353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1

General

Target

353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe
Size

2.2MB
MD5

fa89967e93181d90392f3c4531a03722
SHA1

977681e1fe347a91994aed30734d5dddf7f30724
SHA256

353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1
SHA512

553371af6f9af613d10ca29273d7db903ceea616ef0de3dc5d3d176c3c6ac3529fbb36717b868f0ff0b6a724641187350f1754622906b628a6538c996c9a7175
SSDEEP

24576:8aYbNpDnMNye1h0C3KGM4WryYsn50Qx93Otko9C5fpDDy5PMtVIE0ygYy08twaJh:89PMoOzirS0QxAv7h90WRpuhuGw

Score

8^/10

evasion persistence spyware stealer

Malware Config

Signatures

Blocks application from running via registry modification 3 IoCs

Adds application to list of disallowed applications.

evasion

Processes:

epicbot_520_pro.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun = "1"	epicbot_520_pro.exe
Key created	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun	epicbot_520_pro.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\DisallowRun\12 = "msconfig.exe"	epicbot_520_pro.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

epicbot_520_pro.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	epicbot_520_pro.exe

Disables Task Manager via registry modification
evasion
Executes dropped EXE 2 IoCs

Processes:

epicbot_520(3).exeepicbot_520(3).exe

pid process

4360 epicbot_520(3).exe
1168 epicbot_520(3).exe

pid	process
4360	epicbot_520(3).exe
1168	epicbot_520(3).exe

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

epicbot_520_pro.exe353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	epicbot_520_pro.exe
Key value queried	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\Control Panel\International\Geo\Nation	353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-929662420-1054238289-2961194603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\epicbot_520_pro.exe"	353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 10 IoCs

Processes:

epicbot_520_pro.exeepicbot_520(3).exeepicbot_520(3).exe

pid	process
4684	epicbot_520_pro.exe
4684	epicbot_520_pro.exe
4360	epicbot_520(3).exe
4360	epicbot_520(3).exe
4360	epicbot_520(3).exe
4360	epicbot_520(3).exe
1168	epicbot_520(3).exe
1168	epicbot_520(3).exe
1168	epicbot_520(3).exe
1168	epicbot_520(3).exe

Suspicious behavior: RenamesItself 1 IoCs

Processes:

353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe

pid process

4324 353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe
Suspicious use of AdjustPrivilegeToken 1 IoCs

Processes:

epicbot_520_pro.exe

description pid process

Token: SeDebugPrivilege 4684 epicbot_520_pro.exe

description	pid	process
Token: SeDebugPrivilege	4684	epicbot_520_pro.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exeepicbot_520_pro.exeepicbot_520(3).exe

pid	process
4324	353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe
4684	epicbot_520_pro.exe
1168	epicbot_520(3).exe
1168	epicbot_520(3).exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exeepicbot_520_pro.exeepicbot_520(3).exe

description	pid	process	target process
PID 4324 wrote to memory of 4684	4324	353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe	epicbot_520_pro.exe
PID 4324 wrote to memory of 4684	4324	353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe	epicbot_520_pro.exe
PID 4324 wrote to memory of 4684	4324	353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe	epicbot_520_pro.exe
PID 4684 wrote to memory of 4360	4684	epicbot_520_pro.exe	epicbot_520(3).exe
PID 4684 wrote to memory of 4360	4684	epicbot_520_pro.exe	epicbot_520(3).exe
PID 4684 wrote to memory of 4360	4684	epicbot_520_pro.exe	epicbot_520(3).exe
PID 4360 wrote to memory of 1168	4360	epicbot_520(3).exe	epicbot_520(3).exe
PID 4360 wrote to memory of 1168	4360	epicbot_520(3).exe	epicbot_520(3).exe
PID 4360 wrote to memory of 1168	4360	epicbot_520(3).exe	epicbot_520(3).exe

C:\Users\Admin\AppData\Local\Temp\353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe
"C:\Users\Admin\AppData\Local\Temp\353d31173f7dffd41d7a85efb6cab758198f7a1f2c5a75650e5cb98d040b2cf1.exe"
1⤵
- Checks computer location settings
- Adds Run key to start application
- Suspicious behavior: RenamesItself
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4324

C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\epicbot_520_pro.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\epicbot_520_pro.exe" ONCE
2⤵
- Blocks application from running via registry modification
- Disables RegEdit via registry modification
- Checks computer location settings
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4684

C:\Users\Admin\AppData\Local\Temp\epicbot_520(3).exe
"C:\Users\Admin\AppData\Local\Temp\epicbot_520(3).exe"
3⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4360

C:\Users\Admin\AppData\Local\Temp\epicbot_520(3).exe
"C:\Users\Admin\AppData\Local\Temp\epicbot_520(3).exe" /wrapper /dir="C:\Users\Admin\AppData\Local\Temp\pkg_f2f1cba0" /pproc="epicbot_520_pro.exe"
4⤵
- Executes dropped EXE
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:1168

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Credentials in Files

1

T1081

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Data from Local System

1

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\epicbot_520(3).exe

Filesize
1.6MB

MD5
5115c023fad2ced46ece3dc43e5f4ae8

SHA1
8b1dec136879a33be6f7b7805f8ca2423c249fa9

SHA256
dccf21556725e24d7014a4a7289f41a442e380690c298220639689ea7a9e29a8

SHA512
04dea88e1042018b82316f58b466720fd5f1c427548b7c1b593af88bafdeaba6224d29f5a2ca84fb0c031b6f8231ce06d1b100fee713ea811e1ed8997a5d99c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\epicbot_520(3).exe

Filesize
1.6MB

MD5
5115c023fad2ced46ece3dc43e5f4ae8

SHA1
8b1dec136879a33be6f7b7805f8ca2423c249fa9

SHA256
dccf21556725e24d7014a4a7289f41a442e380690c298220639689ea7a9e29a8

SHA512
04dea88e1042018b82316f58b466720fd5f1c427548b7c1b593af88bafdeaba6224d29f5a2ca84fb0c031b6f8231ce06d1b100fee713ea811e1ed8997a5d99c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\epicbot_520(3).exe

Filesize
1.6MB

MD5
5115c023fad2ced46ece3dc43e5f4ae8

SHA1
8b1dec136879a33be6f7b7805f8ca2423c249fa9

SHA256
dccf21556725e24d7014a4a7289f41a442e380690c298220639689ea7a9e29a8

SHA512
04dea88e1042018b82316f58b466720fd5f1c427548b7c1b593af88bafdeaba6224d29f5a2ca84fb0c031b6f8231ce06d1b100fee713ea811e1ed8997a5d99c4

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_f2f1cba0\autorun.txt

Filesize
114B

MD5
c819368178ce1e40fd55c813340a597a

SHA1
81aef3fd883c52de4fe211f3e43f70137cbccdf6

SHA256
1334449583ff7823df9ba97e57bed51eaaba21eed4551e25b07794f1d48c3e31

SHA512
753ce58ed7b76de63f8d68bf95949dfd772e805d0ab514f2706d72b2d504fb53e9beadaed0d34d933fee4f98d3ea13172c8b3a0e391bcab639c3d70003ec71a7

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkg_f2f1cba0\wrapper.xml

Filesize
798B

MD5
1d45a29e3511b982a1f91b33c70e964f

SHA1
176a47b489be3f27dc354a2b9dd0b580bb2f3904

SHA256
0a69c29fe16727b18425df8ded1cfe9d07a380b9f23f1beb32f60fefc000b3dc

SHA512
c574719f56a9cc0a3c393001f0774a5826afa5972906d9d9d214a183724a9f7226483a7181a0030e0f801b481a19957761efc170a10850aec786623eb939eb69

Download Submit
memory/1168-140-0x0000000000000000-mapping.dmp

Download
memory/4324-134-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4324-132-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4360-137-0x0000000000000000-mapping.dmp

Download
memory/4684-135-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4684-136-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download
memory/4684-133-0x0000000000000000-mapping.dmp

Download
memory/4684-144-0x0000000074D00000-0x00000000752B1000-memory.dmp

Filesize
5.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v6

Replay Monitor

Loading Replay Monitor...

Downloads