Analysis

  • max time kernel: 120s
  • max time network: 94s
  • platform: windows10-2004_x64
  • resource: win10v2004-20241007-en
  • resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
  • submitted: 07/01/2025, 13:01 UTC

General

  • Target: b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
  • Size: 635KB
  • MD5: 9111267bdd481f1ed05fdb0a94e860d1
  • SHA1: 4cc59ff0aa72e90b4573b84d4dd130865f98b31f
  • SHA256: b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd
  • SHA512: 9af057c08f5396bb7404b51a8cb2c548c5d0108e9012e5139f0572b3c82662795089bccd0acbe50cf99b555d6dd98fd108185d93725b1eb787336709284d21cf
  • SSDEEP: 12288:WDB+kxedc++Zvwx4jZVvPr+WmCqeDkqZ7K0Y7hbMT:WDB+kxeqPZvwujZVn8eDhXYNbS

Signatures

  • Expiro family
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

  • Expiro payload 1 IoCs
  • Executes dropped EXE 8 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 21 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 61 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 4 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.

  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
    "C:\Users\Admin\AppData\Local\Temp\b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe"
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:2216
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    • Executes dropped EXE
    PID:32
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    • Executes dropped EXE
    PID:4704
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    • Executes dropped EXE
    PID:624
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    • Executes dropped EXE
    PID:1388
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    • Executes dropped EXE
    PID:1844
  • C:\Windows\system32\AgentService.exe
    C:\Windows\system32\AgentService.exe
    • Executes dropped EXE
    PID:556
  • C:\Windows\servicing\TrustedInstaller.exe
    C:\Windows\servicing\TrustedInstaller.exe
    • Executes dropped EXE
    • Drops file in Windows directory
    PID:1952
  • C:\Windows\system32\wbengine.exe
    "C:\Windows\system32\wbengine.exe"
    • Executes dropped EXE
    PID:4292

Network

  • DNS 8.8.8.8.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 8.8.8.8.in-addr.arpa IN PTR
    Response: 8.8.8.8.in-addr.arpa IN PTR dns.google
  • DNS 217.106.137.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 217.106.137.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 172.214.232.199.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 172.214.232.199.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 20.160.190.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 20.160.190.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 95.221.229.192.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 95.221.229.192.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 104.219.191.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 104.219.191.52.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 104.219.191.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 104.219.191.52.in-addr.arpa IN PTR
  • DNS 53.210.109.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 53.210.109.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 198.187.3.20.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 198.187.3.20.in-addr.arpa IN PTR
    Response: (empty)
  • DNS 168.100.16.2.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 168.100.16.2.in-addr.arpa IN PTR
    Response: 168.100.16.2.in-addr.arpa IN PTR a2-16-100-168.deploy.static.akamaitechnologies.com
  • DNS 19.229.111.52.in-addr.arpa (remote address 8.8.8.8:53)
    Request: 19.229.111.52.in-addr.arpa IN PTR
    Response: (empty)
  Remote address | Domain | Protocol | Sent | Received | Requests | Responses
  • 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | dns | 66 B | 90 B | 1 | 1
    DNS Request: 8.8.8.8.in-addr.arpa
  • 8.8.8.8:53 | 217.106.137.52.in-addr.arpa | dns | 73 B | 147 B | 1 | 1
    DNS Request: 217.106.137.52.in-addr.arpa
  • 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | dns | 74 B | 128 B | 1 | 1
    DNS Request: 172.214.232.199.in-addr.arpa
  • 8.8.8.8:53 | 20.160.190.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
    DNS Request: 20.160.190.20.in-addr.arpa
  • 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | dns | 73 B | 144 B | 1 | 1
    DNS Request: 95.221.229.192.in-addr.arpa
  • 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | dns | 146 B | 147 B | 2 | 1
    DNS Request: 104.219.191.52.in-addr.arpa
    DNS Request: 104.219.191.52.in-addr.arpa
  • 8.8.8.8:53 | 53.210.109.20.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
    DNS Request: 53.210.109.20.in-addr.arpa
  • 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | dns | 71 B | 157 B | 1 | 1
    DNS Request: 198.187.3.20.in-addr.arpa
  • 8.8.8.8:53 | 168.100.16.2.in-addr.arpa | dns | 71 B | 135 B | 1 | 1
    DNS Request: 168.100.16.2.in-addr.arpa
  • 8.8.8.8:53 | 19.229.111.52.in-addr.arpa | dns | 72 B | 158 B | 1 | 1
    DNS Request: 19.229.111.52.in-addr.arpa

MITRE ATT&CK Enterprise v15


Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize: 2.1MB
    MD5: 0096d3a80e078fb2978dba5a77c5b0c8
    SHA1: 031f8289e2c507eb013fc5015217ffcd59061575
    SHA256: 4be6c41dbe4ff14f6773c9bfff34c950153ff181ac140dee2ee93892d3caf3d5
    SHA512: 24d95518c4917172e21f336bd66d984068667ffa160fd743656afe9f34b6eff2c20735acfa3ee5106459d7c8af89a1f2faf403b9911fc478ba96040345ec04f6
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize: 731KB
    MD5: 9c7e8325e2d864f7b38c99c458236144
    SHA1: 0292005b3d694a2fc68a04b73e068dd8c857834c
    SHA256: dfec2ba5c484168d1d4d4bb04ce1cff0defc6f065f99f5de8b1337aa45a6529a
    SHA512: 8b9e21931022b0aa7831ce9008d65a6cf9b2365e1195c8e0993adfb62c1021d8da61258f34698f3dda0757163fe0f44280065d133ed57b288c34c215609822a6
  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize: 748KB
    MD5: 462911baf51bc3f95e1e247dbcd5fd30
    SHA1: 3cb7b477d2aa2069262f672dbecd76f9ec15179f
    SHA256: 5ae1c70b3aedb767da46d169a7bb904cffc39b9b71ccab6dceebb13a691ab9ea
    SHA512: 41c24c67ea57687e21731c8a6a9358658e342bc7197dd01f2746f287438e5057ed7c4aea44a806ab64ca84ea31e4f7b612c5dad9ec0d0dcd3feb8092253bd1b6
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir
    Filesize: 4.5MB
    MD5: 7e70e99c739df8174e30bebc0ec9926f
    SHA1: e45a690347250bf57b1b1fb0a906cc5019214050
    SHA256: 60a6e56c1bd87ea3c0eb5c05cbea2bacb16d76d64137dcec30643a3e9d11109b
    SHA512: 0daa82e380051550798dd6fe04f3a627a1f4029a2333fe14b4bc36a6ec8585bd1d03db1ae40b2e3ad856fe0ed6f8970c8927ea03de3dcadef38fd27b17a9eed7
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize: 2.1MB
    MD5: 6cf3432304b1fff7bd4f827021fdddfb
    SHA1: 55234f722ff172cff468db3a754727a8feceba4d
    SHA256: 0ab9aab1113564edb7e36296eee1b61c30799960efe9fd6ff2ed49181c51cbe3
    SHA512: 842b8cf61edee8808f7b33329d3805f5e76b0b1c5503a9b4ce237f9a276536a8df578e6c97c57ee7f05cab0a9e757454d2596fc8a97812de52a535970dd6dc34
  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize: 1.3MB
    MD5: 2ce184514d6c226eb78f04ce1c9bbd77
    SHA1: 9bbc478d89d18c7f7a8a08fb3ed6d362220046b9
    SHA256: eb9bb17dec3750c032256e209b702e6e67ac8239f078cc6f0855db17755562d3
    SHA512: b43709d186f83ddb6773ec75afb0caf43391103fcf0708cd76b56730e55678ff5248ce1d04e595c3f3944012bd7746dac81fbe7b155121d65483752ebc7a00e9
  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize: 931KB
    MD5: f4e2c65e12b744993e5b4b5adfa13abf
    SHA1: 4a4d47825f38580dbd11c32aaf9bef3c10e1a2fd
    SHA256: 452c8784fc1e7306677117d8fa1d270b521943631987bb1316cbb697c131fbd2
    SHA512: eae86ed412c882529f63fedaaa4e1e539f5d6ede405e29756ac45236ec03f8483cd635c603d99e66c2a899d3c1dfcb86c3536749d1a0684f207ad492cceb6a4a
  • C:\Windows\System32\AgentService.exe
    Filesize: 1.7MB
    MD5: 1c067ba7e7f7dfca42588aa98dedb139
    SHA1: 2262c31bbdbf7b1dd984c6543021ba96dffe5567
    SHA256: 82cc66938690723ce7bb9619013dfae4d17525badb492ffa3a1dced09bc02673
    SHA512: ce5684ed12b8c54d385bbadd0ecdf21a5beb96633a1dc56f84066c2f8c46ea93f7989101a8a106f7c2605586d560e1d9dd191ee5b15efd16b243c2c5fcc1df34
  • C:\Windows\System32\Appvclient.vir
    Filesize: 1.2MB
    MD5: b97e6008fe5c4c4dcfb95bfbfbfa81bd
    SHA1: 38c40f63d1faa587f438b06042171008386faa73
    SHA256: a59eaf469d4bef6caacd3b2b5d4cb43bc19c037bff4ea69117f6141f969e993e
    SHA512: 1b1bf10548a960ca99896953bfeaf3f6886935f6c1221cbe0b0059d45a2b0f191f73fd019d8319e5a04173970f273540f87635818472eac706a3a13b04729793
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize: 882KB
    MD5: bc603813beec92048de06f614132defe
    SHA1: a4f43735c592ff5474e4466edda4d3e84628f213
    SHA256: 64f9efa9ca49469c4164ba7b63954dba2e6012c60d348757704d7d7b19fad561
    SHA512: 8637175ec8bef4c219c027ac3e97d30ec1817beb1144f00edbd52c0cb044ae61b146b840ee60731093b15f04216c8eb82c752af718126c99d2e66b4adb8f54b7
  • C:\Windows\System32\wbengine.exe
    Filesize: 2.0MB
    MD5: 21be8759d1953d137fde119f064dd97c
    SHA1: 17bf1b01d2a159689269df14c7eddd689b491ff3
    SHA256: e06d498b8c046bfdb0bbb6f527aa09cd3f8f7e2c857fcc08de0c95ef0fed24c7
    SHA512: 7044b213c7f8b0ceba1f289aaec0324c7bdffb6b8914d6a8cf2bfa5557e8bd8aee5ecbf4c298e3a47648090364d516ddae69e0215cd0532f1b979945cb2749ed
  • C:\Windows\servicing\TrustedInstaller.exe
    Filesize: 193KB
    MD5: 805418acd5280e97074bdadca4d95195
    SHA1: a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6
    SHA256: 73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01
    SHA512: 630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

  • memory/32-21-0x0000000140000000-0x0000000140368000-memory.dmp (Filesize: 3.4MB)
  • memory/32-20-0x0000000140000000-0x0000000140368000-memory.dmp (Filesize: 3.4MB)
  • memory/556-81-0x0000000140000000-0x00000001402F4000-memory.dmp (Filesize: 3.0MB)
  • memory/556-83-0x0000000140000000-0x00000001402F4000-memory.dmp (Filesize: 3.0MB)
  • memory/624-36-0x0000000140000000-0x0000000140203000-memory.dmp (Filesize: 2.0MB)
  • memory/624-37-0x0000000140000000-0x0000000140203000-memory.dmp (Filesize: 2.0MB)
  • memory/1388-59-0x0000000140000000-0x0000000140203000-memory.dmp (Filesize: 2.0MB)
  • memory/1388-60-0x0000000140000000-0x0000000140203000-memory.dmp (Filesize: 2.0MB)
  • memory/1844-74-0x0000000140000000-0x0000000140236000-memory.dmp (Filesize: 2.2MB)
  • memory/1844-73-0x0000000140000000-0x0000000140236000-memory.dmp (Filesize: 2.2MB)
  • memory/2216-0-0x0000000001000000-0x00000000011BA000-memory.dmp (Filesize: 1.7MB)
  • memory/2216-2-0x0000000001000000-0x00000000011BA000-memory.dmp (Filesize: 1.7MB)
  • memory/2216-1-0x0000000001008000-0x0000000001009000-memory.dmp (Filesize: 4KB)
  • memory/4292-90-0x0000000140000000-0x000000014034A000-memory.dmp (Filesize: 3.3MB)
  • memory/4292-91-0x0000000140000000-0x000000014034A000-memory.dmp (Filesize: 3.3MB)
  • memory/4704-28-0x0000000140000000-0x000000014035F000-memory.dmp (Filesize: 3.4MB)
  • memory/4704-29-0x0000000140000000-0x000000014035F000-memory.dmp (Filesize: 3.4MB)
