Analysis

  • max time kernel
    163s
  • max time network
    191s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240226-en
  • resource tags

    arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
  • submitted
    29-03-2024 01:28

General

  • Target

    Epsilon.exe

  • Size

    134.3MB

  • MD5

    128d442c123dbbeefecbffea681b591b

  • SHA1

    88eaf983ab17105eab1e399794f84f50f0ce6d43

  • SHA256

    a12809190b023bc9ea27d62ef20c705ecdfc59e93c081ee5af996c5b484c325b

  • SHA512

    779f1b557de61fbf9dad1fe04149c18c26a1cabf8beb2c57c2dd57a1a4be3a88187ffbef8657bcd948a0a6d40ea0f09c3381b290fd597210f039b854dec41eb1

  • SSDEEP

    1572864:XicLgaO9p7sMMcmhRhgBx/CyhwGKsME1:khTRsJE1

Malware Config

Signatures

  • Epsilon Stealer

    Information stealer.

  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Adds Run key to start application 2 TTPs 1 IoCs
  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Enumerates processes with tasklist 1 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 7 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
    "C:\Users\Admin\AppData\Local\Temp\Epsilon.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:2656
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:3980
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic CsProduct Get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:4284
    • C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
      "C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1632,16709578440016631260,1987691553518215258,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADgAAAIAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1640 /prefetch:2
      2⤵
        PID:1036
      • C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
        "C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --field-trial-handle=1632,16709578440016631260,1987691553518215258,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --mojo-platform-channel-handle=1956 /prefetch:8
        2⤵
        • Suspicious behavior: EnumeratesProcesses
        PID:2480
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:3044
        • C:\Windows\system32\taskkill.exe
          taskkill /IM msedge.exe /F
          3⤵
          • Kills process with taskkill
          • Suspicious use of AdjustPrivilegeToken
          PID:2592
      • C:\Windows\system32\cmd.exe
        C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
        2⤵
        • Suspicious use of WriteProcessMemory
        PID:4584
        • C:\Windows\system32\reg.exe
          C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
          3⤵
            PID:368
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3548
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
            3⤵
              PID:4620
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c "tasklist"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:1072
            • C:\Windows\system32\tasklist.exe
              tasklist
              3⤵
              • Enumerates processes with tasklist
              • Suspicious use of AdjustPrivilegeToken
              PID:3224
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
            2⤵
              PID:3692
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:3840
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
              2⤵
                PID:3544
                • C:\Windows\System32\Wbem\WMIC.exe
                  wmic path win32_VideoController get name
                  3⤵
                  • Detects videocard installed
                  PID:4280
              • C:\Windows\system32\cmd.exe
                C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
                2⤵
                  PID:4636
                  • C:\Windows\system32\cmd.exe
                    cmd /c chcp 65001
                    3⤵
                      PID:3372
                      • C:\Windows\system32\chcp.com
                        chcp 65001
                        4⤵
                          PID:1256
                      • C:\Windows\system32\netsh.exe
                        netsh wlan show profiles
                        3⤵
                          PID:2964
                      • C:\Windows\system32\cmd.exe
                        C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f"
                        2⤵
                          PID:4928
                          • C:\Windows\system32\reg.exe
                            C:\Windows\system32\reg.exe ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v WindowsBootManager /t REG_SZ /d C:\Users\Admin\AppData\Local\Microsoft\Windows\0\WindowsBootManager.exe /f
                            3⤵
                            • Adds Run key to start application
                            PID:696
                        • C:\Windows\system32\cmd.exe
                          C:\Windows\system32\cmd.exe /d /s /c "tasklist"
                          2⤵
                            PID:3052
                            • C:\Windows\system32\tasklist.exe
                              tasklist
                              3⤵
                              • Enumerates processes with tasklist
                              PID:3876
                          • C:\Users\Admin\AppData\Local\Temp\Epsilon.exe
                            "C:\Users\Admin\AppData\Local\Temp\Epsilon.exe" --type=gpu-process --field-trial-handle=1632,16709578440016631260,1987691553518215258,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\Epsilon" --gpu-preferences=UAAAAAAAAADoAAAIAAAAAAAAAAAAAAAAAABgAAAIAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAHgAAAAAAAAAeAAAAAAAAAAoAAAABAAAACAAAAAAAAAAKAAAAAAAAAAwAAAAAAAAADgAAAAAAAAAEAAAAAAAAAAAAAAADQAAABAAAAAAAAAAAQAAAA0AAAAQAAAAAAAAAAQAAAANAAAAEAAAAAAAAAAHAAAADQAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=2688 /prefetch:2
                            2⤵
                            • Suspicious behavior: EnumeratesProcesses
                            PID:2528
                        • C:\Windows\System32\CompPkgSrv.exe
                          C:\Windows\System32\CompPkgSrv.exe -Embedding
                          1⤵
                            PID:3692

                          Network

                          MITRE ATT&CK Enterprise v15

                          Replay Monitor

                          Loading Replay Monitor...

                          Downloads

                          • C:\Users\Admin\AppData\Local\Temp\0954fe55-a85f-4c5d-b81c-c8ac49ad436b.tmp.node

                            Filesize

                            2.7MB

                            MD5

                            c639773c96bd5fbdaf6f1a6333662bb4

                            SHA1

                            0f5fecc2a6c750ddb730f382310e9e64ab8f202c

                            SHA256

                            c09f6c2894a46f149688601cb67624afdd122a0c494fa926fa0f83c75785ea35

                            SHA512

                            9bbe978078db99c917a315cf001a0713858007d2fc0632c73b30b490c89ceaa70578bcc38c6a59845e97c643c708587910ce27b687c96d298f5bf007d4c70802

                          • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

                            Filesize

                            240B

                            MD5

                            810ae82f863a5ffae14d3b3944252a4e

                            SHA1

                            5393e27113753191436b14f0cafa8acabcfe6b2a

                            SHA256

                            453478914b72d9056472fb1e44c69606c62331452f47a1f3c02190f26501785c

                            SHA512

                            2421a397dd2ebb17947167addacd3117f666ddab388e3678168075f58dc8eee15bb49a4aac2290140ae5102924852d27b538740a859d0b35245f505b20f29112

                          • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Credit Cards\All Credit Cards.txt

                            Filesize

                            231B

                            MD5

                            dec2be4f1ec3592cea668aa279e7cc9b

                            SHA1

                            327cf8ab0c895e10674e00ea7f437784bb11d718

                            SHA256

                            753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

                            SHA512

                            81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

                          • C:\Users\Admin\AppData\Local\Temp\fa7a0eaa-e6da-4b06-aa55-a9e3b04dbad1.tmp.node

                            Filesize

                            652KB

                            MD5

                            7f9b96ba7cbbb0c88d2005ccb669b54c

                            SHA1

                            c3aea9f1075493deb74c1a05f73f609a8086a8d9

                            SHA256

                            8c60efec7940e69a083350640ec5f42d43d8b979711080f1aef3bda825a9928b

                            SHA512

                            306aa838d928fc98b0d7429d984cf32d4814d9312445f4745bcf7f920d63223f8e1965bb36f7bf6518228f4541c5c5aa74fc28aa358055f1f893b0edd7216d82

                          • memory/1036-6-0x00007FFA24BC0000-0x00007FFA24BC1000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-79-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-78-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-80-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-85-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-84-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-86-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-87-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-88-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-90-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB

                          • memory/2528-89-0x000001C136F30000-0x000001C136F31000-memory.dmp

                            Filesize

                            4KB