456fb05e5875d5598652df0f9dbaacdce8467c7316af1f872e47a3621af35cd6

Analysis

max time kernel
148s
max time network
149s
platform
windows10-2004_x64
resource
win10v2004-20240508-en
resource tags

arch:x64arch:x86image:win10v2004-20240508-enlocale:en-usos:windows10-2004-x64system
submitted
09/06/2024, 18:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

WF2860_Lite_NA.exe
Size

14.2MB
MD5

c96ee457d9e57dcc36baccd1528e17a5
SHA1

45136b2e9a6325a6d212ba6e2fa2e0b8ec1afe50
SHA256

456fb05e5875d5598652df0f9dbaacdce8467c7316af1f872e47a3621af35cd6
SHA512

61953888f4dfe1bde29dbaeaa0929c56e583248ed99400d569a7206c799f7bb2d66d0e592288fa711aca81f5e3b4eafa6e856a7d95f80ca0f245280ef6667048
SSDEEP

196608:hvAhSqFp79njl0AZqlYZfMyNnXApVdQjHgFZBz5Xnxn33VF+PmB6fHw8emyVp0dq:KhzpdrJZvnX0VdQjH8XxXgw2KEpZaSK

Score

5^/10

Malware Config

Signatures

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2539840389-1261165778-1087677076-1000\Control Panel\International\Geo\Nation	Setup.exe

Drops file in Windows directory 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\EpsonCDInstaller.INI	Setup.exe
File opened for modification	C:\Windows\EpsonCDInstaller.ini	Setup.exe

Executes dropped EXE 3 IoCs

pid	Process
4932	WF2860_Lite_NA.tmp
4060	Setup.exe
3368	Splash.exe

Loads dropped DLL 2 IoCs

pid	Process
4060	Setup.exe
4060	Setup.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 4 IoCs

pid	Process
4932	WF2860_Lite_NA.tmp
4932	WF2860_Lite_NA.tmp
4060	Setup.exe
4060	Setup.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
4932	WF2860_Lite_NA.tmp

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
4060	Setup.exe
4060	Setup.exe
3368	Splash.exe
3368	Splash.exe
4060	Setup.exe
4060	Setup.exe
4060	Setup.exe
4060	Setup.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 4460 wrote to memory of 4932	4460	WF2860_Lite_NA.exe	80
PID 4460 wrote to memory of 4932	4460	WF2860_Lite_NA.exe	80
PID 4460 wrote to memory of 4932	4460	WF2860_Lite_NA.exe	80
PID 4932 wrote to memory of 4060	4932	WF2860_Lite_NA.tmp	88
PID 4932 wrote to memory of 4060	4932	WF2860_Lite_NA.tmp	88
PID 4932 wrote to memory of 4060	4932	WF2860_Lite_NA.tmp	88
PID 4060 wrote to memory of 3368	4060	Setup.exe	89
PID 4060 wrote to memory of 3368	4060	Setup.exe	89
PID 4060 wrote to memory of 3368	4060	Setup.exe	89

C:\Users\Admin\AppData\Local\Temp\WF2860_Lite_NA.exe
"C:\Users\Admin\AppData\Local\Temp\WF2860_Lite_NA.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:4460
- C:\Users\Admin\AppData\Local\Temp\is-TEI5M.tmp\WF2860_Lite_NA.tmp
  "C:\Users\Admin\AppData\Local\Temp\is-TEI5M.tmp\WF2860_Lite_NA.tmp" /SL5="$C0068,14008531,1070592,C:\Users\Admin\AppData\Local\Temp\WF2860_Lite_NA.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of WriteProcessMemory
  PID:4932
- - C:\Users\Admin\AppData\Local\Temp\WF-2860\Setup.exe
    "C:\Users\Admin\AppData\Local\Temp\WF-2860\Setup.exe"
    3⤵
    - Checks computer location settings
    - Drops file in Windows directory
    - Executes dropped EXE
    - Loads dropped DLL
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:4060
  - - C:\Users\Admin\AppData\Local\Temp\WF-2860\res\Splash.exe
      "C:\Users\Admin\AppData\Local\Temp\WF-2860\res\Splash.exe" 5000
      4⤵
      Executes dropped EXE
      Suspicious use of SetWindowsHookEx
      PID:3368

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\WF-2860\Network\EpsonNetSetup\ENSF.dll

Filesize
379KB

MD5
fe166f5c21fabcd26d31cc18075c2cfc

SHA1
20b755e6832b869b6cf44587c24b214c5e4731b2

SHA256
4be62db859fd60655d77bfcfd0af51dc4192fcfd01abe841af983781194f8816

SHA512
4854b6e674a70e9ca80c2f3c51b29681dc29b766645bf0594e875aaaabc8b4e5a7a7dfae427580608aec0093b8218fda70969731755b9fbb718ee44303775b5e

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\Network\EpsonNetSetup\Resources\UI\00\Default\is-H60EM.tmp

Filesize
814B

MD5
24ebcd33846c1e28ad20a65d3e7f1990

SHA1
54a79981ee36f8ddb8fc30191428afbddfed4778

SHA256
a52311138da9fd6e4071fc60a670a5b5b61cb895d63f67ce080c89f580b5e734

SHA512
9caa8a28deecb77789c959dba763f0f23c16dc2dcf64a6a50ea65dd1f11447b8a21ccac23fefa0db0fe55920e695d928ec81be9825b02accac2773e08936d775

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\Network\EpsonNetSetup\Resources\UI\00\Default\is-JRLTG.tmp

Filesize
811B

MD5
6dfff01e2b5f2b6ba30df2bd029fc7d7

SHA1
ad38f5828a7710aa01b81434a1e5227dc420eb4e

SHA256
071143c325e1a9fbbb5f70cd009ac5f94f1da13e71ee46d22264d64a3cf34c76

SHA512
6de7402b435eb1353a3c75576fbc48ceab181550ad53b2b0424974592227ab46ba8e8812ebfaa9b3402af810e23ab8e50dbebfbb2b6516d737da25355afd1c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\Network\EpsonNetSetup\Resources\UI\00\Default\is-N8VKM.tmp

Filesize
1KB

MD5
15c740fd95a72e10b4671250279a85dd

SHA1
51c2ee59189f6d21c21b2f9572737f4ac0d15720

SHA256
b407c1c841d7a2a99c9b89a2b7119acb453880023a8c30bc8202fc156342cfee

SHA512
28a246bade901fe515908e42307a8fd80f255e30f60f6b2fc3b1df6dd0da35cfd6b7105741952c92cc7855b6b1eaae89efca345bcaabc7cfb033c7f28f1d01df

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\Network\EpsonNetSetup\Resources\UI\00\Default\is-QD1G9.tmp

Filesize
1KB

MD5
a97d34b1bb03dd66c53db56f0fd5b7d7

SHA1
851d2c838dcd918dd1605da6136786dba4ab8716

SHA256
9b939aedb97425fb473ebb68915ce3d6058a8686ee775d23d339f7ec792bc495

SHA512
4ae6648e6ceb1bcf360319195f3a78a265b4a4b31f691ab88e813410547e0c41bc4035aaeeb1e6dfecac62f236949a3d50f5585a635f674690c38f8a461d190c

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\Network\EpsonNetSetup\Resources\UI\02\Default\is-ECMFS.tmp

Filesize
2KB

MD5
f4cef09e189088980b7d5141b7e977e0

SHA1
8f2fa0f212bf1c9c22d975ae51c423ce5177ac2f

SHA256
d22cf4ef479c73f328874e723b880018e285fd6a0d6f61a344b42e21e709eb2e

SHA512
c65d9546f74c0687ff872fa03c37038e0b935c4e3bf16f127b7ff0aa82ada47e1ff5204fa091d43b0c98f3d6583daabb0c6b9bb2c1393c09358ad3256b92939a

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\Network\EpsonNetSetup\Resources\UI\04\Default\is-DD2I2.tmp

Filesize
3KB

MD5
5997acf7e0a0adc0e897fc4f5b61feca

SHA1
1bbda7e5b09c5fc0e81c123371576a339c039684

SHA256
5934856bb068c59cc786b5fac346686d23ad863340d156692d6c7642c3a90bfb

SHA512
09292567879329b7cc2827bcebf4aa4694654bea015f9e8d03a890f04d41bd0447f7bf87d341cf75cd6ad6bd8af3528ac8c72a5a5ec58b4bd42ae2d1473ad1cf

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\Setup.exe

Filesize
867KB

MD5
e91df496eb99b1e0c14d51d8d251aba3

SHA1
e0a868c8b0131996a3fe4d19921d9eab549baff4

SHA256
d4b07b9f72e177b7a4a20d02d0f4caecc977611391af5779327cbebf9f10c6fc

SHA512
81aa4f892e1f8b5227c147a21bac958fa30545b1ed20629d9f6bce6d365495ed2b164043b693be3baff5c891b16fb166cf2fa1ef2db3bdbae49abfd1216f0807

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\res\EPSoftware.dll

Filesize
284KB

MD5
87efd643273bce914ae9f2e1f1880dd7

SHA1
85a8e5413b5346f0f8bcaa29a3626377c846e919

SHA256
d7d6a6136b376fc6c93d4022c359a8278203359d9b282d2d3ba5dfde9c408302

SHA512
34db4d9adc7453259f750115f69c4e360f04fb0950205441a392a78c2f4340e8edd9d4a4ca00d75f5bbeda7cec4c6495cda9385941e91a389aa3ee2d40066569

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\res\English\License.rtf

Filesize
57KB

MD5
98955df68e1bafafc2dd8a549aa78082

SHA1
c96c0480a873a561b8e73e1620ddb636b8089312

SHA256
71a1fab20988e44099375e2df23ee4b5dc75d94a600a239f898fafde02742952

SHA512
14ec15c8ea384b76777c70073a63c764b7305304187c3f4988e5aecb6eb96334bb8cc15d05126f53bf75b29d7a7761336d4b1eaa91d4a295b21e83b990eee666

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\res\English\language.ini

Filesize
7KB

MD5
d577b1f24dc43da595180181c458e6fd

SHA1
dde12b510bdf5542a36453dfb2b56b1686b87f50

SHA256
304b8b930d54e851dd68d07634c39e4be17ffdc4815414144d02c53bdcb953ac

SHA512
40646df4d4002fe47a38646d15b9eebe9915bfdd5dd7336aa1fec35d976db3df77b4625b435ab9bf80b8c957b35449fe5e5d18f1aceba6651cf1458489f590df

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\res\English\uistrings.ini

Filesize
12KB

MD5
25736ff41b760d1178801dba44b8d2d2

SHA1
0879b6bd9cb6c1606be5f98159b0c06560484285

SHA256
90def906cea7bede1b4258718bc6d4b6942d84bf3e48025b24c751d38a52ef1a

SHA512
916892f711910d0144be3ed1bfb55cb1e3820f5b431c50976bbf6846520a9e7c7dca21b48f6065b0cdcd1ee7c8536854505e5d274bf534dd9e84d9393cd28481

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\res\Splash.exe

Filesize
2.6MB

MD5
59472313e464e19320f2aafdb541ba62

SHA1
a54108d5e7d68c5bd16d95a3c4bde6ec47466a94

SHA256
51033cc3311dda2c154da72dc5f7bebc8f1168d51f07fec4eb833d43fd74f4a4

SHA512
8e5ca315ba3eef94adb21c566c5d64cc00e62b8d9ee61bfcd91e7bc676f23759bea0d3d257e95770018e6c2b69f25e8e0e8d1c67f204eda525cfcf9f4ed53375

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\res\defaultBackground.png

Filesize
62KB

MD5
060e7a6829d04e59741e23a24b7ec65d

SHA1
15bc563c50bbcdef404132a4a876bb8b71f51cd9

SHA256
a57c44f0c852ef55ae681a69d596b9d417a3477f43c46f2a070cab81d8e05a78

SHA512
94c5f0a059504b81b9013137d1ef6eec617830369a0d8f4aad91b5c7377011c9f8044a586bec2fa79fe98cd7cb1dca4214b9fce53c6b9efd4f64e96a3f7cc87b

Download Submit
C:\Users\Admin\AppData\Local\Temp\WF-2860\res\epson.ini

Filesize
820B

MD5
b3c8a208da29a63bbd732cdea08fa799

SHA1
53ad190dffa4b3c93fa5329dca1fc6cd0b8d5c52

SHA256
bf30f4dfb5e0ffea05433fd168314ae91eb0639231e6097779ac1457c3143acc

SHA512
11b4ecf91fc7f2cdb4675d83e2e825303e90a3da474460a9c0b803cfb4a2f0306f8316a741910e850a2b6193a70d2c31e3706d46b5d65430d219ef5cdbfc77ff

Download Submit
C:\Users\Admin\AppData\Local\Temp\is-TEI5M.tmp\WF2860_Lite_NA.tmp

Filesize
3.3MB

MD5
270f7df585eae5d93251d2f28c292f82

SHA1
2c99939987885a90688274ab7d9f360db67d94a4

SHA256
e1b80d1c89dd6f9deed33841a9ec543e9f712a1fa75d1f1ed152a6c26d8e7ae6

SHA512
204cb07df3a81aa37deae63320b5ad1dd518782135de1178b78df715e0606ee219a6912fb10e6a7e8b585fd3af7dea3823a40222c1669d0db829c6e3aae71049

Download Submit
C:\Windows\EpsonCDInstaller.INI

Filesize
316B

MD5
5d048343039cff56e99b93cc92781456

SHA1
6fec3f176748175f762716163e5cc5f6fd831d65

SHA256
837eda095e5ef7b4e217f00cba4dd873f137221d6cb332cf53514babd5e8f987

SHA512
0e35060535070f94082ee9ee757ae286dce52c77c18f6e130195a9c310253ed5bb218df53706834f163c59c8dd0b6d06f151dca9b630544168595126ef4dcb69

Download Submit
C:\Windows\EpsonCDInstaller.INI

Filesize
403B

MD5
8e76dcd7d1de5e927bccbf877bf70c14

SHA1
f1b83d9c0c707fe9373de9efbb69e49b2fc5b1a2

SHA256
ac75823e3967f31dc01eb4090c7c1b3e763f7930a99aa939e7990a3c0894c5e5

SHA512
deab6d7d7f3a8bb96328bbb32ef56502e6c83503211b60bd20446d616239d7862bac6701a4a02403204670d07a3545c58fdfb034f77f1416e4658be4e49258ef

Download Submit
memory/4460-726-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4460-2-0x0000000000401000-0x00000000004B7000-memory.dmp

Filesize
728KB

Download
memory/4460-0-0x0000000000400000-0x0000000000513000-memory.dmp

Filesize
1.1MB

Download
memory/4932-731-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download
memory/4932-6-0x0000000000400000-0x000000000074D000-memory.dmp

Filesize
3.3MB

Download