Analysis

  • max time kernel
    25s
  • max time network
    17s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20240611-fr
  • resource tags

    arch:x64arch:x86image:win10v2004-20240611-frlocale:fr-fros:windows10-2004-x64systemwindows
  • submitted
    13-06-2024 00:56

General

  • Target

    setup.exe

  • Size

    140.1MB

  • MD5

    b1ccbfbedc38786e9a0e9605b876c38b

  • SHA1

    6be127d660dc19d8abaaa0b7a1fc61e6c4c1cef8

  • SHA256

    ce0fcb2457ffa323e7a9aa65fb7aa3e5cd62bb09faadad83dde9882db04b9f14

  • SHA512

    eb3f5a4e4e801b2d22d1ea8a2d9445430cf49eca895b9583e4fb0f1add3354de9f032d4e50d00d47425e983fc589aa28c3dd1a263a68cb3b6979d8186667c624

  • SSDEEP

    1572864:42Cm7gJKfVjsPawuFHNwczWTeMkF7ZEk8bCkKbj:/aodJFek8+k

Score
10/10

Malware Config

Signatures

  • Epsilon Stealer

    Information stealer.

  • Checks computer location settings 2 TTPs 2 IoCs

    Looks up country code configured in the registry, likely geofence.

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 2 TTPs

    Infostealers often target stored browser data, which can include saved credentials etc.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Checks processor information in registry 2 TTPs 7 IoCs

    Processor information is often read in order to detect sandboxing environments.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe to determine videocard installed.

  • Kills process with taskkill 1 IoCs
  • Modifies system certificate store 2 TTPs 3 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of FindShellTrayWindow 1 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs

Processes

  • C:\Users\Admin\AppData\Local\Temp\setup.exe
    "C:\Users\Admin\AppData\Local\Temp\setup.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Checks processor information in registry
    • Modifies system certificate store
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of WriteProcessMemory
    PID:1256
    • C:\Users\Admin\AppData\Local\Temp\setup.exe
      "C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --gpu-preferences=UAAAAAAAAADgAAAYAAAAAAAAAAAAAAAAAABgAAAAAAAwAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAEgAAAAAAAAASAAAAAAAAAAYAAAAAgAAABAAAAAAAAAAGAAAAAAAAAAQAAAAAAAAAAAAAAAOAAAAEAAAAAAAAAABAAAADgAAAAgAAAAAAAAACAAAAAAAAAA= --mojo-platform-channel-handle=1656 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:2
      2⤵
        PID:4924
      • C:\Users\Admin\AppData\Local\Temp\setup.exe
        "C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=fr --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --mojo-platform-channel-handle=2156 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:8
        2⤵
          PID:2564
        • C:\Users\Admin\AppData\Local\Temp\setup.exe
          "C:\Users\Admin\AppData\Local\Temp\setup.exe" --type=renderer --user-data-dir="C:\Users\Admin\AppData\Roaming\setup" --app-path="C:\Users\Admin\AppData\Local\Temp\resources\app.asar" --enable-sandbox --lang=fr --device-scale-factor=1 --num-raster-threads=4 --enable-main-frame-before-activation --renderer-client-id=4 --mojo-platform-channel-handle=2400 --field-trial-handle=1888,i,945826514062694195,16084569511533582517,131072 --disable-features=SpareRendererForSitePerProcess,WinRetrieveSuggestionsOnlyOnDemand /prefetch:1
          2⤵
          • Checks computer location settings
          PID:1728
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
          2⤵
            PID:3888
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
              3⤵
                PID:4572
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
              2⤵
                PID:2628
                • C:\Windows\system32\reg.exe
                  C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
                  3⤵
                    PID:4880
                • C:\Windows\system32\cmd.exe
                  C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
                  2⤵
                    PID:3228
                    • C:\Windows\System32\Wbem\WMIC.exe
                      wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
                      3⤵
                      • Suspicious use of AdjustPrivilegeToken
                      PID:2120
                  • C:\Windows\system32\cmd.exe
                    C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
                    2⤵
                      PID:3904
                      • C:\Windows\System32\Wbem\WMIC.exe
                        wmic path win32_VideoController get name
                        3⤵
                        • Detects videocard installed
                        • Suspicious use of AdjustPrivilegeToken
                        PID:1700
                    • C:\Windows\system32\cmd.exe
                      C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
                      2⤵
                        PID:5076
                        • C:\Windows\system32\cmd.exe
                          cmd /c chcp 65001
                          3⤵
                            PID:5080
                            • C:\Windows\system32\chcp.com
                              chcp 65001
                              4⤵
                                PID:4592
                            • C:\Windows\system32\netsh.exe
                              netsh wlan show profiles
                              3⤵
                                PID:644
                            • C:\Windows\system32\cmd.exe
                              C:\Windows\system32\cmd.exe /d /s /c "taskkill /IM msedge.exe /F"
                              2⤵
                                PID:3256
                                • C:\Windows\system32\taskkill.exe
                                  taskkill /IM msedge.exe /F
                                  3⤵
                                  • Kills process with taskkill
                                  PID:2056

                            Network

                            MITRE ATT&CK Enterprise v15

                            Replay Monitor

                            Loading Replay Monitor...

                            Downloads

                            • C:\Users\Admin\AppData\Local\Temp\4d7f4640-235a-4fff-b13f-228cdcaf1ad3.tmp.node

                              Filesize

                              2.6MB

                              MD5

                              083fd9f2e3e93e1f2c599a2b609c9e5e

                              SHA1

                              6db2b6ce3e60d828ca32a6000c270c09224f3139

                              SHA256

                              5800c926c34c7ef38a45840c30e8855c1b3a6ec1ec8f37ffc6ce2d402728eabd

                              SHA512

                              08206b13d7e91f36d65de545b483d5fa446c2a1d8baab4c2fb19aa711af10cbfd98da3811d34a16033b5c09eb297fdcfaf09a186b4dcf69e84bb4dfcc11d96b2

                            • C:\Users\Admin\AppData\Local\Temp\6da713bf-6b73-4346-8a67-ba04aea8625d.tmp.node

                              Filesize

                              642KB

                              MD5

                              4c8d6ba1b9e1141bfc8f700a9aa543c0

                              SHA1

                              66717fc5b64efb94b61f5476bb3d041c619580ea

                              SHA256

                              0a1ce9b4eaf029f7b13e5b677bb8ad3192c0e3088d854a21bbe304e857f677b4

                              SHA512

                              ee79d8435276650c87664b87b50ec06597630c2f996f68a95e62cec5188e787e5fe35181c4282dda9960039fe17cdb38b0e8a6a5abc39701abec9e2731fcda47

                            • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\AutoFill Data\All Autofill Data.txt

                              Filesize

                              249B

                              MD5

                              cf7e4a12f932a3fddddacc8b10e1f1b0

                              SHA1

                              db6f9bc2be5e0905086b7b7b07109ef8d67b24ee

                              SHA256

                              1b6d3f6ad849e115bf20175985bed9bcfc6ec206e288b97ac14c3a23b5d28a4b

                              SHA512

                              fab79f26c1841310cc61e2f8336ca05281a9252a34a3c240e500c8775840374edb0a42094c64aa38a29ca79e1cafa114d6f1bbe3009060d32f8c1df9f088c12c

                            • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Cookies\Google Chrome_Default.txt

                              Filesize

                              216B

                              MD5

                              3850dcbdfccef2b2579651cbf2e766f7

                              SHA1

                              dd26947e7dc339059d9de4a7aa4a2b09ed621f13

                              SHA256

                              c57f2081f932cd5c03d755090fef4d3ac56494a90b425a4d546a0885a98b18e3

                              SHA512

                              67fda6f0d08e466caaa7d18fb7b43da4ce5b575c584565718895048c1b4ccc1bf4559ff83b1f063030baa8970c8abbec1ab477fd1c0d46f391f10c21bcb2ce4e

                            • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Passwords\All Passwords.txt

                              Filesize

                              231B

                              MD5

                              dec2be4f1ec3592cea668aa279e7cc9b

                              SHA1

                              327cf8ab0c895e10674e00ea7f437784bb11d718

                              SHA256

                              753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

                              SHA512

                              81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

                            • memory/1728-26-0x00007FFF696F0000-0x00007FFF696F1000-memory.dmp

                              Filesize

                              4KB

                            • memory/1728-25-0x00007FFF6A1A0000-0x00007FFF6A1A1000-memory.dmp

                              Filesize

                              4KB

                            • memory/4924-6-0x00007FFF6ABE0000-0x00007FFF6ABE1000-memory.dmp

                              Filesize

                              4KB