Overview

overview

8

Static

static

3

ep_setup.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    41s
  • max time network
    43s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    12/09/2024, 17:19

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ep_setup.exe

  • Size

    2.4MB

  • MD5

    2a780b2c5d0750462a12dde2b99b2371

  • SHA1

    e29235897f4e4af623d243bbb887bc7680a54c2f

  • SHA256

    62ed3f40d0c6e91fa454987789aeeca5118839431518fd06be1a7edfe939170c

  • SHA512

    f93203e4503c55c028d12c2ce80003157f91043a91278e03488c51a1ba3944d03fd95a01e062e694e678652a0ffc1c2212a9bb483cb2b323736529d69d821cfc

  • SSDEEP

    24576:X9LZyqlR1WabNAisVOqGcMrQLgAP8tXD0azP845aeHEoOJSpCzAoi0hCCtf63Flu:V0qjkJrwOsAP8kSpoEYtQRj20w

Score
8/10
discoveryevasionexecutionpersistenceprivilege_escalation

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 38 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 54 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence

Processes

  • C:\Users\Admin\AppData\Local\Temp\ep_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:4724
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:1012
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:3672
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:2584
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3236
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3744
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:1608
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:808
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:3152

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        System Services

        1
        T1569

        Service Execution

        1
        T1569.002

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Active Setup

        1
        T1547.014

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Component Object Model Hijacking

        1
        T1546.015

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Active Setup

        1
        T1547.014

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Component Object Model Hijacking

        1
        T1546.015

        Defense Evasion

        Impair Defenses

        1
        T1562

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        2
        T1120

        Query Registry

        5
        T1012

        System Information Discovery

        4
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\ExplorerPatcher\WebView2Loader.dll
          Filesize

          136KB

          MD5

          c44baed957b05b9327bd371dbf0dbe99

          SHA1

          80b48c656b8555ebc588de3de0ec6c7e75ae4bf1

          SHA256

          ad8bb426a8e438493db4d703242f373d9cb36d8c13e88b6647cd083716e09bef

          SHA512

          ad1b76594dca7cde6bbcde55bc3abe811f9e903e2cf6613d49201e14e789cfc763cb528d499dd2db84db097a210d63c7d88cc909ca1c836d831e3519c2ce7b35

          Download Submit

        • C:\Program Files\ExplorerPatcher\ep_gui.dll
          Filesize

          707KB

          MD5

          f00118b4ef99e6a8699f1fd675dea96d

          SHA1

          d87679a7a61ac72022d68102d282edb77472fdfb

          SHA256

          ce3ea08fa5adc9faf6593da82585b4326bcd97c9f623514d12ef97519e41efe1

          SHA512

          9b71f1c5292f864f1899ac317457f4556914c6584acc9b21d58f2920db4ed616da34e046e4af078735592f55f64ec27c4a2fcbdf1694b52848b62ab5ebdc88a3

          Download Submit

        • C:\Program Files\ExplorerPatcher\ep_weather_host.dll
          Filesize

          238KB

          MD5

          f7b3274e38e773ca6729296430af847e

          SHA1

          f7caf054b2dc3340de4e05a696e6cf7cdda92e98

          SHA256

          eeeab76981588958eba5708c23fc9923dfa116bc7d683b359780c9d0a25fdc18

          SHA512

          9123b0c0c29d93f3779ffcacad70aa2de3b1988c55ff5ea3ce1b6b8dedae12e82191657b74098b47cad95223b7a97e4fce3b355ae5c0f12ce0cd65f7ca153253

          Download Submit

        • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
          Filesize

          109KB

          MD5

          261a49c20c1a913c86537c7b90206d44

          SHA1

          3d85ad13db3bc74dbc7f86d7e59030e1c39f75c7

          SHA256

          b43cf4dff259b279c0849cfb2de33ac12a742af0f348c335ca02395daf819a9d

          SHA512

          a0f09916cbc027c07ecd4494803f920fef86e21e45a4994a50c82beac12d1ed1439bc5dee51e3c3652bdc44e84f3db3656ee3783c60e176cf392c4f6ff3431d4

          Download Submit

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
          Filesize

          1KB

          MD5

          26bd300c4dafb69601acbdf4c330907f

          SHA1

          1f3f845b4c9bdc4e45fe4076167574c39ab8ba30

          SHA256

          7b0a1f8d790bf7fcd3a792ba92c9e67c5b4b77a77cfe0fc4eafdc38cd70d3b1e

          SHA512

          34096d1017d476d434ab341fef277e873de377176517e348b22561b1d8f2935a43274041cf84dbb5475aee30221d6413160992f33ccc53ad75f2b6f0d92e78cf

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P3RJMKM0\www.bing[1].xml
          Filesize

          2KB

          MD5

          5a95d1c276aa12fe1f4abfc0e937510a

          SHA1

          f125dda77ae19dcc10d972e8fe3c4d028b4b11c8

          SHA256

          d9591853cac422d10d318432fe8c817f11a4f019dbd658615bb62f4845e1ff95

          SHA512

          d4004981cfc5acf04d92df20cb5a39544b746d8c8ebf94b7fc9a25c9fcc7021006f3a67fad1e3cd0389ce996165bd2053c43a1dfae9e4335dabc382925de13c6

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P3RJMKM0\www.bing[1].xml
          Filesize

          19KB

          MD5

          a44f5ed5d2036b880299f6c6dfb37bd5

          SHA1

          794fdbd6130706fca5eeab5733e89b2d5c9d099f

          SHA256

          421ab6e7a9c545082ec843228ff787b7a14013be1848dd9750d4d10449750836

          SHA512

          cd74eab3f64cea7865f5fdfe6d57fa191f9a20524f0c8cf10210b6e32545034530becea1f48c446bdd498189717acddecab17528cab2ff74ed2253bc62d12e15

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\P3RJMKM0\www.bing[1].xml
          Filesize

          17KB

          MD5

          f3b1d72771c4a8ec7b4ba8ff4e3cab88

          SHA1

          fa6c766f1419399e7dde2d681a9ad8f3c5df298c

          SHA256

          da325f703e739b1d33d1e5ccb52443e608e9880d5aa991b8270d2336a9ea44b3

          SHA512

          2eedc809909150b4b4fa46e3dc038dcf1f5a81f3508976c93d26635df43c3ad474d1ab86015697dfe649ee457028594ed377229b563f6bc554a1219b52d751e7

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb
          Filesize

          24.0MB

          MD5

          def29fd81caf648be9b71298bb7513d0

          SHA1

          cd3ac3f22d51dc9d949409fd84848c4b1d8f6bab

          SHA256

          745f3e5f484b42c4650847b82ea36ff132b228d4096f49c493a2a7b1e32d5dce

          SHA512

          937ce45ba86505225e272b9ab8f1628722a8d70e523253758d6bdf8d531e279a256da3c9682aa63826c7ff0d41340bd936e88f066ba6b6c87d73370eda6ab889

          Download Submit

        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
          Filesize

          681KB

          MD5

          c7a8da85f58c64902df64a68d5db465e

          SHA1

          8fcfa32d3cfcb2d8fd51c2a12c7b8b2c52f6a436

          SHA256

          16aecddf3f3d638e65c625a81a351da28beb8ae6bf4dd79905d8b363ac4f0dd6

          SHA512

          209d1dbe8f0e9766ad2bd3c1bd5c6aa2c4d9a60a1f717f3801d8a618bd478a2b44403dd98686a9502ab9378dd73339d7438194af2d70e9d95ab17b708ec8712a

          Download Submit

        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.DLL
          Filesize

          151KB

          MD5

          55d39dd38224b6f8d291b2270215a0e4

          SHA1

          d80d78413dc14a77c09b4c073cc84774bf5a37d3

          SHA256

          bba2d1fd810d34849bd7a9054787f6ba4dc7dcab215c34b306352f9be1430807

          SHA512

          94837c83f7545706d86493afc9fbea172f628cb541b367cc83e2a3806260f91b4f84f88032a255acfb8a6a421af02931a36c4b13da92edffac83e0038663a08a

          Download Submit

        • C:\Windows\dxgi.dll
          Filesize

          681KB

          MD5

          e6117cbf19ef208598cfce4c790e9ef4

          SHA1

          ec1536a51fd2f0daffef5a99b24a4258a0d1e9f6

          SHA256

          289de0a26ee4d2e9a9d48f051cab8a795c055cd9a9f96466971fa8df723ee36e

          SHA512

          bb215c84452c2d3044b2aaf9aeeefa8d676c69b4b838edf5aca64dde767d9ee1e12ab1f438aa3910749e72f52af74ef2d34073662ea9e6714c3970352be07146

          Download Submit

        • memory/808-260-0x000002033FD80000-0x000002033FE80000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/808-173-0x000002033C4D0000-0x000002033C4F0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/808-172-0x000002033BE40000-0x000002033BE60000-memory.dmp

          Filesize

          128KB

          Download

        • memory/808-171-0x000002033A580000-0x000002033A5A0000-memory.dmp

          Filesize

          128KB

          Download

        • memory/808-137-0x000002033BFA0000-0x000002033C0A0000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/808-111-0x000002033A100000-0x000002033A200000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/808-78-0x0000020308560000-0x0000020308660000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/1608-46-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-34-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-54-0x00007FFDF68F0000-0x00007FFDF7123000-memory.dmp

          Filesize

          8.2MB

          Download

        • memory/1608-47-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-45-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-44-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-42-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-52-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-53-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-49-0x00007FFDF5B80000-0x00007FFDF614B000-memory.dmp

          Filesize

          5.8MB

          Download

        • memory/1608-41-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-43-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-39-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-37-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-36-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-35-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-33-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-32-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-38-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-59-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-31-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-60-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-56-0x00007FFE0BEC0000-0x00007FFE0C66E000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1608-74-0x00000000039E0000-0x00000000039E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/1608-50-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-51-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-48-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-40-0x00007FF65DD80000-0x00007FF65E244000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/1608-30-0x00007FFE0CE60000-0x00007FFE0D00C000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/1608-22-0x00007FFE0BEC0000-0x00007FFE0C66E000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1608-23-0x00007FFE0BEC0000-0x00007FFE0C66E000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/1608-24-0x00007FFDF5020000-0x00007FFDF5291000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/1608-26-0x00007FFDF5020000-0x00007FFDF5291000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/1608-27-0x00007FFDF5020000-0x00007FFDF5291000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/1608-28-0x00007FFDF5020000-0x00007FFDF5291000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/1608-364-0x00000000075A0000-0x0000000007A0C000-memory.dmp

          Filesize

          4.4MB

          Download

        • memory/1608-29-0x00007FFDF5020000-0x00007FFDF5291000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/1608-25-0x00007FFDF5020000-0x00007FFDF5291000-memory.dmp

          Filesize

          2.4MB

          Download