Overview

overview

10

Static

static

3

b760bcf51f...7N.exe

windows7-x64

10

b760bcf51f...7N.exe

windows10-2004-x64

10

Analysis

  • max time kernel
    120s
  • max time network
    94s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20241007-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
  • submitted
    12-01-2025 14:12

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe

  • Size

    610KB

  • MD5

    cfa8191b3ff2d4c91719db8affaa6090

  • SHA1

    1bc6a3276fc444c1faed44347b3180eb8b3803bd

  • SHA256

    b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7

  • SHA512

    8a24aab9c09bb018b7dbe4c78d5437e1bb13aa94111240da99450b3728e2aefd1149c5e007aaefc1856ee591d5e2a8e12bfd96dfa9f620733c835901994cc572

  • SSDEEP

    12288:BPrneXCtwpxa5ICfznTODkiRrZ3VpWCDy7Frd3:BPr4CmpxayCfznTkhVpN6rd

Score
10/10
expirobackdoorcredential_accessdiscoveryevasionspywarestealertrojan

Malware Config

Signatures

  • Expiro family
    expiro
  • Expiro, m0yv

    Expiro aka m0yv is a multi-functional backdoor written in C++.

    backdoorexpiro
  • Expiro payload 2 IoCs
    backdoor
  • Disables taskbar notifications via registry modification
    evasion
  • Executes dropped EXE 5 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

    spywarestealer
  • Unsecured Credentials: Credentials In Files 1 TTPs

    Steal credentials from unsecured files.

    credential_accessstealer
  • Windows security modification 2 TTPs 2 IoCs
    evasiontrojan
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Drops Chrome extension 1 IoCs
  • Enumerates connected drives 3 TTPs 42 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in System32 directory 64 IoCs
  • Drops file in Program Files directory 64 IoCs
  • Drops file in Windows directory 2 IoCs
  • System Location Discovery: System Language Discovery 1 TTPs 1 IoCs

    Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

    discovery
  • Suspicious behavior: EnumeratesProcesses 34 IoCs
  • Suspicious behavior: LoadsDriver 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 2 IoCs
  • System policy modification 1 TTPs 2 IoCs
    evasion

Processes

  • C:\Users\Admin\AppData\Local\Temp\b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe
    "C:\Users\Admin\AppData\Local\Temp\b760bcf51fccff727d6e3e0fc44ff4eac267ab82a77604912897282e194baac7N.exe"
    1⤵
    • Drops Chrome extension
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • System Location Discovery: System Language Discovery
    • Suspicious use of AdjustPrivilegeToken
    PID:3996
  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    "C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    • Windows security modification
    • Enumerates connected drives
    • Drops file in System32 directory
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of AdjustPrivilegeToken
    • System policy modification
    PID:4176
  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe"
    1⤵
    • Executes dropped EXE
    PID:3864
  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    "C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe"
    1⤵
    • Executes dropped EXE
    • Drops file in Program Files directory
    PID:2420
  • \??\c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE
    "c:\Program Files\Common Files\Microsoft Shared\Source Engine\OSE.EXE"
    1⤵
    • Executes dropped EXE
    PID:2300
  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    C:\Windows\System32\OpenSSH\ssh-agent.exe
    1⤵
    • Executes dropped EXE
    PID:2620

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files (x86)\Microsoft\Edge\Application\92.0.902.67\elevation_service.exe
    Filesize

    2.1MB

    MD5

    2f0a8fe160430d245910392b0da32002

    SHA1

    46522fbd475b8ae2f4dbc32f65f0037bbc651bac

    SHA256

    6f5f2da57d67a3720c61f9541318bf4342fe277ca475846bcc1af54476dc6322

    SHA512

    9fe281cbf2b7bb42fb5bed9a214f15843f6a67a60bdac67a607cf4230c9d2574a88f3fb217930bff88dc8436f9af386c600d654510eaeafc20b30e437736fdfc

    Download Submit

  • C:\Program Files (x86)\Mozilla Maintenance Service\maintenanceservice.exe
    Filesize

    777KB

    MD5

    cb88f8f62501867ce31dbdab0a871f88

    SHA1

    66cb4e75dfaef6c8e9c46d54ba1239c4fed2d840

    SHA256

    4a62ef6feef8ac71789d199014317eb98d6c74853050e52761c1470e9091b7ca

    SHA512

    4f8bb0055b36b9d04536c6ab2117e9e8f1b1192f6bcb276a2ade00840230d05b57be4cc3671bb0091c20a339f0e1e04488b642548c35773217510c9153f72986

    Download Submit

  • C:\Program Files\7-Zip\7z.exe
    Filesize

    1.1MB

    MD5

    95db16c85b0bb6718bf9569df8969f09

    SHA1

    e1592fe7bd1682a01b36bbfd3c7d71a4a3cb42df

    SHA256

    89ab1ec0e7a4015d2eb3db6947c3eb5fe2322e6bfda9e1ea5e3eccde04598fba

    SHA512

    314670aced7815379e74b02df75187638a9b577064b17d7da6e89a627a3257083d0a9525b73478a70767e9419e3692ce125baeadcdd35d77db162637c0a28401

    Download Submit

  • C:\Program Files\7-Zip\7zFM.exe
    Filesize

    1.4MB

    MD5

    2d13e583ea7ad2c9c7a30eec2d633404

    SHA1

    d37163075c3201a08ebf9b3843b58c92700ca949

    SHA256

    0d9d2b9c743e520d4395841d4c490946d37099f0ffda7c8b3c74c4e39bfff134

    SHA512

    0ffb60d2a1f031483d47c1ea2db1d98047e577d0364f59e88b641296267c47756f3e4c6d42dcdf91f4b9cf01abb6497d6d9ee8880d1e9b9a35ad25e296244a8e

    Download Submit

  • C:\Program Files\7-Zip\7zG.exe
    Filesize

    1.2MB

    MD5

    6c0a7d0ea3efa25db93a916e2e530ecc

    SHA1

    f86d5f1cc9ce322795796a682ef13135a20f746f

    SHA256

    75d2d7f4211a7e35a14a2dcdfbf87e711e1ec570299d1e901c72382c6ef7a7dd

    SHA512

    ce7ecf25ce100e158783c8a2e80a3318ea7158d6d478d5e2dc7fc4ae0264e8f55db51460ca771066939117c0554c6b388c39e8f5a92d77b099006862ee504606

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\AppVShNotify.exe
    Filesize

    828KB

    MD5

    68b81589c4cc2d03122ecdfb435cca16

    SHA1

    fd4b8ad91dfa99237ca6dc5da5176ddc309e8f25

    SHA256

    c241f9f552c8d28407ba20026ce2f069228bc14682a97400774bde2dd8b5d652

    SHA512

    5ce478bf04531876d743693d57a4166b536cae97fc13235d1671d9de9abad5820648f0c3fe4d84d597bcbcc6094f94a410dfcafa6791a60ec8eb00f495d15496

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\IntegratedOffice.exe
    Filesize

    4.6MB

    MD5

    1f3d7a5ddf6726d606598c67c0778755

    SHA1

    8c9aa542337b9cd54493f67d516b095931b6c341

    SHA256

    d23d8d7243f32c9e46b4ee2a5ef4f5303781c00a1dd255051a4ae14e0b1b06bb

    SHA512

    ce340f3e8ed4521e61645c17a5f1c5cecb5a77e4ccf6220d2e4f6af304e67371c9376e94e997348518a950250d41df17b85ed1b194d4bc053c5aa44214f52872

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\MavInject32.exe
    Filesize

    898KB

    MD5

    80383b876ef1f10c6485202ae553a77d

    SHA1

    cf16c2743f12c48c86f3ed02e867395370e07e78

    SHA256

    2599dec6f8c6ae26a717615915edb0b18b164f02899b5806bc82bebc882a2d1c

    SHA512

    a5a16a7ffe79140693dbd43d22bbd5269c0b6bcc6bf26c278631da5af0ccd7543dc141b99f5a0f9f2d140553ac2949cbc4afdc177e5547f9dba3164e584bbe94

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\OfficeC2RClient.exe
    Filesize

    24.0MB

    MD5

    0bbe23f9f76d64a9edb02ecc8f394e7f

    SHA1

    2980d4a3acf209fe2a3883065aaea06b862d0c41

    SHA256

    df2bba1b82e48a972945a69fadcd7681e6853f83c395f2166823349b4c458be6

    SHA512

    f1d1acbab4c0ff35b3fc36039c3ab70c80b121d61099db03219e208f9b84c5f3ac6098db337f7d3ea646502fbbfa58810ad25282f2bcd6161a1aff97fdfdb054

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\ClickToRun\appvcleaner.exe
    Filesize

    2.7MB

    MD5

    075454723cc43feb778729bfaf7d18f2

    SHA1

    6f9649a114bd5c59b219f5877ccb16b9a70df2a1

    SHA256

    d232ea9881898308be16d9bfae39a7ad6bae3a42902e2ce7dce9c97972da1968

    SHA512

    3899c2f592f4e72d72221d9cddb9216bc834233c7af2ef5659372b33ba898a526deb04b7d6cb9a2894d667a386fa9e62ae44c7671362d7229442b6cabc294017

    Download Submit

  • C:\Program Files\Common Files\microsoft shared\Source Engine\OSE.EXE
    Filesize

    793KB

    MD5

    edf52a9d2ac6b9e21563970c030fe0a4

    SHA1

    eae1a24a84a60d3746951076616eb6ed40b2e645

    SHA256

    4707fa9056be7fd16d11235df37ee1165188a141c40c68a213a5ba13b8b0298f

    SHA512

    cc7d6e3fa8f2ffde4e0173c9ec5e64e04255ef35b8b1903e4655752cd9f6e1a7e4c6379e95d63d509b0b7065a717b1a57b38ad7963d38a7d4f731d689b879db2

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\Installer\cpkcoelj.tmp
    Filesize

    4.6MB

    MD5

    5d0d72c1705d8529937dc515a5cd98eb

    SHA1

    2e8483246a7bb3f1982abaa023fdfa914d7362b9

    SHA256

    e30b10abfa9a671ae056f05288f2c85a04f8d2b4db7a3cb54b4656e6a07c12d4

    SHA512

    ea406e6023146892db8796547f9324b858d78b38fe0ac91cb77427fd10ace6f935d9b30af26e922e27b0f227bc0660346fe5112c3345d761016a78da847e60d0

    Download Submit

  • C:\Program Files\Google\Chrome\Application\123.0.6312.123\elevation_service.exe
    Filesize

    2.1MB

    MD5

    a76710eb530c2239cbb12efa848fb207

    SHA1

    829bd5fc6d01d8e22f5c40853a5b6897a9f8b548

    SHA256

    44235e109a33d59ae49beb907928c9f7814c3ec0d311c0ede0478c2d634c3c74

    SHA512

    2a2b20620952f5a73253235d553fc6f4fb001c0ce4e88b1ef3bf5105a04192db844dbd70db824eb6bd416310dac10410e3ef7361b9a4a37cd535aeac9fe3e1c9

    Download Submit

  • C:\Program Files\Internet Explorer\iexplore.exe
    Filesize

    1.3MB

    MD5

    b735bbb8bf22994ccb800f1e0194a855

    SHA1

    05e47aa3019dacfb16eb1d8e7fdb12a0c52edaea

    SHA256

    fda2232e15528b568907c279563581c627c699992b570cb0d40bb5db5d797bff

    SHA512

    b32dd4cf565e001bf987e7af7c273b77b766b641a83f46251621843d4fe49705a8456e45918eb0ef1491fe2d1f41727a9f1c928468bc13f4b6cf49f98dd7de21

    Download Submit

  • C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe
    Filesize

    978KB

    MD5

    b392b9b0291a3bfecb80de66901296d2

    SHA1

    ef0454408a6ea1e9d17195eeecbbbba7264565ec

    SHA256

    82bb7f7dd8a27ab8de308698e6c2a7cb762b2fc4c6a6f6fa1f396c7417550909

    SHA512

    b9fa6f99014e967a24622567d139c93634d9d02992079afac3350200db80e3f17784d19647a958a42b6ae7f9b1cfc9939b0665eb50684c565f9bf2c18225e1a4

    Download Submit

  • C:\Windows\System32\OpenSSH\ssh-agent.exe
    Filesize

    928KB

    MD5

    0600b3f3384128a66ba3f10e2a44bd90

    SHA1

    98544c4c97ec4069941e9648d17fcb4b128822d3

    SHA256

    1bca3811f7703700446fd324aa3bd99421ca194d932aa82c9f6096f1b32c2b6f

    SHA512

    6150d653eb09fa1ab91fd3b1da12e8ef9ec219ad53a7787f63273b15eafaa182999e36e619ca98c4b6bb2da3d94ee395a7c4f1edf2e5a6e1b0e52df3d18adc7b

    Download Submit

  • C:\Windows\System32\mkmepnpo.tmp
    Filesize

    1.3MB

    MD5

    7f7d5cc7e954c8f01a02105acecb78ab

    SHA1

    c2813f3e0c3abe06db444f23c32f209754aaeb5c

    SHA256

    7bfd8c8af2a931e763ab001bb4e970033085fca9f814e8d4efc4ca980e83f2b1

    SHA512

    a9ff1a16d27c97b5753dca6865e121d863d71169ffaae8764b1742eba37b2bf2abed485d28c9257462f938a2bf9cbfde2ce75aa11b75b83e9a405eec42b51b3a

    Download Submit

  • \??\c:\program files\windows media player\wmpnetwk.exe
    Filesize

    1.5MB

    MD5

    5faef900de39eb0bb34b127762d2f533

    SHA1

    3ea0077c9b84565eba52d0934ea95127003b3380

    SHA256

    8a593866a85deb13026c59f1908795812140e14a3775e30b026c7d4a4ef50454

    SHA512

    49490339683d96e0d56011860b11e5d815b465445a315e00f9253242f75162d0d4942ac186a63448c742d8bf9e3693e1f1f434057b8c9bc243b63adbbdb9a93e

    Download Submit

  • \??\c:\windows\system32\Agentservice.exe
    Filesize

    1.7MB

    MD5

    26c5dcb88f2134e6eec185a76067134c

    SHA1

    67d538bf5eca2eb777ea9b96f41911df8fc3d3a4

    SHA256

    bacff30b7afc7cbad468e83f07a6cde7f8493ef8c3fda4339225c14f9f697f65

    SHA512

    1d020ccf2276792cad2e0737b595970ef996fa7eca780c87f789453f89c08828d06a85feecbe0a0d32ca1f3d8148cefc7106f54f2ce0dbea509ff88c539f1109

    Download Submit

  • \??\c:\windows\system32\fxssvc.exe
    Filesize

    1.2MB

    MD5

    2e8bd7b339b20c6b5d81c871e436fa6d

    SHA1

    bcd4bb51faad8310be43b3d1f8a12e87efb63cf8

    SHA256

    00d42be8cd33cf25d87a68e67b43148cc91c82feb5e0f6d34c062cac1dfe0299

    SHA512

    a54458cab55e9505d42f88dff3cd419716ca439982a29406da08019a612077078bd38d128200648582470d285d06b55507228c647a2aabd576ea78fda7f55308

    Download Submit

  • \??\c:\windows\system32\msdtc.exe
    Filesize

    700KB

    MD5

    a36da686b1388a1efbc87b0a3027800f

    SHA1

    f4ba61cc6a58cbf62dc4bfdfaed94b552494f69d

    SHA256

    66855c2627a30f9e3899be1740776accb1f676b0d3e117d22f848a8a535aadda

    SHA512

    7134903f7ffdd9cd8b28a74ecc42b93103e14fabf7f8a42a242d3d9528f4d10735276afe2825499f6703e332ae705638ec544bf3b5b4ca50ac9106b2d73f11e5

    Download Submit

  • \??\c:\windows\system32\msiexec.exe
    Filesize

    623KB

    MD5

    e3c852e9f7470af2c876a6a8fa1278be

    SHA1

    2a447acd84ba331ad9d6fecfd4efa2d691806c69

    SHA256

    c5025d9e913fb486be3ad89323326357ffc575880d949cc0d2311cdfb66782ee

    SHA512

    be7fbfdf32f23bbb2829267b6a47138412f050a50efe6ffabce104dcf982717c3c6c2a0651d6ed6fd67e8aba60416de95322c5d78c4bbfb3c39ec82df813efec

    Download Submit

  • \??\c:\windows\system32\snmptrap.exe
    Filesize

    572KB

    MD5

    8f3375c17bae1d2a89e937287fdb6dd9

    SHA1

    6126555de5dcb6eccad5ab0d5ff6d995b81e401c

    SHA256

    b779769f32ea7dea630e4645add597c8acc15e03764feab7bae247982d0c2a75

    SHA512

    27094bca25e1db9a68a51a0764054d91b237afb1364ef43919a74d33e17140d1b937508c34583da769dd51ab970e9e811ab1003a09a781dbda535b5db305e64c

    Download Submit

  • \??\c:\windows\system32\wbengine.exe
    Filesize

    2.1MB

    MD5

    0eeb65ba57e671dd11405f80b728c9c4

    SHA1

    c1b8bed8a002075bc21d15594a9368302c99a124

    SHA256

    5d522de86588c082f4edd5742267ce1abb6e818a2d8fab7c0282390254da974e

    SHA512

    463da879c85df18ac62619cde1a4c6bedaa89eb1b395238b5275dbba106d047dffc7e00105a0cc1d5219633d01757f55592008c40170c911ee1d336d184e88c3

    Download Submit

  • memory/2300-152-0x0000000140000000-0x00000001402B2000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2300-61-0x0000000140000000-0x00000001402B2000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2300-163-0x0000000140000000-0x00000001402B2000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2300-62-0x0000000140000000-0x00000001402B2000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2420-59-0x0000000140000000-0x00000001402B2000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2420-36-0x0000000140000000-0x00000001402B2000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2420-37-0x0000000140000000-0x00000001402B2000-memory.dmp

    Filesize

    2.7MB

    Download

  • memory/2620-75-0x0000000140000000-0x00000001402E5000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/2620-174-0x0000000140000000-0x00000001402E5000-memory.dmp

    Filesize

    2.9MB

    Download

  • memory/3864-118-0x0000000140000000-0x000000014040E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3864-122-0x0000000140000000-0x000000014040E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3864-29-0x0000000140000000-0x000000014040E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3864-28-0x0000000140000000-0x000000014040E000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/3996-0-0x0000000000400000-0x0000000000656000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3996-2-0x0000000000400000-0x0000000000656000-memory.dmp

    Filesize

    2.3MB

    Download

  • memory/3996-1-0x0000000000407000-0x0000000000408000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4176-117-0x0000000140000000-0x0000000140417000-memory.dmp

    Filesize

    4.1MB

    Download

  • memory/4176-21-0x00000001400B2000-0x00000001400B3000-memory.dmp

    Filesize

    4KB

    Download

  • memory/4176-20-0x0000000140000000-0x0000000140417000-memory.dmp

    Filesize

    4.1MB

    Download