e862a4c024eb9c3df7442591bbf0700a3bb2b498fa80bc99296e9fb33defd120

Analysis

max time kernel
150s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20231222-en
resource tags

arch:x64arch:x86image:win10v2004-20231222-enlocale:en-usos:windows10-2004-x64system
submitted
19/01/2024, 13:06

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

EpsilonSetup.exe
Size

147.0MB
MD5

71cbb2a62b34a12c30b9c1c26b0e52a4
SHA1

d749dab0b72d81f1ef74a99bf8d7d3553b507057
SHA256

cf43804749edd21997f8bc987a0b90188a43bcd5b561572593f09d2647918a43
SHA512

8a3e14c4f49251cf6c755514c5aca567fa85ed622766d258a6799ae0c7326b69968db8e9d512b0f605c5a141b61dc84e7d68a3f56204961c232be11b76b19b22
SSDEEP

1572864:groLm1cZ4K5MvHwpkeg9duXYFPEiFWITK886rc028B+yJwG5xmR:VCjwAI8xO

Score

7^/10

spyware stealer

Malware Config

Signatures

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Updater.exe	EpsilonSetup.exe

Loads dropped DLL 2 IoCs

pid	Process
2232	EpsilonSetup.exe
2232	EpsilonSetup.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates processes with tasklist 1 TTPs 16 IoCs

Process Discovery

T1057

pid	Process
3536	tasklist.exe
2164	tasklist.exe
3512	tasklist.exe
404	tasklist.exe
3348	tasklist.exe
1756	tasklist.exe
2460	tasklist.exe
4940	tasklist.exe
2116	tasklist.exe
4848	tasklist.exe
4752	tasklist.exe
1776	tasklist.exe
3900	tasklist.exe
2812	tasklist.exe
1756	tasklist.exe
3928	tasklist.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4976	EpsilonSetup.exe
4976	EpsilonSetup.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeDebugPrivilege	1756	tasklist.exe
Token: SeDebugPrivilege	3900	tasklist.exe
Token: SeDebugPrivilege	2812	tasklist.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeDebugPrivilege	4940	tasklist.exe
Token: SeDebugPrivilege	3928	tasklist.exe
Token: SeDebugPrivilege	404	tasklist.exe
Token: SeDebugPrivilege	2116	tasklist.exe
Token: SeDebugPrivilege	4848	tasklist.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeDebugPrivilege	1756	tasklist.exe
Token: SeDebugPrivilege	4752	tasklist.exe
Token: SeDebugPrivilege	1776	tasklist.exe
Token: SeDebugPrivilege	3348	tasklist.exe
Token: SeDebugPrivilege	3536	tasklist.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeDebugPrivilege	2164	tasklist.exe
Token: SeDebugPrivilege	3512	tasklist.exe
Token: SeDebugPrivilege	2460	tasklist.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe
Token: SeShutdownPrivilege	2232	EpsilonSetup.exe
Token: SeCreatePagefilePrivilege	2232	EpsilonSetup.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2232 wrote to memory of 3320	2232	EpsilonSetup.exe	92
PID 2232 wrote to memory of 3320	2232	EpsilonSetup.exe	92
PID 3320 wrote to memory of 1756	3320	cmd.exe	94
PID 3320 wrote to memory of 1756	3320	cmd.exe	94
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3856	2232	EpsilonSetup.exe	95
PID 2232 wrote to memory of 3384	2232	EpsilonSetup.exe	98
PID 2232 wrote to memory of 3384	2232	EpsilonSetup.exe	98
PID 2232 wrote to memory of 3672	2232	EpsilonSetup.exe	100
PID 2232 wrote to memory of 3672	2232	EpsilonSetup.exe	100
PID 3672 wrote to memory of 3900	3672	cmd.exe	102
PID 3672 wrote to memory of 3900	3672	cmd.exe	102
PID 2232 wrote to memory of 1776	2232	EpsilonSetup.exe	103
PID 2232 wrote to memory of 1776	2232	EpsilonSetup.exe	103
PID 1776 wrote to memory of 2812	1776	cmd.exe	105
PID 1776 wrote to memory of 2812	1776	cmd.exe	105
PID 2232 wrote to memory of 4972	2232	EpsilonSetup.exe	106
PID 2232 wrote to memory of 4972	2232	EpsilonSetup.exe	106
PID 4972 wrote to memory of 4940	4972	cmd.exe	108
PID 4972 wrote to memory of 4940	4972	cmd.exe	108
PID 2232 wrote to memory of 2344	2232	EpsilonSetup.exe	109
PID 2232 wrote to memory of 2344	2232	EpsilonSetup.exe	109
PID 2344 wrote to memory of 3928	2344	cmd.exe	111
PID 2344 wrote to memory of 3928	2344	cmd.exe	111
PID 2232 wrote to memory of 2592	2232	EpsilonSetup.exe	112
PID 2232 wrote to memory of 2592	2232	EpsilonSetup.exe	112
PID 2592 wrote to memory of 404	2592	cmd.exe	114
PID 2592 wrote to memory of 404	2592	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe
"C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2232
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3320
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1556 --field-trial-handle=1752,i,14929015352515415817,13888800670055878610,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  PID:3856
- C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --mojo-platform-channel-handle=1996 --field-trial-handle=1752,i,14929015352515415817,13888800670055878610,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
  2⤵
  PID:3384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:3672
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3900
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1776
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2812
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4972
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4940
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2344
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3928
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:2592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:404
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1456
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2116
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4384
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4848
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5004
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1756
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4144
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:4752
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:5032
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:1776
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3000
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3348
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:2600
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3536
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:1788
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2164
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:4224
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:3512
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3952
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2460
- C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe
  "C:\Users\Admin\AppData\Local\Temp\EpsilonSetup.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\project" --gpu-preferences=UAAAAAAAAADoAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAACQAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=936 --field-trial-handle=1752,i,14929015352515415817,13888800670055878610,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:4976

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\305e1cd1-9fae-4c50-b438-3aadbdde292c.tmp.node

Filesize
135KB

MD5
0b5b5c8b7a7d8229480d5daa5ecca1be

SHA1
c1bc3a25f374e3609d0782f2cb9dd340a73c5f84

SHA256
e59e21b84b2a6200c3789157d5f14407ea4dfe880bb2113666d10e98ceb3ee8f

SHA512
7924bc9ce70f37d3ea4ab2cbd2d94e53d9f77db42a8cc868a1bd0d3cca235fece5f46ea091fe96839fd6a5e63e9473d9d0d5c2d2e0ef1545757dfae792b6e1a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\f852f2c4-13e2-485b-9dc4-d40aea8f03e4.tmp.node

Filesize
1.8MB

MD5
beb8d911d40e8fe94770d9d341e0de11

SHA1
d24d31e5b44a4a80969e2a669fb9b0ed42cfd479

SHA256
ec41fc2fee2abcbf0559965501f54aae47cff24a87204fd3a85d86c7d53d53c7

SHA512
079c43c2533fa35411247dd091c5caedb4a0dbdeee7b8f9fbbba6f521d760856822d373f1e6682eff10bebc63168cb4a445aee7b23047e4d784ab28891d07bfe

Download Submit
memory/3856-10-0x00007FFEB5580000-0x00007FFEB5581000-memory.dmp

Filesize
4KB

Download
memory/4976-57-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-47-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-58-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-48-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-56-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-55-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-54-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-53-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-52-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download
memory/4976-46-0x00000225D8CD0000-0x00000225D8CD1000-memory.dmp

Filesize
4KB

Download