expiro | 7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6

Analysis

max time kernel
150s
max time network
103s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04/01/2025, 01:18

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Size

772KB
MD5

68029b2bf01d687a4661d4b61a2f0740
SHA1

b9431ba2ae320295935f70a68764c387a9450411
SHA256

7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6
SHA512

1c7f5ab2bad06d24f2b49a8c6b34f60954aabd9abfc2d879c6b1eda7614c4f044bbb6262f015f2ed421e4966b06bf9c693ca854ba17146e7c33830984ea689c0
SSDEEP

24576:mVzwix9dfixVZ1L61ePrXxW4T0tfEEL0uX:eDNfixU12TxcxEEY

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 2 IoCs

backdoor

resource	yara_rule
behavioral2/memory/5012-4-0x0000000000400000-0x0000000000688000-memory.dmp	family_expiro1
behavioral2/memory/4576-144-0x0000000140000000-0x000000014041F000-memory.dmp	family_expiro1

Executes dropped EXE 5 IoCs

pid	Process
640	elevation_service.exe
4576	elevation_service.exe
3092	maintenanceservice.exe
1892	OSE.EXE
5032	ssh-agent.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\mdgkfajodaliacghnafobjnclblcfmlm\1.0_0\manifest.json	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\K:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\Q:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\R:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\V:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\W:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\E:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\M:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\N:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\T:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\U:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\Z:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\G:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\H:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\L:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\S:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\X:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\I:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\J:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\O:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\P:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened (read-only)	\??\Y:	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\system32\Appvclient.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\fnadilek.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\SysWOW64\lkcnlcob.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\eomhhneb.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\iaidneoq.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\emnjafka.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\alg.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\vds.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\ijkiqnla.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\mkcofceh.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\mmlkoakh.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\locator.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\meakocng.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\jqlnknjh.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\windows\system32\openssh\dcjinmpc.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\google\chrome\Application\123.0.6312.123\elevation_service.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\cgakfigd.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javah.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\pack200.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nklemblo.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\java.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\pack200.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\llhhlfmg.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\servertool.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jeoonppk.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\chlmfebj.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.Loader.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\7-Zip\ncjookla.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jar.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Microsoft Office\Office16\OSPPREARM.EXE	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\nnknaeep.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jcmd.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstat.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\acdacdcn.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Microsoft Office\root\Client\lojnilhp.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Client\AppVDllSurrogate64.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Common Files\microsoft shared\MSInfo\onakajab.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\eiknqqhf.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\bmmoojdm.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\keytool.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kefbfhkg.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaw.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\edifekgj.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\orbd.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\knjpmnmh.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\jihehklc.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\elevation_service.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\khigbmnb.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\lajbgcnb.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\bklbclai.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\gnciljmn.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Internet Explorer\ExtExport.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\fadcmdcc.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\ktab.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Microsoft Office\root\Office16\ADDINS\Microsoft Power Query for Excel Integrated\bin\Microsoft.Mashup.Container.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	\??\c:\program files (x86)\microsoft\edge\Application\92.0.902.67\dbdbhfin.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jre-1.8\bin\kfcbmeeq.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Microsoft Office\Office16\pbjmkqlg.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\7-Zip\pijiegfa.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Internet Explorer\ielowutil.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kggjdgjn.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\oklgbmqo.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jre-1.8\bin\jhffffnb.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
File created	C:\Program Files\Java\jdk-1.8\bin\qqlagjep.tmp	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Drops file in Windows directory 1 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Modifies registry class 20 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0 = 14002e80922b16d365937a46956b92703aca08af0000	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\MRUListEx = 00000000ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0 = 14001f50e04fd020ea3a6910a2d808002b30309d0000	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = 00000000ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\WOW6432Node\CLSID\{018D5C66-4533-4307-9B53-224DE2ED1FE6}\Instance\	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\Bags\1\Shell\SniffedFolderType = "Documents"	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots = 02	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\NodeSlot = "1"	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\0\0\MRUListEx = ffffffff	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{4336a54d-038b-4685-ab02-99bb52d3fb8b}\Instance\	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
Key created	\REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000_Classes\Local Settings\Software\Microsoft\Windows\Shell	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	5012	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
5012	7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
"C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:5012

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:640

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4576

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:3092

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1892

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:5032

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
b99b6787482913f0ea6ea1376c769a2a

SHA1
cda5174c9b6e1de2f7eb002247e3c442095461c8

SHA256
f56e10ede5db4e99ee1fe3fa7c5d932c66a3388842c2df4dc68ba0317c3f8048

SHA512
67645a9193847729e45f4ea26a15c4715e49f901b3e1c39b5787cdf93e7617db01dcec89dde0562265dc56d50d6c6372a924c72c0cdc01e3d40faf764d72729e

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
805KB

MD5
4a72f51a277091600d0b28feb36f889c

SHA1
90476b7960de52ff6847b2d8f2d5a86b583df20c

SHA256
3a95695f0e0f120781a5ebad9f0a9190b8c92dfc33369e402d3eb212c42a9054

SHA512
1f0846cbb88193929c4e368457b6d30401ce609df577179eccc5813842d8146f3bde0993b5e0004e6b87959128661d3736965f7994ffe85aecd64609bb228fc8

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
821KB

MD5
78f05aaf34c0287f48774b6d9ad8ff50

SHA1
f7868ae93c68bec42dfbf55b0c9138fc15908cb6

SHA256
ca19a18eb8a6e4dfa6ec7e0cccc3f5dcbad541f86bc310f71a74bf0f079db2c1

SHA512
49d79bcb3c7552a5296bd9d87bd5e0687053f5f8c0a0652a55a1fbdfcaa728a66a1a130ddcadb6398ef5d821ddecb46fde5582cd12e26021778d8566c6501bf3

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp

Filesize
4.6MB

MD5
704d775255ff02e52524c97e8789f527

SHA1
8fd441a4093cf86787b09aa942742939cb9f10c1

SHA256
a0c9848ff3a4184065a716cf221dcee81154492e5be0bddb419510244b1886ed

SHA512
1b64e41ac812b793ccffe188c6283998a9ff131c49386d557a699a43efa2a25dbfaeada773e49da76a4ccb18e8d915578e65568f71e370137b95c2bf0f45effe

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.2MB

MD5
020aeb6b4f19c5eb57283fa9453691a9

SHA1
f6919cb2928e385538a4de38ff64290a23d42e8a

SHA256
ca5b13316efc9750d0f2bd7923b05add0ee4abfbf499a6aa7744f0ee18ff83f4

SHA512
89860a05fe98eb870ddce5baa9e42abb7068c14f8c997e7f96506f8d6a29a391f649a0cbf98bcdbe5fb59e672b7ff986ddd0a985f52a179496265bd607114655

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.4MB

MD5
03f2fef32c2b035739fad16fa55fdb71

SHA1
52f2eb53df62ab94b6b5e56dc716a59fbd4ab9a8

SHA256
8b2f05714977e39add2fcfadda82eb96dd844141398608463fa4f4462a2f1a59

SHA512
ce0a265b50c69bfa26ac1880ad44c9210d5840729852e8d480ed3fab791f3fb9eca3f7d471a7337e551a583e7a4824dd232b032308cad7fd3cce575a115be03d

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
1002KB

MD5
809159d6fe0f975d5e8cd5558acedf1a

SHA1
35bb2794d6eb081154becf477e11a699dbb6e2fb

SHA256
cedcd06a9479642634dc87c48bfb079bdff7becb4cab3d697b8b4c82f56d277b

SHA512
392e3b2d7ffdea75674284046ccc71633f680bb975c70f5d1530d1d01cbd8b1bdab20421aae43aa7d97cade7f1517881984171abb12df124f324972061ca71ef

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
956KB

MD5
4b1f7dffa5776a14c6f61fba688dd807

SHA1
44888ae82d3c4c39b2f44ddc9efdb5c3da9298d2

SHA256
2f43ed82bbf147bc3d62a4e56575af412d9f66f16888f5158e52b326e98f0590

SHA512
74d85252435466569071cbb443d7737e7d5b5b0a727d16cbaa22d4e5cd587fbf54a76bbb8479864322341095d95da7326c4bdddfdd8037b9195189f97ebf1378

Download Submit
memory/640-21-0x0000000140000000-0x0000000140428000-memory.dmp

Filesize
4.2MB

Download
memory/640-22-0x00000001400B2000-0x00000001400B3000-memory.dmp

Filesize
4KB

Download
memory/640-161-0x0000000140000000-0x0000000140428000-memory.dmp

Filesize
4.2MB

Download
memory/640-116-0x0000000140000000-0x0000000140428000-memory.dmp

Filesize
4.2MB

Download
memory/1892-61-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/1892-162-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/3092-37-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/3092-59-0x0000000140000000-0x00000001402C3000-memory.dmp

Filesize
2.8MB

Download
memory/4576-145-0x0000000140000000-0x000000014041F000-memory.dmp

Filesize
4.1MB

Download
memory/4576-30-0x0000000140000000-0x000000014041F000-memory.dmp

Filesize
4.1MB

Download
memory/4576-144-0x0000000140000000-0x000000014041F000-memory.dmp

Filesize
4.1MB

Download
memory/4576-29-0x0000000140000000-0x000000014041F000-memory.dmp

Filesize
4.1MB

Download
memory/4576-169-0x0000000140000000-0x000000014041F000-memory.dmp

Filesize
4.1MB

Download
memory/4576-168-0x0000000140000000-0x000000014041F000-memory.dmp

Filesize
4.1MB

Download
memory/5012-0-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/5012-4-0x0000000000400000-0x0000000000688000-memory.dmp

Filesize
2.5MB

Download
memory/5012-1-0x000000000040C000-0x000000000040D000-memory.dmp

Filesize
4KB

Download
memory/5032-74-0x0000000140000000-0x00000001402F6000-memory.dmp

Filesize
3.0MB

Download
memory/5032-175-0x0000000140000000-0x00000001402F6000-memory.dmp

Filesize
3.0MB

Download