652a90d0737fca53fa6583c35883457c6259723791c42a5e14516a43f948306a

Analysis

max time kernel
151s
max time network
33s
platform
windows7_x64
resource
win7-20230220-en
resource tags

arch:x64arch:x86image:win7-20230220-enlocale:en-usos:windows7-x64system
submitted
23/03/2023, 07:16

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EasyPrint_Setup_V3.3.8.1.exe
Size

17.8MB
MD5

88173747c343b2bd8b52f6fbc4ffd34c
SHA1

9e227d3ae4a8f1d0fb2b21233e6918276b3848bb
SHA256

18bca2b934ec681647548dba8602fc716c40c11cc89ce19ba137bb1ec5d07c66
SHA512

9e8494ba1bbdef37db381bccbd0581ee8ede07a923d34f232515694ff528c787f4769cbd75855e9384a732cb5b130c352d5e155f77cbab29eaff9c609c261df4
SSDEEP

393216:6y2M6q9cTKsoRcLnosh5aitS8O/BtYX9fQEcEkqM8:6NM19cTWcLnLHJS1YX9oEcvf8

Score

7^/10

Malware Config

Signatures

Executes dropped EXE 1 IoCs

pid	Process
1716	EasyPrint_Setup_V3.3.8.1.tmp

Loads dropped DLL 3 IoCs

pid	Process
1696	EasyPrint_Setup_V3.3.8.1.exe
1716	EasyPrint_Setup_V3.3.8.1.tmp
1716	EasyPrint_Setup_V3.3.8.1.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
1716	EasyPrint_Setup_V3.3.8.1.tmp

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 1696 wrote to memory of 1716	1696	EasyPrint_Setup_V3.3.8.1.exe	28
PID 1696 wrote to memory of 1716	1696	EasyPrint_Setup_V3.3.8.1.exe	28
PID 1696 wrote to memory of 1716	1696	EasyPrint_Setup_V3.3.8.1.exe	28
PID 1696 wrote to memory of 1716	1696	EasyPrint_Setup_V3.3.8.1.exe	28
PID 1696 wrote to memory of 1716	1696	EasyPrint_Setup_V3.3.8.1.exe	28
PID 1696 wrote to memory of 1716	1696	EasyPrint_Setup_V3.3.8.1.exe	28
PID 1696 wrote to memory of 1716	1696	EasyPrint_Setup_V3.3.8.1.exe	28

C:\Users\Admin\AppData\Local\Temp\EasyPrint_Setup_V3.3.8.1.exe
"C:\Users\Admin\AppData\Local\Temp\EasyPrint_Setup_V3.3.8.1.exe"
1⤵
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:1696
- C:\Users\Admin\AppData\Local\Temp\is-J9IQR.tmp\EasyPrint_Setup_V3.3.8.1.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-J9IQR.tmp\EasyPrint_Setup_V3.3.8.1.tmp" /SL5="$70122,18332925,51712,C:\Users\Admin\AppData\Local\Temp\EasyPrint_Setup_V3.3.8.1.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious behavior: GetForegroundWindowSpam
  PID:1716

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\is-J9IQR.tmp\EasyPrint_Setup_V3.3.8.1.tmp

Filesize
693KB

MD5
c23f3f69452698b49f33d023e59ff5ad

SHA1
0e1da905f5b0975d351de0ed358b1496e02c7787

SHA256
556c901684368176a8ed8bb383c5bfac2389c84edc16b5e8885a00940a7a0157

SHA512
717c6b69f7d8b342af3d1084282c8accac50cf29408e7287cc0770e89e1a3111760c9d204e62dc69f4eadae97414c6fd325441f376d99749d50c2e1dd647ba86

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-J9IQR.tmp\EasyPrint_Setup_V3.3.8.1.tmp

Filesize
693KB

MD5
c23f3f69452698b49f33d023e59ff5ad

SHA1
0e1da905f5b0975d351de0ed358b1496e02c7787

SHA256
556c901684368176a8ed8bb383c5bfac2389c84edc16b5e8885a00940a7a0157

SHA512
717c6b69f7d8b342af3d1084282c8accac50cf29408e7287cc0770e89e1a3111760c9d204e62dc69f4eadae97414c6fd325441f376d99749d50c2e1dd647ba86

Download Submit
\Users\Admin\AppData\Local\Temp\is-J9IQR.tmp\EasyPrint_Setup_V3.3.8.1.tmp

Filesize
693KB

MD5
c23f3f69452698b49f33d023e59ff5ad

SHA1
0e1da905f5b0975d351de0ed358b1496e02c7787

SHA256
556c901684368176a8ed8bb383c5bfac2389c84edc16b5e8885a00940a7a0157

SHA512
717c6b69f7d8b342af3d1084282c8accac50cf29408e7287cc0770e89e1a3111760c9d204e62dc69f4eadae97414c6fd325441f376d99749d50c2e1dd647ba86

Download Submit
\Users\Admin\AppData\Local\Temp\is-TH3DE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
\Users\Admin\AppData\Local\Temp\is-TH3DE.tmp\_isetup\_shfoldr.dll

Filesize
22KB

MD5
92dc6ef532fbb4a5c3201469a5b5eb63

SHA1
3e89ff837147c16b4e41c30d6c796374e0b8e62c

SHA256
9884e9d1b4f8a873ccbd81f8ad0ae257776d2348d027d811a56475e028360d87

SHA512
9908e573921d5dbc3454a1c0a6c969ab8a81cc2e8b5385391d46b1a738fb06a76aa3282e0e58d0d2ffa6f27c85668cd5178e1500b8a39b1bbae04366ae6a86d3

Download Submit
memory/1696-54-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1696-70-0x0000000000400000-0x0000000000414000-memory.dmp

Filesize
80KB

Download
memory/1716-69-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1716-71-0x0000000000400000-0x00000000004BE000-memory.dmp

Filesize
760KB

Download