expiro | 7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5

General

Target

7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
Size

927KB
MD5

797c53ab8096a9a97d91bd8b4b25aea0
SHA1

36f56d955c6bcf22b4d6391b61af1c6754b3d29a
SHA256

7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5
SHA512

ea1a7512e42361aa6d08b8107e15a3419e0de4c8fdb8f96f2473dc3279f46ef010fa46fc8910d57a4e3b214b0f7da0e3bbb6241bcf0181978a722d63c5bc05f8
SSDEEP

24576:RjkqcetqSd1ELP34MYTNvyvzEYoo+iiNuZXL:xkqjtqSDELPYsbH

Score

10^/10

expiro backdoor discovery

Malware Config

Signatures

Expiro family
expiro
Expiro, m0yv
Expiro aka m0yv is a multi-functional backdoor written in C++.
backdoor expiro

Expiro payload 1 IoCs

backdoor

resource	yara_rule
behavioral2/memory/4224-3-0x0000000000400000-0x00000000006B6000-memory.dmp	family_expiro1

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3227495264-2217614367-4027411560-1000\Control Panel\International\Geo\Nation	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe

Drops file in Program Files directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Temp	AdobeARM.exe
File opened for modification	C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\Backup	AdobeARM.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	AdobeARM.exe

Suspicious behavior: EnumeratesProcesses 10 IoCs

pid	Process
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
4180	AdobeARM.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 4224 wrote to memory of 4180	4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe	82
PID 4224 wrote to memory of 4180	4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe	82
PID 4224 wrote to memory of 4180	4224	7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe	82
PID 4180 wrote to memory of 2820	4180	AdobeARM.exe	91
PID 4180 wrote to memory of 2820	4180	AdobeARM.exe	91
PID 4180 wrote to memory of 2820	4180	AdobeARM.exe	91

C:\Users\Admin\AppData\Local\Temp\7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe
"C:\Users\Admin\AppData\Local\Temp\7ee11f85e1380cc197c7f86485756207e10e5aaa59f9646dae981641113ff2a5N.exe"
1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4224
- C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe
  "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
  2⤵
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4180
- - C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe
    "C:\Program Files (x86)\Adobe\Acrobat Reader DC\Reader\Reader_sl.exe"
    3⤵
    PID:2820

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

System Location Discovery

1

T1614

System Language Discovery

1

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\AdobeARM.log

Filesize
358B

MD5
9590ba87d292bfd6e8ebaeedcf3d9e7d

SHA1
ea320f78551c0fe4217f1c00c3910fef75527ad6

SHA256
ecf52bb638cd944b0f9c8ae373a5bcde837c741a1715bb4f5bdde28b40131055

SHA512
157027e8d5a6a9e54142f5e28608d26f095ba1c26a74ccbc2486c4ec32a82cfb271807cae321ce9cb1a3a3a7f86f33e5646ff5edc6147857539cb84af4855691

Download Submit
C:\Users\Admin\AppData\Local\Temp\ArmUI.ini

Filesize
251KB

MD5
864c22fb9a1c0670edf01c6ed3e4fbe4

SHA1
bf636f8baed998a1eb4531af9e833e6d3d8df129

SHA256
b4d4dcd9594d372d7c0c975d80ef5802c88502895ed4b8a26ca62e225f2f18b0

SHA512
ff23616ee67d51daa2640ae638f59a8d331930a29b98c2d1bd3b236d2f651f243f9bae38d58515714886cfbb13b9be721d490aad4f2d10cbba74d7701ab34e09

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpC7C4.tmp

Filesize
3KB

MD5
bbb796dd2b53f7fb7ce855bb39535e2f

SHA1
dfb022a179775c82893fe8c4f59df8f6d19bd2fd

SHA256
ff9b4cf04e3202f150f19c1711767361343935da7841c98b876c42fd2cabce9b

SHA512
0d122f454fcbf4524c2756692f0f33dc98f5bd2426839c6f03cd5c5f4fd507a8a15cf489d7a7ceadd1b95cf31b506c04bf03d613a9ba7d76add92766b1dc5c2b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDF65.tmp

Filesize
3KB

MD5
ec946860cff4f4a6d325a8de7d6254d2

SHA1
7c909f646d9b2d23c58f73ec2bb603cd59dc11fd

SHA256
19fe53c801ad7edc635f61e9e28d07da31780c2480e6f37ecfc63fffe1b250fe

SHA512
38a98b18dbae063bc533a1ff25a3467a7de197651e07e77a1b22cf8ce251282ab31f61dcff5c51ef186cfd115dc506181d480eabffbe92af01dee6282cbee13e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpDF66.tmp

Filesize
3KB

MD5
fc2430057cb1be74c788f10c2d4540c8

SHA1
cab67ee8d5191fbf9f25545825e06c1a822af2f2

SHA256
dcc9d2695125406282ba990fec39403c44b12964acf51b5e0dc7f2080d714398

SHA512
4e2b9709a9e3ca5173abb35816e5a0aebbf2a7aaf971d7f75f3ae66e4a812cbade103baa5016525f5ab83a60c18f8d3c278c90ff83e4afdae419f81673cb5aee

Download Submit
C:\Users\Admin\AppData\Local\Temp\TmpE15B.tmp

Filesize
3KB

MD5
a58599260c64cb41ed7d156db8ac13ef

SHA1
fb9396eb1270e9331456a646ebf1419fc283dc06

SHA256
aabf92089e16fdb28706356dbc4efb5a81f5277946f2e67695b31676616ed2d2

SHA512
6970cbc42e7ec64ccdb8e5633b7017b1e9ec0d4ad094869e221e9275b814b1442b84827996190159543bdb5e86df6885c45197c533d657db4660fca8ad761a71

Download Submit
memory/4224-0-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download
memory/4224-1-0x0000000000414000-0x0000000000415000-memory.dmp

Filesize
4KB

Download
memory/4224-3-0x0000000000400000-0x00000000006B6000-memory.dmp

Filesize
2.7MB

Download

Analysis

Sharing