expiro | e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760

Analysis

max time kernel
120s
max time network
18s
platform
windows7_x64
resource
win7-20241010-en
resource tags

arch:x64arch:x86image:win7-20241010-enlocale:en-usos:windows7-x64system
submitted
16-12-2024 18:08

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
Size

402KB
MD5

e5419bb26deca9e4b7ff178ff8f8b240
SHA1

4b74a932e9a4c6f375a801d88545f36ea812920a
SHA256

e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760
SHA512

22d036328d76a9409cb4e5ef24d170bc8fa24914fd38571f01ca64e4df05201014756ef74e3500f10e1cc8b7780bd82ee4afca41abdda5f2f1475dc1fa62544b
SSDEEP

12288:9vqlqSrzEAupLiPuSrN0lMaKTF/HRzXKxPQZ:psqSroAupL8uSrOlM5/H85K

Score

10^/10

expiro backdoor credential_access discovery evasion spyware stealer trojan

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 3 IoCs

backdoor

resource	yara_rule
behavioral1/memory/1688-2-0x0000000001000000-0x00000000010B2000-memory.dmp	family_expiro1
behavioral1/memory/2948-27-0x0000000010000000-0x000000001008D000-memory.dmp	family_expiro1
behavioral1/memory/2272-75-0x000000002E000000-0x000000002E0A3000-memory.dmp	family_expiro1

Executes dropped EXE 3 IoCs

pid	Process
2948	mscorsvw.exe
2952	mscorsvw.exe
2272	OSE.EXE

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Windows security modification 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000	OSE.EXE
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\Svc\S-1-5-21-3692679935-4019334568-335155002-1000\EnableNotifications = "0"	OSE.EXE

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe

Enumerates connected drives 3 TTPs 42 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\N:	OSE.EXE
File opened (read-only)	\??\O:	OSE.EXE
File opened (read-only)	\??\R:	OSE.EXE
File opened (read-only)	\??\X:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\S:	OSE.EXE
File opened (read-only)	\??\V:	OSE.EXE
File opened (read-only)	\??\K:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\Z:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\G:	OSE.EXE
File opened (read-only)	\??\M:	OSE.EXE
File opened (read-only)	\??\T:	OSE.EXE
File opened (read-only)	\??\E:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\G:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\L:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\N:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\H:	OSE.EXE
File opened (read-only)	\??\I:	OSE.EXE
File opened (read-only)	\??\J:	OSE.EXE
File opened (read-only)	\??\U:	OSE.EXE
File opened (read-only)	\??\Z:	OSE.EXE
File opened (read-only)	\??\X:	OSE.EXE
File opened (read-only)	\??\S:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\U:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\V:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\Y:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\K:	OSE.EXE
File opened (read-only)	\??\L:	OSE.EXE
File opened (read-only)	\??\P:	OSE.EXE
File opened (read-only)	\??\I:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\P:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\T:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\E:	OSE.EXE
File opened (read-only)	\??\R:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\W:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\H:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\J:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\M:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\O:	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened (read-only)	\??\Q:	OSE.EXE
File opened (read-only)	\??\W:	OSE.EXE
File opened (read-only)	\??\Y:	OSE.EXE

Drops file in System32 directory 36 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	OSE.EXE
File opened for modification	\??\c:\windows\syswow64\perfhost.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\svchost.vir	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\ui0detect.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	OSE.EXE
File created	\??\c:\windows\SysWOW64\dllhost.vir	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	OSE.EXE
File opened for modification	\??\c:\windows\SysWOW64\ieetwcollector.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File created	\??\c:\windows\SysWOW64\searchindexer.vir	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	OSE.EXE

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\chrmstp.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\chrome_proxy.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jsadebugd.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmiregistry.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\servertool.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\tnameserv.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jabswitch.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javac.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaw.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\java-rmi.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\policytool.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jvisualvm.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\unpack200.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InkWatson.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmid.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\program files (x86)\google\update\googleupdate.exe	OSE.EXE
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmid.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\TabTip.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\VSTO\10.0\VSTOInstaller.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jmc.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\rmic.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\program files\google\chrome\Application\106.0.5249.119\elevation_service.exe	OSE.EXE
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\InputPersonalization.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\tnameserv.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\program files\windows media player\wmpnetwk.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\serialver.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jarsigner.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\rmiregistry.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File created	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.vir	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\mip.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaws.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\wsimport.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javah.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jstat.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javadoc.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\xjc.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\program files (x86)\common files\microsoft shared\source engine\ose.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Internet Explorer\iediagcmd.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\keytool.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\ktab.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\kinit.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\pack200.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\lib\launcher.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\program files (x86)\mozilla maintenance service\maintenanceservice.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\setup.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javacpl.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\klist.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jcmd.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jhat.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\javaws.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\FlickLearningWizard.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Common Files\Microsoft Shared\ink\ShapeCollector.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\pack200.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\java.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\jre\bin\kinit.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jar.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javaw.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\jconsole.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\javap.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Program Files\Java\jdk1.7.0_80\bin\idlj.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe

Drops file in Windows directory 27 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\ehome\ehrecvr.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\ehome\ehsched.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\aspnet_state.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngenservicelock.dat	mscorsvw.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v2.0.50727\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	OSE.EXE
File created	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.vir	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log	mscorsvw.exe
File created	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.vir	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File created	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3FC426F8-4C7E-4B6D-9D36-A2F6B1020412}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework\v4.0.30319\mscorsvw.exe	OSE.EXE
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	OSE.EXE
File opened for modification	\??\c:\windows\ehome\ehsched.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	C:\Windows\Registration\{02D4B3F1-FD88-11D1-960D-00805FC79235}.{3FC426F8-4C7E-4B6D-9D36-A2F6B1020412}.crmlog	dllhost.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\windows communication foundation\infocard.exe	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
File opened for modification	\??\c:\windows\microsoft.net\framework\v2.0.50727\mscorsvw.exe	OSE.EXE
File created	C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.lock	mscorsvw.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	OSE.EXE

System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mscorsvw.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	OSE.EXE

Suspicious behavior: EnumeratesProcesses 20 IoCs

pid	Process
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE
2272	OSE.EXE

Suspicious use of AdjustPrivilegeToken 5 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	1688	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
Token: SeRestorePrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2884	msiexec.exe
Token: SeSecurityPrivilege	2884	msiexec.exe
Token: SeTakeOwnershipPrivilege	2272	OSE.EXE

Suspicious use of SetWindowsHookEx 2 IoCs

pid	Process
1688	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
1688	e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe

C:\Users\Admin\AppData\Local\Temp\e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe
"C:\Users\Admin\AppData\Local\Temp\e41df91d493484b9992d130f6a6f041cf9909144cc02e7744d6edb4027dce760N.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:1688

C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
PID:2948

C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
1⤵
- Executes dropped EXE
PID:2952

C:\Windows\system32\dllhost.exe
C:\Windows\system32\dllhost.exe /Processid:{02D4B3F1-FD88-11D1-960D-00805FC79235}
1⤵
- Drops file in Windows directory
PID:2152

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2884

C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"C:\Program Files (x86)\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
- Windows security modification
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
PID:2272

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ose.vir

Filesize
332KB

MD5
ff92a4b5c488d4c8e9b9df75a833d388

SHA1
3f9547cf82bc3f09a94b2ec6d65b1232f76b071c

SHA256
bbdfac00e47f50f8bad53406110def6ed832cce7a4e79067aba0e2a54c0ce43b

SHA512
a2019a1f19d28314816a5a0ac29a4ad467779449b9553a3e19053ef979b2d92a8194c691f2f9456af4ade510fc2ba746ea20b58429018a0f450cfab1a5871849

Download Submit
C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\setup.exe

Filesize
1.2MB

MD5
78dc183b187d17779dc03f0d19827fd6

SHA1
c53027fc4dd31962f1d58bd6a15de4350ad68ae4

SHA256
f9231d51eb536af4136d5d51905690bd099229e08c29c3dd0a002bde2281cabe

SHA512
7e2c14eabe7464836664838b5446e8036ba5738710596935beca8a5c3122e319898d75b5a579c805581f2c836363c00f7fb1df5449a2745dcc9d0412a23e0b01

Download Submit
C:\Program Files (x86)\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
332KB

MD5
aac672f7ab1bae4d860332f74ebcd6dc

SHA1
34bc1e553cc0f57142b76e099285961f1bff6f7b

SHA256
654e43c1dbda6be5ffcf3de12d8a095d09629088e83732ac80bc02252cb1dc25

SHA512
dde723a42f9725f53a7bd032163a0434b79383bbb1fa5db0c9c827c3f018f49a54f17531c3c5df0732d18eb87d4cc0716fe057134f4ad1eea16944aeb5e06a3a

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe

Filesize
251KB

MD5
51afade4ed6fcfcc0066857d9f2c6c3b

SHA1
dfd7f5a9b72360fc90d8f813eda40751f867582c

SHA256
5ee646f6962fe023ed965c4e6a51d3f8e3335fc733e899573998b079153e18f6

SHA512
1bc3629e8502395cf26729f2f7daf666b5c060a66fa95461500575b134b7c03636419abd37a74e2e87c4a8f37abcd82d3c5b4957e9abb53be9a92fa90532d086

Download Submit
C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log

Filesize
1003KB

MD5
4d91026b11617f127bc4c3821764588f

SHA1
6699ef9985ac1865e78cc6899dc683fd4c48f3cd

SHA256
e6a7b1c53449c2b94bc12d7105091f200640124298192d17ba24f8eccb8bd9eb

SHA512
57aa1e3494c8a4db37251e0df8a30faceed6d831bc447440139e773e30b99864fdc547f11a85bc3387da27adbc540c0864eb937a796c7cc473cdeccff36be423

Download Submit
C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe

Filesize
282KB

MD5
ff738fb95902c6503d18ec5a9114a96c

SHA1
211ede076914d8e5feae528b5c7c7b5189c0f804

SHA256
d60727f190abd7d73e83a428f36125354bcd1707f1c44e4aed2c59b83e52731f

SHA512
1c8a328cd401ea8d764fe2412c8249043473e1bfe690d71c550ddd94a10063ff097727e1deb842440ce61ac387fd6f83548f718dea9fd69191f65f6580fc1ce7

Download Submit
\??\c:\program files (x86)\microsoft office\office14\groove.exe

Filesize
29.7MB

MD5
3a056bbc4d2a3ae8b3938f3fddf74917

SHA1
ffc20499c072b8004a34fb8e87bf00b1e0886dad

SHA256
d05c88a7b50a9c6026cc3fdeb04f8234488e9980ed3d726f02a59dd01eac20ce

SHA512
a41fc8906f6ef0876ae3df59ba59b549525c8d182453735163ef0369470be2687e0f95fd535ad6db564cf066c349e7d03e2ed028a28012c0188d323fd557620d

Download Submit
\??\c:\windows\SysWOW64\searchindexer.exe

Filesize
610KB

MD5
7206fe4e8d09d1ad01c9a3b8d182bbae

SHA1
84fe57d2e3d98db0757edc1b9d7fedc238e7b1aa

SHA256
ef4ef06d0bcf25a0ae0d3443e5cb2db6c447184b06d341b5d26e29ea77323d6e

SHA512
d44c93cf3112bdd2efb42459fce8322f2c2f6142494a182dce6f41b1e4a5ce51ddf9384bd3125167cabd5b798849a6b60945de1547598106b3dff085a8852290

Download Submit
\??\c:\windows\SysWOW64\svchost.exe

Filesize
212KB

MD5
5daa6848ab7354616c88b57c404007cb

SHA1
6f601d4e8bb6d6ab27fc274b291f0e2c89104faa

SHA256
5fad7b0c24833c1f7aaa9acc19e94c1ad8bcfd361ec1c0dc27d4331b3152c5f4

SHA512
dfbd1c5500d70d1d7a1958f39845365aa9741b5c4ee5a6e66c4c8490734273b1a55b40e620e7060b57716ed934ec30127c34012d3834477d01c2ae38d21f86fd

Download Submit
memory/1688-0-0x0000000001000000-0x00000000010B2000-memory.dmp

Filesize
712KB

Download
memory/1688-2-0x0000000001000000-0x00000000010B2000-memory.dmp

Filesize
712KB

Download
memory/1688-1-0x000000000101A000-0x000000000101B000-memory.dmp

Filesize
4KB

Download
memory/2272-45-0x000000002E000000-0x000000002E0A3000-memory.dmp

Filesize
652KB

Download
memory/2272-46-0x000000002E013000-0x000000002E015000-memory.dmp

Filesize
8KB

Download
memory/2272-75-0x000000002E000000-0x000000002E0A3000-memory.dmp

Filesize
652KB

Download
memory/2948-13-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2948-27-0x0000000010000000-0x000000001008D000-memory.dmp

Filesize
564KB

Download
memory/2948-14-0x000000001000C000-0x000000001000D000-memory.dmp

Filesize
4KB

Download
memory/2952-26-0x0000000000400000-0x0000000000496000-memory.dmp

Filesize
600KB

Download