Overview

overview

8

Static

static

3

ep_setup.exe

windows10-2004-x64

8

ep_setup.exe

windows10-ltsc 2021-x64

8

Sharing

Copy URL
Twitter E-mail

General

  • Target

    ep_setup.exe

  • Size

    10.6MB

  • Sample

    241209-bnwacaxket

  • MD5

    f164888a6fbc646b093f6af6663f4e63

  • SHA1

    3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c

  • SHA256

    8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67

  • SHA512

    f1b2173962561d3051ec6b5aa2fc0260809e37e829255d95c8a085f990c18b724daff4372f646d505dabe3cc3013364d4316c2340527c75d140dbc6b5ebdeee1

  • SSDEEP

    196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A

Score
8/10
discoveryevasionexecutionpersistenceprivilege_escalation

Malware Config

Targets

    • Target

      ep_setup.exe

    • Size

      10.6MB

    • MD5

      f164888a6fbc646b093f6af6663f4e63

    • SHA1

      3c0bb9f9a4ad9b1c521ad9fc30ec03668577c97c

    • SHA256

      8c5a3597666f418b5c857e68c9a13b7b6d037ea08a988204b572f053450add67

    • SHA512

      f1b2173962561d3051ec6b5aa2fc0260809e37e829255d95c8a085f990c18b724daff4372f646d505dabe3cc3013364d4316c2340527c75d140dbc6b5ebdeee1

    • SSDEEP

      196608:Yobw/inDWIRviYy06kRUEsyiFo2ItCC2bO+WxNtTYnepC5YbM/rN2kGBlSrnU:dw/2Bvc06kiEviXTCIKNtUnqYYA/A

    Score
    8/10
    discoveryevasionexecutionpersistenceprivilege_escalation

    • Boot or Logon Autostart Execution: Active Setup

      Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

      persistence

    • Downloads MZ/PE file

    • Stops running service(s)

      evasionexecution

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Loads dropped DLL

    • Checks installed software on the system

      Looks up Uninstall key entries in the registry to enumerate software on the system.

      discovery

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Legitimate hosting services abused for malware hosting/C2

    behavioral1behavioral2

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

System Services

1
T1569

Service Execution

1
T1569.002

Persistence

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Boot or Logon Autostart Execution

1
T1547

Active Setup

1
T1547.014

Create or Modify System Process

1
T1543

Windows Service

1
T1543.003

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Impair Defenses

1
T1562

Modify Registry

2
T1112

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

6
T1012

System Information Discovery

5
T1082

Lateral Movement

Collection

Command and Control

Web Service

1
T1102

Exfiltration

Impact

Service Stop

1
T1489

Tasks