Overview

overview

10

Static

static

3

7698a39ac4...dN.exe

windows7-x64

10

7698a39ac4...dN.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    97s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    17-12-2024 10:06

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe

  • Size

    653KB

  • MD5

    ab3fc4dce62e61a1b0c3c246e1a40a60

  • SHA1

    5b2f7ef1cee65fc898e58392937a7683b9f35420

  • SHA256

    7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0d

  • SHA512

    b6dfb0c4e6dce823050f9d66d39a1287bdfbf97beefe828893fb8d889bdf861e510dce9301e5963eed8dac8250715680d729e686b485ace0748dc1508a2ebb5d

  • SSDEEP

    12288:JTYkuB+NC7dTWJ3s0gKhdQw66zqHR7L3jwAS+QWE3PfQy75alnnEX7nuoK6HQDXc:JsB+Nytop966zqR7jUAFQWeXQy70yTP5

Score
10/10
expirobackdoorcredential_accessdiscoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 7 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 3 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 28 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 6 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe
    "C:\Users\Admin\AppData\Local\Temp\7698a39ac49d8b24acd46154c674f8cceef1fb62d193964d1dc0ce4e9b779a0dN.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:4040
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2936
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4320
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:1252
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:2256
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:2748
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:5000
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    1⤵
    • Executes dropped EXE
    • Suspicious use of AdjustPrivilegeToken
    PID:2564

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.1MB

    MD5

    329ab10d1d67f50d825166b8adcf8ca2

    SHA1

    1c174f048b0610333f6cb598e0cd8172d2d9e1b1

    SHA256

    1a40c142d577bf11076adcc8916f5b8e120091f911e9952ee90657d70e328c73

    SHA512

    82a38b0d038e0d42cffbdf28fdd039bc988c58ec726e041fa97c5906242e60ef1829422a54ad006fd879e0df5b1ff5faecbf465b425806cf09d25eb03d15c603

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    809KB

    MD5

    96e9b4834e205a83b93b032bc464fd08

    SHA1

    a88673e871b9fe2e34788c587b877c8a7cf149af

    SHA256

    ba398e268caf3728471f5a5c0dad2ba0fbfc19bf358726ec1dfc5eec087a1c26

    SHA512

    1a0d5e21fb77af630b2f363a2beb9078b5b5a159790296868f2432ef4efdce1657ff8844e1f5e6f18eb9b70da93dda5106e2beb936fc18888a749b98d880c4c1

    Download Submit

  • C:\Program Files\7-Zip\7z.exe
    Filesize

    1.1MB

    MD5

    feab1fcaddae3fc981f0822678dfd6f1

    SHA1

    5a9aefe2c7351369cbf19242b14c4f70e0f227c6

    SHA256

    1a18f3ce1624d3a374addc368b311b5675a00bf799643341fdbe6964835350c1

    SHA512

    6d152e3eaf4b955fe7963a786112a9e81ca81d596047fdf76044c9b568596fa50a9c2f4b355bbbff82f41973b020c6a33afa27e26cb9f8c7fb297770749ea135

    Download Submit

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize

    1.5MB

    MD5

    b44e1faeb9e519c4db55a6015d1e2570

    SHA1

    35def54e260c1da6f6812d14dc6e16bd3ce093c4

    SHA256

    59202a79e3a98d65e8ddf0f7806c8673aaf6d6ac45c40bc8f261f42620c66474

    SHA512

    e8fe27a79d405f3dc468d19c79563fb07aa56a17ea083a6b4affc1f29487728aa4a43be05e1ed859326a7b44a6eb525fb1aee5b15525c7070a650b93f16b62d8

    Download Submit

  • C:\Program Files\7-Zip\7zG.exe
    Filesize

    1.2MB

    MD5

    2ea6c281a3789a3e4b671ee19e7d71b0

    SHA1

    db00d4f0acfe12bfc7f301cdb36db00c9959ecf0

    SHA256

    70bb3c703884e1534c3306662f0fe4a9d5e6f47455b5f229b30823d94562efe6

    SHA512

    f851e3352415c2fc18b414314ed67e77d389ba7fd61594a67499aec72ed83b398452e5b696997b0974df4ca9d1c57d6742d6cde8bfadd37b98c004a13efd7ff5

    Download Submit

  • C:\Program Files\7-Zip\Uninstall.exe
    Filesize

    598KB

    MD5

    522fc6a6bad238e46deb8021f49488eb

    SHA1

    04aa24581c591947741b8d97bee2e2176ef94949

    SHA256

    12327c2da5bda290b9ffa7b69795157e4580b18a08ead34fba55419601dead0e

    SHA512

    0312f4310a621a19b17bd2e3ab3b7bcaf94c37ade15b25cfefce9ba44837c9ee9c722562321870199003cc45abc0f8c647e028dd55236cc6566d3edab332e91e

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
    Filesize

    860KB

    MD5

    454381fabbf85139ad747f0cedb27db4

    SHA1

    a1a58b05ebf8e41866e283a1183928d2738d0c25

    SHA256

    919e0e5a983e3af3ba7e13ed4b3a3ef8cc2cc03e599ceb4f997834e65c0c0622

    SHA512

    57d65f93ddea82cf7c0a44d2e15cc0ea585e783433b8386bef49e9d5e7fffdc54cac1a4463ca8115a0881f8c59e5b2b5f6b8135df82250ed1e83f67735b98c28

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    Filesize

    4.7MB

    MD5

    190e2667557cd6587aa682d061ed7330

    SHA1

    38c18679cb57f8e81c20fb53a5e64e199a2e3ad3

    SHA256

    b4e0abef0ddd60c1950a8ac6385654847d551ca1b87d7e15e72a1155ce53e6f9

    SHA512

    7ba7ca038c52b5f32e36c0e5f6cb4fda3312d794523d8292568b1bf818add9b4ac29d0432f4eb211ac2d3635dd04cc9e4ae320daed01756a254f7bf8454ce9ec

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    Filesize

    930KB

    MD5

    a616bf9b9da4c76f9d3e77ba9bb5c870

    SHA1

    c7eb59bff61431d1acd7b722b2697b2b50ac1815

    SHA256

    35c856010beb1e1b7a074742b0376b6c4a28a5f5aa04473e1b97a24012d63b30

    SHA512

    6571929c1fd2ec183985eb3ec7c41591dddd291a42fc6d70a761c0ca19ff31cc860d070f30a75261613f623c02ea93aab10658e9344e43ecfbe779dafa368baa

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    Filesize

    24.0MB

    MD5

    510d39ce202fce96d360c996fc3489ab

    SHA1

    b53d330541934acbce21108187200d4245aa482e

    SHA256

    767443ed60758b39f7362bffb790aa2d4e4e259678df3858b0b201071d63f6ac

    SHA512

    c9b80fc6629a384e666d7a5239828b928107e9400e570ea6c1636c4fb7cde31aa39eb8dbc8984c872f5ffa775194b55aedac286889ad9f4d89a8222527144e6b

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
    Filesize

    2.7MB

    MD5

    600e86d22837f04490b6d756b6e7c4d4

    SHA1

    caa61a46f9764ce4e498ba556d48961b2031c84a

    SHA256

    f4085cb54943d0d69828e6d7e76d048d68d510215f1a8957eb265b864fe6edce

    SHA512

    3b8cef0d932626bc0f89aea570323425336538aef19c3637ce02f7080a2bc5f24f70282a51e1b1006946e864f055eeda0aab043196ea7363e9d8fcb65c7f1bff

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    825KB

    MD5

    a3c74ad605cf6d47ef9d2411c6ac70b1

    SHA1

    68beed199f69835061b273fe77c16b052ff92c9b

    SHA256

    ba1ed4a6ade0e1a9bdeba5d88aed79eb245ac8cdb95ea57b2e8c52910aec72e9

    SHA512

    44f7814745948fb084a7a8391c36bd6cc426320f054adf16599f15a25b4ac6d2f94dae445ec0d7c177168bf6dea0a5124dc4a717aa3722d40fee27a43de8188b

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.2MB

    MD5

    c0158682f30280e966bc602eb3ca84f8

    SHA1

    ba9c6b07d3c5a4d530ba90c07bca144ead8b32cc

    SHA256

    9b35801f3eb5e7946cb7cf5a336a0c12b205df99cd7d0bb34a88d2f4310987a4

    SHA512

    85ac4c83e6533b8d21db0b736a3344996b30cccce80f972a7cc04dd8959eac7c3ed616311eb905b4a822b15d6f318acc196d23c577e213882eaa8262b2615fea

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    1010KB

    MD5

    f99f019679ec851ae9b31ada3f23de0b

    SHA1

    c8ed89cd1ed2e7091d6949f07d80ef482e880193

    SHA256

    70c516b8fa3686326c8c48f0f741567c5511132322769136d4f06fde5e74fc31

    SHA512

    88a3373a95d4b5b8a463c43d2c0086e85e2e03623b1544ab5cfcae4a1b009b34d2be9f34bbbb45eb277fa0e823cafa653aceae448fab8b43addf5dcc56726fa4

    Download Submit

  • C:\Windows\System32\AgentService.exe
    Filesize

    1.8MB

    MD5

    222e0493b1ba23d9db389539d5c27fbd

    SHA1

    dc07770250e692f159df6f0a3b83ef965f8c6989

    SHA256

    6d4e4f21b9035261081214bd2e31b7a7b359fa5511e63f5eb553189829956c4b

    SHA512

    be5e6492c621bcafe32649401f8ca7f5384eae8b63281e8bf9e6a2b6d985c17095b19d1bc2acc0510b899ffa481f1ea74262c70d08209f919b7d51e1a385b9ff

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    960KB

    MD5

    f3379c35ffaac06c3eaa5cbdb436f495

    SHA1

    c427447ca78fe3950839b652d2a414a1a571dbd6

    SHA256

    c39a3a6a3b7762215d5e8f8a02d1567583cad4f177f5aa229ba73f121b717850

    SHA512

    1e4dc111fbaee772c3d20e99eb7f46f49db6ac4e19a9a7f471236cb5d42cf073170e71f097d97f4f34563ec4d30101dcee2f660c22d82604e91d1b305bbefdc5

    Download Submit

  • C:\Windows\System32\emnilgbp.tmp
    Filesize

    1.3MB

    MD5

    1b03ebf550a0f2aeadf4f46f1ef05ccc

    SHA1

    ea809b8c4fc833cc3318e855855707242abfd097

    SHA256

    69b8b6bc0328cc6a55989efa1c3a8b13a6500dd078eb934b6dae36997a1b1764

    SHA512

    b5cfd226862f1c60ce59d711e1d6b7a0498d7040342512e4a111fa5d4175a0a43c8b203ca22c5433cf88dc3e01ef09078141c9dde006d8d1f338499a0ecff176

    Download Submit

  • C:\Windows\System32\wbengine.exe
    Filesize

    2.1MB

    MD5

    66bee37000225dca092b7ac2e8e8c747

    SHA1

    ed54d1dd2f12006507baf73bb1af8676adaf50af

    SHA256

    3510e20aaab2baa03562bac4a3b397c24e3f5b8b5ccc05ee92f42cb43f1c7a24

    SHA512

    1f0d07bc998ec56acf9b981284c256cfd5603de3adda2c69f04a3b843bd506ee6869079a8c0caa82804c73795fd31ec52bbfc07273b6da6d57abc54ff75f34d4

    Download Submit

  • \??\c:\program files\windows media player\wmpnetwk.exe
    Filesize

    1.5MB

    MD5

    2e244fb360578c43fd326a6a36c03ef1

    SHA1

    69738f90baabd9ea1cad4352fc9b12b01c033059

    SHA256

    2e1950beb710951bc09c83b0a2b3d8f3e4874b829e15fa2a62061c9518d747d3

    SHA512

    f5f402ea2c8e6303edbb5443625c13bd0eb2ec2ae27807bcef17e5553e7b461bbc8b8c95029067a6667dcdb41cf6c1e707a2291c6941a32621a3f4a87fb012ca

    Download Submit

  • \??\c:\windows\system32\fxssvc.exe
    Filesize

    1.2MB

    MD5

    ac4f3105cc2d1c3b17b51d9b0796d204

    SHA1

    c225bf40e4c11ab3048adeec62336a510d4a3e75

    SHA256

    bbf3fbaf68adf69c7d01b15be12b7aff47c8f982ad6a34fa618430c35ca91890

    SHA512

    d580024425531172688653622c4d0df611d058dff1a61adca50ad37b5d6c1fbd2611a4c02fa6c257cf24bd1158426fe76de7eb4f63c1d64e275c79bba07f2956

    Download Submit

  • \??\c:\windows\system32\msdtc.exe
    Filesize

    732KB

    MD5

    ed554884cde2ba3a1027dd073b6c164c

    SHA1

    1eb7111557485d70627b5f9dbd1580998ed3fbf3

    SHA256

    f1d6f384b8c78c8ad2838f9efc0c3e737c46406f457fe4613908a340998c72bf

    SHA512

    3a65d35f91889e503b9e1362225992558f3cfc63708f347406f513de2d75b3e7533d2d5edc57f7ece273d302351a9cca1b628f23253ef07c28e2d56782ae0838

    Download Submit

  • \??\c:\windows\system32\msiexec.exe
    Filesize

    655KB

    MD5

    dd97bf61e9531806719de1c56bcdff7c

    SHA1

    fe47afbefb620d263eb8730267c5fd5f876b4c65

    SHA256

    fe8b5940bc411d838797187ff04f1cda129d6dc87480bacb3e1af155044af4a1

    SHA512

    3f8be56866f0a2755b281325f0cc1a239ef2f60aa682f39e6811818961ec6b880a6c5df27cb83643a12319c512ae59b5ea97e0cec0056df226feabbba33622ea

    Download Submit

  • \??\c:\windows\system32\snmptrap.exe
    Filesize

    604KB

    MD5

    0186678c78d826353079b31c6f603720

    SHA1

    88052d4ebef6b1bb4eb79a8ae80fa9cb423a5ed2

    SHA256

    c4ac0ae3bb18b445e8c55b3ec2b5ade218fde985cc9abad1afdcb4882a894da8

    SHA512

    fe53e9d7d18bd71bbc3f2a75ef239e168983af915c5770dec5c2b9214ebe54f25cbf50b1d691a5108a37e7b01fd29dfa6adf3372194ba30fa4f2fc99a6a7a4db

    Download Submit

  • memory/1252-36-0x0000000140000000-0x00000001402C6000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1252-37-0x0000000140000000-0x00000001402C6000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2256-60-0x0000000140015000-0x0000000140016000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2256-83-0x0000000140000000-0x00000001402C6000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2256-59-0x0000000140000000-0x00000001402C6000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/2564-90-0x0000000140000000-0x000000014040D000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2564-140-0x0000000140000000-0x000000014040D000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2748-101-0x0000000140000000-0x00000001402F9000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2748-73-0x0000000140000000-0x00000001402F9000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2748-74-0x0000000140000000-0x00000001402F9000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2748-93-0x0000000140000000-0x00000001402F9000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/2936-21-0x0000000140000000-0x000000014042B000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/2936-20-0x0000000140000000-0x000000014042B000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/4040-0-0x0000000001000000-0x00000000011DA000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4040-2-0x0000000001000000-0x00000000011DA000-memory.dmp

    Filesize

    1.9MB

    Download

  • memory/4040-1-0x000000000100A000-0x000000000100B000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4320-28-0x0000000140000000-0x0000000140422000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4320-29-0x0000000140000000-0x0000000140422000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/5000-81-0x0000000140000000-0x00000001403B7000-memory.dmp

    Filesize

    3.7MB

    Download

  • memory/5000-82-0x0000000140000000-0x00000001403B7000-memory.dmp

    Filesize

    3.7MB

    Download