epsilon | a9ea01437d2621405693bf37b93d8fe067954ee00171ccfb07e50b0e71e43b8f

Analysis

max time kernel
65s
max time network
77s
platform
windows10-2004_x64
resource
win10v2004-20240319-fr
resource tags

arch:x64arch:x86image:win10v2004-20240319-frlocale:fr-fros:windows10-2004-x64systemwindows
submitted
25/03/2024, 11:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

Epsilon.exe
Size

134.3MB
MD5

128d442c123dbbeefecbffea681b591b
SHA1

88eaf983ab17105eab1e399794f84f50f0ce6d43
SHA256

a12809190b023bc9ea27d62ef20c705ecdfc59e93c081ee5af996c5b484c325b
SHA512

779f1b557de61fbf9dad1fe04149c18c26a1cabf8beb2c57c2dd57a1a4be3a88187ffbef8657bcd948a0a6d40ea0f09c3381b290fd597210f039b854dec41eb1
SSDEEP

1572864:XicLgaO9p7sMMcmhRhgBx/CyhwGKsME1:khTRsJE1

Score

10^/10

epsilon persistence spyware stealer

Malware Config

Signatures

Epsilon Stealer
Information stealer.
stealer epsilon

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation	Epsilon.exe

Loads dropped DLL 2 IoCs

pid	Process
4092	Epsilon.exe
4092	Epsilon.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WindowsBootManager = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\0\\WindowsBootManager.exe"	reg.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
16	ipinfo.io
15	ipinfo.io

Detects videocard installed 1 TTPs 1 IoCs

Uses WMIC.exe to determine videocard installed.

System Information Discovery

T1082

pid	Process
4308	WMIC.exe

Enumerates processes with tasklist 1 TTPs 2 IoCs

Process Discovery

T1057

pid	Process
2892	tasklist.exe
2304	tasklist.exe

Kills process with taskkill 2 IoCs

evasion

pid	Process
1384	taskkill.exe
4432	taskkill.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
3212	Epsilon.exe
3212	Epsilon.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe
Token: SeDebugPrivilege	3664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3664	WMIC.exe
Token: SeRemoteShutdownPrivilege	3664	WMIC.exe
Token: SeUndockPrivilege	3664	WMIC.exe
Token: SeManageVolumePrivilege	3664	WMIC.exe
Token: 33	3664	WMIC.exe
Token: 34	3664	WMIC.exe
Token: 35	3664	WMIC.exe
Token: 36	3664	WMIC.exe
Token: SeIncreaseQuotaPrivilege	3664	WMIC.exe
Token: SeSecurityPrivilege	3664	WMIC.exe
Token: SeTakeOwnershipPrivilege	3664	WMIC.exe
Token: SeLoadDriverPrivilege	3664	WMIC.exe
Token: SeSystemProfilePrivilege	3664	WMIC.exe
Token: SeSystemtimePrivilege	3664	WMIC.exe
Token: SeProfSingleProcessPrivilege	3664	WMIC.exe
Token: SeIncBasePriorityPrivilege	3664	WMIC.exe
Token: SeCreatePagefilePrivilege	3664	WMIC.exe
Token: SeBackupPrivilege	3664	WMIC.exe
Token: SeRestorePrivilege	3664	WMIC.exe
Token: SeShutdownPrivilege	3664	WMIC.exe
Token: SeDebugPrivilege	3664	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3664	WMIC.exe
Token: SeRemoteShutdownPrivilege	3664	WMIC.exe
Token: SeUndockPrivilege	3664	WMIC.exe
Token: SeManageVolumePrivilege	3664	WMIC.exe
Token: 33	3664	WMIC.exe
Token: 34	3664	WMIC.exe
Token: 35	3664	WMIC.exe
Token: 36	3664	WMIC.exe
Token: SeDebugPrivilege	1384	taskkill.exe
Token: SeDebugPrivilege	4432	taskkill.exe
Token: SeDebugPrivilege	2892	tasklist.exe
Token: SeIncreaseQuotaPrivilege	3904	WMIC.exe
Token: SeSecurityPrivilege	3904	WMIC.exe
Token: SeTakeOwnershipPrivilege	3904	WMIC.exe
Token: SeLoadDriverPrivilege	3904	WMIC.exe
Token: SeSystemProfilePrivilege	3904	WMIC.exe
Token: SeSystemtimePrivilege	3904	WMIC.exe
Token: SeProfSingleProcessPrivilege	3904	WMIC.exe
Token: SeIncBasePriorityPrivilege	3904	WMIC.exe
Token: SeCreatePagefilePrivilege	3904	WMIC.exe
Token: SeBackupPrivilege	3904	WMIC.exe
Token: SeRestorePrivilege	3904	WMIC.exe
Token: SeShutdownPrivilege	3904	WMIC.exe
Token: SeDebugPrivilege	3904	WMIC.exe
Token: SeSystemEnvironmentPrivilege	3904	WMIC.exe
Token: SeRemoteShutdownPrivilege	3904	WMIC.exe
Token: SeUndockPrivilege	3904	WMIC.exe
Token: SeManageVolumePrivilege	3904	WMIC.exe
Token: 33	3904	WMIC.exe
Token: 34	3904	WMIC.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 4092 wrote to memory of 1204	4092	Epsilon.exe	94
PID 4092 wrote to memory of 1204	4092	Epsilon.exe	94
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 4092 wrote to memory of 3000	4092	Epsilon.exe	96
PID 1204 wrote to memory of 3664	1204	cmd.exe	97
PID 1204 wrote to memory of 3664	1204	cmd.exe	97
PID 4092 wrote to memory of 3212	4092	Epsilon.exe	99
PID 4092 wrote to memory of 3212	4092	Epsilon.exe	99
PID 4092 wrote to memory of 4376	4092	Epsilon.exe	101
PID 4092 wrote to memory of 4376	4092	Epsilon.exe	101
PID 4376 wrote to memory of 1384	4376	cmd.exe	103
PID 4376 wrote to memory of 1384	4376	cmd.exe	103
PID 4092 wrote to memory of 232	4092	Epsilon.exe	104
PID 4092 wrote to memory of 232	4092	Epsilon.exe	104
PID 232 wrote to memory of 4432	232	cmd.exe	106
PID 232 wrote to memory of 4432	232	cmd.exe	106
PID 4092 wrote to memory of 2692	4092	Epsilon.exe	107
PID 4092 wrote to memory of 2692	4092	Epsilon.exe	107
PID 4092 wrote to memory of 4688	4092	Epsilon.exe	108
PID 4092 wrote to memory of 4688	4092	Epsilon.exe	108
PID 4092 wrote to memory of 4592	4092	Epsilon.exe	109
PID 4092 wrote to memory of 4592	4092	Epsilon.exe	109
PID 4688 wrote to memory of 1732	4688	cmd.exe	113
PID 4688 wrote to memory of 1732	4688	cmd.exe	113
PID 4592 wrote to memory of 2892	4592	cmd.exe	114
PID 4592 wrote to memory of 2892	4592	cmd.exe	114

C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
"C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"
1⤵
- Checks computer location settings
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID:4092
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:1204
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic CsProduct Get UUID
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3664
- C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
  "C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1312,15878106716118091171,14795458076751145424,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1648 /prefetch:2
  2⤵
  PID:3000
- C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
  "C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1312,15878106716118091171,14795458076751145424,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --mojo-platform-channel-handle=1980 /prefetch:8
  2⤵
  - Suspicious behavior: EnumeratesProcesses
  PID:3212
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM chrome.exe /F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4376
- - C:\Windows\system32\taskkill.exe
    taskkill /IM chrome.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:1384
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:232
- - C:\Windows\system32\taskkill.exe
    taskkill /IM msedge.exe /F
    3⤵
    - Kills process with taskkill
    - Suspicious use of AdjustPrivilegeToken
    PID:4432
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
  2⤵
  PID:2692
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
    3⤵
    PID:2784
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4688
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
    3⤵
    PID:1732
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  - Suspicious use of WriteProcessMemory
  PID:4592
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    - Suspicious use of AdjustPrivilegeToken
    PID:2892
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
  2⤵
  PID:4652
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:3904
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
  2⤵
  PID:4456
- - C:\Windows\System32\Wbem\WMIC.exe
    wmic path win32_VideoController get name
    3⤵
    - Detects videocard installed
    PID:4308
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
  2⤵
  PID:1060
- - C:\Windows\system32\cmd.exe
    cmd /c chcp 65001
    3⤵
    PID:4584
  - - C:\Windows\system32\chcp.com
      chcp 65001
      4⤵
      PID:2060
- - C:\Windows\system32\netsh.exe
    netsh wlan show profiles
    3⤵
    PID:1708
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f"
  2⤵
  PID:1836
- - C:\Windows\system32\reg.exe
    C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f
    3⤵
    - Adds Run key to start application
    PID:4156
- C:\Windows\system32\cmd.exe
  C:\Windows\system32\cmd.exe /d /s /c "tasklist"
  2⤵
  PID:3052
- - C:\Windows\system32\tasklist.exe
    tasklist
    3⤵
    - Enumerates processes with tasklist
    PID:2304

C:\Windows\System32\CompPkgSrv.exe
C:\Windows\System32\CompPkgSrv.exe -Embedding
1⤵
PID:1164

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Process Discovery

T1057

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\47e1435f-71b9-48d7-8cd2-e0e8f9f2b6a1.tmp.node

Filesize
652KB

MD5
23d27ff28c534e279752e78228ea7c86

SHA1
dffb31b6af27de08bebe66b6cd2a4cbc785c123a

SHA256
713479673dfb53cd041ed377ae4fb9e06ad2c897de4e9de49e4d5d79d76361fe

SHA512
5f89ef8cd837e713c160ed5f04eef7f19d998abc100c499aa946a1ea615bc1aee526d3055917c6bf16d0e2e487d38269fb832c186880978b1ef6d75723092538

Download Submit
C:\Users\Admin\AppData\Local\Temp\c88ea20d-14ce-47ba-9df6-0d34fd721525.tmp.node

Filesize
2.7MB

MD5
dfd9fc878f9ba46103152b652f6d9a5b

SHA1
ab91f928efeea38b2cffb3bedccd7b5bf36d0a5e

SHA256
15e367a1de229135c65b6099dc5e1f0022d7bac833f8594d04beff5b7d37de3a

SHA512
1749bb2a8e7f8c8057c47067c71c1b27500e1f8a01f8f08c02c41f94b2b17846f4a67741c6401332ec445f667169b3220c4a23a58e8f2d2168d4001328f8fc1b

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

Filesize
240B

MD5
810ae82f863a5ffae14d3b3944252a4e

SHA1
5393e27113753191436b14f0cafa8acabcfe6b2a

SHA256
453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

SHA512
2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_Default.txt

Filesize
273B

MD5
b8aef46cbdea9427ec511cbb43213d22

SHA1
acdc077929d0b2a42b6b18d7693fd883af635be9

SHA256
c5366dce44147b86a5f5a02b8424cbc12cb0218af7d83ef8bc21ece1dd5fcef3

SHA512
ea2a264dc7d0369cd7f0088bf12caf5d9a32c14074e12d7ea5b517939b2ab90ac49011ed3e67389fd231a9ce80933d13895edbf360e87b09f01304b9b3e60886

Download Submit
C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

Filesize
231B

MD5
dec2be4f1ec3592cea668aa279e7cc9b

SHA1
327cf8ab0c895e10674e00ea7f437784bb11d718

SHA256
753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

SHA512
81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

Download Submit
memory/3000-6-0x00007FFB7D770000-0x00007FFB7D771000-memory.dmp

Filesize
4KB

Download
memory/3000-80-0x000001FEEDEA0000-0x000001FEEDECB000-memory.dmp

Filesize
172KB

Download