Analysis

  • max time kernel
    151s
  • max time network
    157s
  • platform
    windows10-2004_x64
  • resource
    win10v2004-20250314-en
  • resource tags

    arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
  • submitted
    18/03/2025, 07:43

General

  • Target

    zadasd.exe

  • Size

    168.4MB

  • MD5

    2255529e3642bbe1fd72802505a054d0

  • SHA1

    b1ef88ba4f076a5ace9ca06b14e5268b31913ce9

  • SHA256

    6c364b190c38b2a86e05923431e0f9999e80639386ea70688a92039ba96b8c84

  • SHA512

    98543ff588cfa39556fbe276c4a907c1319996ec5918ca0325831ea1b71b2c565f30ee12e6ffc7ebaad6df49effaa4f73c16062a27d80754ec07b1c35e64b8b3

  • SSDEEP

    1572864:OFMGWm9AKuVLWFivYPZ9eNo6pIaIPbDjK14DTbGWeUVXIHzzx9dbF5Zwa80aSesY:BGFWZoNaKDTopXz

Malware Config

Signatures

  • Epsilon Stealer

    Information stealer.

  • Epsilon family
  • Checks computer location settings 2 TTPs 1 IoCs

    Looks up the country code configured in the registry, most likely for geofencing (refusing to run in certain locales).

  • Loads dropped DLL 2 IoCs
  • Reads user/profile data of web browsers 3 TTPs

    Infostealers routinely target stored browser data, which can include saved credentials, cookies, autofill entries and payment-card data.

  • Looks up external IP address via web service 2 IoCs

    Uses a legitimate IP lookup service to find the infected system's external IP.

  • Enumerates processes with tasklist 1 TTPs 1 IoCs
  • Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

    Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system. In this run the only netsh invocation is `netsh wlan show profiles` (PID 5516), which lists saved Wi-Fi profiles; no `netsh add helper` call is observed, so this persistence tag is a match on netsh.exe itself rather than evidence that a helper DLL was registered.

  • System Network Configuration Discovery: Wi-Fi Discovery 1 TTPs 2 IoCs

    Adversaries may search for information about Wi-Fi networks, such as network names and passwords, on compromised systems. Here only profile names are enumerated (`netsh wlan show profiles`, run after `chcp 65001` to force UTF-8 console output); no per-profile `key=clear` password retrieval appears in the process tree.

  • Detects videocard installed 1 TTPs 1 IoCs

    Uses WMIC.exe (`wmic path win32_VideoController get name`) to identify the installed video card; stealers use this both for victim fingerprinting and as a crude VM/sandbox check.

  • Suspicious behavior: EnumeratesProcesses 2 IoCs
  • Suspicious use of AdjustPrivilegeToken 64 IoCs
  • Suspicious use of WriteProcessMemory 64 IoCs
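The signatures above are keyword matches; the Processes section shows what actually ran. The following is an added example, not part of the sandbox report and not the vendor's detection logic. It replays the command lines from the process tree as constructed Sysmon-style process-creation events (parent PIDs inferred from the tree depth, since the report does not print them) and maps each leaf command to an ATT&CK technique. It also counts `cmd.exe /d /s /c "…"` spawns, which is exactly the wrapper Node's `child_process.exec` uses on Windows, and Chromium-style `--type=… --user-data-dir=` children; together with the 168 MB size and the dropped `.tmp.node` addons these mark the sample as an Electron-packaged application. The rule set, the technique IDs and the verdict thresholds are this example's own assumptions.

```python
import re
from collections import defaultdict

# Constructed from the Processes section: (pid, ppid, image, command line).
# Parent PIDs follow the tree depth shown there; the report does not print them.
# The gpu-process line is shortened to the flags this example looks at.
EVENTS = [
    (232, 1000, r"C:\Users\Admin\AppData\Local\Temp\zadasd.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\zadasd.exe"'),
    (2200, 232, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"'),
    (2428, 2200, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic CsProduct Get UUID"),
    (3804, 232, r"C:\Users\Admin\AppData\Local\Temp\zadasd.exe",
     r'"C:\Users\Admin\AppData\Local\Temp\zadasd.exe" --type=gpu-process '
     r'--user-data-dir="C:\Users\Admin\AppData\Roaming\zadasd" --mojo-platform-channel-handle=1760'),
    (3624, 232, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""'),
    (4728, 3624, r"C:\Windows\system32\reg.exe",
     r'C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"'),
    (2604, 232, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"'),
    (4840, 2604, r"C:\Windows\system32\reg.exe",
     r'C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath'),
    (904, 232, r"C:\Windows\system32\cmd.exe", r'C:\Windows\system32\cmd.exe /d /s /c "tasklist"'),
    (4764, 904, r"C:\Windows\system32\tasklist.exe", "tasklist"),
    (4792, 232, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"'),
    (6040, 4792, r"C:\Windows\System32\Wbem\WMIC.exe",
     r"wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"),
    (3416, 232, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"'),
    (5424, 3416, r"C:\Windows\System32\Wbem\WMIC.exe", "wmic path win32_VideoController get name"),
    (628, 232, r"C:\Windows\system32\cmd.exe",
     r'C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"'),
    (2024, 628, r"C:\Windows\system32\cmd.exe", "cmd /c chcp 65001"),
    (2028, 2024, r"C:\Windows\system32\chcp.com", "chcp 65001"),
    (5516, 628, r"C:\Windows\system32\netsh.exe", "netsh wlan show profiles"),
]

# Most specific patterns first. The technique mapping is this example's, not the sandbox's.
RULES = [
    (r"netsh(\.exe)?\s+add\s+helper",                 "T1546.007", "Netsh Helper DLL (persistence)"),
    (r"netsh(\.exe)?\s+wlan\s+show\s+profiles?",      "T1016.002", "Wi-Fi Discovery"),
    (r"securitycenter2.*antivirusproduct",            "T1518.001", "Security Software Discovery"),
    (r"csproduct\s+get\s+uuid|win32_videocontroller", "T1082",     "System Information Discovery"),
    (r"winscp 2\\sessions",                           "T1552.002", "Credentials in Registry (WinSCP sessions)"),
    (r"valve\\steam.*steampath",                      "T1012",     "Query Registry (Steam install path)"),
    (r'(^|[\\\s"])tasklist(\.exe)?\b',                "T1057",     "Process Discovery"),
]
# cmd.exe /d /s /c "<command>" is exactly how Node's child_process.exec runs commands on Windows.
NODE_EXEC = re.compile(r'cmd(\.exe)?\s+/d\s+/s\s+/c\s+"', re.I)
# Chromium/Electron child-process flags.
ELECTRON_CHILD = re.compile(r"--type=(gpu-process|utility|renderer)\b.*--user-data-dir=", re.I)


def classify(cmdline):
    """Return (technique_id, name) for the first rule that matches, else None."""
    for pattern, tid, name in RULES:
        if re.search(pattern, cmdline, re.I):
            return tid, name
    return None


def root_of(pid, parent_of):
    """Walk up until the parent is a process we have no record for."""
    while parent_of.get(pid) in parent_of:
        pid = parent_of[pid]
    return pid


def triage(events):
    """Group events by root process and summarise discovery behaviour per root."""
    parent_of = {pid: ppid for pid, ppid, _, _ in events}
    image_of = {pid: img for pid, _, img, _ in events}
    report = defaultdict(lambda: {"techniques": {}, "hits": [],
                                  "node_exec_spawns": 0, "electron_children": 0})
    for pid, ppid, image, cmdline in events:
        root = root_of(pid, parent_of)
        entry = report[root]
        entry["image"] = image_of[root]
        if image.lower().endswith("cmd.exe"):
            # The wrapper repeats its child's command line: count the spawn, attribute hits to the leaf.
            if ppid == root and NODE_EXEC.search(cmdline):
                entry["node_exec_spawns"] += 1
            continue
        if ppid == root and ELECTRON_CHILD.search(cmdline):
            entry["electron_children"] += 1
            continue
        hit = classify(cmdline)
        if hit:
            entry["techniques"][hit[0]] = hit[1]
            entry["hits"].append((pid, hit[0], cmdline))
    for entry in report.values():
        n = len(entry["techniques"])
        entry["verdict"] = ("stealer-like discovery burst" if n >= 4
                            else "some discovery" if n else "no discovery observed")
        entry["persistence"] = "T1546.007" in entry["techniques"]
    return dict(report)


if __name__ == "__main__":
    for root, e in triage(EVENTS).items():
        print(f"root PID {root} {e['image']}: {e['verdict']}; node-style exec spawns="
              f"{e['node_exec_spawns']}, electron children={e['electron_children']}, "
              f"netsh persistence={e['persistence']}")
        for pid, tid, cmd in e["hits"]:
            print(f"  {pid:>5} {tid:<10} {e['techniques'][tid]}: {cmd}")
```

Run against the constructed events this reports one root (PID 232) with seven Node-style `cmd.exe /d /s /c` spawns, one Electron child, six distinct techniques and no netsh persistence, which is the reading the process tree supports; the `netsh add helper` rule is there so that the persistence tag only fires when a helper is actually registered.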

Processes

  • C:\Users\Admin\AppData\Local\Temp\zadasd.exe
    "C:\Users\Admin\AppData\Local\Temp\zadasd.exe"
    1⤵
    • Checks computer location settings
    • Loads dropped DLL
    • Suspicious use of WriteProcessMemory
    PID:232
    • C:\Windows\system32\cmd.exe
      C:\Windows\system32\cmd.exe /d /s /c "wmic CsProduct Get UUID"
      2⤵
      • Suspicious use of WriteProcessMemory
      PID:2200
      • C:\Windows\System32\Wbem\WMIC.exe
        wmic CsProduct Get UUID
        3⤵
        • Suspicious use of AdjustPrivilegeToken
        PID:2428
    • C:\Users\Admin\AppData\Local\Temp\zadasd.exe
      "C:\Users\Admin\AppData\Local\Temp\zadasd.exe" --type=gpu-process --user-data-dir="C:\Users\Admin\AppData\Roaming\zadasd" --gpu-preferences=WAAAAAAAAADgAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAAAEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=1760 --field-trial-handle=1764,i,10773897808805445077,7416434767828571614,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:2
      2⤵
        PID:3804
      • C:\Users\Admin\AppData\Local\Temp\zadasd.exe
        "C:\Users\Admin\AppData\Local\Temp\zadasd.exe" --type=utility --utility-sub-type=network.mojom.NetworkService --lang=en-US --service-sandbox-type=none --user-data-dir="C:\Users\Admin\AppData\Roaming\zadasd" --mojo-platform-channel-handle=1832 --field-trial-handle=1764,i,10773897808805445077,7416434767828571614,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:3
        2⤵
          PID:3900
        • C:\Windows\system32\cmd.exe
          C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions""
          2⤵
          • Suspicious use of WriteProcessMemory
          PID:3624
          • C:\Windows\system32\reg.exe
            C:\Windows\system32\reg.exe QUERY "HKCU\SOFTWARE\Martin Prikryl\WinSCP 2\Sessions"
            3⤵
              PID:4728
          • C:\Windows\system32\cmd.exe
            C:\Windows\system32\cmd.exe /d /s /c "C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath"
            2⤵
            • Suspicious use of WriteProcessMemory
            PID:2604
            • C:\Windows\system32\reg.exe
              C:\Windows\system32\reg.exe QUERY "HKCU\Software\Valve\Steam" /v SteamPath
              3⤵
                PID:4840
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "tasklist"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:904
              • C:\Windows\system32\tasklist.exe
                tasklist
                3⤵
                • Enumerates processes with tasklist
                • Suspicious use of AdjustPrivilegeToken
                PID:4764
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:4792
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic /Node:localhost /Namespace:\\root\SecurityCenter2 Path AntiVirusProduct Get displayName /Format:List
                3⤵
                • Suspicious use of AdjustPrivilegeToken
                PID:6040
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "wmic path win32_VideoController get name"
              2⤵
              • Suspicious use of WriteProcessMemory
              PID:3416
              • C:\Windows\System32\Wbem\WMIC.exe
                wmic path win32_VideoController get name
                3⤵
                • Detects videocard installed
                PID:5424
            • C:\Windows\system32\cmd.exe
              C:\Windows\system32\cmd.exe /d /s /c "cmd /c chcp 65001>nul && netsh wlan show profiles"
              2⤵
              • System Network Configuration Discovery: Wi-Fi Discovery
              • Suspicious use of WriteProcessMemory
              PID:628
              • C:\Windows\system32\cmd.exe
                cmd /c chcp 65001
                3⤵
                • Suspicious use of WriteProcessMemory
                PID:2024
                • C:\Windows\system32\chcp.com
                  chcp 65001
                  4⤵
                    PID:2028
                • C:\Windows\system32\netsh.exe
                  netsh wlan show profiles
                  3⤵
                  • Event Triggered Execution: Netsh Helper DLL
                  • System Network Configuration Discovery: Wi-Fi Discovery
                  PID:5516
              • C:\Users\Admin\AppData\Local\Temp\zadasd.exe
                "C:\Users\Admin\AppData\Local\Temp\zadasd.exe" --type=gpu-process --disable-gpu-sandbox --use-gl=disabled --gpu-vendor-id=4318 --gpu-device-id=140 --gpu-sub-system-id=0 --gpu-revision=0 --gpu-driver-version=10.0.19041.546 --user-data-dir="C:\Users\Admin\AppData\Roaming\zadasd" --gpu-preferences=WAAAAAAAAADoAAAMAAAAAAAAAAAAAAAAAABgAAAAAAA4AAAAAAAAAAAAAABEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAGAAAAAAAAAAYAAAAAAAAAAgAAAAAAAAACAAAAAAAAAAIAAAAAAAAAA== --mojo-platform-channel-handle=2532 --field-trial-handle=1764,i,10773897808805445077,7416434767828571614,262144 --enable-features=kWebSQLAccess --disable-features=SpareRendererForSitePerProcess,WinDelaySpellcheckServiceInit,WinRetrieveSuggestionsOnlyOnDemand --variations-seed-version /prefetch:8
                2⤵
                • Suspicious behavior: EnumeratesProcesses
                PID:64

            Network

            MITRE ATT&CK Enterprise v15

            Downloads

            • C:\Users\Admin\AppData\Local\Temp\54de6311-32a5-4f40-8142-edb3ab532c6d.tmp.node

              Filesize

              126KB

              MD5

              1ca6e9085852bc3dba34ba35a39692de

              SHA1

              3154b90a17f7a1a67c98078c4e47f57dc7271d87

              SHA256

              6b2bfc6cf087208dbba6eae1672aa60b981fb1aab5f02ecd3c9b97942e16f913

              SHA512

              eaf2ba60bd900049ac31552561ce7f0cc91cee07400bc2460b4731a969dea62c3115fd3e5d509302285162bca2bbeaaa12822f8acca25f0720bfb5e01079caba

            • C:\Users\Admin\AppData\Local\Temp\Web Data

              Filesize

              228KB

              MD5

              ee463e048e56b687d02521cd12788e2c

              SHA1

              ee26598f8e8643df84711960e66a20ecbc6321b8

              SHA256

              3a07b3003758a79a574aa73032076567870389751f2a959537257070da3a10d8

              SHA512

              42b395bf6bd97da800385b9296b63a4b0edd7b3b50dc92f19e61a89235a42d37d204359b57d506e6b25ab95f16625cce035ed3b55ef2d54951c82332498dab0f

            • C:\Users\Admin\AppData\Local\Temp\epsilon-Admin\Antivirus.txt

              Filesize

              231B

              MD5

              dec2be4f1ec3592cea668aa279e7cc9b

              SHA1

              327cf8ab0c895e10674e00ea7f437784bb11d718

              SHA256

              753b99d2b4e8c58bfd10995d0c2c19255fe9c8f53703bb27d1b6f76f1f4e83cc

              SHA512

              81728e3d31b72905b3a09c79d1e307c4e8e79d436fcfe7560a8046b46ca4ae994fdfaeb1bc2328e35f418b8128f2e7239289e84350e142146df9cde86b20bb66

            • C:\Users\Admin\AppData\Local\Temp\fb8df61a-7d30-4e44-865f-492601a161d7.tmp.node

              Filesize

              1.6MB

              MD5

              9e6a91d0e8ab5d97e4ff8622c83a9da5

              SHA1

              f157b7cda8b59fb17dc86cdbca7268e35a2cd16b

              SHA256

              1961ae8783a767ad6c9ea2a4c21e3c7e38105195fd6ac6ba7dc7528d6161beeb

              SHA512

              a9860de3a5e4e3f47672e001941a1678fe6b8ef4ce19bd43a17c8dafa8bf16606e0e4cafd8fcefa7532fb53bec73531bb0e68367fd3b85ba1c00b05f882c670c

            • memory/64-{56,57,58,62,63,64,65,66,67,68}-0x0000018D02380000-0x0000018D02381000-memory.dmp

              Ten successive dumps of the same 4KB region of PID 64 (the `--disable-gpu-sandbox` gpu-process child).

              Filesize

              4KB
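The Downloads list names a `Web Data` file and two `<GUID>.tmp.node` files among the drops. `Web Data` is the name of Chromium's autofill/payment-card SQLite database, and a copy of it in %TEMP% is the usual sign that a stealer copied the database out before reading it (the browser keeps the live file locked); `.node` files are native Node addons, which are ordinary PE DLLs, and very likely account for the two IoCs behind the "Loads dropped DLL" signature. The following added example (not part of the report) shows the content-based check an analyst would run over the dropped files: it builds constructed stand-ins for those artefacts and classifies them by magic bytes and, for SQLite, by table names. The table-name map and the stand-in contents are this example's assumptions, not data from the real sample.

```python
import os
import sqlite3
import tempfile
from pathlib import Path

SQLITE_MAGIC = b"SQLite format 3\x00"   # first 16 bytes of every SQLite 3 file
PE_MAGIC = b"MZ"                        # DOS header of a PE image (.node files are DLLs)

# Chromium profile databases and the tables a stealer reads from them (names only;
# column layouts vary by browser version and are not needed to recognise the file).
CHROMIUM_TABLES = {
    "Web Data":   {"autofill", "credit_cards"},
    "Login Data": {"logins"},
    "Cookies":    {"cookies"},
}


def sqlite_tables(path):
    """List table names without touching the data (read-only URI open)."""
    con = sqlite3.connect(Path(path).resolve().as_uri() + "?mode=ro", uri=True)
    try:
        return {row[0] for row in con.execute(
            "SELECT name FROM sqlite_master WHERE type = 'table'")}
    finally:
        con.close()


def classify_dropped_file(path):
    """Decide what a dropped file is from its content, not its name."""
    with open(path, "rb") as fh:
        head = fh.read(16)
    if head.startswith(SQLITE_MAGIC):
        tables = sqlite_tables(path)
        matches = sorted(db for db, wanted in CHROMIUM_TABLES.items() if wanted & tables)
        return {"kind": "sqlite", "tables": sorted(tables), "chromium_db": matches}
    if head.startswith(PE_MAGIC):
        return {"kind": "pe"}
    return {"kind": "unknown"}


def make_constructed_samples(directory):
    """Write stand-ins for the report's artefacts; none of this is the real sample data."""
    web_data = os.path.join(directory, "Web Data")
    con = sqlite3.connect(web_data)
    con.executescript("""
        CREATE TABLE autofill (name TEXT, value TEXT, date_created INTEGER);
        CREATE TABLE credit_cards (guid TEXT, name_on_card TEXT, card_number_encrypted BLOB);
        INSERT INTO autofill VALUES ('email', 'user@example.invalid', 0);
    """)
    con.commit()
    con.close()
    node = os.path.join(directory, "constructed.tmp.node")
    with open(node, "wb") as fh:
        fh.write(PE_MAGIC + b"\x90\x00" + b"\x00" * 60)   # only the DOS magic matters here
    text = os.path.join(directory, "Antivirus.txt")
    with open(text, "w", encoding="utf-8") as fh:
        fh.write("displayName=Windows Defender\n")            # constructed, not the report's file
    return [web_data, node, text]


def run_demo():
    """Classify the constructed samples; returns {basename: classification}."""
    with tempfile.TemporaryDirectory() as tmp:
        return {os.path.basename(p): classify_dropped_file(p)
                for p in make_constructed_samples(tmp)}


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(f"{name!r}: {result}")
```

Pointed at the real drops, the same check confirms whether `Web Data` is a genuine Chromium database (and which one, from its tables) and whether the `.tmp.node` files are PE images worth pulling into a disassembler, rather than trusting the file names the sample chose.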