Analysis

  • max time kernel
    10s
  • max time network
    16s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240221-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20240221-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    21-02-2024 21:44

General

  • Target

    ep_setup.exe

  • Size

    2.4MB

  • MD5

    0f0d942625a01ba2bfa7f4ff6374f03b

  • SHA1

    8c08e5ff28353a0116f57afb9e8e1cd0641cffd3

  • SHA256

    0d46bd6e83d661567efd6d79ae760a041f6a1ea72b4b043da428c7fbb93ad27f

  • SHA512

    be976731c23ea8042cc354a98988c0d1832f548d62ae32d8969cd739ee7ee546ea2635550ea803bd9be4c6f3c2518928e1e179233aeca7ae324190b3b4b51ea7

  • SSDEEP

    24576:jvRLtzMabuizATYgBgYBUC6PPE+hhf4udB2mMRK+ZJlrF9ZoiO2V0UcSG3UN9d1r:dRzMabfnwn62Zfp9b1+SkUw

Malware Config

Signatures

  • Stops running service(s) 3 TTPs
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 4 IoCs
  • Registers COM server for autorun 1 TTPs 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 2 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utility to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Modifies registry class 22 IoCs
  • Suspicious behavior: EnumeratesProcesses 10 IoCs
  • Suspicious use of FindShellTrayWindow 51 IoCs
  • Suspicious use of SendNotifyMessage 1 IoCs
  • Suspicious use of WriteProcessMemory 10 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\ep_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"
    1⤵
    • Checks computer location settings
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious behavior: EnumeratesProcesses
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4748
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:4896
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:1664
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:3920
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Registers COM server for autorun
      • Modifies registry class
      PID:3452
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Loads dropped DLL
      • Suspicious use of FindShellTrayWindow
      PID:2044
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:1936
  • C:\Windows\explorer.exe
    explorer.exe
    1⤵
    PID:4416
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    PID:3700
  • C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe
    "C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca
    1⤵
    PID:1412

Network

MITRE ATT&CK Enterprise v15

Downloads

  • C:\Program Files\ExplorerPatcher\WebView2Loader.dll
    Filesize
    136KB
    MD5
    c44baed957b05b9327bd371dbf0dbe99
    SHA1
    80b48c656b8555ebc588de3de0ec6c7e75ae4bf1
    SHA256
    ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef
    SHA512
    ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

  • C:\Program Files\ExplorerPatcher\ep_weather_host.dll
    Filesize
    238KB
    MD5
    bf39429762a6ac4606516dd454ee3d32
    SHA1
    8388f4ddd5c91a3dc3c64ec7572ff0c9a16cb304
    SHA256
    a3429b8060930cdfed715f5baf4cb9bf1d48a9fcaa25bf84c02587cbf502da88
    SHA512
    054270517c3b6800f9efcbcf40bd49a5f845e5687f8b9ada07ac23dec993c9dcb4085fc941df56f8a5aae38ddd54d2520ecfd5fa520e33dd36c44b9fc58e0954

  • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
    Filesize
    109KB
    MD5
    27db891c07f48b2aa217916e313b4290
    SHA1
    4e78b077ee65244c04261de5cee48af9db527a45
    SHA256
    c37861c2d351366d55b39f95336625f5d4a23b83839b8c419531322aded6d679
    SHA512
    4b3792ffc63a2dc44ecace6716b5cac09fff326abb5932e2ae42bb77fefff9acddbdbf7443caaa9fba12b41dd41ab7887dbdaa15066ace23b91ab24c34bd4727

  • C:\Windows\dxgi.dll
    Filesize
    626KB
    MD5
    7638f76208571b7c3a2a42dd9b2fcd4c
    SHA1
    71dda667c93210c880115044eaf9e8b22c64466d
    SHA256
    ecd3d3961c5dc287413bccc5554250a0baa032326617db5140d9c23f4a51a024
    SHA512
    957304e779851d27b5b0b1f936ed26a7bf4e65db56ea4fb845c4ddb1f695c220524b133b374825cff93c0b55e0138010d05153ea373fa9fcba848c11b5761349