Overview

overview

8

Static

static

3

ep_setup.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    103s
  • max time network
    122s
  • platform
    windows11-21h2_x64
  • resource
    win11-20240802-en
  • resource tags

    arch:x64arch:x86image:win11-20240802-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    21/09/2024, 00:03

Sharing

Copy URL Twitter E-mail
Report Analysis Logs

General

  • Target

    ep_setup.exe

  • Size

    10.0MB

  • MD5

    45a5a443c01abd7618efef4827241312

  • SHA1

    5390d36a371f0598b86301961d5fdb329e368e7a

  • SHA256

    d7f98b8af8a3bfe9d93ce31558a62e4d5d0cd425bc30bbc0d517901e5b82bf46

  • SHA512

    0df6330a020ce3b52320f087f56023db069b56d4579b43a9827b8158be430585b88fb43d98004eae4e7a05f85086f5762da17f51af95fdb302669ae1c581f734

  • SSDEEP

    196608:aZN5gB3uI0Bn+2N8cL0yiao2ItCC2bO+WxNtTYneFC5YbMvr5GM6BZ2r34:QzgN4Bz7ieTCIKNtUniYYAvE

Score
8/10
discoveryevasionexecutionpersistenceprivilege_escalation

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious behavior: GetForegroundWindowSpam 1 IoCs
  • Suspicious use of AdjustPrivilegeToken 36 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 45 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ep_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:2760
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:4736
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:4768
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:3932
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:860
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:788
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious behavior: GetForegroundWindowSpam
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:3408
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Suspicious use of SetWindowsHookEx
    PID:4636
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2000

Network

        MITRE ATT&CK Enterprise v15

        Reconnaissance

        Resource Development

        Initial Access

        Execution

        System Services

        1
        T1569

        Service Execution

        1
        T1569.002

        Persistence

        Boot or Logon Autostart Execution

        1
        T1547

        Active Setup

        1
        T1547.014

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Component Object Model Hijacking

        1
        T1546.015

        Privilege Escalation

        Boot or Logon Autostart Execution

        1
        T1547

        Active Setup

        1
        T1547.014

        Create or Modify System Process

        1
        T1543

        Windows Service

        1
        T1543.003

        Event Triggered Execution

        1
        T1546

        Component Object Model Hijacking

        1
        T1546.015

        Defense Evasion

        Impair Defenses

        1
        T1562

        Modify Registry

        2
        T1112

        Credential Access

        Discovery

        Peripheral Device Discovery

        2
        T1120

        Query Registry

        5
        T1012

        System Information Discovery

        4
        T1082

        Lateral Movement

        Collection

        Command and Control

        Exfiltration

        Impact

        Service Stop

        1
        T1489

        Replay Monitor

        Loading Replay Monitor...

        Downloads

        • C:\Program Files\ExplorerPatcher\WebView2Loader.dll
          Filesize

          161KB

          MD5

          c5f0c46e91f354c58ecec864614157d7

          SHA1

          cb6f85c0b716b4fc3810deb3eb9053beb07e803c

          SHA256

          465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

          SHA512

          287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

          Download Submit

        • C:\Program Files\ExplorerPatcher\ep_gui.dll
          Filesize

          704KB

          MD5

          c83153ffc63411aaf525caa6c50c1ffc

          SHA1

          76ee60bbee697882fe5390d0f50a9f521f281bda

          SHA256

          422d9784435c893b810dc8d02b8eaa713a030ecdde0c29ae5a588c889ce6a7df

          SHA512

          363f259aa9ff47fe9d8f65a308eb3732581ecb703b827a773dd2c9aaa61bd90f89bfd1f8b1a1c5caa86f213799fc4487053182425676abaaa3a301453c4e8a0d

          Download Submit

        • C:\Program Files\ExplorerPatcher\ep_weather_host.dll
          Filesize

          238KB

          MD5

          f2920695ea15cc80e479d79f536437f1

          SHA1

          3b65e31bd40d371303fb8c82a712bc8e3cbdd451

          SHA256

          350535396c011ed00753f6cd2d30fa1d38fd0f48077b1f9d461cb3df1b1cf39d

          SHA512

          16fbf89d7b14f1fe6f1a2bf80838bbb28b9db9d79255eb194a0952097d63b29438b5d95b2e64b49293828e1932bf73f47780e90f06502eb32a9386e9a23de407

          Download Submit

        • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
          Filesize

          109KB

          MD5

          ab6aa536fcae0d915fc6856f66ff693c

          SHA1

          9b20eb39735c80a2ec5974f477cdddf72796d0fa

          SHA256

          0578867d07df70f0080e5eb864f77c7356745347b1d9cddd568f68e10fa8aa50

          SHA512

          e9bc6f57120f484c8e64a86f623e6b029e32f14ba49b70146ad6c16a84740c12a954f78b564f5619f55908af200ca2fac21e9e5dc35b6219a0fe7a6590b66524

          Download Submit

        • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
          Filesize

          1KB

          MD5

          98892aed8da091cbe4abab637307571c

          SHA1

          57a611d6bed885d9d31e8c7ddd12eae37417a4b5

          SHA256

          6dcf47ecf776f8cc482d311320d4382064f5e774af6b34d113932d1c347ae354

          SHA512

          9d42d151e75e45d0e41d32591428f9ecee3d866fab475e29c03cd527fc95b07393dd16b18f4643b8db047d40035439e489067b3ca2efb56b539290f7b3c899ad

          Download Submit

        • C:\Users\Admin\AppData\Local\Microsoft\Windows\Explorer\iconcache_idx.db
          Filesize

          14KB

          MD5

          68ce3b35c39ef030b197ee84f9aa71f8

          SHA1

          8350e65eb2933be3011a431052bc059b5d248e4d

          SHA256

          e94e45a8712d54b18c8f8171d6775844bb309668f78a3aa9c01c5709302a8dab

          SHA512

          6621ec6eb8f54d824b35cb825c11b4f87d69605dd2cee309b4eb25466aa7827775c83abf2b14c4fb23005161c5b44ed26dc7d359a658ee519fe4c150bc46b63e

          Download Submit

        • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\ZTZW67SQ\www.bing[1].xml
          Filesize

          17KB

          MD5

          55085de7086ea95223cc9e5a8b1bbb9d

          SHA1

          56d06bdaa383526ca3d0d8707e4820a72836217d

          SHA256

          398c55bccf741979e4357dc094aeca774e061781907799f48b0414cb9f1d6947

          SHA512

          e22e311cc2e941b9ece897b876d80115ecc972ad360de38580afb22e58d9b1afcab52ef7959b2e3b2797d0f62cfb3f7a683e336c83fe8d70f284c27b44670aec

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\StartDocked.pdb
          Filesize

          16.4MB

          MD5

          2e3682c2244b6604851b0d6b3eb7b248

          SHA1

          047c762af86b37f582573d3a88b68ab1ab8dbab3

          SHA256

          9ac8bf7c0a79fe47bea4ca8d364aa3e7b3f92b02a27507d704528b89e7e0e776

          SHA512

          834bec41cfb5cac51e3cad91d21327581a1180df98ce5cbe1a04ae8c5a5c793a0ac49b95dfa309162d653fc8d174b4c7f38c7f1f02d3e0907582b8f5d2ec6c87

          Download Submit

        • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb
          Filesize

          24.0MB

          MD5

          def29fd81caf648be9b71298bb7513d0

          SHA1

          cd3ac3f22d51dc9d949409fd84848c4b1d8f6bab

          SHA256

          745f3e5f484b42c4650847b82ea36ff132b228d4096f49c493a2a7b1e32d5dce

          SHA512

          937ce45ba86505225e272b9ab8f1628722a8d70e523253758d6bdf8d531e279a256da3c9682aa63826c7ff0d41340bd936e88f066ba6b6c87d73370eda6ab889

          Download Submit

        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
          Filesize

          700KB

          MD5

          57999ff1631929462de24ba18f61ae1c

          SHA1

          2aaae073e752d32c6fd08dac578c040924fe4b59

          SHA256

          b21c0ed7224784b642647a8efad45c634bf88646638823215818b25143fee86e

          SHA512

          0ad42cbe76ca39353fbfbdd95411df7ed830c960acf5d1b943ecc424972fb326b2c69cce680efd9003d9650d0e791120a91ac8f2be1af09404f3d1ec6c4553e7

          Download Submit

        • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.DLL
          Filesize

          163KB

          MD5

          9dfa9611910cbb453bce97162573763b

          SHA1

          85356b11e3b462aef75bacd97cee3608e8533eb1

          SHA256

          3d92aa567e6752b567de0c74caac777de56bb51d45c62c52a560a749a04f2ef7

          SHA512

          e63b603456105108e0b503674898c678c239b92bfa79404bffd182c096a2e5e7a79d50bdfa0751268780aaf0ef2762e306c4a4a02275ade9f5f3e0f1d80f7766

          Download Submit

        • C:\Windows\dxgi.dll
          Filesize

          700KB

          MD5

          a3f150cec06c4434460ef680417af1ac

          SHA1

          a32958417d97509be368cc48bab8d9a1c8a9050d

          SHA256

          f0d8fa3db3127abcded89abbf13f8d3c0071169618a0340570aa9b389034f176

          SHA512

          b7354b772dbc6c137d35aca2e9094e013d05a624a1a71f4b169edfb07e4212369ef9fd78f23d996ec2c2b3a1e4a4fd158b5e60e347a9ccba35e07cba97e64c80

          Download Submit

        • memory/2000-269-0x000001C1BD550000-0x000001C1BD650000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2000-147-0x000001C1B9B30000-0x000001C1B9C30000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2000-184-0x000001C1B8110000-0x000001C1B8130000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2000-137-0x000001C186000000-0x000001C186100000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2000-186-0x000001C1BA020000-0x000001C1BA040000-memory.dmp

          Filesize

          128KB

          Download

        • memory/2000-85-0x000001C186000000-0x000001C186100000-memory.dmp

          Filesize

          1024KB

          Download

        • memory/2000-185-0x000001C1B9A50000-0x000001C1B9A70000-memory.dmp

          Filesize

          128KB

          Download

        • memory/3408-38-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-59-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-48-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-44-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-43-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-42-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-39-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-37-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-36-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-35-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-34-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-33-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-41-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-40-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-32-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-52-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-53-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-54-0x00007FFBDF010000-0x00007FFBDF843000-memory.dmp

          Filesize

          8.2MB

          Download

        • memory/3408-60-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-49-0x00007FFBDE280000-0x00007FFBDE84B000-memory.dmp

          Filesize

          5.8MB

          Download

        • memory/3408-56-0x00007FFBF3860000-0x00007FFBF400E000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3408-51-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-50-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-68-0x00000000059E0000-0x00000000059E1000-memory.dmp

          Filesize

          4KB

          Download

        • memory/3408-46-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-47-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-45-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-31-0x00007FF7656B0000-0x00007FF765B74000-memory.dmp

          Filesize

          4.8MB

          Download

        • memory/3408-30-0x00007FFBF4ED0000-0x00007FFBF507C000-memory.dmp

          Filesize

          1.7MB

          Download

        • memory/3408-23-0x00007FFBF3860000-0x00007FFBF400E000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3408-25-0x00007FFBDD760000-0x00007FFBDD9D1000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3408-22-0x00007FFBF3860000-0x00007FFBF400E000-memory.dmp

          Filesize

          7.7MB

          Download

        • memory/3408-24-0x00007FFBDD760000-0x00007FFBDD9D1000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3408-26-0x00007FFBDD760000-0x00007FFBDD9D1000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3408-29-0x00007FFBDD760000-0x00007FFBDD9D1000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3408-27-0x00007FFBDD760000-0x00007FFBDD9D1000-memory.dmp

          Filesize

          2.4MB

          Download

        • memory/3408-28-0x00007FFBDD760000-0x00007FFBDD9D1000-memory.dmp

          Filesize

          2.4MB

          Download