Analysis
-
max time kernel
120s -
max time network
95s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
-
submitted
08-01-2025 01:51
General
-
Target
7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe
-
Size
635KB
-
MD5
79fe1ca4d124971e6b872d5d6acd25f0
-
SHA1
eca06b23d460392695fbea380a6e4ed69ea14d55
-
SHA256
7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223d
-
SHA512
7e37f5cff2d86b325d3acb44b1a6821c94a221a70fa9ac81369fd8b22aeea3df5e6e652ba46618f7b06393045b09e7d8c7c676334c14666f27b9c1a0cf2dcf61
-
SSDEEP
12288:WDB+kxedc++Zvwx4jZVvPr+WmCqeDkqZ7K0Y7hbM:WDB+kxeqPZvwujZVn8eDhXYNb
Malware Config
Signatures
-
Expiro family
-
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
-
Expiro payload 1 IoCs
-
Executes dropped EXE 7 IoCs
-
Reads user/profile data of web browsers 3 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
-
Unsecured Credentials: Credentials In Files 1 TTPs
Steal credentials from unsecured files.
-
Drops Chrome extension 1 IoCs
-
Enumerates connected drives 3 TTPs 21 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
-
Drops file in System32 directory 61 IoCs
-
Drops file in Program Files directory 64 IoCs
-
Drops file in Windows directory 2 IoCs
-
System Location Discovery: System Language Discovery 1 TTPs 1 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
-
Suspicious behavior: LoadsDriver 2 IoCs
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
Processes
-
C:\Users\Admin\AppData\Local\Temp\7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe"C:\Users\Admin\AppData\Local\Temp\7971ad20e117b347787bb55470bde1cfa814d6479c1ccc5767e2c935b507223dN.exe"1⤵
- Drops Chrome extension
- Enumerates connected drives
- Drops file in System32 directory
- Drops file in Program Files directory
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
-
C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"1⤵
- Executes dropped EXE
-
C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"1⤵
- Executes dropped EXE
-
\??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"1⤵
- Executes dropped EXE
-
C:\Windows\System32\OpenSSH\ssh-agent.exeC:\Windows\System32\OpenSSH\ssh-agent.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\AgentService.exeC:\Windows\system32\AgentService.exe1⤵
- Executes dropped EXE
-
C:\Windows\system32\wbengine.exe"C:\Windows\system32\wbengine.exe"1⤵
- Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Credential Access
Credentials from Password Stores
1Credentials from Web Browsers
1Unsecured Credentials
2Credentials In Files
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
2.1MB
MD5728d84fff68da35a042eeafd1a1a6f8d
SHA199c023c9ad7e08b4f1582b2c7155507c5145eedf
SHA25629cb1d54bdd145d412c4135dc3ea82e4e71c740c5acf87935c6a439d66e4665c
SHA5121f446113fc79123656577e5ebea617f5c522432bb77f5ba2b6d016f0869ca2cb65273525d4c23ceef2ffa4aee1efe61abe35b4639ded67b8fb2da2c68e92d127
-
Filesize
731KB
MD52766363e84ea8a7b1d598ba44f2fe9b1
SHA1f99b8159e9bee349a555919e512734df62841256
SHA256265f68a15efb653731a93129e55de8d33a421fb6c0d50900e6eef7cb7f51888e
SHA512ae1e415ae31632c30908b2a300a378838b102a7b4d48c8313f698ea487b88358599aed35453a522252be581b8db550928e0ba6e2605f4eab98ca26178ad3c64a
-
Filesize
748KB
MD5baef7b59514fda9c4d72af455e243e6b
SHA1f2ccc7355d690bf5ebb2109faa18eb8ee1ff18df
SHA256e406b3c8e270639bbf232166b3e7fe4db11cbca8d42ac32746d42896dd1ff448
SHA5124dc9b4abf3d3aa56d28447cab6582b578c0832c4c3e46149f22df4152b1c83e819c87213a4b0f35d2bdb61c46e19ee531118f241553e9576c6729d6538b7ae8f
-
Filesize
4.5MB
MD57e70e99c739df8174e30bebc0ec9926f
SHA1e45a690347250bf57b1b1fb0a906cc5019214050
SHA25660a6e56c1bd87ea3c0eb5c05cbea2bacb16d76d64137dcec30643a3e9d11109b
SHA5120daa82e380051550798dd6fe04f3a627a1f4029a2333fe14b4bc36a6ec8585bd1d03db1ae40b2e3ad856fe0ed6f8970c8927ea03de3dcadef38fd27b17a9eed7
-
Filesize
2.1MB
MD50d88a4d009736f57deeb1e3adb15f4ea
SHA1751375995d11e823fab0faddd9234544487786ac
SHA256dc48e8c461be6b2d8eb6e9a6609ca712eeb9b28dd47aeecd2ccb8b3f4775e3df
SHA51270f920d69bdb12bcc2980a568fd959e02231e6d0fc0931b82f858fed9d424a5ba36d543286090c3d5f627ab4728ab236774e96eb5b4c3ff915c0d7dfe6630814
-
Filesize
1.3MB
MD58dcf62d975d0fd92d9ddb50dee8afacc
SHA1b09e10ceadb51eb61ba39b6db96fb4fa5b973d2f
SHA256dd0213a6043ee5dd362c08515eea4152714dc45edc498d3313a9a07841ec4c7c
SHA512800481fd63ab40a205a5c32bd17af6712647ab09c210afdd4d4521d46cb9b71bda9fd37545ef168550b8a3881fa78c19ccef10ba370df095af73d42c1053c2fa
-
Filesize
931KB
MD5fbd875ad468e8cb2ac2459a4be9eab45
SHA12d4e6ddbeb1006dc17630abe1a5563e27e78e828
SHA2565eccaadb12b3438dd681afefb72a30c1253e93b3f8345cd12bc159600c9b8355
SHA512aad9248f69d21ab1a859daf020a168e6819a9e4076c1bfc83919cf08c890f733d1468495ad6db03d8aa0a4cf0ca8225dbe1129c0308a73e1a5afee30b79376ea
-
Filesize
1.7MB
MD593ad44333f94fac28d68e1d372ff2baa
SHA149a64e17414158ba8b1bb7357e7824ba5022a36d
SHA256917fb117cc36aa39267ec8aa6f301b39e963335268ecda74f856b6feb9648b89
SHA512071cccd2ea61d2ac66c8bf104a8fe91b7f2fc4ba0b2cd8dd85be5bd0352c85a1b3a0b2cd7481567d30a5ccde009a5726c68434127f34c0acd8e2b7442331011a
-
Filesize
1.2MB
MD5c95d533fb581868667b182f5f9b9c917
SHA1c4bf0582f4e47590c948f9de4746768f41448a99
SHA2564174521f3d92155435769aaabb3f9b29f383a547f9b332933f1ef86ccb4065b5
SHA5122defc59f004d1844581ee5bc4ec0781d496be351dbba28fbe48ebb2a10b990036b35bf127f92c3670d35b7b87489c304ba57669db6abe2d73ff1db40e95e0a07
-
Filesize
882KB
MD57b950c387a12cf77207c9fdb9f42a4f0
SHA178b8e1bb3a93cd2148eb5cbbc4b49d485e31b8eb
SHA256e3650a6e7ba3349ad5e755bde1ee24452e27ed1bbe51e2ad1f0c8cc14e691394
SHA512061c7f9ff969576dc345558f247ebd754bb71b9809e4c6263816f6e0c7d678f400fc99ed4a50a7ff97d93e1e26477650f4f1262aef664e610f6a6aa5892b3268
-
Filesize
2.0MB
MD5673c6b7182dc5de6cad7e283aa330f56
SHA1af55b4a1913e51d7816e889be8dbb5646780afed
SHA2561ddc7c4bb93f7a813d877e338c0f8beca7c46e9049b532add3d14431312fabff
SHA51294561a94bb9b40d755014ed9ab30aa248d5d12490a54966983b916860c8801c909f5c155cd5228f8068a1cc3cfd908809cde2d73a92390a4b30d5e0a2c0733de
-
Filesize
3.3MB
-
Filesize
3.3MB
-
Filesize
1.7MB
-
Filesize
4KB
-
Filesize
1.7MB
-
Filesize
2.2MB
-
Filesize
2.2MB
-
Filesize
3.0MB
-
Filesize
3.0MB
-
Filesize
2.0MB
-
Filesize
2.0MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
3.4MB
-
Filesize
2.0MB
-
Filesize
2.0MB