Overview

overview

8

Static

static

1

ep_setup 12.exe

windows10-2004-x64

8

Analysis

  • max time kernel
    21s
  • max time network
    42s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20230220-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20230220-enlocale:en-usos:windows10-2004-x64system
  • submitted
    22/04/2023, 20:07

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ep_setup 12.exe

  • Size

    1.7MB

  • MD5

    17b928ba118f578e9e3fe800238343d2

  • SHA1

    4e4ea78a27f5ae9bbca60afa7116404169518296

  • SHA256

    856b184fafa717d9335c64aebcd7b92ffac0a199cb64c4963e1b1aebbb8ab411

  • SHA512

    2395dec30a60b29543c08bf6e458d8b02d0e376925e36321cc8fded01e3a040845da423f2e0c7f539f92db4a008c96d93b146e6f5f3c032605bdbe7d5dbce68f

  • SSDEEP

    24576:QaCaSY0GxtC5/ZhQwKDl6MyEVM9vnoFSySXM7qaiaYHJFUP:grY0t26V9fohgToYXU

Score
8/10
discoveryevasionpersistence

Malware Config

Signatures

  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Registers COM server for autorun 1 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 1 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 8 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies registry class 33 IoCs
  • Suspicious use of AdjustPrivilegeToken 11 IoCs
  • Suspicious use of FindShellTrayWindow 39 IoCs
  • Suspicious use of SendNotifyMessage 10 IoCs
  • Suspicious use of SetWindowsHookEx 2 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ep_setup 12.exe
    "C:\Users\Admin\AppData\Local\Temp\ep_setup 12.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:1620
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1412
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:1188
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:260
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:4120
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:4600
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Enumerates connected drives
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:64
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
      PID:3744
    • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
      "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
      1⤵
        PID:464

      Network

      MITRE ATT&CK Enterprise v6

      Replay Monitor

      Loading Replay Monitor...

      Downloads

      • C:\Program Files\ExplorerPatcher\WebView2Loader.dll
        Filesize

        136KB

        MD5

        c44baed957b05b9327bd371dbf0dbe99

        SHA1

        80b48c656b8555ebc588de3de0ec6c7e75ae4bf1

        SHA256

        ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef

        SHA512

        ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

        Download Submit

      • C:\Program Files\ExplorerPatcher\WebView2Loader.dll
        Filesize

        136KB

        MD5

        c44baed957b05b9327bd371dbf0dbe99

        SHA1

        80b48c656b8555ebc588de3de0ec6c7e75ae4bf1

        SHA256

        ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef

        SHA512

        ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

        Download Submit

      • C:\Program Files\ExplorerPatcher\ep_weather_host.dll
        Filesize

        243KB

        MD5

        7861db5011cb8fcef56c8190c4c92c3f

        SHA1

        60f671a22a531c38999fce98be5cf1b12f4730aa

        SHA256

        16611afa51db3dca3995dfbc4f34098dd664d34ee4d5076c451885fb05a69d1a

        SHA512

        f9062386680bc4d104dfc5581e8320e936525d9fb7e0a53eac5127e09a98dc96ef3f7dd64797b94a67181a010a228d487b449708566a19021c074f2629c8ad02

        Download Submit

      • C:\Program Files\ExplorerPatcher\ep_weather_host.dll
        Filesize

        243KB

        MD5

        7861db5011cb8fcef56c8190c4c92c3f

        SHA1

        60f671a22a531c38999fce98be5cf1b12f4730aa

        SHA256

        16611afa51db3dca3995dfbc4f34098dd664d34ee4d5076c451885fb05a69d1a

        SHA512

        f9062386680bc4d104dfc5581e8320e936525d9fb7e0a53eac5127e09a98dc96ef3f7dd64797b94a67181a010a228d487b449708566a19021c074f2629c8ad02

        Download Submit

      • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
        Filesize

        109KB

        MD5

        78afc90569c2e3d913ca7541c1681f31

        SHA1

        f9a4dcac5c9742700d0fe2e384e863311c7ed84a

        SHA256

        61f3e0c52b84d953e1a3a2a1379e51874f4235d6949dfcda3394cda723996236

        SHA512

        b586a00518195cab9c2e6272e5f0000e9e1e19815a71669d6a10f15d8269bb79c22e4742058ed3bacb56bfa58bc32851556647e37885aec046b4daa94ecf5cbb

        Download Submit

      • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
        Filesize

        109KB

        MD5

        78afc90569c2e3d913ca7541c1681f31

        SHA1

        f9a4dcac5c9742700d0fe2e384e863311c7ed84a

        SHA256

        61f3e0c52b84d953e1a3a2a1379e51874f4235d6949dfcda3394cda723996236

        SHA512

        b586a00518195cab9c2e6272e5f0000e9e1e19815a71669d6a10f15d8269bb79c22e4742058ed3bacb56bfa58bc32851556647e37885aec046b4daa94ecf5cbb

        Download Submit

      • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
        Filesize

        1KB

        MD5

        151084388b5c77d5684198cc06866284

        SHA1

        3224d66adfc1e4fda6636437dedd621a63c80cc0

        SHA256

        4308fdb7409acc52b4bb2eab3b502e9ac85577bf234b6944f937266783c6f662

        SHA512

        d6bf39ff2e55bc4ace71952630a4d27362b244f284f11c6bfb578e2217efe67471e21855ef4006835b8bc4bde8d6a658aee6e1f2e5cf9f3965b64bedf9e05aa5

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3293b4f6-b7d7-47dc-9abf-eb2815cb6c8a}\0.0.filtertrie.intermediate.txt
        Filesize

        28KB

        MD5

        84a4a43e4d3e8876b53c7d879261878b

        SHA1

        e3403ce51d39745d2cce9fd9c8a25c76c4f62c77

        SHA256

        cde133a8c79728abce622dc788848be9e85ae3cced7fd6ce01601f4d922e17c1

        SHA512

        8e319c8b5c69b01bbae54ce64d0f1bdaba9216de2eb2a3d18851af463fc9e9401136a2bc019f7450afc481bf6dfefd0452c89e54dec28aae72a4a0e84008bdbb

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3293b4f6-b7d7-47dc-9abf-eb2815cb6c8a}\0.1.filtertrie.intermediate.txt
        Filesize

        5B

        MD5

        34bd1dfb9f72cf4f86e6df6da0a9e49a

        SHA1

        5f96d66f33c81c0b10df2128d3860e3cb7e89563

        SHA256

        8e1e6a3d56796a245d0c7b0849548932fee803bbdb03f6e289495830e017f14c

        SHA512

        e3787de7c4bc70ca62234d9a4cdc6bd665bffa66debe3851ee3e8e49e7498b9f1cbc01294bf5e9f75de13fb78d05879e82fa4b89ee45623fe5bf7ac7e48eda96

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3293b4f6-b7d7-47dc-9abf-eb2815cb6c8a}\0.2.filtertrie.intermediate.txt
        Filesize

        5B

        MD5

        c204e9faaf8565ad333828beff2d786e

        SHA1

        7d23864f5e2a12c1a5f93b555d2d3e7c8f78eec1

        SHA256

        d65b6a3bf11a27a1ced1f7e98082246e40cf01289fd47fe4a5ed46c221f2f73f

        SHA512

        e72f4f79a4ae2e5e40a41b322bc0408a6dec282f90e01e0a8aaedf9fb9d6f04a60f45a844595727539c1643328e9c1b989b90785271cc30a6550bbda6b1909f8

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\ConstraintIndex\Apps_{3293b4f6-b7d7-47dc-9abf-eb2815cb6c8a}\Apps.index
        Filesize

        1.0MB

        MD5

        9a867f775f12b94ec632faadaa8fbdf0

        SHA1

        730e284b43ea0ace198f3a314f89e6420e9a68d4

        SHA256

        c28afe750da50c6dca12049e856977e44214e3e49a6d8dc3d470880831e97bd5

        SHA512

        1ddc136d65b4c704098a533b0764ce01691e4c184e903e3837c4a7aa0489c066a9e900af9156858e25d997d21af1342610bae12f58bfedb06d745a23a8fc8468

        Download Submit

      • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133266748850294357.txt
        Filesize

        75KB

        MD5

        65019a5db517d9fb830d8a57406a03ea

        SHA1

        817faf2ffe8461f653519e7bd96e7ee75021c891

        SHA256

        3ae88b3a99e6b785bdb44760790bc03ac722ef5b673ad5b3ca49b5cc5eecf84f

        SHA512

        bcc985d3fa48efcbb4a334b1a341a6686ef6c69f237d6d9bdcd9885696d148519ab824b9150194d783cb03189c1cc00a483f1b73ebce323f1f6a303a05b8ea62

        Download Submit

      • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb
        Filesize

        17.9MB

        MD5

        bc8958ca4f0f0760befa3523238c7d67

        SHA1

        5f75add01201e78860be47a0eb65582733e823c3

        SHA256

        589c2ff9e4ac0465a8b682d6fb988c81b4e91af9f760d174811315681d94b954

        SHA512

        3da6524215e011655c441bd6c085531ce54b81162a6bcb7412977b1f9e488ff600d1a0c6f54252c6c21b76bc8af3b6261632df8f1eccd96e385a0d552a615699

        Download Submit

      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
        Filesize

        608KB

        MD5

        5cb32354028311ab9b086e0131bc3ae7

        SHA1

        b0752fa7926ff2968cf35954afc1014889a0367f

        SHA256

        c8b206cb5c8d0511af764d16ae46d1fa2b36fe1a7f7c33faa90bf077bcabbea7

        SHA512

        65da00d78e4b56c4ee51a46436922833882fc521387d81f4fa2a82c28e662c441dc84504d7341eef6f778ef37d3226727b4a6fc927743974ed6f319a79a1d4fd

        Download Submit

      • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
        Filesize

        608KB

        MD5

        5cb32354028311ab9b086e0131bc3ae7

        SHA1

        b0752fa7926ff2968cf35954afc1014889a0367f

        SHA256

        c8b206cb5c8d0511af764d16ae46d1fa2b36fe1a7f7c33faa90bf077bcabbea7

        SHA512

        65da00d78e4b56c4ee51a46436922833882fc521387d81f4fa2a82c28e662c441dc84504d7341eef6f778ef37d3226727b4a6fc927743974ed6f319a79a1d4fd

        Download Submit

      • C:\Windows\dxgi.dll
        Filesize

        608KB

        MD5

        5cb32354028311ab9b086e0131bc3ae7

        SHA1

        b0752fa7926ff2968cf35954afc1014889a0367f

        SHA256

        c8b206cb5c8d0511af764d16ae46d1fa2b36fe1a7f7c33faa90bf077bcabbea7

        SHA512

        65da00d78e4b56c4ee51a46436922833882fc521387d81f4fa2a82c28e662c441dc84504d7341eef6f778ef37d3226727b4a6fc927743974ed6f319a79a1d4fd

        Download Submit

      • C:\Windows\dxgi.dll
        Filesize

        608KB

        MD5

        5cb32354028311ab9b086e0131bc3ae7

        SHA1

        b0752fa7926ff2968cf35954afc1014889a0367f

        SHA256

        c8b206cb5c8d0511af764d16ae46d1fa2b36fe1a7f7c33faa90bf077bcabbea7

        SHA512

        65da00d78e4b56c4ee51a46436922833882fc521387d81f4fa2a82c28e662c441dc84504d7341eef6f778ef37d3226727b4a6fc927743974ed6f319a79a1d4fd

        Download Submit

      • memory/64-171-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-181-0x00007FFDB8770000-0x00007FFDB87C2000-memory.dmp

        Filesize

        328KB

        Download

      • memory/64-160-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-161-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-162-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-163-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-164-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-165-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-166-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-167-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-168-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-169-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-170-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-158-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-172-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-173-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-174-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-175-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-176-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-177-0x00007FFDAF180000-0x00007FFDAF7A6000-memory.dmp

        Filesize

        6.1MB

        Download

      • memory/64-179-0x00007FFDB8770000-0x00007FFDB87C2000-memory.dmp

        Filesize

        328KB

        Download

      • memory/64-178-0x00007FFDAE8C0000-0x00007FFDAEEB3000-memory.dmp

        Filesize

        5.9MB

        Download

      • memory/64-180-0x00007FFDB8770000-0x00007FFDB87C2000-memory.dmp

        Filesize

        328KB

        Download

      • memory/64-159-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-183-0x00007FFDB9240000-0x00007FFDB9286000-memory.dmp

        Filesize

        280KB

        Download

      • memory/64-184-0x00007FFDAE090000-0x00007FFDAE2A9000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/64-182-0x00007FFDB8770000-0x00007FFDB87C2000-memory.dmp

        Filesize

        328KB

        Download

      • memory/64-186-0x00007FFDB8720000-0x00007FFDB8770000-memory.dmp

        Filesize

        320KB

        Download

      • memory/64-185-0x00007FFDAE090000-0x00007FFDAE2A9000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/64-188-0x00007FFDB87D0000-0x00007FFDB89F0000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/64-187-0x00007FFDB8720000-0x00007FFDB8770000-memory.dmp

        Filesize

        320KB

        Download

      • memory/64-191-0x00007FFDBB460000-0x00007FFDBB49B000-memory.dmp

        Filesize

        236KB

        Download

      • memory/64-194-0x00007FF73B180000-0x00007FF73B61D000-memory.dmp

        Filesize

        4.6MB

        Download

      • memory/64-201-0x0000000005310000-0x0000000005311000-memory.dmp

        Filesize

        4KB

        Download

      • memory/64-153-0x00007FFDC4A90000-0x00007FFDC51CF000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/64-152-0x00007FFDC4A90000-0x00007FFDC51CF000-memory.dmp

        Filesize

        7.2MB

        Download

      • memory/64-340-0x000000000CB70000-0x000000000CB8D000-memory.dmp

        Filesize

        116KB

        Download

      • memory/64-157-0x00007FFDB87D0000-0x00007FFDB89F0000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/64-156-0x00007FFDB87D0000-0x00007FFDB89F0000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/64-154-0x00007FFDB87D0000-0x00007FFDB89F0000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/64-155-0x00007FFDB87D0000-0x00007FFDB89F0000-memory.dmp

        Filesize

        2.1MB

        Download

      • memory/464-381-0x0000023088740000-0x0000023088EBA000-memory.dmp

        Filesize

        7.5MB

        Download

      • memory/464-210-0x000002388A200000-0x000002388A220000-memory.dmp

        Filesize

        128KB

        Download

      • memory/464-213-0x000002388A610000-0x000002388A630000-memory.dmp

        Filesize

        128KB

        Download

      • memory/464-208-0x000002388A240000-0x000002388A260000-memory.dmp

        Filesize

        128KB

        Download