Overview

overview

10

Static

static

3

fafaae5eb9...60.exe

windows7-x64

10

fafaae5eb9...60.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    92s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    01-01-2025 00:15

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe

  • Size

    555KB

  • MD5

    0cc3d8cf8bdd19f9c4e2ff65f825f321

  • SHA1

    465982caffd39ce142eb30cf0ac0957996853ead

  • SHA256

    fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260

  • SHA512

    2af08782fc289ab6a8009f609f8330b64f51e5f288ac096a8a6ea6b9b5e9c9be492046374f54918267503716cf048f0e2ff40a25a1ff1895941057f756d93349

  • SSDEEP

    12288:T7RRaMMMMM2MMMMM/H0jZrctbNgED36KATHFNpsOFgaPJn29BPP0Ih/2YDiG:T7RRaMMMMM2MMMMM/HK5sbNgED36KAr+

Score
10/10
expirobackdoorcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe
    "C:\Users\Admin\AppData\Local\Temp\fafaae5eb974dd2b969852a7d35166d5583578c0cbb631ab6b390181b9d3a260.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:1928
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:4780
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3580
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:5108
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:2540
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:3880

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.0MB

    MD5

    203bf9ca91c9800730e62da18354e37b

    SHA1

    7a528ea99982da1450607d68f7694e66ba3ac0a4

    SHA256

    2073f6d357958233cd9b2aea52d64d7089fbe58d28725c9566dbb7b436ce0e83

    SHA512

    035bce8ebb14f5cc191b8a383144c2054165622e667188905e9ae32bcc9270529394987f862830b0aac4d24b828c96c6587f0c54d9749fbb6eba3a1ae1289142

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    719KB

    MD5

    e4654699af433ef1110e01262f1ec783

    SHA1

    ca2cbc1de11b2275ff286f382fbd8dfc39b4f5e4

    SHA256

    0a669d72c5274bf4222caed8388567db3f5adb188a5b26e9cf736206137ef8d0

    SHA512

    269aef4ff98a95b568b85d00356254346f22ca403c2a7b59013d6cb502201e4f19e46c5c849665606a6e3c469533d60c2a8b59cea62bad3fa03d23cdafc8e384

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    736KB

    MD5

    b0a310168227d63901fdc37469be3189

    SHA1

    df721d482fa0267b4f6791fd24cb31a5f4e6f44a

    SHA256

    44090250fce539bd3b39d914ef3ea3b548f5d54420e3c79e8da116c638fc6b13

    SHA512

    5a852f8f6c7507f2e4a2ecf88a9d9b918efc1d2006b67ddfdcb88779d91e1b8156e7851445f0acf40698870831d5b9161da7c466fbdb18fb1332b52184e5b140

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir
    Filesize

    4.5MB

    MD5

    32350471480dbf8fcbf958dbb895b9e9

    SHA1

    ce625aa9bae20e6d12b7e7255b444feee9676f63

    SHA256

    9925b8676bc655cc9dcbabeedaa19e0dc3d0310e0f45b2c1962cd13da19b3d81

    SHA512

    dffe3661e517f8a9e30437467ac1b536cd79f9c3109de62deb56716ff581499c4c0d6a56bddf55bf1bb4fe2e2285649bf6e5d05807b2eac90ed9dba8315f24ab

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    686dbf4105670428afebbe0644217413

    SHA1

    f21d14524b4ce66917c70c8c0fe28f89944834aa

    SHA256

    7f33ebd5dbcd07d7c296b2612c2140629b36a5506d135a73432bbc66e809fe99

    SHA512

    e607b2dc0b95dede2e7a192390fdd2aa2ee22b55fafc14a8b11a99b82f82bcba90f530e912ce2c951120c0db39307bb1e9a288799d5f3e07fabdd2a9f5d4ddfc

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    05b09f13a2436e42b3545187d2b85135

    SHA1

    36ee34303251696cb54bfb664f42f44863960628

    SHA256

    da8e864bfc636da56a77f9243cb25a10ce4b8722f7e25e6fa0b3f50f1584b7ec

    SHA512

    30d75199c52d5eb5c33fe90a0007db9ef5ddf608d85b1eab6fe0e77a16be0148a711054fdee1d91337c4ab28f9e96fc6e48562eeffaaa82ab4afa80dc201752b

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    919KB

    MD5

    01066b9cc3eefbedd8f55f97528b6c8f

    SHA1

    afa704775934889653ed3e2dcf68dd8cc438da98

    SHA256

    db3c0a24fccb17203d131eb61484d369ede5c6b8213b7ed69875ab7edec085e3

    SHA512

    b2ccecba377ef88e4002bf013a65064ab942d97423e84ec68c97acc78e5b91d4689e3b3a615c61925d90db1a81ae9bb22df2b94db4ea499695a0b1b84ae74d87

    Download Submit

  • C:\Windows\System32\Appvclient.vir
    Filesize

    1.2MB

    MD5

    5ae83ad15b93c68f1f45c9827a3218ac

    SHA1

    61f9c3c64a3716dab670e748f82ca5af344360a4

    SHA256

    15fd5137ef666678d27b2aa45ba06458604816bd099fb14f13622bd94da5dd28

    SHA512

    6ee12cc6ff180a8492f1958c99f01934138686b383d2f0da7238ece76ab407a7a4cd8e81b5891f23ba9df875460803da7c996ff2e776ff17c43a82f33c058adb

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    870KB

    MD5

    636d79c0a623364ea1e301202932907a

    SHA1

    ae6769f151f242d34aa70edb114cb72b6c9cc32a

    SHA256

    529d1d9563dbb5598c18a64225e45707d780ae0886194f90d50235d87dba4966

    SHA512

    528dbc5aae9b83c5798ca3e2da10fa15e868ee004e0d44cac9710b7dd3d0b7195610fbf99b9a107bf5b95346abe065804c454ca6d032677990682fab6248b87d

    Download Submit

  • memory/1928-0-0x0000000001000000-0x00000000011B0000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1928-2-0x0000000001000000-0x00000000011B0000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/1928-1-0x0000000001002000-0x0000000001003000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2540-175-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2540-166-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2540-62-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/2540-61-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/3580-173-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3580-172-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3580-28-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3580-118-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3580-140-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3580-29-0x0000000140000000-0x000000014036B000-memory.dmp

    Filesize

    3.4MB

    Download

  • memory/3880-74-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3880-176-0x0000000140000000-0x0000000140242000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/4780-174-0x0000000140000000-0x0000000140374000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4780-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4780-117-0x0000000140000000-0x0000000140374000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/4780-20-0x0000000140000000-0x0000000140374000-memory.dmp

    Filesize

    3.5MB

    Download

  • memory/5108-36-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5108-59-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download

  • memory/5108-52-0x0000000140000000-0x000000014020F000-memory.dmp

    Filesize

    2.1MB

    Download