expiro | b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd

Analysis

max time kernel
120s
max time network
94s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
07-01-2025 13:01

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
Size

635KB
MD5

9111267bdd481f1ed05fdb0a94e860d1
SHA1

4cc59ff0aa72e90b4573b84d4dd130865f98b31f
SHA256

b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd
SHA512

9af057c08f5396bb7404b51a8cb2c548c5d0108e9012e5139f0572b3c82662795089bccd0acbe50cf99b555d6dd98fd108185d93725b1eb787336709284d21cf
SSDEEP

12288:WDB+kxedc++Zvwx4jZVvPr+WmCqeDkqZ7K0Y7hbMT:WDB+kxeqPZvwujZVn8eDhXYNbS

Score

10^/10

expiro backdoor credential_access discovery spyware stealer

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/2216-2-0x0000000001000000-0x00000000011BA000-memory.dmp	family_expiro1

Executes dropped EXE 8 IoCs

pid	Process
32	elevation_service.exe
4704	elevation_service.exe
624	maintenanceservice.exe
1388	OSE.EXE
1844	ssh-agent.exe
556	AgentService.exe
1952	TrustedInstaller.exe
4292	wbengine.exe

Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Credentials from Web Browsers
T1555.003
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
credential_access stealer

Credentials In Files
T1552.001

Drops Chrome extension 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Local\Google\Chrome\User Data\Default\Extensions\dlddmedljhmbgdhapibnagaanenmajcm\1.0_0\manifest.json	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe

Enumerates connected drives 3 TTPs 21 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\J:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\L:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\N:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\U:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\X:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\G:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\Q:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\V:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\W:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\Y:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\E:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\I:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\T:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\Z:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\S:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\H:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\K:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\M:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\O:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\P:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened (read-only)	\??\R:	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe

Drops file in System32 directory 61 IoCs

description	ioc	Process
File opened for modification	\??\c:\windows\SysWOW64\svchost.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\msdtc.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\perceptionsimulation\perceptionsimulationservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\wbengine.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\msdtc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\perceptionsimulation\perceptionsimulationservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\sensordataservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\Appvclient.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\dllhost.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\diagsvcs\diagnosticshub.standardcollector.service.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\fxssvc.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\sensordataservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\Agentservice.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\Agentservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\alg.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\Appvclient.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\snmptrap.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\spectrum.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\spectrum.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\tieringengineservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\msiexec.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\alg.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\locator.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\openssh\ssh-agent.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\SysWOW64\msiexec.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\openssh\ssh-agent.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\Agentservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\msdtc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\wbem\wmiApsrv.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\fxssvc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\msiexec.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\vssvc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\searchindexer.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\tieringengineservice.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\wbem\wmiApsrv.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\searchindexer.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\Appvclient.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\locator.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\openssh\ssh-agent.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\vds.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\wbengine.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\wbengine.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\dllhost.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\diagsvcs\diagnosticshub.standardcollector.service.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\vds.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\snmptrap.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\snmptrap.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\vssvc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\windows\system32\WindowsPowerShell\v1.0\powershell.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\lsass.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\lsass.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\perfhost.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\sgrmbroker.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\sgrmbroker.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\system32\svchost.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\fxssvc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\SysWOW64\msiexec.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe

Drops file in Program Files directory 64 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\common files\microsoft shared\source engine\ose.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\ktab.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\wsgen.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jre-1.8\bin\java-rmi.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\mip.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\unpack200.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jabswitch.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.EXE	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdeps.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\rmid.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\schemagen.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\xjc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\native2ascii.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Internet Explorer\ieinstal.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javadoc.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jdb.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javaws.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\java.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javac.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Common Files\microsoft shared\OFFICE16\LICLUA.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\dotnet\dotnet.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\javap.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\jp2launcher.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\rmiregistry.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	\??\c:\program files\common files\microsoft shared\source engine\ose.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jstack.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\rmid.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\servertool.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\chrome_pwa_launcher.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Internet Explorer\ieinstal.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jdeps.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\kinit.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\chrmstp.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\orbd.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Internet Explorer\iexplore.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jmap.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Common Files\microsoft shared\VSTO\10.0\VSTOInstaller.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jconsole.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\pack200.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaw.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\kinit.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\ssvagent.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jre-1.8\bin\jabswitch.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Common Files\microsoft shared\ink\TabTip.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\javafxpackager.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jstat.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\klist.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\servertool.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\7-Zip\Uninstall.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\appletviewer.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\jsadebugd.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\policytool.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\javaws.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Common Files\microsoft shared\ink\InputPersonalization.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\Java\jdk-1.8\bin\jmap.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\jre\bin\orbd.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Program Files\Java\jdk-1.8\bin\klist.vir	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe

Drops file in Windows directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe
File opened for modification	\??\c:\windows\microsoft.net\framework64\v3.0\wpf\presentationfontcache.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File opened for modification	\??\c:\windows\servicing\trustedinstaller.exe	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
File created	C:\Windows\Logs\CBS\CBS.log	TrustedInstaller.exe

System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe

Suspicious behavior: LoadsDriver 2 IoCs

pid	Process
656	Process not Found
656	Process not Found

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2216	b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe

C:\Users\Admin\AppData\Local\Temp\b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe
"C:\Users\Admin\AppData\Local\Temp\b9c7eed7f539a7a12d747625f258532860b2a796c2b8845a5d398830680953dd.exe"
1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
PID:2216

C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:32

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
1⤵
- Executes dropped EXE
PID:4704

C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
1⤵
- Executes dropped EXE
PID:624

\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
1⤵
- Executes dropped EXE
PID:1388

C:\Windows\System32\OpenSSH\ssh-agent.exe
C:\Windows\System32\OpenSSH\ssh-agent.exe
1⤵
- Executes dropped EXE
PID:1844

C:\Windows\system32\AgentService.exe
C:\Windows\system32\AgentService.exe
1⤵
- Executes dropped EXE
PID:556

C:\Windows\servicing\TrustedInstaller.exe
C:\Windows\servicing\TrustedInstaller.exe
1⤵
- Executes dropped EXE
- Drops file in Windows directory
PID:1952

C:\Windows\system32\wbengine.exe
"C:\Windows\system32\wbengine.exe"
1⤵
- Executes dropped EXE
PID:4292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe

Filesize
2.1MB

MD5
0096d3a80e078fb2978dba5a77c5b0c8

SHA1
031f8289e2c507eb013fc5015217ffcd59061575

SHA256
4be6c41dbe4ff14f6773c9bfff34c950153ff181ac140dee2ee93892d3caf3d5

SHA512
24d95518c4917172e21f336bd66d984068667ffa160fd743656afe9f34b6eff2c20735acfa3ee5106459d7c8af89a1f2faf403b9911fc478ba96040345ec04f6

Download Submit
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe

Filesize
731KB

MD5
9c7e8325e2d864f7b38c99c458236144

SHA1
0292005b3d694a2fc68a04b73e068dd8c857834c

SHA256
dfec2ba5c484168d1d4d4bb04ce1cff0defc6f065f99f5de8b1337aa45a6529a

SHA512
8b9e21931022b0aa7831ce9008d65a6cf9b2365e1195c8e0993adfb62c1021d8da61258f34698f3dda0757163fe0f44280065d133ed57b288c34c215609822a6

Download Submit
C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE

Filesize
748KB

MD5
462911baf51bc3f95e1e247dbcd5fd30

SHA1
3cb7b477d2aa2069262f672dbecd76f9ec15179f

SHA256
5ae1c70b3aedb767da46d169a7bb904cffc39b9b71ccab6dceebb13a691ab9ea

SHA512
41c24c67ea57687e21731c8a6a9358658e342bc7197dd01f2746f287438e5057ed7c4aea44a806ab64ca84ea31e4f7b612c5dad9ec0d0dcd3feb8092253bd1b6

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\setup.vir

Filesize
4.5MB

MD5
7e70e99c739df8174e30bebc0ec9926f

SHA1
e45a690347250bf57b1b1fb0a906cc5019214050

SHA256
60a6e56c1bd87ea3c0eb5c05cbea2bacb16d76d64137dcec30643a3e9d11109b

SHA512
0daa82e380051550798dd6fe04f3a627a1f4029a2333fe14b4bc36a6ec8585bd1d03db1ae40b2e3ad856fe0ed6f8970c8927ea03de3dcadef38fd27b17a9eed7

Download Submit
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe

Filesize
2.1MB

MD5
6cf3432304b1fff7bd4f827021fdddfb

SHA1
55234f722ff172cff468db3a754727a8feceba4d

SHA256
0ab9aab1113564edb7e36296eee1b61c30799960efe9fd6ff2ed49181c51cbe3

SHA512
842b8cf61edee8808f7b33329d3805f5e76b0b1c5503a9b4ce237f9a276536a8df578e6c97c57ee7f05cab0a9e757454d2596fc8a97812de52a535970dd6dc34

Download Submit
C:\Program Files\Internet Explorer\iexplore.exe

Filesize
1.3MB

MD5
2ce184514d6c226eb78f04ce1c9bbd77

SHA1
9bbc478d89d18c7f7a8a08fb3ed6d362220046b9

SHA256
eb9bb17dec3750c032256e209b702e6e67ac8239f078cc6f0855db17755562d3

SHA512
b43709d186f83ddb6773ec75afb0caf43391103fcf0708cd76b56730e55678ff5248ce1d04e595c3f3944012bd7746dac81fbe7b155121d65483752ebc7a00e9

Download Submit
C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe

Filesize
931KB

MD5
f4e2c65e12b744993e5b4b5adfa13abf

SHA1
4a4d47825f38580dbd11c32aaf9bef3c10e1a2fd

SHA256
452c8784fc1e7306677117d8fa1d270b521943631987bb1316cbb697c131fbd2

SHA512
eae86ed412c882529f63fedaaa4e1e539f5d6ede405e29756ac45236ec03f8483cd635c603d99e66c2a899d3c1dfcb86c3536749d1a0684f207ad492cceb6a4a

Download Submit
C:\Windows\System32\AgentService.exe

Filesize
1.7MB

MD5
1c067ba7e7f7dfca42588aa98dedb139

SHA1
2262c31bbdbf7b1dd984c6543021ba96dffe5567

SHA256
82cc66938690723ce7bb9619013dfae4d17525badb492ffa3a1dced09bc02673

SHA512
ce5684ed12b8c54d385bbadd0ecdf21a5beb96633a1dc56f84066c2f8c46ea93f7989101a8a106f7c2605586d560e1d9dd191ee5b15efd16b243c2c5fcc1df34

Download Submit
C:\Windows\System32\Appvclient.vir

Filesize
1.2MB

MD5
b97e6008fe5c4c4dcfb95bfbfbfa81bd

SHA1
38c40f63d1faa587f438b06042171008386faa73

SHA256
a59eaf469d4bef6caacd3b2b5d4cb43bc19c037bff4ea69117f6141f969e993e

SHA512
1b1bf10548a960ca99896953bfeaf3f6886935f6c1221cbe0b0059d45a2b0f191f73fd019d8319e5a04173970f273540f87635818472eac706a3a13b04729793

Download Submit
C:\Windows\System32\OpenSSH\ssh-agent.exe

Filesize
882KB

MD5
bc603813beec92048de06f614132defe

SHA1
a4f43735c592ff5474e4466edda4d3e84628f213

SHA256
64f9efa9ca49469c4164ba7b63954dba2e6012c60d348757704d7d7b19fad561

SHA512
8637175ec8bef4c219c027ac3e97d30ec1817beb1144f00edbd52c0cb044ae61b146b840ee60731093b15f04216c8eb82c752af718126c99d2e66b4adb8f54b7

Download Submit
C:\Windows\System32\wbengine.exe

Filesize
2.0MB

MD5
21be8759d1953d137fde119f064dd97c

SHA1
17bf1b01d2a159689269df14c7eddd689b491ff3

SHA256
e06d498b8c046bfdb0bbb6f527aa09cd3f8f7e2c857fcc08de0c95ef0fed24c7

SHA512
7044b213c7f8b0ceba1f289aaec0324c7bdffb6b8914d6a8cf2bfa5557e8bd8aee5ecbf4c298e3a47648090364d516ddae69e0215cd0532f1b979945cb2749ed

Download Submit
C:\Windows\servicing\TrustedInstaller.exe

Filesize
193KB

MD5
805418acd5280e97074bdadca4d95195

SHA1
a69e4f03d775a7a0cc5ed2d5569cbfbb4d31d2d6

SHA256
73684e31ad4afe3fdc525b51ccaacc14d402c92db9c42e3fcbfe1e65524b1c01

SHA512
630a255950c0ae0983ae907d20326adea36ce262c7784428a0811b04726849c929bc9cea338a89e77447a6cec30b0889694158327c002566d3cf5be2bb88e4de

Download Submit
memory/32-21-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download
memory/32-20-0x0000000140000000-0x0000000140368000-memory.dmp

Filesize
3.4MB

Download
memory/556-81-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/556-83-0x0000000140000000-0x00000001402F4000-memory.dmp

Filesize
3.0MB

Download
memory/624-36-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/624-37-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1388-59-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1388-60-0x0000000140000000-0x0000000140203000-memory.dmp

Filesize
2.0MB

Download
memory/1844-74-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/1844-73-0x0000000140000000-0x0000000140236000-memory.dmp

Filesize
2.2MB

Download
memory/2216-0-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/2216-2-0x0000000001000000-0x00000000011BA000-memory.dmp

Filesize
1.7MB

Download
memory/2216-1-0x0000000001008000-0x0000000001009000-memory.dmp

Filesize
4KB

Download
memory/4292-90-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/4292-91-0x0000000140000000-0x000000014034A000-memory.dmp

Filesize
3.3MB

Download
memory/4704-28-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download
memory/4704-29-0x0000000140000000-0x000000014035F000-memory.dmp

Filesize
3.4MB

Download