Analysis
- max time kernel: 52s
- max time network: 57s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 02-04-2023 00:58
Static task: static1
Behavioral task: behavioral1
- Sample: EPSONResetterPH.exe
- Resource: win7-20230220-en
Behavioral task: behavioral2
- Sample: EPSONResetterPH.exe
- Resource: win10v2004-20230220-en
General
- Target: EPSONResetterPH.exe
- Size: 8.8MB
- MD5: 7b9e809d18e1d105581ef4757e684e73
- SHA1: 57f497aaabc0127d4a9565314130cc358ed78917
- SHA256: 82439c65507183d1b2a3bd6ff94cec4bc5c700d100e6c16068d53d0f4c4c8c3e
- SHA512: 4df891f7344149dd8d9d1e76358a1d20f0dda502fd8c5171e11e5fa5904c3b3ad8c4bc9d41e0868a8382359b65289c36f01d37850afa573f7b8fbf30e1d3f084
- SSDEEP: 196608:/fztI7J+3b5MLdfWjl2zxulDRKydZrB+zrXiK5I:3xvb5cdf6yxulcydZl6iAI
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes (process | description | IoC):
  EPSONResetterPH.exe | Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes (process | description | IoC):
  EPSONResetterPH.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion
  EPSONResetterPH.exe | Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion
- Identifies Wine through registry keys (2 TTPs, 1 IoC)
  Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
  Processes (process | description | IoC):
  EPSONResetterPH.exe | Key opened | \REGISTRY\USER\S-1-5-21-1283023626-844874658-3193756055-1000\Software\Wine
- Checks whether UAC is enabled (1 IoC)
  Processes (process | description | IoC):
  EPSONResetterPH.exe | Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA
- Writes to the Master Boot Record (MBR) (1 TTP, 1 IoC)
  Bootkits write to the MBR to gain persistence at a level below the operating system.
  Processes (process | description | IoC):
  EPSONResetterPH.exe | File opened for modification | \??\PhysicalDrive0
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes (pid | process):
  2040 | EPSONResetterPH.exe
- Suspicious behavior: EnumeratesProcesses (1 IoC)
  Processes (pid | process):
  2040 | EPSONResetterPH.exe
- Suspicious use of AdjustPrivilegeToken (4 IoCs)
  Processes (description | pid | process):
  Token: 33 | 1604 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1604 | AUDIODG.EXE
  Token: 33 | 1604 | AUDIODG.EXE
  Token: SeIncBasePriorityPrivilege | 1604 | AUDIODG.EXE
Processes
- C:\Users\Admin\AppData\Local\Temp\EPSONResetterPH.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\EPSONResetterPH.exe"
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Identifies Wine through registry keys
  - Checks whether UAC is enabled
  - Writes to the Master Boot Record (MBR)
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
- C:\Windows\explorer.exe
  Command line: "C:\Windows\explorer.exe"
- C:\Windows\system32\AUDIODG.EXE
  Command line: C:\Windows\system32\AUDIODG.EXE 0x40c
  - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- memory/2040-54-0x0000000000400000-0x00000000018C6000-memory.dmp (filesize: 20.8MB)
- memory/2040-57-0x0000000010000000-0x000000001001A000-memory.dmp (filesize: 104KB)
- memory/2040-60-0x00000000071C0000-0x00000000071DB000-memory.dmp (filesize: 108KB)
- memory/2040-62-0x00000000071C0000-0x00000000071DB000-memory.dmp (filesize: 108KB)
- memory/2040-67-0x0000000010000000-0x000000001001A000-memory.dmp (filesize: 104KB)
- memory/2040-68-0x00000000071C0000-0x00000000071DB000-memory.dmp (filesize: 108KB)
- memory/2040-70-0x0000000010000000-0x000000001001A000-memory.dmp (filesize: 104KB)
- memory/2040-71-0x00000000071C0000-0x00000000071DB000-memory.dmp (filesize: 108KB)
- memory/2040-69-0x0000000000400000-0x00000000018C6000-memory.dmp (filesize: 20.8MB)