Overview

overview

10

Static

static

3

7c9966301e...f6.exe

windows7-x64

10

7c9966301e...f6.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    150s
  • max time network
    151s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    04-01-2025 01:24

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe

  • Size

    772KB

  • MD5

    68029b2bf01d687a4661d4b61a2f0740

  • SHA1

    b9431ba2ae320295935f70a68764c387a9450411

  • SHA256

    7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6

  • SHA512

    1c7f5ab2bad06d24f2b49a8c6b34f60954aabd9abfc2d879c6b1eda7614c4f044bbb6262f015f2ed421e4966b06bf9c693ca854ba17146e7c33830984ea689c0

  • SSDEEP

    24576:mVzwix9dfixVZ1L61ePrXxW4T0tfEEL0uX:eDNfixU12TxcxEEY

Score
10/10
expirobackdoorcredential_accessdiscoveryspywarestealer

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 1 IoCs
    backdoor
  • Executes dropped EXE 6 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Modifies registry class 20 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs
  • Suspicious use of SetWindowsHookEx 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe
    "C:\Users\Admin\AppData\Local\Temp\7c9966301ef6631298ddcc0d8ef36d7df2464cdaa9217b6ec1ec686c740b37f6.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Modifies registry class
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of SetWindowsHookEx
    PID:1036
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:1852
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:2852
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    PID:1620
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:1140
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:4080
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    1⤵
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:4400

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.1MB

    MD5

    8fc3f6329ab848c459efbf8ff3a3d29c

    SHA1

    2182189f28ce85a4bf9ba93a2585e6df10a4c42c

    SHA256

    61295b7c6251d5aec8631fc78f6935b8ce678dd0c500f6353cbdfb4544cb6fcb

    SHA512

    50e886aec800c74ffb71575737e879bb889fc1a2dbe6c10ebd9ebbbc09cda32a41c99726ada138b3694bafafd12742376cb8e5143cf1070b98b761d43f77c077

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    805KB

    MD5

    5639c093007affb46421a5e526d0dc2d

    SHA1

    a3b12ff891e9a488343c3b57f91f629534fb2409

    SHA256

    5a718f88a9579cbd7a501d4da759657d682be9abe5fc6b794d79cf98ff1c6c94

    SHA512

    e1abd037f3aa01791a7e58e39e7c421806e207e29321c9bb7c8806fca9f890ec643923d69b1b898e0702941c897a7aa9f85fcf96afb2054150b0804dc6553893

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    821KB

    MD5

    152854f39de569c19dd49438f81a9993

    SHA1

    b60c97a2c1338f49fdce9c11caa43ecd3108f317

    SHA256

    ee5196e7115dcb8fe047868a314bff584b65dbb44af30f8e1ee89d2377952ec0

    SHA512

    fe0ab2997d822cea464ef70e8a4a4c24ff80d5f6806a0f9012f9d1bd525055511f815982390ce17deaa293851e06034230c57f9c50b82895608c24d664867d9d

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp
    Filesize

    4.6MB

    MD5

    704d775255ff02e52524c97e8789f527

    SHA1

    8fd441a4093cf86787b09aa942742939cb9f10c1

    SHA256

    a0c9848ff3a4184065a716cf221dcee81154492e5be0bddb419510244b1886ed

    SHA512

    1b64e41ac812b793ccffe188c6283998a9ff131c49386d557a699a43efa2a25dbfaeada773e49da76a4ccb18e8d915578e65568f71e370137b95c2bf0f45effe

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.2MB

    MD5

    59c67321213171345a1fc492080e9761

    SHA1

    cd652fc23500a946e3facc8f092116d6e32e9806

    SHA256

    b775c361f59af8021b73f025de27e1a1115f125d2842e9cd135944febaf2f07e

    SHA512

    73aedbce711ab7b20ceeb0b98a0c37aa07869c55228413b8ef5530e8ff681e1ea4de231ccbea45254033f40fb66ff6869d52878ddb3522a8580edc101aeb8516

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.4MB

    MD5

    8310aa484028bbd4a072c8b32fbee011

    SHA1

    ff6a70ddee82b510101c7b45faff8b937170110f

    SHA256

    646b1980e1f7910e428ba700ce3f252e919aeaccce055627d6bfad088a008ddf

    SHA512

    c21a8e0f3ef980687077b107285bc0200f1deb08847862ad9e2e2f584b4b2f76a749110eddc24588ba4a7b3ccbe4ac04fe7d8afdb24fa01c2e8e9f75968dc8fb

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    1002KB

    MD5

    0743bd0831c81898e8b1fad436b89e50

    SHA1

    a1da77aac13a96624e15300120b37c0497b72247

    SHA256

    5b035201ba2b9776a738004affd972cede368af4a053a97f80394997880e8ce6

    SHA512

    6d50ad1bf0546b9891ced258189214d3e83505a876589a9d523a7a9a43e88a3253e5e8dbcf54ec1b87563c4cfc531e2ac26d8d8198124dcfde51f8e8355a7df5

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    956KB

    MD5

    9d390e390313f8e8da138655d2cca314

    SHA1

    4d367e60673466564224def86df1479b01a27e6e

    SHA256

    dcf289ae8b5213b9b2a4c7ce95cfaf6554fe96d5d73e12bef1269f81ab6bfd59

    SHA512

    f9e556f1262e8489b85769e724ebf3791544d9afe67b35229f4894a9c3289a0715e7e016d9650b1725452f23ac2c3f348e10292f0884558b6b238f4f9e0acc49

    Download Submit

  • C:\Windows\servicing\TrustedInstaller.exe
    Filesize

    193KB

    MD5

    805418acd5280e97074bdadca4d95195

    SHA1

    a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

    SHA256

    73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

    SHA512

    630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

    Download Submit

  • memory/1036-4-0x0000000000400000-0x0000000000688000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1036-1-0x000000000040C000-0x000000000040D000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1036-0-0x0000000000400000-0x0000000000688000-memory.dmp

    Filesize

    2.5MB

    Download

  • memory/1140-145-0x0000000140000000-0x00000001402C3000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1140-60-0x0000000140000000-0x00000001402C3000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1140-144-0x0000000140000000-0x00000001402C3000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1620-37-0x0000000140000000-0x00000001402C3000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1620-61-0x0000000140000000-0x00000001402C3000-memory.dmp

    Filesize

    2.8MB

    Download

  • memory/1852-111-0x0000000140000000-0x0000000140428000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1852-143-0x0000000140000000-0x0000000140428000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/1852-22-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/1852-21-0x0000000140000000-0x0000000140428000-memory.dmp

    Filesize

    4.2MB

    Download

  • memory/2852-29-0x0000000140000000-0x000000014041F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2852-141-0x0000000140000000-0x000000014041F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2852-142-0x0000000140000000-0x000000014041F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2852-118-0x0000000140000000-0x000000014041F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2852-112-0x0000000140000000-0x000000014041F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/2852-30-0x0000000140000000-0x000000014041F000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4080-146-0x0000000140000000-0x00000001402F6000-memory.dmp

    Filesize

    3.0MB

    Download

  • memory/4080-74-0x0000000140000000-0x00000001402F6000-memory.dmp

    Filesize

    3.0MB

    Download