2948

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:2924

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2680

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log

Filesize
872KB

MD5
56dae433547221b6722fee7a0e0f22f1

SHA1
c1b718e7f65939aab7f45b7f93c258dd24e0902b

SHA256
f3f0c4a542d42ceedf490af60f15a95332ff5dea7ec1c5cdf37b7dcb46c8bf04

SHA512
7dac2d0d1d43bb5f973efa78dfb2af631d84e2d71045b2567f970dd9bc6eab1b14239d4bf4ae99495bed3b49cae3766578c8019a093c34d4e1b00cb875c7965a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
567KB

MD5
e0b3c8c591a6c8f5b662d3f20ae7e15f

SHA1
5b052fecf34bed1048377af62f779de4e56a2f94

SHA256
046d957739e52b78453047aa38b5818dfbd675a765f1d7c7bdcdc3e21aeeba47

SHA512
214d891a96bd89b01307ebf9b07f8ef998b242e60d97c6e4f2a886f88a94ab6c7c0fbd6759adc4bac3592091a77aefd0fced47d7f46de78c2e1e62c14f635d3d

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
1f1cb7420054164489ee4659d32920a1

SHA1
5ebf125fc16c4b3e5bb30ee2db00653fffe20db7

SHA256
ad589a90a29fcb5bbfb1e33469387f0e4f731b6e297f2084ceb3651fab810313

SHA512
dcd48fbb34fa96101634cc53b028963648e1d73706960b58f0b9cbe814cd95693b4b67eda9b394936ba0af9b4476c78f15fff9094ced120ac34e95307e109a55

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
598KB

MD5
75b3194df0bb51c9a82c3c2953b773aa

SHA1
d39b6016c9530bc2b415921d8504a18b54548cab

SHA256
cd513d92101e7df3a39448baabb886091043430698b0b21b46c223a0b88d35d5

SHA512
4ac7bdf9d4eaedee2ce736f65827b4d4fb789354118944bee76b1c714ea37c04ddb9cdd6202e169ed42351632509d27d4054805d0e07f66b7bd3205dda4ca952

Download Submit
\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe

Filesize
590KB

MD5
8fa790a893d786a773f7166c041674b1

SHA1
c080dbf35ca3da37ac1ace589551323c7edd74cc

SHA256
ab88736955b9cc2868b86e0c207a34b952aac6e8608b7329abc293966e4ac323

SHA512
262e30673545c2583b6f5a8525ea4c98e78320fb347de1e9ba3df9620084530256892892c773189dfb3f8989951389b9cb2fd9cf5db4135e151a6446cee03c92

Download Submit
memory/2580-4-0x0000000100000000-0x00000001001DB000-memory.dmp

Filesize
1.9MB

Download
memory/2580-3-0x0000000100000000-0x00000001001DB000-memory.dmp

Filesize
1.9MB

Download
memory/2580-19-0x0000000100000000-0x00000001001DB000-memory.dmp

Filesize
1.9MB

Download
memory/2580-47-0x0000000100000000-0x00000001001DB000-memory.dmp

Filesize
1.9MB

Download
memory/2580-2-0x0000000100002000-0x0000000100003000-memory.dmp

Filesize
4KB

Download
memory/2580-0-0x0000000100000000-0x00000001001DB000-memory.dmp

Filesize
1.9MB

Download
memory/2580-46-0x000007FEFBB20000-0x000007FEFBB6C000-memory.dmp

Filesize
304KB

Download
memory/2580-1-0x000007FEFBB20000-0x000007FEFBB6C000-memory.dmp

Filesize
304KB

Download
memory/2680-45-0x0000000000400000-0x00000000005B2000-memory.dmp

Filesize
1.7MB

Download
memory/2924-34-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2924-35-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2924-52-0x0000000010000000-0x00000000101DB000-memory.dmp

Filesize
1.9MB

Download
memory/2948-50-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download
memory/2948-21-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2948-20-0x0000000010000000-0x00000000101A9000-memory.dmp

Filesize
1.7MB

Download

Analysis

Sharing