Analysis

  • max time kernel: 150s
  • max time network: 120s
  • platform: windows7_x64
  • resource: win7-20241010-en
  • resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
  • submitted: 04-01-2025 01:24

General

  • Target: 7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
  • Size: 772KB
  • MD5: 68029b2bf01d687a4661d4b61a2f0740
  • SHA1: b9431ba2ae320295935f70a68764c387a9450411
  • SHA256: 7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6
  • SHA512: 1c7f5ab2bad06d24f2b49a8c6b34f60954aabd9abfc2d879c6b1eda7614c4f044bbb6262f015f2ed421e4966b06bf9c693ca854ba17146e7c33830984ea689c0
  • SSDEEP: 24576:mVzwix9dfixVZ1L61ePrXxW4T0tfEEL0uX:eDNfixU12TxcxEEY

Malware Config

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 4 IoCs
  • Executes dropped EXE 7 IoCs
  • Loads dropped DLL 3 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 49 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 33 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 3 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Modifies registry class 20 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 3 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
    "C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious behavior: GetForegroundWindowSpam
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:2256
  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:2588
  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:2392
  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    PID:1264
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:1284
  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2832
  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    PID:2464

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\MSOCache\All Users\{90140000-0011-0000-0000-0000000FF1CE}-C\ncjookla.tmp
    Filesize: 718KB
    MD5: bb37dc16c22399fc42a11f24fc098fd6
    SHA1: 9d21434e0c84d52e51913d38ba2f9b4fc55b9fa8
    SHA256: 466d69c86e14a0f1a1e01a5db7f42253f07e6e16ebc710d4607064fee89c58d2
    SHA512: 80b55f99708ceb38b5736ced0df3843da705bf55c6e9d8cbfba949817a48604ddef38914f138873a8943d3cdb8c8ac9a8230d3fd666c2d50c6283100d60f17dc

  • C:\Program Files\Google\Chrome\Application\106.0.5249.119\Installer\odadaonc.tmp
    Filesize: 4.9MB
    MD5: 6c1481e2ee8c617dae4bcdb818e0e5ab
    SHA1: 4cdc1ab33a387552b4fcd523b7cc9ae7f9ba016a
    SHA256: e0d37b083fe1295eb7b142da850384101d6c84dbaca9103db0f31503eb695fae
    SHA512: 54d9975ab30b05db3b1a9152c3394635f0d99260f91aa2bbb77564c15f1530d0f1ac2b8e500aeee277510a9c34da8ceff7371666df5c6d5f0a50c6d8132f674b

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize: 1.3MB
    MD5: 1f77233f290db19fdc0f6a0731fa8fc6
    SHA1: 593fd55a3644ee9e4a1ba928918e017314cc6bb0
    SHA256: 6c77d887334b2416ec1f76a7ac7720d1b578329d6c0cfd2c5189a1eb6f942727
    SHA512: ab4bc14a3679e51c31a7d4d11b52b6c49ec8c4b84858d1e82b5f377025eedd0252bc97810211da6c8cf0cabaa2f96f4876ebf74b7781aa381b5f8aaeaeb48201

  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\mscorsvw.exe
    Filesize: 664KB
    MD5: bda7dfdff2981f574ebc3a58941d3150
    SHA1: bbf6fe5777cc2387f51cd0de66ff072c6f5c92f8
    SHA256: b9660b3a798251eac8a915a11e8de919370a531bfcb945f5ba48cd449b517d01
    SHA512: bdd2836d62d8839423dd75f7a3670e190accfe406128e9a7070e60a1bc4e938168399647be06000feda7aa4769ab49363bd03145bad4e89a07b079d2eaf16733

  • C:\Windows\Microsoft.NET\Framework64\v2.0.50727\ngen_service.log
    Filesize: 872KB
    MD5: 4603242c654c0789931e29a0c2c90150
    SHA1: c5f68570a6c07ac4a004846ef6d7e5132aa0a652
    SHA256: f9aa21ed44eaacf161fbded4d3e26afb05278ab820f8b3107ef7f7ce5244fe1e
    SHA512: b5900a5ef75b480aa5378b12208786021b3927f5cdb6e5543e95ce01194c597f68d9712e4de862644ecfd4e8d8114705ddd3d731e9997245bebfc6f2653e8765

  • C:\Windows\Microsoft.NET\Framework64\v4.0.30319\ngen_service.log
    Filesize: 880B
    MD5: c31d2604ba4b7683773c3fc05508d28a
    SHA1: 608362e0634f52c2934e76f284e41acd7adbd4e2
    SHA256: 7b53c1d823be8854071691268053cc177fc88bd357332b69039bebafb62107db
    SHA512: ec3ef7e3f5edfd526cbec32a18f8d577a2240a5a1706cc96ba5a5b2fc235dbae372f850f6e8c8a209da6a771b04cf935c581def0c7d5846ffa4d2ed97c6a6797

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\mscorsvw.exe
    Filesize: 641KB
    MD5: 4e01deddef5d6f475c415db03d0c9b26
    SHA1: d7a21a4ae0630ef1d3bf02a9b655b87dea67ba3a
    SHA256: 66ba7c107ddcb430e8b79b443cffcc1e6ba4f519f1b8a6360ba684ae1aa72000
    SHA512: cc2fde636e8f27b59170867c4880e129f6bf9a675a217716a98bdecace225bf6a38053aad8aa3a7a5f41c009efb2210d924bb41d510f480390ecab78846cdd31

  • C:\Windows\Microsoft.NET\Framework\v2.0.50727\ngen_service.log
    Filesize: 1003KB
    MD5: 7625c0177e24cae79d8597fe1f907cac
    SHA1: 661c2c3342311b1dd5446507963453aafb6fd4a2
    SHA256: da79df8e9e0db56ddfd32f39083c7e41d88dba0bcc890635220b52acd1f7855a
    SHA512: c32e6af29766643c27adf284c381b12d20f59e844d9634c8c6c9e9e71c300d093c0df2893067031de3fe38ffd691de7e1e8661559126545503067ad05573d563

  • C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
    Filesize: 668KB
    MD5: a8de43b05ceb6c4536a114f036990306
    SHA1: 2c9aad1f822cb3c1171891cac1f6ece60885ec97
    SHA256: 4bf60cf0f52f026d71d168936d98db3a838f21e0adeddba81bd6b8cc81446766
    SHA512: 81d1203298ad81e9c012fbbdaa120d743141e0dcc6589c1f2d75d534272e81afa413171a5296f0171c82f8cafb757b33f084107e6140554a8507be4fc950256e

  • \Program Files\Google\Chrome\Application\106.0.5249.119\elevation_service.exe
    Filesize: 2.2MB
    MD5: c51d1f389750228361c812f6179ba650
    SHA1: 8c03dc5c8e7392878a2d3e19c62f8297d79dc9a9
    SHA256: 01f5abe36bb7a7eff2afdb9957e2805f30fcfe8f8e3489672b540e06aa34beab
    SHA512: c35ec85d639c1663aa9b2cd43d8603eea35ca828ac9f4aa2946e80e355c046214611840ffe91babe7120f4d20ac41b3de5643e2ef5a810fd97e6eeab336245b3

  • \Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
    Filesize: 690KB
    MD5: 5cba755b4a1f45d23821e4079a04ab3c
    SHA1: 0a5beaf7aee40d0d1f8df0ae127083ecfc54b4ad
    SHA256: 8e48d45d2b68374a4f5664315491a79efe55e34f80ca91b2a40dd58c53e7a193
    SHA512: bcb650d49c1f2a5e31c444d9226746e2206b0efde59591acc3709642996abd6ced043c7e29e225120d1bf1adf21b7bd8a89872df2ed36a810a3f4273a4bd6ea9

  • memory/1264-94-0x0000000000400000-0x000000000066F000-memory.dmp (Filesize: 2.4MB)
  • memory/1264-49-0x0000000000400000-0x000000000066F000-memory.dmp (Filesize: 2.4MB)
  • memory/1284-95-0x0000000140000000-0x00000001402A1000-memory.dmp (Filesize: 2.6MB)
  • memory/1284-59-0x0000000140000000-0x00000001402A1000-memory.dmp (Filesize: 2.6MB)
  • memory/2256-1-0x0000000000FD0000-0x0000000001258000-memory.dmp (Filesize: 2.5MB)
  • memory/2256-4-0x0000000006820000-0x0000000006822000-memory.dmp (Filesize: 8KB)
  • memory/2256-5-0x0000000000400000-0x0000000000688000-memory.dmp (Filesize: 2.5MB)
  • memory/2256-0-0x0000000000400000-0x0000000000688000-memory.dmp (Filesize: 2.5MB)
  • memory/2392-77-0x0000000010000000-0x000000001029B000-memory.dmp (Filesize: 2.6MB)
  • memory/2392-36-0x0000000010000000-0x000000001029B000-memory.dmp (Filesize: 2.6MB)
  • memory/2464-334-0x0000000140000000-0x00000001402A1000-memory.dmp (Filesize: 2.6MB)
  • memory/2588-23-0x0000000010000000-0x0000000010267000-memory.dmp (Filesize: 2.4MB)
  • memory/2588-78-0x0000000010000000-0x0000000010267000-memory.dmp (Filesize: 2.4MB)
  • memory/2832-169-0x0000000140000000-0x000000014042B000-memory.dmp (Filesize: 4.2MB)
  • memory/2832-88-0x0000000140000000-0x000000014042B000-memory.dmp (Filesize: 4.2MB)