Analysis

- max time kernel: 86s
- max time network: 88s
- platform: windows10-2004_x64
- resource: win10v2004-20230220-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20230220-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-04-2023 00:58

Static task: static1

Behavioral task: behavioral1
- Sample: EPSONResetterPH.exe
- Resource: win7-20230220-en

Behavioral task: behavioral2
- Sample: EPSONResetterPH.exe
- Resource: win10v2004-20230220-en
General

- Target: EPSONResetterPH.exe
- Size: 8.8MB
- MD5: 7b9e809d18e1d105581ef4757e684e73
- SHA1: 57f497aaabc0127d4a9565314130cc358ed78917
- SHA256: 82439c65507183d1b2a3bd6ff94cec4bc5c700d100e6c16068d53d0f4c4c8c3e
- SHA512: 4df891f7344149dd8d9d1e76358a1d20f0dda502fd8c5171e11e5fa5904c3b3ad8c4bc9d41e0868a8382359b65289c36f01d37850afa573f7b8fbf30e1d3f084
- SSDEEP: 196608:/fztI7J+3b5MLdfWjl2zxulDRKydZrB+zrXiK5I:3xvb5cdf6yxulcydZl6iAI
Signatures
Identifies VirtualBox via ACPI registry values (likely anti-VM) - 2 TTPs, 1 IoC
Processes: EPSONResetterPH.exe
- Key opened: \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ (EPSONResetterPH.exe)

Checks BIOS information in registry - 2 TTPs, 2 IoCs
BIOS information is often read in order to detect sandboxing environments.
Processes: EPSONResetterPH.exe
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion (EPSONResetterPH.exe)
- Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion (EPSONResetterPH.exe)

Identifies Wine through registry keys - 2 TTPs, 1 IoC
Wine is a compatibility layer capable of running Windows applications, which can be used as a sandboxing environment.
Processes: EPSONResetterPH.exe
- Key opened: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Wine (EPSONResetterPH.exe)

Loads dropped DLL - 2 IoCs
Processes: EPSONResetterPH.exe
- PID 4444 EPSONResetterPH.exe
- PID 4444 EPSONResetterPH.exe

Checks whether UAC is enabled - 1 IoC
Processes: EPSONResetterPH.exe
- Key value queried: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA (EPSONResetterPH.exe)

Writes to the Master Boot Record (MBR) - 1 TTP, 1 IoC
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes: EPSONResetterPH.exe
- File opened for modification: \??\PhysicalDrive0 (EPSONResetterPH.exe)

Drops file in System32 directory - 11 IoCs
Processes: svchost.exe
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)
- File created: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat (svchost.exe)
- File opened for modification: C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk (svchost.exe)

Suspicious use of NtSetInformationThreadHideFromDebugger - 1 IoC
Processes: EPSONResetterPH.exe
- PID 4444 EPSONResetterPH.exe

Modifies registry class - 1 IoC
Processes: mspaint.exe
- Key created: \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings (mspaint.exe)

Suspicious behavior: EnumeratesProcesses - 4 IoCs
Processes: EPSONResetterPH.exe, mspaint.exe
- PID 4444 EPSONResetterPH.exe
- PID 4444 EPSONResetterPH.exe
- PID 3352 mspaint.exe
- PID 3352 mspaint.exe

Suspicious use of SetWindowsHookEx - 2 IoCs
Processes: mspaint.exe, OpenWith.exe
- PID 3352 mspaint.exe
- PID 2996 OpenWith.exe
Processes

C:\Users\Admin\AppData\Local\Temp\EPSONResetterPH.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\EPSONResetterPH.exe"
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses

C:\Windows\system32\mspaint.exe
Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SelectTrace.png" /ForceBootstrapPaint3D
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx

C:\Windows\System32\svchost.exe
Command line: C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
- Drops file in System32 directory

C:\Windows\system32\OpenWith.exe
Command line: C:\Windows\system32\OpenWith.exe -Embedding
- Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads

C:\Users\Admin\AppData\Local\Temp\evbD324.tmp
- Filesize: 1KB
- MD5: c413f831babd0f046ffdab9ac47ec8cb
- SHA1: 5cc3f2b179e8373f0cff025db6db26db12ef327b
- SHA256: 99aa6f79f36a6160b79bb71cb7d96eba9366d13fc44f1287a70defd6e8f09d54
- SHA512: 6d03d7c7e56d128ddb42bf9651bf864b9405c3518c92e42dfccbdcd1e55a76a0cb64b2e7947517484a3ed2cfe1faef62acbbe8dc0dcd77f5b6988244f815c8b2

C:\Users\Admin\AppData\Local\Temp\evbD374.tmp
- Filesize: 1KB
- MD5: 80570626dfe9070d9c5b464ce87e92b3
- SHA1: b3858e9ab9017c5aec6d513fd4749ed7286604c8
- SHA256: b57c523a31e19b3aa8e735622c10330f50b69f6162fc7b88a19be7b3905e543f
- SHA512: 790c0e675f3f8227e678aff6c6d24b15c1a27b3285da5d07384dd57d8bc09192827088b0d0a1d96f2e0ea19d71d9c3cf19ceb18ccf475cfba79a8533174b5ecf
Memory dumps (filename: filesize)
- memory/3356-153-0x00000204BD570000-0x00000204BD580000-memory.dmp: 64KB
- memory/3356-172-0x00000204C6210000-0x00000204C6211000-memory.dmp: 4KB
- memory/3356-171-0x00000204C6210000-0x00000204C6211000-memory.dmp: 4KB
- memory/3356-170-0x00000204C6210000-0x00000204C6211000-memory.dmp: 4KB
- memory/3356-169-0x00000204C6210000-0x00000204C6211000-memory.dmp: 4KB
- memory/3356-168-0x00000204C6180000-0x00000204C6181000-memory.dmp: 4KB
- memory/3356-166-0x00000204C6180000-0x00000204C6181000-memory.dmp: 4KB
- memory/3356-164-0x00000204C6100000-0x00000204C6101000-memory.dmp: 4KB
- memory/3356-157-0x00000204BD5B0000-0x00000204BD5C0000-memory.dmp: 64KB
- memory/4444-143-0x0000000008470000-0x000000000848B000-memory.dmp: 108KB
- memory/4444-151-0x0000000010000000-0x000000001001A000-memory.dmp: 104KB
- memory/4444-152-0x0000000008470000-0x000000000848B000-memory.dmp: 108KB
- memory/4444-150-0x0000000000400000-0x00000000018C6000-memory.dmp: 20.8MB
- memory/4444-149-0x0000000008470000-0x000000000848B000-memory.dmp: 108KB
- memory/4444-148-0x0000000010000000-0x000000001001A000-memory.dmp: 104KB
- memory/4444-133-0x0000000000400000-0x00000000018C6000-memory.dmp: 20.8MB
- memory/4444-141-0x0000000008470000-0x000000000848B000-memory.dmp: 108KB
- memory/4444-137-0x0000000010000000-0x000000001001A000-memory.dmp: 104KB