b18a540f4506ae9400bbc58fb8b69028274b3ccc4851de605df77b545c7c625b

Analysis

max time kernel
40s
max time network
41s
platform
windows10-2004_x64
resource
win10v2004-20230915-en
resource tags

arch:x64arch:x86image:win10v2004-20230915-enlocale:en-usos:windows10-2004-x64system
submitted
03/10/2023, 15:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EPS_setup.exe
Size

4.3MB
MD5

3d0b02cad726d1a45a3f55bcf395b210
SHA1

cb2239ee9f5e6652ce7e54f49d667874312161a3
SHA256

b18a540f4506ae9400bbc58fb8b69028274b3ccc4851de605df77b545c7c625b
SHA512

f21c530547c161405d72c518e2849db299bd6e625758a83095c8b5a894f1287861693a0f2ba76593558d7160ad539f3273ff842f259e3fb886dbfa4abc4a90f1
SSDEEP

49152:GqeNVSZPSLIkg/JFF85w8pLe0xgcMw10EDl0qO7wv3My+B2sO2skryk9ReN/xj:3EsPSLIlM5w8Rbdr0SI723My+AsGkCr

Score

7^/10

bootkit discovery persistence

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
5108	EPS_setup.tmp
2004	EPS.exe

Loads dropped DLL 4 IoCs

pid	Process
2004	EPS.exe
2004	EPS.exe
2004	EPS.exe
2004	EPS.exe

Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
discovery

Query Registry
T1012

Writes to the Master Boot Record (MBR) 1 TTPs 1 IoCs

Bootkits write to the MBR to gain persistence at a level below the operating system.

bootkit persistence

Bootkit

T1542.003

description	ioc	Process
File opened for modification	\??\PhysicalDrive0	EPS.exe

Drops file in Program Files directory 14 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\EPS.exe	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\unins000.msg	EPS_setup.tmp
File opened for modification	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\unins000.dat	EPS_setup.tmp
File opened for modification	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\mfc100.dll	EPS_setup.tmp
File opened for modification	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\msvcp100.dll	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\is-B426B.tmp	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\is-HJ0QN.tmp	EPS_setup.tmp
File opened for modification	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\msvcr100.dll	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\is-5HGK8.tmp	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\is-26PSL.tmp	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\unins000.dat	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\is-2LNCT.tmp	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\is-CFID3.tmp	EPS_setup.tmp
File created	C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\is-58C6U.tmp	EPS_setup.tmp

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5108	EPS_setup.tmp
5108	EPS_setup.tmp

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
5108	EPS_setup.tmp
2004	EPS.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2004	EPS.exe

Suspicious use of SetWindowsHookEx 6 IoCs

pid	Process
2004	EPS.exe
2004	EPS.exe
2004	EPS.exe
2004	EPS.exe
2004	EPS.exe
2004	EPS.exe

Suspicious use of WriteProcessMemory 6 IoCs

description	pid	Process	procid_target
PID 2776 wrote to memory of 5108	2776	EPS_setup.exe	87
PID 2776 wrote to memory of 5108	2776	EPS_setup.exe	87
PID 2776 wrote to memory of 5108	2776	EPS_setup.exe	87
PID 5108 wrote to memory of 2004	5108	EPS_setup.tmp	96
PID 5108 wrote to memory of 2004	5108	EPS_setup.tmp	96
PID 5108 wrote to memory of 2004	5108	EPS_setup.tmp	96

C:\Users\Admin\AppData\Local\Temp\EPS_setup.exe
"C:\Users\Admin\AppData\Local\Temp\EPS_setup.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2776
- C:\Users\Admin\AppData\Local\Temp\is-DR20S.tmp\EPS_setup.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-DR20S.tmp\EPS_setup.tmp" /SL5="$700DC,3714644,795648,C:\Users\Admin\AppData\Local\Temp\EPS_setup.exe"
  2⤵
  - Executes dropped EXE
  - Drops file in Program Files directory
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:5108
- - C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\EPS.exe
    "C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\EPS.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SendNotifyMessage
    - Suspicious use of SetWindowsHookEx
    PID:2004

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Pre-OS Boot

T1542

Bootkit

T1542.003

Privilege Escalation

Defense Evasion

Pre-OS Boot

T1542

Bootkit

T1542.003

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\EPS.exe

Filesize
574KB

MD5
b6ae1db2233568d6571fe949125b0bab

SHA1
e75eb96b5d30014a83e9dde43334d4b78494a3e3

SHA256
fbc65fe373c16600ac9becea7158b1e73fb49047b8922feee8f9b1f1250d4d07

SHA512
64076c815a4509c7b9ecd6c789470d0ee7c49034f71a61cf6f61c4796b04c7a213562dfb32c1a30eff0a0a087dc2bd52070c69a8ce88d2816eb2e80c566f37b5

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\EPS.exe

Filesize
574KB

MD5
b6ae1db2233568d6571fe949125b0bab

SHA1
e75eb96b5d30014a83e9dde43334d4b78494a3e3

SHA256
fbc65fe373c16600ac9becea7158b1e73fb49047b8922feee8f9b1f1250d4d07

SHA512
64076c815a4509c7b9ecd6c789470d0ee7c49034f71a61cf6f61c4796b04c7a213562dfb32c1a30eff0a0a087dc2bd52070c69a8ce88d2816eb2e80c566f37b5

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\EPS.exe

Filesize
574KB

MD5
b6ae1db2233568d6571fe949125b0bab

SHA1
e75eb96b5d30014a83e9dde43334d4b78494a3e3

SHA256
fbc65fe373c16600ac9becea7158b1e73fb49047b8922feee8f9b1f1250d4d07

SHA512
64076c815a4509c7b9ecd6c789470d0ee7c49034f71a61cf6f61c4796b04c7a213562dfb32c1a30eff0a0a087dc2bd52070c69a8ce88d2816eb2e80c566f37b5

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\MSVCP100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\MSVCR100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\mfc100.dll

Filesize
4.2MB

MD5
493fc0f59054a6f4f3775655fb55295c

SHA1
2afe4f5eb626fb5c5aa5bb6c2bc61c88e37cf42f

SHA256
cac58c98f7e587ba1b2a4f41874764b59bdf6cb684a4a44aee93f91b3b9a019b

SHA512
9da41078a65a6b8c731388ccf4ce2a988705305f29f0841039b96cd2649f82e8ea219f082de184826e39f0edaa4a1d9aff2e60ebb8d27771222d0c7cb165598d

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\mfc100.dll

Filesize
4.2MB

MD5
493fc0f59054a6f4f3775655fb55295c

SHA1
2afe4f5eb626fb5c5aa5bb6c2bc61c88e37cf42f

SHA256
cac58c98f7e587ba1b2a4f41874764b59bdf6cb684a4a44aee93f91b3b9a019b

SHA512
9da41078a65a6b8c731388ccf4ce2a988705305f29f0841039b96cd2649f82e8ea219f082de184826e39f0edaa4a1d9aff2e60ebb8d27771222d0c7cb165598d

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\msvcp100.dll

Filesize
411KB

MD5
bc83108b18756547013ed443b8cdb31b

SHA1
79bcaad3714433e01c7f153b05b781f8d7cb318d

SHA256
b2ad109c15eaa92079582787b7772ba0a2f034f7d075907ff87028df0eaea671

SHA512
6e72b2d40e47567b3e506be474dafa7cacd0b53cd2c2d160c3b5384f2f461fc91bb5fdb614a351f628d4e516b3bbdabc2cc6d4cb4710970146d2938a687dd011

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\msvcr100.dll

Filesize
755KB

MD5
0e37fbfa79d349d672456923ec5fbbe3

SHA1
4e880fc7625ccf8d9ca799d5b94ce2b1e7597335

SHA256
8793353461826fbd48f25ea8b835be204b758ce7510db2af631b28850355bd18

SHA512
2bea9bd528513a3c6a54beac25096ee200a4e6ccfc2a308ae9cfd1ad8738e2e2defd477d59db527a048e5e9a4fe1fc1d771701de14ef82b4dbcdc90df0387630

Download Submit
C:\Program Files (x86)\Didsoft\Elite Proxy Switcher\unins000.exe

Filesize
2.5MB

MD5
4dd95bdea5d7f374b64b81d7fd5121a5

SHA1
19915c376b37662184e55422040e20f4121f3f7f

SHA256
7aff0c5d9017ecea08f9a9b169f5e50551d4a8aac0681c9c49a251e1339c8bce

SHA512
055d72412132421b21eb30e4da3463209cf6b1aad3f51aa9966a584e677e3e13cfbe993eeb9f79959e6c8a9529c9940cb379308e931374f1f950372956be6deb

Download Submit
C:\ProgramData\EPS\EPS_Setting.ini

Filesize
345B

MD5
20392dd491583ea5b8e676336d65b5bc

SHA1
6746fd0856cce70fb5df8c4bcda1b87004610b63

SHA256
81d1add43d768cc45aeb4f2cf67370bff113dcd9d712269587fcb99cc9679130

SHA512
86ff8c96038125957e4ed3b41e775d3a467d64dc32f6712a78ff3c3541de343e12e620407cf73a032b389efb82072853bec3cb5d60e9074b3cb428272cd82ec5

Download Submit
C:\ProgramData\EPS\list.dat

Filesize
36B

MD5
989a825ecaa519865ea39c9c2591e42e

SHA1
774a0f4425d0c00423d499270fe372ea5167b0bd

SHA256
3be0afa28ced01a026e5e84b99afd332a808da3ab079448f8ffe6ee3ab4a042b

SHA512
b8e5750c7b07fe81d7f35d40b0ca11825b1270c65adccddf93b2e02172eaf77c20a34635a405cb6aa6ebbb460ee2d95b56d75ce0cfc334649db1b7a89a5af328

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DR20S.tmp\EPS_setup.tmp

Filesize
2.5MB

MD5
4dd95bdea5d7f374b64b81d7fd5121a5

SHA1
19915c376b37662184e55422040e20f4121f3f7f

SHA256
7aff0c5d9017ecea08f9a9b169f5e50551d4a8aac0681c9c49a251e1339c8bce

SHA512
055d72412132421b21eb30e4da3463209cf6b1aad3f51aa9966a584e677e3e13cfbe993eeb9f79959e6c8a9529c9940cb379308e931374f1f950372956be6deb

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-DR20S.tmp\EPS_setup.tmp

Filesize
2.5MB

MD5
4dd95bdea5d7f374b64b81d7fd5121a5

SHA1
19915c376b37662184e55422040e20f4121f3f7f

SHA256
7aff0c5d9017ecea08f9a9b169f5e50551d4a8aac0681c9c49a251e1339c8bce

SHA512
055d72412132421b21eb30e4da3463209cf6b1aad3f51aa9966a584e677e3e13cfbe993eeb9f79959e6c8a9529c9940cb379308e931374f1f950372956be6deb

Download Submit
memory/2776-8-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2776-63-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/2776-1-0x0000000000400000-0x00000000004D0000-memory.dmp

Filesize
832KB

Download
memory/5108-6-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download
memory/5108-50-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5108-62-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5108-9-0x0000000000400000-0x0000000000686000-memory.dmp

Filesize
2.5MB

Download
memory/5108-10-0x0000000002640000-0x0000000002641000-memory.dmp

Filesize
4KB

Download