| Field | Value |
|---|---|
| File name: | ep_setup.exe |
| Full analysis: | https://app.any.run/tasks/8a18f2fb-9958-4c61-a1de-1374754df253 |
| Verdict: | Malicious activity |
| Analysis date: | July 25, 2024, 15:55:06 |
| OS: | Windows 10 Professional (build: 19045, 64 bit) |
| Indicators: | — |
| MIME: | application/x-dosexec |
| File info: | PE32+ executable (GUI) x86-64, for MS Windows |
| MD5: | 5458FA0F26DB7314F2E53B4936703ECE |
| SHA1: | D254E1DD2910E41A98F0F93E2308DB9298AD5ED3 |
| SHA256: | 6942DE4845CA2BFF1665CC1A0FB1A46EAA36404B7E4436DEE9552EA5F2216F92 |
| SSDEEP: | 49152:gcuS9WPpdBTdHbSFQs6ulcx3ET7PtlCBSWVmgm2scIhu7JWYCLOwrZ1SSTS0:gEQBTgQJGllUTBgcgYITrJ |
| Extension | Identification (score) |
|---|---|
| .exe | Win32 Executable (generic) (3.6) |
| .exe | Generic Win/DOS Executable (1.6) |
| .exe | DOS Executable Generic (1.5) |
| Field | Value |
|---|---|
| MachineType: | AMD AMD64 |
| TimeStamp: | 2024:05:15 09:54:57+00:00 |
| ImageFileCharacteristics: | Executable, Large address aware |
| PEType: | PE32+ |
| LinkerVersion: | 14.38 |
| CodeSize: | 112128 |
| InitializedDataSize: | 2474496 |
| UninitializedDataSize: | - |
| EntryPoint: | 0x5544 |
| OSVersion: | 6 |
| ImageVersion: | - |
| SubsystemVersion: | 6 |
| Subsystem: | Windows GUI |
| FileVersionNumber: | 22621.3527.65.5 |
| ProductVersionNumber: | 22621.3527.65.5 |
| FileFlagsMask: | 0x003f |
| FileFlags: | (none) |
| FileOS: | Windows NT 32-bit |
| ObjectFileType: | Executable application |
| FileSubtype: | - |
| LanguageCode: | English (U.S.) |
| CharacterSet: | Unicode |
| CompanyName: | VALINET Solutions SRL |
| FileDescription: | ExplorerPatcher Setup Program |
| FileVersion: | 22621.3527.65.5 |
| InternalName: | ep_setup.exe |
| LegalCopyright: | Copyright (C) 2006-2024 VALINET Solutions SRL. All rights reserved. |
| OriginalFileName: | ep_setup.exe |
| ProductName: | ExplorerPatcher |
| ProductVersion: | 22621.3527.65.5 |
| PID | CMD | Path | Indicators | Parent process | User | Company | Integrity level | Description | Exit code | Version |
|---|---|---|---|---|---|---|---|---|---|---|
| 204 | "C:\WINDOWS\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe" -ServerName:InputApp.AppXjd5de1g66v206tj52m9d0dtpppx4cgpn.mca | C:\Windows\SystemApps\MicrosoftWindows.Client.CBS_cw5n1h2txyewy\TextInputHost.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | — | — | 123.26505.0.0 |
| 320 | "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll" | C:\Windows\System32\regsvr32.exe | — | ep_setup.exe | admin | Microsoft Corporation | HIGH | Microsoft(C) Register Server | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 1028 | "C:\WINDOWS\explorer.exe" /NoUACCheck | C:\Windows\explorer.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Windows Explorer | — | 10.0.19041.3758 (WinBuild.160101.0800) |
| 1408 | "C:\WINDOWS\explorer.exe" | C:\Windows\explorer.exe | — | ep_setup.exe | admin | Microsoft Corporation | HIGH | Windows Explorer | 2 | 10.0.19041.3758 (WinBuild.160101.0800) |
| 1488 | C:\WINDOWS\System32\mobsync.exe -Embedding | C:\Windows\System32\mobsync.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Microsoft Sync Center | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2432 | "C:\WINDOWS\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB | C:\Windows\System32\sc.exe | — | ep_setup.exe | admin | Microsoft Corporation | HIGH | Service Control Manager Configuration Tool | 1060 | 10.0.19041.1 (WinBuild.160101.0800) |
| 2456 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | sc.exe | admin | Microsoft Corporation | HIGH | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 5428 | "C:\WINDOWS\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe" -ServerName:CortanaUI.AppX8z9r6jm96hw4bsbneegw0kyxx296wr9t.mca | C:\Windows\SystemApps\Microsoft.Windows.Search_cw5n1h2txyewy\SearchApp.exe | — | svchost.exe | admin | Microsoft Corporation | MEDIUM | Search application | — | 10.0.19041.3996 (WinBuild.160101.0800) |
| 5500 | \??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1 | C:\Windows\System32\conhost.exe | — | sc.exe | admin | Microsoft Corporation | HIGH | Console Window Host | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| 5540 | "C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll" | C:\Windows\System32\regsvr32.exe | — | ep_setup.exe | admin | Microsoft Corporation | HIGH | Microsoft(C) Register Server | 0 | 10.0.19041.1 (WinBuild.160101.0800) |
| PID | Process | Key | Name | Operation | Value |
|---|---|---|---|---|---|
| 6588 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 6588 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 6588 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 6588 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 6332 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | ProxyBypass | write | 1 |
| 6332 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | IntranetName | write | 1 |
| 6332 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | UNCAsIntranet | write | 1 |
| 6332 | ep_setup.exe | HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap | AutoDetect | write | 0 |
| 6332 | ep_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher | UninstallString | write | "C:\Program Files\ExplorerPatcher\ep_setup.exe" /uninstall |
| 6332 | ep_setup.exe | HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher | DisplayName | write | ExplorerPatcher |
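The process and registry tables above record how the installer behaves: two silent regsvr32 registrations of DLLs from C:\Program Files\ExplorerPatcher, an attempt to start the service ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB that exited with 1060 (ERROR_SERVICE_DOES_NOT_EXIST, so the service was not installed at the moment sc.exe ran), a HIGH-integrity explorer.exe relaunched by the installer as PID 1408 (exit code 2) while the shell itself continued as PID 1028 under svchost.exe at MEDIUM, and a machine-wide Uninstall entry. The eight ZoneMap writes under HKCU\...\Internet Settings are the values WinINet-using software routinely produces and carry little weight on their own; the HKLM Uninstall key is the durable, attributable artifact. The Python below is an example added here, not part of the report or of ExplorerPatcher; it encodes the rows above as constructed data and applies that triage. The finding labels and the "outside System32" rule for regsvr32 targets are this example's own choices.

```python
import re

# Process rows transcribed from the report's process table (constructed from the
# page; the ep_setup.exe processes themselves, PIDs 6332 and 6588, are not listed there).
# (pid, command line, image path, parent image, integrity level, exit code or None)
PROCESSES = [
    (320, r'"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host_stub.dll"',
     r"C:\Windows\System32\regsvr32.exe", "ep_setup.exe", "HIGH", 0),
    (1028, r'"C:\WINDOWS\explorer.exe" /NoUACCheck', r"C:\Windows\explorer.exe", "svchost.exe", "MEDIUM", None),
    (1408, r'"C:\WINDOWS\explorer.exe"', r"C:\Windows\explorer.exe", "ep_setup.exe", "HIGH", 2),
    (2432, r'"C:\WINDOWS\system32\sc.exe" start ep_dwm_D17F1E1A-5919-4427-8F89-A1A8503CA3EB',
     r"C:\Windows\System32\sc.exe", "ep_setup.exe", "HIGH", 1060),
    (2456, r"\??\C:\WINDOWS\system32\conhost.exe 0xffffffff -ForceV1",
     r"C:\Windows\System32\conhost.exe", "sc.exe", "HIGH", 0),
    (5540, r'"C:\WINDOWS\system32\regsvr32.exe" /s "C:\Program Files\ExplorerPatcher\ep_weather_host.dll"',
     r"C:\Windows\System32\regsvr32.exe", "ep_setup.exe", "HIGH", 0),
]

# Registry writes from the report's registry table (constructed from the page).
ZONEMAP = r"HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap"
UNINSTALL = (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall"
             r"\{D17F1E1A-5919-4427-8F89-A1A8503CA3EB}_ExplorerPatcher")
REGISTRY = [(pid, ZONEMAP, name, value)
            for pid in (6588, 6332)
            for name, value in (("ProxyBypass", "1"), ("IntranetName", "1"),
                                ("UNCAsIntranet", "1"), ("AutoDetect", "0"))]
REGISTRY += [
    (6332, UNINSTALL, "UninstallString", r'"C:\Program Files\ExplorerPatcher\ep_setup.exe" /uninstall'),
    (6332, UNINSTALL, "DisplayName", "ExplorerPatcher"),
]

INSTALLER = "ep_setup.exe"
ERROR_SERVICE_DOES_NOT_EXIST = 1060  # Win32 error sc.exe returns when the named service is not installed


def win_argv(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes.
    No escape handling; sufficient for the lines in this report."""
    return [t[1:-1] if t.startswith('"') else t for t in re.findall(r'"[^"]*"|\S+', cmdline)]


def triage_processes(rows):
    """Return (pid, finding, detail) tuples for the installer-driven actions worth a second look."""
    findings = []
    for pid, cmd, _path, parent, integrity, code in rows:
        argv = win_argv(cmd)
        image = argv[0].rsplit("\\", 1)[-1].lower()
        if image == "regsvr32.exe":
            # First non-switch argument is the DLL being registered; only flag DLLs outside System32.
            dll = next((a for a in argv[1:] if not a.startswith("/")), None)
            if dll and not dll.lower().startswith(r"c:\windows\system32"):
                findings.append((pid, "regsvr32_register", dll))
        elif image == "sc.exe" and len(argv) >= 3 and argv[1].lower() == "start":
            if code == ERROR_SERVICE_DOES_NOT_EXIST:
                status = "failed_not_installed"
            else:
                status = "ok" if code == 0 else f"exit_{code}"
            findings.append((pid, "service_start", f"{argv[2]}:{status}"))
        elif image == "explorer.exe" and parent.lower() == INSTALLER:
            # A shell relaunched by an elevated installer inherits its integrity level.
            findings.append((pid, "explorer_restart", f"integrity={integrity}"))
    return findings


def triage_registry(rows):
    """Separate low-value ZoneMap noise from machine-wide (HKLM) writes."""
    summary = {"zonemap_writes": 0, "hklm_writes": [], "uninstall_string": None}
    for pid, key, name, value in rows:
        hive, _, subkey = key.partition("\\")
        low = subkey.lower()
        if low.endswith("internet settings\\zonemap"):
            summary["zonemap_writes"] += 1
        if hive == "HKEY_LOCAL_MACHINE":
            summary["hklm_writes"].append((pid, name))
            if "\\uninstall\\" in low and name == "UninstallString":
                summary["uninstall_string"] = value
    return summary


if __name__ == "__main__":
    for finding in triage_processes(PROCESSES):
        print(*finding)
    print(triage_registry(REGISTRY))
```

The conhost.exe rows and the svchost-spawned explorer.exe (PID 1028) produce no findings, which is the intended behaviour: only actions initiated by the installer are reported.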
| PID | Process | Filename | Type | MD5 | SHA256 |
|---|---|---|---|---|---|
| 6332 | ep_setup.exe | C:\Program Files\ExplorerPatcher\ep_dwm.exe | executable | 7DFBDABC306CE83343FB223ABED3B9FD | 7C0BBF50AC4ED0CA3B180B07F91C7F8EA8751F69E9F1930E679F11AA91249F61 |
| 6332 | ep_setup.exe | C:\Program Files\ExplorerPatcher\ep_setup.exe | executable | 5458FA0F26DB7314F2E53B4936703ECE | 6942DE4845CA2BFF1665CC1A0FB1A46EAA36404B7E4436DEE9552EA5F2216F92 |
| 6332 | ep_setup.exe | C:\Windows\dxgi.dll | executable | C2F528426A22F06CAE1EC991B64F1D9E | E5D4128119ECDBFE3C59E19DA569EA672D25087B1C18B2255A385F7558C69EB3 |
| 6332 | ep_setup.exe | C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll | executable | 9DB8A62E4F82C55DC613F53257C13D95 | 6A7A2C64795B9A3DF24C8CBDEC6A19E47A5F24CD762BD0CD30E1A3B6CB2F940A |
| 6332 | ep_setup.exe | C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk | lnk | 3EFDD3CC5CEA33D1D9E8A61BDB617967 | 97DCD59D2A99A50071C482F76DCFF5F0418C862B322C563DBBC8A600AD3D8E47 |
| 5428 | SearchApp.exe | C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MicrosoftWindows_Client_CBS_cw5n1h2txyewy!WindowsBackup | image | 07BBC578E9984DD98D364CB2AEFF0FFA | FDD1DF762CCF2C036AEF6E14B2F13E2E00E2BBD3F7485BA79BA25035352D3B5C |
| 6332 | ep_setup.exe | C:\Program Files\ExplorerPatcher\ep_gui.dll | executable | 14E957A982DB060F80D01F9BCECDAEC8 | 15FCA06B049E6FD7A7250EB0EE2BE390A63CE30193021A9E7165ECAAA1E71AD6 |
| 6332 | ep_setup.exe | C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll | executable | 4DC5C4EF26F8E30BE4635537B82ACC2C | 9EE551B2CC3F8E634441254DEEC3280BB84F10B5A2B8B70B362055C2F224C1E9 |
| 6332 | ep_setup.exe | C:\Program Files\ExplorerPatcher\ep_weather_host.dll | executable | 4CDF1ABFFAC8182F316D203A0CBC0C1F | 3413F0A0058F9F2FCB5910AD4FD2376C4F2AEE3680D73A93CD977FF9059D396D |
| 6332 | ep_setup.exe | C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll | executable | 4DC5C4EF26F8E30BE4635537B82ACC2C | 9EE551B2CC3F8E634441254DEEC3280BB84F10B5A2B8B70B362055C2F224C1E9 |
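Three things in the dropped-files table deserve a check. The installer copies itself to C:\Program Files\ExplorerPatcher\ep_setup.exe (same SHA256 as the submitted sample, which is also what the UninstallString points at). The dxgi.dll written into the StartMenuExperienceHost package directory is byte-identical to ExplorerPatcher.amd64.dll (MD5 4DC5..., SHA256 9EE5...). C:\Windows\dxgi.dll, which sits in the directory of explorer.exe, is a third, distinct binary. A dxgi.dll in an application's own directory is found ahead of the System32 copy by the standard DLL search order, so those two out-of-tree writes are the hooks to look for on a host; the image written by SearchApp.exe is unrelated background activity. The Python below is an example added here, not code from the report or from ExplorerPatcher; it takes the table as constructed data and pulls out exactly those three observations. The "writer" and "install directory" parameters are this example's assumptions about what counts as in-tree.

```python
from collections import defaultdict
from pathlib import PureWindowsPath

# Submitted sample and the installer's own directory, taken from the report.
SAMPLE_SHA256 = "6942DE4845CA2BFF1665CC1A0FB1A46EAA36404B7E4436DEE9552EA5F2216F92"
INSTALL_DIR = r"C:\Program Files\ExplorerPatcher"

# Dropped-file rows transcribed from the report (constructed from the page).
# (pid, writing process, path, type, md5, sha256)
DROPPED = [
    (6332, "ep_setup.exe", r"C:\Program Files\ExplorerPatcher\ep_dwm.exe", "executable",
     "7DFBDABC306CE83343FB223ABED3B9FD", "7C0BBF50AC4ED0CA3B180B07F91C7F8EA8751F69E9F1930E679F11AA91249F61"),
    (6332, "ep_setup.exe", r"C:\Program Files\ExplorerPatcher\ep_setup.exe", "executable",
     "5458FA0F26DB7314F2E53B4936703ECE", "6942DE4845CA2BFF1665CC1A0FB1A46EAA36404B7E4436DEE9552EA5F2216F92"),
    (6332, "ep_setup.exe", r"C:\Windows\dxgi.dll", "executable",
     "C2F528426A22F06CAE1EC991B64F1D9E", "E5D4128119ECDBFE3C59E19DA569EA672D25087B1C18B2255A385F7558C69EB3"),
    (6332, "ep_setup.exe", r"C:\Program Files\ExplorerPatcher\ExplorerPatcher.IA-32.dll", "executable",
     "9DB8A62E4F82C55DC613F53257C13D95", "6A7A2C64795B9A3DF24C8CBDEC6A19E47A5F24CD762BD0CD30E1A3B6CB2F940A"),
    (6332, "ep_setup.exe", r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\ExplorerPatcher\Properties (ExplorerPatcher).lnk", "lnk",
     "3EFDD3CC5CEA33D1D9E8A61BDB617967", "97DCD59D2A99A50071C482F76DCFF5F0418C862B322C563DBBC8A600AD3D8E47"),
    (5428, "SearchApp.exe", r"C:\Users\admin\AppData\Local\Packages\Microsoft.Windows.Search_cw5n1h2txyewy\LocalState\AppIconCache\100\MicrosoftWindows_Client_CBS_cw5n1h2txyewy!WindowsBackup", "image",
     "07BBC578E9984DD98D364CB2AEFF0FFA", "FDD1DF762CCF2C036AEF6E14B2F13E2E00E2BBD3F7485BA79BA25035352D3B5C"),
    (6332, "ep_setup.exe", r"C:\Program Files\ExplorerPatcher\ep_gui.dll", "executable",
     "14E957A982DB060F80D01F9BCECDAEC8", "15FCA06B049E6FD7A7250EB0EE2BE390A63CE30193021A9E7165ECAAA1E71AD6"),
    (6332, "ep_setup.exe", r"C:\Windows\SystemApps\Microsoft.Windows.StartMenuExperienceHost_cw5n1h2txyewy\dxgi.dll", "executable",
     "4DC5C4EF26F8E30BE4635537B82ACC2C", "9EE551B2CC3F8E634441254DEEC3280BB84F10B5A2B8B70B362055C2F224C1E9"),
    (6332, "ep_setup.exe", r"C:\Program Files\ExplorerPatcher\ep_weather_host.dll", "executable",
     "4CDF1ABFFAC8182F316D203A0CBC0C1F", "3413F0A0058F9F2FCB5910AD4FD2376C4F2AEE3680D73A93CD977FF9059D396D"),
    (6332, "ep_setup.exe", r"C:\Program Files\ExplorerPatcher\ExplorerPatcher.amd64.dll", "executable",
     "4DC5C4EF26F8E30BE4635537B82ACC2C", "9EE551B2CC3F8E634441254DEEC3280BB84F10B5A2B8B70B362055C2F224C1E9"),
]


def find_self_copies(rows, sample_sha256):
    """Paths whose content is the submitted sample itself (installer copying itself into place)."""
    return [path for _, _, path, _, _, sha in rows if sha.lower() == sample_sha256.lower()]


def find_hash_aliases(rows):
    """Same bytes written under more than one path, keyed by SHA256."""
    by_hash = defaultdict(set)
    for _, _, path, _, _, sha in rows:
        by_hash[sha.upper()].add(path)
    return {sha: sorted(paths) for sha, paths in by_hash.items() if len(paths) > 1}


def find_out_of_tree_binaries(rows, install_dir, writer):
    """Executables the writer placed outside its install directory, as (file name, directory).
    Each directory is one an application living there searches before System32 when it
    loads a DLL of that name, so these are the DLL-placement points to hunt for on a host."""
    root = PureWindowsPath(install_dir)  # PureWindowsPath compares case-insensitively
    hits = []
    for _, proc, path, kind, _, _ in rows:
        if proc != writer or kind != "executable":
            continue
        p = PureWindowsPath(path)
        if root not in p.parents:
            hits.append((p.name.lower(), str(p.parent)))
    return hits


if __name__ == "__main__":
    print("self copies:", find_self_copies(DROPPED, SAMPLE_SHA256))
    print("hash aliases:", find_hash_aliases(DROPPED))
    print("out-of-tree binaries:", find_out_of_tree_binaries(DROPPED, INSTALL_DIR, "ep_setup.exe"))
```

On a live host the same three functions work unchanged on rows gathered from Sysmon event ID 11 (FileCreate) plus a hashing pass, which is how one would confirm whether a suspect machine carries the same dxgi.dll placements.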
| PID | Process | Method | HTTP Code | IP | URL | CN | Type | Size | Reputation |
|---|---|---|---|---|---|---|---|---|---|
| 1028 | explorer.exe | GET | — | 204.79.197.219:80 | http://msdl.microsoft.com/download/symbols/twinui.pcshell.pdb/3F0945AE4BC25ECE16353588B05D30B61/twinui.pcshell.pdb | unknown | — | — | whitelisted |
| — | — | GET | 302 | 140.82.121.4:443 | https://github.com/valinet/ExplorerPatcher/releases/latest/download/ep_setup.exe | unknown | — | — | unknown |
| — | — | GET | 302 | 140.82.121.4:443 | https://github.com/valinet/ExplorerPatcher/releases/download/22621.3527.65.5_6f6666b/ep_setup.exe | unknown | — | — | unknown |
| — | — | GET | 200 | 104.126.37.131:443 | https://www.bing.com/manifest/threshold.appcache | unknown | text | 3.76 Kb | unknown |
| — | — | POST | 204 | 104.126.37.161:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | unknown |
| — | — | GET | 200 | 20.150.38.228:443 | https://vsblobprodscussu5shard3.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/080B121A2FD83C0D8B63759154B156A6F9B3E9C34815912BAECA0699D5F3792500.blob?sv=2019-07-07&sr=b&si=1&sig=Rl8Biqvd4vKRfxDfvoI2ux1QcovzxhODeXPFyz88q0U%3D&spr=https&se=2024-07-26T16%3A01%3A53Z&rscl=x-e2eid-1edc548a-a35c4f0b-9c1ed7d7-5e2ff78d-session-66eb0c68-ea304752-9276e106-af89a2bf | unknown | binary | 36.4 Mb | unknown |
| — | — | POST | — | 104.126.37.155:443 | https://www.bing.com/threshold/xls.aspx | unknown | — | — | unknown |
| — | — | GET | 200 | 104.126.37.129:443 | https://www.bing.com/rb/18/jnc,nj/6hU_LneafI_NFLeDvM367ebFaKQ.js?bu=DyIrb3t-gQF4cnWyAbUBK6UBK7gB&or=w | unknown | text | 21.3 Kb | unknown |
| — | — | GET | — | 104.126.37.155:443 | https://r.bing.com/rb/16/jnc,nj/QNTKd9N_cxGKn9KFdn7srcri68M.js?bu=DygxcoQBiAGMAYEBe36_AcIBMbIBMcUB&or=w | unknown | — | — | unknown |
| — | — | GET | — | 20.150.38.228:443 | https://vsblobprodscussu5shard3.blob.core.windows.net/b-4712e0edc5a240eabf23330d7df68e77/080B121A2FD83C0D8B63759154B156A6F9B3E9C34815912BAECA0699D5F3792500.blob?sv=2019-07-07&sr=b&si=1&sig=Rl8Biqvd4vKRfxDfvoI2ux1QcovzxhODeXPFyz88q0U%3D&spr=https&se=2024-07-26T16%3A01%3A53Z&rscl=x-e2eid-1edc548a-a35c4f0b-9c1ed7d7-5e2ff78d-session-66eb0c68-ea304752-9276e106-af89a2bf | unknown | — | — | unknown |
| PID | Process | IP | Domain | ASN | CN | Reputation |
|---|---|---|---|---|---|---|
| 3800 | svchost.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 4404 | RUXIMICS.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| 6012 | MoUsoCoreWorker.exe | 51.104.136.2:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | IE | whitelisted |
| — | — | 4.209.33.156:443 | — | MICROSOFT-CORP-MSN-AS-BLOCK | US | unknown |
| — | — | 239.255.255.250:1900 | — | — | — | whitelisted |
| 4 | System | 192.168.100.255:138 | — | — | — | whitelisted |
| — | — | 40.91.76.224:443 | activation-v2.sls.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | US | whitelisted |
| 4 | System | 192.168.100.255:137 | — | — | — | whitelisted |
| 3800 | svchost.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| 6012 | MoUsoCoreWorker.exe | 20.73.194.208:443 | settings-win.data.microsoft.com | MICROSOFT-CORP-MSN-AS-BLOCK | NL | whitelisted |
| Domain | IP | Reputation |
|---|---|---|
| activation-v2.sls.microsoft.com | — | whitelisted |
| google.com | — | whitelisted |
| settings-win.data.microsoft.com | — | whitelisted |
| www.bing.com | — | whitelisted |
| github.com | — | shared |
| r.bing.com | — | whitelisted |
| msdl.microsoft.com | — | whitelisted |
| vsblobprodscussu5shard3.blob.core.windows.net | — | whitelisted |
| self.events.data.microsoft.com | — | whitelisted |