Overview

overview

9

Static

static

1

EpicInstal...1).msi

windows10-ltsc 2021-x64

9

Sharing

Copy URL
Twitter E-mail

General

  • Target

    EpicInstaller-15.17.1 (1).msi

  • Size

    176.5MB

  • Sample

    250115-2km3nszjcn

  • MD5

    7a2cf04ac0c504a8ea5aed805dde484d

  • SHA1

    0536d7a178d1a42cea1476ea6b44bc53ed26bc63

  • SHA256

    6f3f486d7a8409fc174198818c039152c6268bd9fdf210ee6be1c91bf832b7e9

  • SHA512

    42aeed1d015ab279df3065e04adff8001672a13180f4d73121ace3bc8989783f12c7a5d0b50c684c74fd138fc1b4f451439acd7b6342d4f60c7d3a18034e0988

  • SSDEEP

    3145728:oyKHxXZR5bsPL+buxE4ynkX+kKbtt3V8mIeDLhZ8muXNNE7byK88OmTZbOW/rXi:IP4PAwUnkuk8BNbLIxg7bUQ

Score
9/10
steamdefense_evasiondiscoverypersistencephishingprivilege_escalationransomware

Malware Config

Targets

    • Target

      EpicInstaller-15.17.1 (1).msi

    • Size

      176.5MB

    • MD5

      7a2cf04ac0c504a8ea5aed805dde484d

    • SHA1

      0536d7a178d1a42cea1476ea6b44bc53ed26bc63

    • SHA256

      6f3f486d7a8409fc174198818c039152c6268bd9fdf210ee6be1c91bf832b7e9

    • SHA512

      42aeed1d015ab279df3065e04adff8001672a13180f4d73121ace3bc8989783f12c7a5d0b50c684c74fd138fc1b4f451439acd7b6342d4f60c7d3a18034e0988

    • SSDEEP

      3145728:oyKHxXZR5bsPL+buxE4ynkX+kKbtt3V8mIeDLhZ8muXNNE7byK88OmTZbOW/rXi:IP4PAwUnkuk8BNbLIxg7bUQ

    Score
    9/10
    steamdefense_evasiondiscoverypersistencephishingprivilege_escalationransomware

    • Renames multiple (126) files with added filename extension

      This suggests ransomware activity of encrypting all the files on the system.

      ransomware

    • Blocklisted process makes network request

    • Modifies file permissions

      discovery

    • Adds Run key to start application

      persistence

    • Downloads MZ/PE file

    • Enumerates connected drives

      Attempts to read the root path of hard drives other than the default C: drive.

    • Checks computer location settings

      Looks up country code configured in the registry, likely geofence.

    • Detected potential entity reuse from brand STEAM.

      phishingsteam

    • Drops file in System32 directory

    • Event Triggered Execution: Component Object Model Hijacking

      Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.

      persistenceprivilege_escalation

    • Suspicious use of SetThreadContext

    behavioral1

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Privilege Escalation

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

Boot or Logon Autostart Execution

1
T1547

Registry Run Keys / Startup Folder

1
T1547.001

Event Triggered Execution

1
T1546

Component Object Model Hijacking

1
T1546.015

Defense Evasion

Access Token Manipulation

1
T1134

Create Process with Token

1
T1134.002

File and Directory Permissions Modification

1
T1222

Modify Registry

2
T1112

Subvert Trust Controls

2
T1553

Install Root Certificate

1
T1553.004

SIP and Trust Provider Hijacking

1
T1553.003

Credential Access

Discovery

Browser Information Discovery

1
T1217

Peripheral Device Discovery

2
T1120

Query Registry

7
T1012

System Information Discovery

6
T1082

System Location Discovery

1
T1614

System Language Discovery

1
T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Tasks