82439c65507183d1b2a3bd6ff94cec4bc5c700d100e6c16068d53d0f4c4c8c3e

General

Target

EPSONResetterPH.exe
Size

8.8MB
MD5

7b9e809d18e1d105581ef4757e684e73
SHA1

57f497aaabc0127d4a9565314130cc358ed78917
SHA256

82439c65507183d1b2a3bd6ff94cec4bc5c700d100e6c16068d53d0f4c4c8c3e
SHA512

4df891f7344149dd8d9d1e76358a1d20f0dda502fd8c5171e11e5fa5904c3b3ad8c4bc9d41e0868a8382359b65289c36f01d37850afa573f7b8fbf30e1d3f084
SSDEEP

196608:/fztI7J+3b5MLdfWjl2zxulDRKydZrB+zrXiK5I:3xvb5cdf6yxulcydZl6iAI

Score

9^/10

bootkit evasion persistence trojan

Malware Config

Signatures

Identifies VirtualBox via ACPI registry values (likely anti-VM) 2 TTPs 1 IoCs
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

EPSONResetterPH.exe

description ioc process

Key opened \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ EPSONResetterPH.exe

description	ioc	process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	EPSONResetterPH.exe

Checks BIOS information in registry 2 TTPs 2 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

EPSONResetterPH.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	EPSONResetterPH.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion	EPSONResetterPH.exe

Identifies Wine through registry keys 2 TTPs 1 IoCs
Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.
evasion

Query Registry
T1012

Virtualization/Sandbox Evasion
T1497

Processes:

EPSONResetterPH.exe

description ioc process

Key opened \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Wine EPSONResetterPH.exe
Loads dropped DLL 2 IoCs

Processes:

EPSONResetterPH.exe

pid process

4444 EPSONResetterPH.exe
4444 EPSONResetterPH.exe
Checks whether UAC is enabled 1 TTPs 1 IoCs
evasion trojan

System Information Discovery
T1082

Processes:

EPSONResetterPH.exe

description ioc process

Key value queried \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA EPSONResetterPH.exe
Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs
Bootkits write to the MBR to gain persistence at a level below the operating system.
bootkit persistence

Bootkit
T1067

Processes:

EPSONResetterPH.exe

description ioc process

File opened for modification \??\PhysicalDrive0 EPSONResetterPH.exe

description	ioc	process
Key opened	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000\Software\Wine	EPSONResetterPH.exe

pid	process
4444	EPSONResetterPH.exe
4444	EPSONResetterPH.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	EPSONResetterPH.exe

description	ioc	process
File opened for modification	\??\PhysicalDrive0	EPSONResetterPH.exe

Drops file in System32 directory 11 IoCs

Processes:

svchost.exe

description	ioc	process
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.jfm	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.log	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jcp	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.jtx	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSStmp.log	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00001.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSSres00002.jrs	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe
File created	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSTokenDB2.dat	svchost.exe
File opened for modification	C:\Windows\system32\config\systemprofile\AppData\Local\DataSharing\Storage\DSS.chk	svchost.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 1 IoCs

Processes:

EPSONResetterPH.exe

pid process

4444 EPSONResetterPH.exe
Modifies registry class 1 IoCs

Processes:

mspaint.exe

description ioc process

Key created \REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings mspaint.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs

Processes:

EPSONResetterPH.exemspaint.exe

pid process

4444 EPSONResetterPH.exe
4444 EPSONResetterPH.exe
3352 mspaint.exe
3352 mspaint.exe
Suspicious use of SetWindowsHookEx 2 IoCs

Processes:

mspaint.exeOpenWith.exe

pid process

3352 mspaint.exe
2996 OpenWith.exe

pid	process
4444	EPSONResetterPH.exe

description	ioc	process
Key created	\REGISTRY\USER\S-1-5-21-144354903-2550862337-1367551827-1000_Classes\Local Settings	mspaint.exe

pid	process
4444	EPSONResetterPH.exe
4444	EPSONResetterPH.exe
3352	mspaint.exe
3352	mspaint.exe

pid	process
3352	mspaint.exe
2996	OpenWith.exe

C:\Users\Admin\AppData\Local\Temp\EPSONResetterPH.exe
"C:\Users\Admin\AppData\Local\Temp\EPSONResetterPH.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks BIOS information in registry
- Identifies Wine through registry keys
- Loads dropped DLL
- Checks whether UAC is enabled
- Writes to the Master Boot Record (MBR)
- Suspicious use of NtSetInformationThreadHideFromDebugger
- Suspicious behavior: EnumeratesProcesses
PID:4444

C:\Windows\system32\mspaint.exe
"C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Desktop\SelectTrace.png" /ForceBootstrapPaint3D
1⤵
- Modifies registry class
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
PID:3352

C:\Windows\System32\svchost.exe
C:\Windows\System32\svchost.exe -k LocalSystemNetworkRestricted -p -s DsSvc
1⤵
- Drops file in System32 directory
PID:3356

C:\Windows\system32\OpenWith.exe
C:\Windows\system32\OpenWith.exe -Embedding
1⤵
- Suspicious use of SetWindowsHookEx
PID:2996

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Bootkit

1

T1067

Privilege Escalation

Defense Evasion

Virtualization/Sandbox Evasion

2

T1497

Credential Access

Discovery

Query Registry

3

T1012

Virtualization/Sandbox Evasion

2

T1497

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\evbD324.tmp
Filesize
1KB

MD5
c413f831babd0f046ffdab9ac47ec8cb

SHA1
5cc3f2b179e8373f0cff025db6db26db12ef327b

SHA256
99aa6f79f36a6160b79bb71cb7d96eba9366d13fc44f1287a70defd6e8f09d54

SHA512
6d03d7c7e56d128ddb42bf9651bf864b9405c3518c92e42dfccbdcd1e55a76a0cb64b2e7947517484a3ed2cfe1faef62acbbe8dc0dcd77f5b6988244f815c8b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\evbD374.tmp
Filesize
1KB

MD5
80570626dfe9070d9c5b464ce87e92b3

SHA1
b3858e9ab9017c5aec6d513fd4749ed7286604c8

SHA256
b57c523a31e19b3aa8e735622c10330f50b69f6162fc7b88a19be7b3905e543f

SHA512
790c0e675f3f8227e678aff6c6d24b15c1a27b3285da5d07384dd57d8bc09192827088b0d0a1d96f2e0ea19d71d9c3cf19ceb18ccf475cfba79a8533174b5ecf

Download Submit
memory/3356-153-0x00000204BD570000-0x00000204BD580000-memory.dmp

Filesize
64KB

Download
memory/3356-172-0x00000204C6210000-0x00000204C6211000-memory.dmp

Filesize
4KB

Download
memory/3356-171-0x00000204C6210000-0x00000204C6211000-memory.dmp

Filesize
4KB

Download
memory/3356-170-0x00000204C6210000-0x00000204C6211000-memory.dmp

Filesize
4KB

Download
memory/3356-169-0x00000204C6210000-0x00000204C6211000-memory.dmp

Filesize
4KB

Download
memory/3356-168-0x00000204C6180000-0x00000204C6181000-memory.dmp

Filesize
4KB

Download
memory/3356-166-0x00000204C6180000-0x00000204C6181000-memory.dmp

Filesize
4KB

Download
memory/3356-164-0x00000204C6100000-0x00000204C6101000-memory.dmp

Filesize
4KB

Download
memory/3356-157-0x00000204BD5B0000-0x00000204BD5C0000-memory.dmp

Filesize
64KB

Download
memory/4444-143-0x0000000008470000-0x000000000848B000-memory.dmp

Filesize
108KB

Download
memory/4444-151-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/4444-152-0x0000000008470000-0x000000000848B000-memory.dmp

Filesize
108KB

Download
memory/4444-150-0x0000000000400000-0x00000000018C6000-memory.dmp

Filesize
20.8MB

Download
memory/4444-149-0x0000000008470000-0x000000000848B000-memory.dmp

Filesize
108KB

Download
memory/4444-148-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download
memory/4444-133-0x0000000000400000-0x00000000018C6000-memory.dmp

Filesize
20.8MB

Download
memory/4444-141-0x0000000008470000-0x000000000848B000-memory.dmp

Filesize
108KB

Download
memory/4444-137-0x0000000010000000-0x000000001001A000-memory.dmp

Filesize
104KB

Download

Analysis

Sharing