Windows 7 deprecation

Windows 7 will be removed from tria.ge on 2025-03-31

Overview

overview

10

Static

static

10

ep_setup (1).exe

windows7-x64

1

ep_setup (1).exe

windows10-2004-x64

8

Resubmissions

02/02/2024, 13:20

240202-qlebdahcaj 10

Analysis

  • max time kernel
    297s
  • max time network
    303s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20231215-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20231215-enlocale:en-usos:windows10-2004-x64system
  • submitted
    02/02/2024, 13:20

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ep_setup (1).exe

  • Size

    2.3MB

  • MD5

    7ea3f1aacb347b9acd4a536197330eaa

  • SHA1

    beab07dde096910d7214d82dc12f383df1fa399c

  • SHA256

    e44790e25db09d1fdcaa1b4a8e868a31d646a260c9df4923aea7be8efa0d8e1d

  • SHA512

    cf1f53481b6b9f723e6832f027dd496ba1e9bad3bd797ab8626f0d84a17a0e115d717d3d0915954044867b5eabb20936cba1c44afe5ae23c8d75fc1dcc963493

  • SSDEEP

    24576:xM0DuVs8+3mStH9DpRfds8q6XPBaUk+i3zvbWZQVHsx59hNnrDoiY/dAlzaY40qI:lDA+79P1XE29h9rtgoOjzKAjU

Score
8/10
discoveryevasionpersistence

Malware Config

Signatures

  • Downloads MZ/PE file
  • Modifies Installed Components in the registry 2 TTPs 1 IoCs
    persistence
  • Stops running service(s) 3 TTPs
    evasion
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 5 IoCs
  • Registers COM server for autorun 1 TTPs 6 IoCs
    persistence
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 10 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 26 IoCs
  • Suspicious use of SetWindowsHookEx 10 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ep_setup (1).exe
    "C:\Users\Admin\AppData\Local\Temp\ep_setup (1).exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2860
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2612
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:3620
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:2480
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:1952
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:3692
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Modifies Installed Components in the registry
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:4572
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    PID:3020
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:368
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4984
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1440
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1732
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2976
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:1300
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
      PID:496

    Network

    MITRE ATT&CK Enterprise v15

    Replay Monitor

    Loading Replay Monitor...

    Downloads

    • C:\Program Files\ExplorerPatcher\WebView2Loader.dll
      Filesize

      136KB

      MD5

      c44baed957b05b9327bd371dbf0dbe99

      SHA1

      80b48c656b8555ebc588de3de0ec6c7e75ae4bf1

      SHA256

      ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef

      SHA512

      ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

      Download Submit

    • C:\Program Files\ExplorerPatcher\ep_gui.dll
      Filesize

      578KB

      MD5

      37fc9dc443a51d38a73c65f59ee4ba0f

      SHA1

      5e5c62aad0ee2888a078ef19d6980b0207149917

      SHA256

      4698e09658fdb4a352aa9448c271470f8446dc8c0b6747a2bc26a0f51a76d323

      SHA512

      e317a8db4008adf8d3ac59c9881232ced516925baf7c1f10db8db840c9e1fb0e45f30a0d1b35a8d3917a0fd22b39a278e60e6726e2e40d7ba95955b366fbf9be

      Download Submit

    • C:\Program Files\ExplorerPatcher\ep_weather_host.dll
      Filesize

      236KB

      MD5

      5a23a64d9267c2534e53b0b09181876a

      SHA1

      3c5d6d93d64204a28c2244a018687651ba437b0f

      SHA256

      86dde99b9ae74fc50c8dae7159034d32ecb000275cfc8cf9392b5e7f96b1d67c

      SHA512

      4c8760b970173ed041fd3716b082b61738a65d9a6fadd2eae1e5a2dcd225efc35e84d9d886b0b662f433a2b01c4ae985f861aa0b6d1800eaca62a3d8a7e5dcc1

      Download Submit

    • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
      Filesize

      109KB

      MD5

      67573e80163a00e588854452ee70347b

      SHA1

      8aa26b013321504a7f67e59e1ecfcce3667d20ed

      SHA256

      5cef5e9812c3923a48d92ab9ca120251cc678a44f209224e3d676b4063b532b7

      SHA512

      f0ec2b0ca97b4c38f6d6e3873137ecf087a5011bd7ec4d57666a5ec7f7025259bc321e0814b086adb02c97b331c3f25a033010c036b5abf7dba91b5e548dd7e0

      Download Submit

    • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
      Filesize

      1KB

      MD5

      05501541194616310d8c6b2ea580b67e

      SHA1

      580557a66473ff746519ee17095924d2911d1f4a

      SHA256

      cf705ee15e48029cd5d3809ead5fafa358b27aba766d909968464384144c8dfa

      SHA512

      ff73491221f5b95ecfa2f7e309e47097ac0c21218668ca1dab70675da321424b31af1fdc7c5527eac36bdabb224c45fe639f141b540b8814e73da8604f67edee

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Office_SETLANG_EXE_15
      Filesize

      36KB

      MD5

      0e2a09c8b94747fa78ec836b5711c0c0

      SHA1

      92495421ad887f27f53784c470884802797025ad

      SHA256

      0c1cdbbf6d974764aad46477863059eaec7b1717a7d26b025f0f8fe24338bb36

      SHA512

      61530a33a6109467962ba51371821ea55bb36cd2abc0e7a15f270abf62340e9166e66a1b10f4de9a306b368820802c4adb9653b9a5acd6f1e825e60128fd2409

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\Microsoft_Windows_ControlPanel
      Filesize

      36KB

      MD5

      fb5f8866e1f4c9c1c7f4d377934ff4b2

      SHA1

      d0a329e387fb7bcba205364938417a67dbb4118a

      SHA256

      1649ec9493be27f76ae7304927d383f8a53dd3e41ea1678bacaff33120ea4170

      SHA512

      0fbe2843dfeab7373cde0643b20c073fdc2fcbefc5ae581fd1656c253dfa94e8bba4d348e95cc40d1e872456ecca894b462860aeac8b92cedb11a7cad634798c

      Download Submit

    • C:\Users\Admin\AppData\Local\Packages\microsoft.windows.search_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\0A55C1OB\microsoft.windows[1].xml
      Filesize

      97B

      MD5

      291a3f3ebf21195c8af7c2f120ca4dfc

      SHA1

      1cade2dac000db3bca92e2daee371beffd2c0bee

      SHA256

      fbe32bda6ca669397ca6d02b329f235aee87a8f36b09a589548e969c19cb78de

      SHA512

      ed2dea282f97d25171e0e95fe718103e04e37f13a1edf79373af204ac344cdb9a0fca34d82e45d3475a9845ee92644a99a1c2733f8858fe384e3b6958331f287

      Download Submit

    • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\StartUI.pdb
      Filesize

      35.4MB

      MD5

      7fa5409f40c7999b2d6df5d36631f841

      SHA1

      3c24c505de1b9900ef4ba8b13d03d0c3486a58eb

      SHA256

      37daf447f92f6d910d69fd8b9d549aa3d098dc38b374a63e83b15ca16f26504c

      SHA512

      46841811612018c0e39f7cac76094d7f48fd591cd1a0e93fe592ae85e678f7b75b1aa5a132f3fc6a49bce2f6c4ac8f9026d02dcce58ff4bacb4fca9d3ab85ac0

      Download Submit

    • C:\Windows\dxgi.dll
      Filesize

      619KB

      MD5

      c2b7c0292fff860897c99ce9260d1715

      SHA1

      cef060346dd189ae8da2c94eb21e0e4c1149f4b2

      SHA256

      60591d5eef5a3e79019f98c7e1ebd18a4b58f8b74909ce7236cd1bd93d8342ed

      SHA512

      ea005ed166da70f807f9e7caacaac9c0f9dd4d57267a1da6a34c33f1334511ae8f6bc4ed0de9759e119f1769a5dbeaa146cc789af3afffb71c840630c2961712

      Download Submit

    • memory/368-93-0x000001E01AE70000-0x000001E01AE90000-memory.dmp

      Filesize

      128KB

      Download

    • memory/368-95-0x000001E01AE30000-0x000001E01AE50000-memory.dmp

      Filesize

      128KB

      Download

    • memory/368-100-0x000001E01B240000-0x000001E01B260000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1300-210-0x00000186B5590000-0x00000186B55B0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1300-216-0x00000186B59F0000-0x00000186B5A10000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1300-213-0x00000186B5550000-0x00000186B5570000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1440-147-0x00000216FA490000-0x00000216FA4B0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1440-150-0x00000216FA8A0000-0x00000216FA8C0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1440-145-0x00000216FA4D0000-0x00000216FA4F0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1732-168-0x000001B866680000-0x000001B8666A0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1732-170-0x000001B866640000-0x000001B866660000-memory.dmp

      Filesize

      128KB

      Download

    • memory/1732-172-0x000001B866AE0000-0x000001B866B00000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2976-189-0x000001697C740000-0x000001697C760000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2976-192-0x000001697C700000-0x000001697C720000-memory.dmp

      Filesize

      128KB

      Download

    • memory/2976-194-0x000001697CBC0000-0x000001697CBE0000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4572-34-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-81-0x0000000003020000-0x0000000003021000-memory.dmp

      Filesize

      4KB

      Download

    • memory/4572-44-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-45-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-42-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-47-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-48-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-49-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-50-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-51-0x00007FFB06020000-0x00007FFB06646000-memory.dmp

      Filesize

      6.1MB

      Download

    • memory/4572-52-0x00007FFB058A0000-0x00007FFB05E93000-memory.dmp

      Filesize

      5.9MB

      Download

    • memory/4572-53-0x00007FFB0F5F0000-0x00007FFB0F642000-memory.dmp

      Filesize

      328KB

      Download

    • memory/4572-54-0x00007FFB0F5F0000-0x00007FFB0F642000-memory.dmp

      Filesize

      328KB

      Download

    • memory/4572-55-0x00007FFB0F5F0000-0x00007FFB0F642000-memory.dmp

      Filesize

      328KB

      Download

    • memory/4572-56-0x00007FFB0F5F0000-0x00007FFB0F642000-memory.dmp

      Filesize

      328KB

      Download

    • memory/4572-57-0x00007FFB10300000-0x00007FFB10346000-memory.dmp

      Filesize

      280KB

      Download

    • memory/4572-58-0x00007FFB06880000-0x00007FFB06A99000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4572-59-0x00007FFB06880000-0x00007FFB06A99000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4572-60-0x00007FFB0F5A0000-0x00007FFB0F5F0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4572-62-0x00007FFB0F5A0000-0x00007FFB0F5F0000-memory.dmp

      Filesize

      320KB

      Download

    • memory/4572-63-0x00007FFB0F080000-0x00007FFB0F0BB000-memory.dmp

      Filesize

      236KB

      Download

    • memory/4572-66-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-67-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-43-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-41-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-40-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-39-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-38-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-37-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-20-0x00007FFB1BEC0000-0x00007FFB1C5FF000-memory.dmp

      Filesize

      7.2MB

      Download

    • memory/4572-21-0x00007FFB1BEC0000-0x00007FFB1C5FF000-memory.dmp

      Filesize

      7.2MB

      Download

    • memory/4572-22-0x00007FFB0E850000-0x00007FFB0EA70000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4572-35-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-36-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-33-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-31-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-32-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-30-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-29-0x00007FF792DF0000-0x00007FF79328D000-memory.dmp

      Filesize

      4.6MB

      Download

    • memory/4572-28-0x00007FFB1BD10000-0x00007FFB1BEB1000-memory.dmp

      Filesize

      1.6MB

      Download

    • memory/4572-27-0x00007FFB0E850000-0x00007FFB0EA70000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4572-26-0x00007FFB0E850000-0x00007FFB0EA70000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4572-25-0x00007FFB0E850000-0x00007FFB0EA70000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4572-24-0x00007FFB0E850000-0x00007FFB0EA70000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4572-23-0x00007FFB0E850000-0x00007FFB0EA70000-memory.dmp

      Filesize

      2.1MB

      Download

    • memory/4984-123-0x00000184FCB20000-0x00000184FCB40000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4984-121-0x00000184FC510000-0x00000184FC530000-memory.dmp

      Filesize

      128KB

      Download

    • memory/4984-118-0x00000184FC550000-0x00000184FC570000-memory.dmp

      Filesize

      128KB

      Download