Overview

overview

8

Static

static

3

ep_setup.exe

windows7-x64

1

ep_setup.exe

windows10-2004-x64

8

ep_setup.exe

windows10-ltsc 2021-x64

8

ep_setup.exe

windows11-21h2-x64

8

Analysis

  • max time kernel
    595s
  • max time network
    450s
  • platform
    windows11-21h2_x64
  • resource
    win11-20241007-en
  • resource tags

    arch:x64arch:x86image:win11-20241007-enlocale:en-usos:windows11-21h2-x64system
  • submitted
    04-11-2024 08:04

Sharing

Copy URL
Twitter E-mail
Report Analysis Logs

General

  • Target

    ep_setup.exe

  • Size

    10.6MB

  • MD5

    f164888a6fbc646b093f6af6663f4e63

  • SHA1

    3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c

  • SHA256

    8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67

  • SHA512

    f1b2173962561d3051ec6b5aa2fc0260809e37e829255d95c8a085f990c18b724daff4372f646d505dabe3cc3013364d4316c2340527c75d140dbc6b5ebdeee1

  • SSDEEP

    196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A

Score
8/10
discoveryevasionexecutionpersistenceprivilege_escalation

Malware Config

Signatures

  • Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

    Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

    persistence
  • Stops running service(s) 4 TTPs
    evasionexecution
  • Event Triggered Execution: Component Object Model Hijacking 1 TTPs

    Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

    persistenceprivilege_escalation
  • Loads dropped DLL 6 IoCs
  • Checks installed software on the system 1 TTPs

    Looks up Uninstall key entries in the registry to enumerate software on the system.

    discovery
  • Enumerates connected drives 3 TTPs 2 IoCs

    Attempts to read the root path of hard drives other than the default C: drive.

  • Drops file in Program Files directory 9 IoCs
  • Drops file in Windows directory 5 IoCs
  • Launches sc.exe 2 IoCs

    Sc.exe is a Windows utlilty to control services on the system.

  • Enumerates physical storage devices 1 TTPs

    Attempts to interact with connected storage/optical drive(s).

  • Checks SCSI registry key(s) 3 TTPs 58 IoCs

    SCSI information is often read in order to detect sandboxing environments.

  • Enumerates system info in registry 2 TTPs 2 IoCs
  • Kills process with taskkill 1 IoCs
    evasion
  • Modifies Internet Explorer settings 1 TTPs 1 IoCs
    adwarespyware
  • Modifies registry class 64 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 44 IoCs
  • Suspicious use of FindShellTrayWindow 64 IoCs
  • Suspicious use of SendNotifyMessage 28 IoCs
  • Suspicious use of SetWindowsHookEx 5 IoCs
  • Suspicious use of WriteProcessMemory 12 IoCs
  • Uses Task Scheduler COM API 1 TTPs

    The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.

    persistence
  • Uses Volume Shadow Copy WMI provider

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware
  • Uses Volume Shadow Copy service COM API

    The Volume Shadow Copy service is used to manage backups/snapshots.

    ransomware

Processes

  • C:\Users\Admin\AppData\Local\Temp\ep_setup.exe
    "C:\Users\Admin\AppData\Local\Temp\ep_setup.exe"
    1⤵
    • Drops file in Program Files directory
    • Drops file in Windows directory
    • Suspicious use of AdjustPrivilegeToken
    • Suspicious use of FindShellTrayWindow
    • Suspicious use of SendNotifyMessage
    • Suspicious use of WriteProcessMemory
    PID:3484
    • C:\Windows\system32\taskkill.exe
      "C:\Windows\system32\taskkill.exe" /f /im explorer.exe
      2⤵
      • Kills process with taskkill
      • Suspicious use of AdjustPrivilegeToken
      PID:2952
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" stop ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:1064
    • C:\Windows\system32\sc.exe
      "C:\Windows\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB
      2⤵
      • Launches sc.exe
      PID:2848
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:3092
    • C:\Windows\system32\regsvr32.exe
      "C:\Windows\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"
      2⤵
      • Loads dropped DLL
      • Modifies registry class
      PID:4336
    • C:\Windows\explorer.exe
      "C:\Windows\explorer.exe"
      2⤵
      • Boot or Logon Autostart Execution: Active Setup
      • Loads dropped DLL
      • Enumerates connected drives
      • Checks SCSI registry key(s)
      • Modifies registry class
      • Suspicious behavior: EnumeratesProcesses
      • Suspicious use of AdjustPrivilegeToken
      • Suspicious use of FindShellTrayWindow
      • Suspicious use of SendNotifyMessage
      • Suspicious use of SetWindowsHookEx
      PID:2012
  • C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe
    "C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\SearchHost.exe" -ServerName:CortanaUI.AppXstmwaab17q5s3y22tp6apqz7a45vwv65.mca
    1⤵
    • Enumerates system info in registry
    • Modifies Internet Explorer settings
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:2388
  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe
    "C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\StartMenuExperienceHost.exe" -ServerName:App.AppXywbrabmsek0gm3tkwpr5kwzbs55tkqay.mca
    1⤵
    • Loads dropped DLL
    • Modifies registry class
    • Suspicious use of SetWindowsHookEx
    PID:4472

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Credential Access

Discovery

Peripheral Device Discovery

2
T1120

Query Registry

5
T1012

System Information Discovery

4
T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Service Stop

1
T1489

Replay Monitor

Loading Replay Monitor...

Downloads

  • C:\Program Files\ExplorerPatcher\WebView2Loader.dll
    Filesize

    161KB

    MD5

    c5f0c46e91f354c58ecec864614157d7

    SHA1

    cb6f85c0b716b4fc3810deb3eb9053beb07e803c

    SHA256

    465a7ddfb3a0da4c3965daf2ad6ac7548513f42329b58aebc337311c10ea0a6f

    SHA512

    287756078aa08130907bd8601b957e9e006cef9f5c6765df25cfaa64ddd0fff7d92ffa11f10a00a4028687f3220efda8c64008dbcf205bedae5da296e3896e91

    Download Submit

  • C:\Program Files\ExplorerPatcher\ep_gui.dll
    Filesize

    734KB

    MD5

    81cd6d96f81b1e54aa327a4af6bcbe85

    SHA1

    b786c4bde03d1566b1b040eb8970b82f7b80a007

    SHA256

    b23bab1f5dc85c9e10145eeb32214d6cfe02fb5abcf956a37a3c9dd7e09fee67

    SHA512

    a1360b71ba11b529bd21f8c93c6ceec01c4faa9d33ca5e5fa62acb118cebf1e9e1d38ea17d236d1f8bd0d790f6b743329d41598d5a62c794b4786c14975782be

    Download Submit

  • C:\Program Files\ExplorerPatcher\ep_weather_host.dll
    Filesize

    238KB

    MD5

    aac2857727cff3cd7b291f9500196f73

    SHA1

    c86eedff45b672df58885f12e7a7aee3398c618b

    SHA256

    78ed3e3676d97c337fef071b522805f4cf742587a40f96af4aa4d74fee0af88a

    SHA512

    a4c54b4221b1745fe1de6d53fcd7a528b4bacda6b2c66e02d55bd5867d118e042a35490e45b64c2d24398a9ac06e356bf10a2822f83663d52c1a28e10f0a52e5

    Download Submit

  • C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll
    Filesize

    109KB

    MD5

    e477912c435db101603781dcc44289e1

    SHA1

    7b2eda1b6055e8874f37fb9b48bcc933bf69c1c3

    SHA256

    0930d2e71353a411d96dc4dfdd473dace98d1b7b9546ac4c185f8984f8b9c18b

    SHA512

    9f8089742099a789387381980ec5b493deec46bd73f39cf8fa9919be4dd772b20c70246e5e90d625011f052d5c3b2000b42c50843956d74fb85ff1b1d18eace9

    Download Submit

  • C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk
    Filesize

    1KB

    MD5

    b49ec771b4387d304cf575af4215095a

    SHA1

    486fd93a2f56a9c79cf8ebde53490c5368ebdee6

    SHA256

    9ae7c73feee6db360c4499f553279921f210c8b9cb45777bef860161e8716a63

    SHA512

    d9966c0b0571133a9b819df964a414c1a467cbcbe6c4118306215c344110329384c6860be7d34b31e1bbe5d3cb9210432029e098bd242a4733f5859a3e88446b

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\7955VA1W\www.bing[1].xml
    Filesize

    15KB

    MD5

    c2400202b4e450a9d37377bc1f5cf512

    SHA1

    2474df2fb6a7a59b2b0edd70e59e9520e766f401

    SHA256

    f62a7ae6d8baee22d391494baf1411e16854da3c409947025407f6a149ff3b2a

    SHA512

    19ce4230926c8be3d436035b10185393302b9f6722af074b9f55cebf63812428cbf0522779578b448662784745aa839e46052ca06e203d8e5d6b949643b2f333

    Download Submit

  • C:\Users\Admin\AppData\Local\Packages\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\LocalState\DeviceSearchCache\AppCache133751823644617405.txt
    Filesize

    68KB

    MD5

    c49501de1bbb5093472658120120f742

    SHA1

    253193982c9e3cbd30d9c231b84fae9e3aa7656b

    SHA256

    76e3307ba0fa4f4596e91263f76833acf7e4d84fbad76898cf549d41d831d7eb

    SHA512

    a3f1dd3e4772c69e8681988f21faf6c31a3b182a1fbf0c0b0cd2d5f16566f3b6f2d233cda59b8e5659ee2c8457b3b28c2b83b4ff906c48b7fcda75038b7ec9dd

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\StartDocked.pdb
    Filesize

    16.4MB

    MD5

    2e3682c2244b6604851b0d6b3eb7b248

    SHA1

    047c762af86b37f582573d3a88b68ab1ab8dbab3

    SHA256

    9ac8bf7c0a79fe47bea4ca8d364aa3e7b3f92b02a27507d704528b89e7e0e776

    SHA512

    834bec41cfb5cac51e3cad91d21327581a1180df98ce5cbe1a04ae8c5a5c793a0ac49b95dfa309162d653fc8d174b4c7f38c7f1f02d3e0907582b8f5d2ec6c87

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\StartUI.pdb
    Filesize

    34.0MB

    MD5

    8f9851f27ceebbbe2799bba2b19b3915

    SHA1

    841821920991665b6fd00952091a0501a180cd20

    SHA256

    095ad9d4d095282aa10038b86be989e543da3a547e07142ceab6f955c155b9cf

    SHA512

    9c02eca9dddda6dcb84c6ce9ffab631a4980ae25c10f2853cc124d91b099b669af508db271f02576bbf918cbf3c07e10b963c6a1a8c9482f29ca4e99258eea04

    Download Submit

  • C:\Users\Admin\AppData\Roaming\ExplorerPatcher\twinui.pcshell.pdb
    Filesize

    24.0MB

    MD5

    def29fd81caf648be9b71298bb7513d0

    SHA1

    cd3ac3f22d51dc9d949409fd84848c4b1d8f6bab

    SHA256

    745f3e5f484b42c4650847b82ea36ff132b228d4096f49c493a2a7b1e32d5dce

    SHA512

    937ce45ba86505225e272b9ab8f1628722a8d70e523253758d6bdf8d531e279a256da3c9682aa63826c7ff0d41340bd936e88f066ba6b6c87d73370eda6ab889

    Download Submit

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll
    Filesize

    699KB

    MD5

    8bfca71add96d3de75173d464792e2b9

    SHA1

    fe6bc3c30c26d6ce1c149b173b5d79c80102d5b9

    SHA256

    5aaa6bab20b7116b32bddba1df216f7476557bb48397e1968a49ede14e6c377d

    SHA512

    b560415727d15ceeb09e5d9e39ea2b4043848bf4239fbf5068aaac86f64b3d05d4e21eb197416db0fb4172c68f782c05aeae18ac70c27f80566040b6ba79159a

    Download Submit

  • C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\wincorlib.dll
    Filesize

    164KB

    MD5

    b80816ee9fcdb1d9076b73fd929fc96b

    SHA1

    ff9a5a12dca164652419f5dee082af4a49b8a03b

    SHA256

    d63b9fc13c99000cf77d02ee6e5e84c825d02a92d87b728cb601681b5eb21671

    SHA512

    21cebca787a0fa0976b44315bf05b6eb4719306653ddbbfce41231244219bcd288cd8045980bacf21481ddabcf464c82795147db755148cc0e23167bbb874fd7

    Download Submit

  • C:\Windows\dxgi.dll
    Filesize

    699KB

    MD5

    047b192a9c703fc5a2c2764db869ff5c

    SHA1

    8c1494acc3119fbf8332ae3b6a4f854e5b4d37cb

    SHA256

    1971c57f88849b4069be06d3784e0968755c916fa1564a3f8f05610d3b02cdcc

    SHA512

    c7f80703db23611d56618a8b1b4ffff814a9264135e3846df99120c0ffc16da9d5b37c6465ac25d61d4f6e386d36b3de640c57c460098f06778c658cc19454cc

    Download Submit

  • memory/2012-32-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-49-0x00007FF9A05F0000-0x00007FF9A0BBB000-memory.dmp

    Filesize

    5.8MB

    Download

  • memory/2012-44-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-42-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-38-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-45-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-43-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-41-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-39-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-36-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-40-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-46-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-35-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-37-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-47-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-34-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-31-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-48-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-50-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-53-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-52-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-33-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-51-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-56-0x00007FF9B58F0000-0x00007FF9B609E000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2012-54-0x00007FF9A13D0000-0x00007FF9A1C03000-memory.dmp

    Filesize

    8.2MB

    Download

  • memory/2012-60-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-59-0x00007FF668870000-0x00007FF668D34000-memory.dmp

    Filesize

    4.8MB

    Download

  • memory/2012-30-0x00007FF9B63D0000-0x00007FF9B657C000-memory.dmp

    Filesize

    1.7MB

    Download

  • memory/2012-22-0x00007FF9B58F0000-0x00007FF9B609E000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2012-24-0x00007FF99F980000-0x00007FF99FBF1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2012-75-0x0000000004690000-0x0000000004691000-memory.dmp

    Filesize

    4KB

    Download

  • memory/2012-26-0x00007FF99F980000-0x00007FF99FBF1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2012-99-0x0000000003EA0000-0x0000000003F4F000-memory.dmp

    Filesize

    700KB

    Download

  • memory/2012-28-0x00007FF99F980000-0x00007FF99FBF1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2012-23-0x00007FF9B58F0000-0x00007FF9B609E000-memory.dmp

    Filesize

    7.7MB

    Download

  • memory/2012-27-0x00007FF99F980000-0x00007FF99FBF1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2012-29-0x00007FF99F980000-0x00007FF99FBF1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2012-25-0x00007FF99F980000-0x00007FF99FBF1000-memory.dmp

    Filesize

    2.4MB

    Download

  • memory/2388-306-0x000001AFD76C0000-0x000001AFD77C0000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2388-220-0x000001AFD3780000-0x000001AFD37A0000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2388-219-0x000001AFD3C00000-0x000001AFD3D00000-memory.dmp

    Filesize

    1024KB

    Download

  • memory/2388-218-0x000001AFD3AE0000-0x000001AFD3B00000-memory.dmp

    Filesize

    128KB

    Download

  • memory/2388-79-0x000001AF9FAB0000-0x000001AF9FBB0000-memory.dmp

    Filesize

    1024KB

    Download