Analysis
-
max time kernel
10s -
max time network
16s -
platform
windows10-2004_x64 -
resource
win10v2004-20240221-en -
resource tags
arch:x64arch:x86image:win10v2004-20240221-enlocale:en-usos:windows10-2004-x64system -
submitted
21-02-2024 21:44
Behavioral task
behavioral1
Sample
ep_setup.exe
Resource
win7-20240221-en
Behavioral task
behavioral2
Sample
ep_setup.exe
Resource
win10v2004-20240221-en
General
-
Target
ep_setup.exe
-
Size
2.4MB
-
MD5
0f0d942625a01ba2bfa7f4ff6374f03b
-
SHA1
8c08e5ff28353a0116f57afb9e8e1cd0641cffd3
-
SHA256
0d46bd6e83d661567efd6d79ae760a041f6a1ea72b4b043da428c7fbb93ad27f
-
SHA512
be976731c23ea8042cc354a98988c0d1832f548d62ae32d8969cd739ee7ee546ea2635550ea803bd9be4c6f3c2518928e1e179233aeca7ae324190b3b4b51ea7
-
SSDEEP
24576:jvRLtzMabuizATYgBgYBUC6PPE+hhf4udB2mMRK+ZJlrF9ZoiO2V0UcSG3UN9d1r:dRzMabfnwn62Zfp9b1+SkUw
Malware Config
Signatures
-
Stops running service(s) 3 TTPs
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
ep_setup.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000\Control Panel\International\Geo\Nation ep_setup.exe -
Loads dropped DLL 4 IoCs
Processes:
regsvr32.exeregsvr32.exeexplorer.exepid Process 3920 regsvr32.exe 3920 regsvr32.exe 3452 regsvr32.exe 2044 explorer.exe -
Registers COM server for autorun 1 TTPs 6 IoCs
Processes:
regsvr32.exeregsvr32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 regsvr32.exe -
Checks installed software on the system 1 TTPs
Looks up Uninstall key entries in the registry to enumerate software on the system.
-
Drops file in Program Files directory 9 IoCs
Processes:
ep_setup.exedescription ioc Process File opened for modification C:\Program Files\ExplorerPatcher\ep_setup.exe ep_setup.exe File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_gui.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_dwm.exe ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_weather_host.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll ep_setup.exe File created C:\Program Files\ExplorerPatcher\ep_setup.exe ep_setup.exe File created C:\Program Files\ExplorerPatcher\WebView2Loader.dll ep_setup.exe -
Drops file in Windows directory 2 IoCs
Processes:
ep_setup.exedescription ioc Process File created C:\Windows\dxgi.dll ep_setup.exe File created C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll ep_setup.exe -
Launches sc.exe 2 IoCs
Sc.exe is a Windows utlilty to control services on the system.
Processes:
sc.exesc.exepid Process 4896 sc.exe 1664 sc.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 22 IoCs
Processes:
regsvr32.exeregsvr32.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32\ = "{CDBF3734-F847-4F1B-B953-A605434DC1E7}" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32\ThreadingModel = "Apartment" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\AppID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\DllSurrogate regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ = "C:\\Program Files\\ExplorerPatcher\\ep_weather_host_stub.dll" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D} regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\ = "ExplorerPatcher Weather Host" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\AppID = "{A6EA9C2D-4982-4827-9204-0AC532959F6D}" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{A6EA9C2D-4982-4827-9204-0AC532959F6D}\InProcServer32 regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\CLSID regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "IEPWeather" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\NumMethods\ = "28" regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32 regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\InProcServer32\ThreadingModel = "Both" regsvr32.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Classes\CLSID\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ = "PSFactoryBuffer" regsvr32.exe Key created \REGISTRY\USER\S-1-5-21-1392040655-2056082574-619088944-1000_Classes\Interface regsvr32.exe Key created \REGISTRY\MACHINE\SOFTWARE\Classes\Interface\{CDBF3734-F847-4F1B-B953-A605434DC1E7}\ProxyStubClsid32 regsvr32.exe -
Suspicious behavior: EnumeratesProcesses 10 IoCs
Processes:
ep_setup.exepid Process 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe 4748 ep_setup.exe -
Suspicious use of FindShellTrayWindow 51 IoCs
Processes:
ep_setup.exeexplorer.exepid Process 4748 ep_setup.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe 2044 explorer.exe -
Suspicious use of SendNotifyMessage 1 IoCs
Processes:
ep_setup.exepid Process 4748 ep_setup.exe -
Suspicious use of WriteProcessMemory 10 IoCs
Processes:
ep_setup.exedescription pid Process procid_target PID 4748 wrote to memory of 4896 4748 ep_setup.exe 89 PID 4748 wrote to memory of 4896 4748 ep_setup.exe 89 PID 4748 wrote to memory of 1664 4748 ep_setup.exe 91 PID 4748 wrote to memory of 1664 4748 ep_setup.exe 91 PID 4748 wrote to memory of 3920 4748 ep_setup.exe 93 PID 4748 wrote to memory of 3920 4748 ep_setup.exe 93 PID 4748 wrote to memory of 3452 4748 ep_setup.exe 94 PID 4748 wrote to memory of 3452 4748 ep_setup.exe 94 PID 4748 wrote to memory of 2044 4748 ep_setup.exe 95 PID 4748 wrote to memory of 2044 4748 ep_setup.exe 95
Processes
-
C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"1⤵
- Checks computer location settings
- Drops file in Program Files directory
- Drops file in Windows directory
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:4748 -
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB2⤵
- Launches sc.exe
PID:4896
-
-
C:\Windows\system32\sc.exe"C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB2⤵
- Launches sc.exe
PID:1664
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3920
-
-
C:\Windows\system32\regsvr32.exe"C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"2⤵
- Loads dropped DLL
- Registers COM server for autorun
- Modifies registry class
PID:3452
-
-
C:\Windows\explorer.exe"C:\Windows\explorer.exe"2⤵
- Loads dropped DLL
- Suspicious use of FindShellTrayWindow
PID:2044
-
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:1936
-
C:\Windows\explorer.exeexplorer.exe1⤵PID:4416
-
C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca1⤵PID:3700
-
C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe"C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca1⤵PID:1412
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
1Registry Run Keys / Startup Folder
1Create or Modify System Process
1Windows Service
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
136KB
MD5c44baed957b05b9327bd371dbf0dbe99
SHA180b48c656b8555ebc588de3de0ec6c7e75ae4bf1
SHA256ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
SHA512ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35
-
Filesize
238KB
MD5bf39429762a6ac4606516dd454ee3d32
SHA18388f4ddd5c91a3dc3c64ec7572ff0c9a16cb304
SHA256a3429b8060930cdfed715f5baf4cb9bf1d48a9fcaa25bf84c02587cbf502da88
SHA512054270517c3b6800f9efcbcf40bd49a5f845e5687f8b9ada07ac23dec993c9dcb4085fc941df56f8a5aae38ddd54d2520ecfd5fa520e33dd36c44b9fc58e0954
-
Filesize
109KB
MD527db891c07f48b2aa217916e313b4290
SHA14e78b077ee65244c04261de5cee48af9db527a45
SHA256c37861c2d351366d55b39f95336625f5d4a23b83839b8c419531322aded6d679
SHA5124b3792ffc63a2dc44ecace6716b5cac09fff326abb5932e2ae42bb77fefff9acddbdbf7443caaa9fba12b41dd41ab7887dbdaa15066ace23b91ab24c34bd4727
-
Filesize
626KB
MD57638f76208571b7c3a2a42dd9b2fcd4c
SHA171dda667c93210c880115044eaf9e8b22c64466d
SHA256ecd3d3961c5dc287413bccc5554250a0baa032326617db5140d9c23f4a51a024
SHA512957304e779851d27b5b0b1f936ed26a7bf4e65db56ea4fb845c4ddb1f695c220524b133b374825cff93c0b55e0138010d05153ea373fa9fcba848c11b5761349