Analysis Overview
SHA256
22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055
Threat Level: Likely benign
The file !ŞetUp_64851--#PaSꞨKḙy#$$.zip was found to be: Likely benign. This score is the sandbox's automatic verdict. The behavioral runs below record Setup.exe writing to the memory of more.com and setting its thread context, and more.com then writing to the memory of SearchIndexer.exe, while the rundll32 runs of tak_deco_lib.dll triggered no signatures at all. Weigh the score against those signatures rather than reading it as a clean result.
Malicious Activity Summary
Suspicious use of SetThreadContext
Unsigned PE
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Analysis: static1
Detonation Overview
Reported
2024-07-09 23:05
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win10-20240404-en
Max time kernel
24s
Max time network
18s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4664 set thread context of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4664 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4664 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4664 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4664 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2208 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2208 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2208 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2208 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
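The SetThreadContext and WriteProcessMemory rows above are the sandbox's per-call log; read together they describe a two-hop chain (Setup.exe into more.com, more.com into SearchIndexer.exe). The following Python is an added example, not part of the sandbox report or its tooling: it parses rows in the table format used on this page (a constructed excerpt of the behavioral2 rows is embedded), de-duplicates the per-call entries, walks the chain from the Setup.exe PID, and flags source/target pairs that received both a memory write and a thread-context change, which is the pairing process hollowing or thread hijacking needs to land a payload and run it.

```python
import re
from collections import defaultdict

# Constructed excerpt of the behavioral2 signature tables on this page (rows copied verbatim).
REPORT_ROWS = r"""
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4664 set thread context of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4664 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4664 wrote to memory of 2208 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2208 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2208 wrote to memory of 3272 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
"""

# One table row: "| PID <src> <verb> <dst> | <indicator> | <source image> | <target image> |"
ROW = re.compile(
    r"^\|\s*PID (?P<src>\d+) (?P<verb>set thread context of|wrote to memory of) (?P<dst>\d+)\s*\|"
    r"[^|]*\|\s*(?P<src_img>[^|]*?)\s*\|\s*(?P<dst_img>[^|]*?)\s*\|$"
)
API = {"set thread context of": "SetThreadContext", "wrote to memory of": "WriteProcessMemory"}


def parse_edges(text):
    """Return de-duplicated (src_pid, dst_pid, api, src_image, dst_image) tuples in page order."""
    edges = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m is None:
            continue
        edge = (int(m["src"]), int(m["dst"]), API[m["verb"]], m["src_img"], m["dst_img"])
        if edge not in edges:  # the sandbox logs one row per call; collapse the repeats
            edges.append(edge)
    return edges


def injection_chain(edges, root_pid):
    """Breadth-first walk from the root over cross-process write/context edges: [(pid, image), ...]."""
    image = {}
    children = defaultdict(set)
    for src, dst, _api, src_img, dst_img in edges:
        image[src], image[dst] = src_img, dst_img
        children[src].add(dst)
    chain, seen, queue = [], set(), [root_pid]
    while queue:
        pid = queue.pop(0)
        if pid in seen:
            continue
        seen.add(pid)
        chain.append((pid, image.get(pid, "?")))
        queue.extend(sorted(children[pid]))
    return chain


def hollowing_candidates(edges):
    """(src, dst) pairs where one source both wrote the target's memory and reset a thread context:
    the two calls hollowing / thread hijacking needs (write the payload, then redirect execution)."""
    apis = defaultdict(set)
    for src, dst, api, _s, _d in edges:
        apis[(src, dst)].add(api)
    return sorted(pair for pair, seen in apis.items()
                  if {"WriteProcessMemory", "SetThreadContext"} <= seen)


if __name__ == "__main__":
    edges = parse_edges(REPORT_ROWS)
    for pid, img in injection_chain(edges, 4664):
        print(pid, img)
    print("hollowing candidates:", hollowing_candidates(edges))
```

Only the Setup.exe to more.com hop is flagged: the sandbox logged a WriteProcessMemory row for more.com against SearchIndexer.exe but no SetThreadContext row, so that hop is recorded as a write without a logged execution transfer. That is the absence of a logged call, not evidence that nothing executed in SearchIndexer.exe; the 0x53000 region dumped from PID 3272 in the Files list is what to inspect.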
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
memory/4664-0-0x00000000007F0000-0x000000000084E000-memory.dmp
memory/4664-1-0x00007FFAAEA20000-0x00007FFAAEE5B000-memory.dmp
memory/4664-5-0x00007FFAAEA38000-0x00007FFAAEA39000-memory.dmp
memory/4664-6-0x00007FFAAEA20000-0x00007FFAAEE5B000-memory.dmp
memory/4664-7-0x00007FFAAEA20000-0x00007FFAAEE5B000-memory.dmp
memory/4664-9-0x00000000007F0000-0x000000000084E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c17ccd18
| MD5 | c36365df041bbd1dfe5c37709d7c5eed |
| SHA1 | 3da111c1a81245f40b5309fa84ecf98613ab1dbd |
| SHA256 | f6e48cd13d95cb08d70231dab57b5a742a2c85e570c69805cb93348b0810e6e3 |
| SHA512 | a60c6919a344aecc3c88a62031c2bf0a7b1bc3160ca871fc8705c25637b08d0013a09ba2d33c74d10d7c11d745370d2194f0941d84f3f3599d7db8982bdb2c85 |
memory/2208-11-0x00007FFAB0350000-0x00007FFAB052B000-memory.dmp
memory/2208-13-0x0000000076CEE000-0x0000000076CF0000-memory.dmp
memory/2208-14-0x0000000076CE0000-0x00000000770FA000-memory.dmp
memory/2208-12-0x0000000076CE0000-0x00000000770FA000-memory.dmp
memory/2208-16-0x0000000076CE0000-0x00000000770FA000-memory.dmp
memory/3272-17-0x00007FFAB0350000-0x00007FFAB052B000-memory.dmp
memory/3272-18-0x0000000000240000-0x0000000000293000-memory.dmp
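The memory dump names in the Files lists encode the PID and the address range of each region the sandbox dumped, and the same region sizes recur across runs at different base addresses. The following Python is an added example, not produced by the sandbox: it parses dump names copied from the runs on this page (the list is constructed here; the image tagged to each PID comes from the signature tables, with "?" for PID 2884 in behavioral1, which no signature row names), classifies regions by address range (a heuristic assumption, noted in the code), and groups the low regions by size across runs.

```python
import re
from collections import defaultdict

DUMP = re.compile(
    r"^memory/(?P<pid>\d+)-(?P<seq>\d+)-0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$"
)

# Constructed list: dump names copied from this page, tagged with the run and with the image the
# signature tables give for that PID ("?" where no signature row names it).
DUMPS = [
    ("behavioral2", "Setup.exe",         "memory/4664-0-0x00000000007F0000-0x000000000084E000-memory.dmp"),
    ("behavioral2", "Setup.exe",         "memory/4664-1-0x00007FFAAEA20000-0x00007FFAAEE5B000-memory.dmp"),
    ("behavioral2", "more.com",          "memory/2208-12-0x0000000076CE0000-0x00000000770FA000-memory.dmp"),
    ("behavioral2", "SearchIndexer.exe", "memory/3272-18-0x0000000000240000-0x0000000000293000-memory.dmp"),
    ("behavioral4", "Setup.exe",         "memory/4588-0-0x0000000000840000-0x000000000089E000-memory.dmp"),
    ("behavioral4", "SearchIndexer.exe", "memory/1604-18-0x0000000000BA0000-0x0000000000BF3000-memory.dmp"),
    ("behavioral1", "Setup.exe",         "memory/2656-8-0x0000000000400000-0x000000000045E000-memory.dmp"),
    ("behavioral1", "?",                 "memory/2884-17-0x0000000000400000-0x0000000000453000-memory.dmp"),
    ("behavioral3", "SearchIndexer.exe", "memory/3584-18-0x00000000005A0000-0x00000000005F3000-memory.dmp"),
    ("behavioral7", "rundll32.exe",      "memory/4816-0-0x0000000000400000-0x000000000045E000-memory.dmp"),
]


def parse_dump(name):
    """Split a dump file name into pid, sequence number, start/end addresses and region size."""
    m = DUMP.match(name)
    if m is None:
        raise ValueError(f"not a dump name: {name}")
    start, end = int(m["start"], 16), int(m["end"], 16)
    return {"pid": int(m["pid"]), "seq": int(m["seq"]), "start": start, "end": end, "size": end - start}


def region_kind(start):
    """Coarse classification by address (heuristic assumption, not from the report): above 4 GiB is
    where 64-bit system DLLs map, 0x70000000-0x7FFFFFFF is the WoW64 system DLL range, and anything
    lower is the process image or a private allocation."""
    if start >= 1 << 32:
        return "x64-system-dll"
    if 0x70000000 <= start < 0x80000000:
        return "wow64-system-dll"
    return "low"


def recurring_low_regions(dumps):
    """Group 'low' regions by size across runs. A size that recurs in the same role in every run,
    at a different base each time, is the footprint of an injected payload, not of a system module."""
    by_size = defaultdict(list)
    for run, image, name in dumps:
        d = parse_dump(name)
        if region_kind(d["start"]) == "low":
            by_size[d["size"]].append((run, d["pid"], image, d["start"]))
    return {size: hits for size, hits in by_size.items() if len(hits) > 1}


if __name__ == "__main__":
    for size, hits in sorted(recurring_low_regions(DUMPS).items()):
        print(f"0x{size:X}:")
        for run, pid, image, start in hits:
            print(f"   {run:12} pid {pid:<5} {image:18} @ 0x{start:X}")
```

Two sizes recur: 0x5E000, dumped from the Setup.exe PID in every run and from the rundll32 host in behavioral7, and 0x53000, dumped from the SearchIndexer.exe target at a different base in each run (and from PID 2884 in behavioral1). A region that keeps its size while its base moves is the usual footprint of an injected payload. Comparing the 0x53000 dumps with each other, and the 0x5E000 rundll32 dump against Setup.exe's image, byte for byte is the next step; that needs the dump files themselves, not just their names.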
Analysis: behavioral4
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win11-20240709-en
Max time kernel
26s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4588 set thread context of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4588 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4588 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4588 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4588 wrote to memory of 2848 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 2848 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2848 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2848 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 2848 wrote to memory of 1604 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
memory/4588-0-0x0000000000840000-0x000000000089E000-memory.dmp
memory/4588-1-0x00007FFCA6B90000-0x00007FFCA6FFC000-memory.dmp
memory/4588-6-0x00007FFCA6B90000-0x00007FFCA6FFC000-memory.dmp
memory/4588-5-0x00007FFCA6BA8000-0x00007FFCA6BA9000-memory.dmp
memory/4588-7-0x00007FFCA6B90000-0x00007FFCA6FFC000-memory.dmp
memory/4588-9-0x0000000000840000-0x000000000089E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\5b8babe
| MD5 | 1203fd5c3014022333b3958ec91830f6 |
| SHA1 | 496ebdfe69c7305f1e84aa733c3765fea299855b |
| SHA256 | 814040fa3c97e5f98d16e5029859432c34be98c5b1824ef2cd002af97294cbbe |
| SHA512 | 2a4a2f3a81b39eabf36101b2d75d672df22a4a34af407780fc43a979376b2938966f25cc8ea7b5415330e338901ded62ce54ef32beb6859941ff5a79ee93f49b |
memory/2848-11-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp
memory/2848-13-0x000000007577E000-0x0000000075780000-memory.dmp
memory/2848-14-0x0000000075770000-0x0000000075BAB000-memory.dmp
memory/2848-12-0x0000000075770000-0x0000000075BAB000-memory.dmp
memory/2848-16-0x0000000075770000-0x0000000075BAB000-memory.dmp
memory/1604-17-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp
memory/1604-18-0x0000000000BA0000-0x0000000000BF3000-memory.dmp
Analysis: behavioral7
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win10v2004-20240709-en
Max time kernel
2s
Max time network
5s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| N/A | 100.64.99.220:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 100.64.99.220:443 | g.bing.com | tcp |
| N/A | 100.64.99.220:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 220.99.64.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.252.72.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.113.69.100.in-addr.arpa | udp |
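The only non-DNS traffic in this run is TCP/443 to 100.64.99.220 for g.bing.com, with no country attributed, plus four reverse (in-addr.arpa) lookups. The following Python is an added example, not from the sandbox: it parses rows in this page's network table format (a constructed copy of the rows above is embedded), marks destinations that fall in RFC 6598 shared address space 100.64.0.0/10 (which is why the Country column is empty: the address is behind the sandbox's NAT or proxy and is not routable on the Internet), converts each in-addr.arpa name back to the address it asks about, and pairs the reverse lookups with the forward connections they refer to.

```python
import ipaddress
import re

# Constructed copy of the behavioral7 network table on this page (header row omitted).
NETWORK_ROWS = """
| US | 8.8.8.8:53 | g.bing.com | udp |
| N/A | 100.64.99.220:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| N/A | 100.64.99.220:443 | g.bing.com | tcp |
| N/A | 100.64.99.220:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 220.99.64.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 64.252.72.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 113.113.69.100.in-addr.arpa | udp |
"""

SHARED_SPACE = ipaddress.ip_network("100.64.0.0/10")  # RFC 6598 shared address space (carrier NAT)
ENDPOINT = re.compile(r"^(?P<ip>\d{1,3}(?:\.\d{1,3}){3}):(?P<port>\d+)$")
PTR_NAME = re.compile(r"^(?P<octets>(?:\d{1,3}\.){4})in-addr\.arpa$")


def parse_rows(text):
    """Parse '| country | ip:port | domain | proto |' rows into dicts; skips headers and blank lines."""
    rows = []
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 4:
            continue
        m = ENDPOINT.match(cells[1])
        if m is None:
            continue
        rows.append({"country": cells[0], "ip": ipaddress.ip_address(m["ip"]),
                     "port": int(m["port"]), "domain": cells[2], "proto": cells[3]})
    return rows


def ptr_to_ip(name):
    """'220.99.64.100.in-addr.arpa' -> IPv4Address('100.64.99.220'); None for a forward name."""
    m = PTR_NAME.match(name)
    if m is None:
        return None
    octets = m["octets"].rstrip(".").split(".")
    return ipaddress.ip_address(".".join(reversed(octets)))


def summarize(rows):
    """Classify each non-DNS destination and pair it with any reverse lookup that refers to it."""
    connections, ptr_queries, forward_queries = {}, set(), set()
    for r in rows:
        if r["port"] == 53 and r["proto"] == "udp":
            ip = ptr_to_ip(r["domain"])
            if ip is None:
                forward_queries.add(r["domain"])
            else:
                ptr_queries.add(ip)
            continue
        connections.setdefault(r["ip"], set()).add((r["domain"], r["port"], r["proto"]))
    destinations = {}
    for ip, conns in connections.items():
        destinations[str(ip)] = {
            "shared_address_space": ip in SHARED_SPACE,  # behind the sandbox NAT, hence no country
            "global": ip.is_global,
            "domains": sorted({d for d, _p, _pr in conns}),
            "ports": sorted({p for _d, p, _pr in conns}),
            "reverse_lookup_seen": ip in ptr_queries,
        }
    return {
        "destinations": destinations,
        "forward_queries": sorted(forward_queries),
        # reverse lookups for addresses that never appear as a connection in the table
        "ptr_without_connection": sorted(str(ip) for ip in ptr_queries if ip not in connections),
    }


if __name__ == "__main__":
    for key, value in summarize(parse_rows(NETWORK_ROWS)).items():
        print(key, value)
```

Of the four reverse lookups only 220.99.64.100.in-addr.arpa matches a connection in the table; the other three (the resolver itself and two more 100.64.0.0/10 addresses) refer to traffic the table does not show. The report does not attribute the g.bing.com connection to a process, and the rundll32 run it came from fired no signatures, so treat the destination as unattributed rather than as an indicator.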
Files
memory/4816-0-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral8
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win11-20240709-en
Max time kernel
0s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
Files
memory/3516-0-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win7-20240705-en
Max time kernel
25s
Max time network
17s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2656 set thread context of 2828 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
Files
memory/2656-0-0x000007FEFE400000-0x000007FEFE5D7000-memory.dmp
memory/2656-4-0x000007FEFE418000-0x000007FEFE419000-memory.dmp
memory/2656-5-0x000007FEFE400000-0x000007FEFE5D7000-memory.dmp
memory/2656-8-0x0000000000400000-0x000000000045E000-memory.dmp
memory/2656-6-0x000007FEFE400000-0x000007FEFE5D7000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\4a1558fb
| MD5 | 7c8932caed748ab9b9a397c0edd4462d |
| SHA1 | 5f0c8b89ad9cc6d7d218d6c70b2f80e5a3601e3b |
| SHA256 | 5daa44cf252202eec6ee6959b4047b0ae8d604427fbffb7b6aca31a7d119922f |
| SHA512 | 6f48d862da4890dee80d4663be0c9aeabab1b9b93299f2c765c7b26f9a6ed7a6a3f8cdc906ef7c8f932e28e4b7438ac0673ddbb199dfdfc405e2d0e66a59a772 |
memory/2828-10-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/2828-12-0x00000000755AE000-0x00000000755B0000-memory.dmp
memory/2828-11-0x00000000755A0000-0x000000007573D000-memory.dmp
memory/2828-13-0x00000000755A0000-0x000000007573D000-memory.dmp
memory/2828-15-0x00000000755A0000-0x000000007573D000-memory.dmp
memory/2884-16-0x0000000076F60000-0x0000000077109000-memory.dmp
memory/2884-17-0x0000000000400000-0x0000000000453000-memory.dmp
Analysis: behavioral6
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win10-20240404-en
Max time kernel
15s
Max time network
20s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
Files
memory/3804-0-0x0000000000400000-0x000000000045E000-memory.dmp
Analysis: behavioral3
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win10v2004-20240709-en
Max time kernel
26s
Max time network
6s
Command Line
Signatures
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 4448 set thread context of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\more.com | N/A |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| PID 4448 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4448 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4448 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4448 wrote to memory of 4948 | N/A | C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe | C:\Windows\SysWOW64\more.com |
| PID 4948 wrote to memory of 3584 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4948 wrote to memory of 3584 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4948 wrote to memory of 3584 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
| PID 4948 wrote to memory of 3584 | N/A | C:\Windows\SysWOW64\more.com | C:\Windows\SysWOW64\SearchIndexer.exe |
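Outside a sandbox the behaviors recorded in these tables surface as endpoint telemetry rather than as API hooks: Sysmon Event ID 10 (ProcessAccess) carries the source image, target image and granted access mask of each cross-process open, and Event ID 1 carries command lines such as the rundll32 invocations of tak_deco_lib.dll in the other runs. The following Python is an added example, not from the sandbox or any vendor product: it runs two rules over constructed Sysmon-style events modelled on the chain above and on the rundll32 run (the GrantedAccess values and the allowlist of processes permitted to open others are assumptions, marked in the code). The first rule fires when a process obtains PROCESS_VM_WRITE, PROCESS_VM_OPERATION or PROCESS_CREATE_THREAD on another process, graded by where the source image lives; the second fires when rundll32 loads a DLL from the user's Temp directory by export ordinal.

```python
import re

# PROCESS_* access rights from winnt.h; any of these on a handle is enough to write code into the
# target or to start or redirect a thread in it.
PROCESS_CREATE_THREAD = 0x0002
PROCESS_VM_OPERATION = 0x0008
PROCESS_VM_WRITE = 0x0020
INJECT_RIGHTS = PROCESS_CREATE_THREAD | PROCESS_VM_OPERATION | PROCESS_VM_WRITE

USER_TEMP = re.compile(r"^[a-z]:\\users\\[^\\]+\\appdata\\local\\temp\\", re.I)
SYSTEM_DIR = re.compile(r"^[a-z]:\\windows\\(system32|syswow64)\\", re.I)
RUNDLL_ORDINAL = re.compile(
    r'^"?(?:.*\\)?rundll32(?:\.exe)?"?\s+"?(?P<dll>[^"]+?\.dll)"?,\s*#(?P<ordinal>\d+)', re.I)

# Assumption: processes allowed to open others with inject rights; tune to the estate.
KNOWN_ACCESSORS = {"csrss.exe", "lsass.exe", "msmpeng.exe", "werfault.exe"}

# Constructed Sysmon-style events (EventID 1 = process create, 10 = process access) modelled on the
# behavioral2 chain in this report; GrantedAccess values are illustrative, not from the page.
SETUP = r"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
MORE = r"C:\Windows\SysWOW64\more.com"
INDEXER = r"C:\Windows\SysWOW64\SearchIndexer.exe"
EVENTS = [
    {"EventID": 1, "ProcessId": 4664, "Image": SETUP, "CommandLine": f'"{SETUP}"'},
    {"EventID": 1, "ProcessId": 2208, "Image": MORE, "CommandLine": MORE, "ParentProcessId": 4664},
    {"EventID": 10, "SourceProcessId": 4664, "SourceImage": SETUP,
     "TargetProcessId": 2208, "TargetImage": MORE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 2208, "SourceImage": MORE,
     "TargetProcessId": 3272, "TargetImage": INDEXER, "GrantedAccess": "0x1F0FFF"},
    {"EventID": 10, "SourceProcessId": 720, "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetProcessId": 2208, "TargetImage": MORE, "GrantedAccess": "0x1FFFFF"},
    {"EventID": 10, "SourceProcessId": 5120, "SourceImage": r"C:\Windows\System32\taskmgr.exe",
     "TargetProcessId": 2208, "TargetImage": MORE, "GrantedAccess": "0x1000"},  # query only
    {"EventID": 1, "ProcessId": 4816, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1"},
    {"EventID": 1, "ProcessId": 5000, "Image": r"C:\Windows\system32\rundll32.exe",
     "CommandLine": r"rundll32.exe C:\Windows\System32\shell32.dll,Control_RunDLL"},
]


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def detect_process_access(ev):
    """Flag an EventID 10 whose granted access could inject into the target; severity depends on
    where the source image lives."""
    if ev.get("EventID") != 10:
        return None
    access = int(ev["GrantedAccess"], 16)
    if not access & INJECT_RIGHTS:
        return None
    src, dst = ev["SourceImage"], ev["TargetImage"]
    if basename(src) in KNOWN_ACCESSORS:
        return None
    if USER_TEMP.match(src):
        severity, why = "high", "image under user Temp opened another process with write/thread rights"
    elif SYSTEM_DIR.match(src) and SYSTEM_DIR.match(dst):
        severity, why = "medium", "system binary opened another system binary with write/thread rights"
    else:
        severity, why = "low", "process opened with write/thread rights"
    return {"rule": "process_access_inject", "severity": severity,
            "source_pid": ev["SourceProcessId"], "source": src,
            "target_pid": ev["TargetProcessId"], "target": dst, "access": hex(access), "why": why}


def detect_rundll32_ordinal(ev):
    """Flag an EventID 1 where rundll32 loads a DLL from user Temp by export ordinal (',#N')."""
    if ev.get("EventID") != 1 or basename(ev.get("Image", "")) != "rundll32.exe":
        return None
    m = RUNDLL_ORDINAL.match(ev.get("CommandLine", ""))
    if m is None or not USER_TEMP.match(m["dll"]):
        return None
    return {"rule": "rundll32_temp_dll_ordinal", "severity": "medium", "pid": ev["ProcessId"],
            "dll": m["dll"], "ordinal": int(m["ordinal"])}


def run_rules(events):
    """Apply both rules to every event and return the alerts in event order."""
    alerts = []
    for ev in events:
        for rule in (detect_process_access, detect_rundll32_ordinal):
            hit = rule(ev)
            if hit:
                alerts.append(hit)
    return alerts


if __name__ == "__main__":
    for alert in run_rules(EVENTS):
        print(alert)
```

Both hops of the chain fire: Setup.exe under Temp at high severity, and more.com at medium, because a console pager has no reason to open another process with those rights but is itself a Microsoft binary in a system directory. Grading that second hop higher needs a baseline of which system images legitimately open others in the environment; the csrss.exe and taskmgr.exe events show the two ways a benign open is excluded (allowlisted source, or an access mask without write or thread rights).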
Processes
C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\more.com
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| N/A | 100.94.171.99:443 | g.bing.com | tcp |
| N/A | 100.94.171.99:443 | g.bing.com | tcp |
| N/A | 100.94.171.99:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 58.220.117.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 20.119.114.100.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.171.94.100.in-addr.arpa | udp |
Files
memory/4448-0-0x00000000007F0000-0x000000000084E000-memory.dmp
memory/4448-1-0x00007FFB4A3E0000-0x00007FFB4A852000-memory.dmp
memory/4448-5-0x00007FFB4A3F8000-0x00007FFB4A3F9000-memory.dmp
memory/4448-6-0x00007FFB4A3E0000-0x00007FFB4A852000-memory.dmp
memory/4448-7-0x00007FFB4A3E0000-0x00007FFB4A852000-memory.dmp
memory/4448-9-0x00000000007F0000-0x000000000084E000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\44ae66b4
| MD5 | 3a33e65916e10dcea8801f9b1538c775 |
| SHA1 | 74c11af727f23d9c09ab112fe899994456214ebd |
| SHA256 | fdbcfb33476cf24e7d11d0f478251edb9807825bf636adfe79b1ada713c812cd |
| SHA512 | 1a4a6afb307a3a4d2fab5b552dd614c0a676cc501d71a781e7fe7930e75ad27c2fac338da8c8c1ac2721506dcb1892da382024754e9b6145c8c63c40dad97495 |
memory/4948-11-0x00007FFB4B1F0000-0x00007FFB4B3E5000-memory.dmp
memory/4948-13-0x00000000758DE000-0x00000000758E0000-memory.dmp
memory/4948-12-0x00000000758D0000-0x0000000075D0C000-memory.dmp
memory/4948-14-0x00000000758D0000-0x0000000075D0C000-memory.dmp
memory/4948-16-0x00000000758D0000-0x0000000075D0C000-memory.dmp
memory/3584-17-0x00007FFB4B1F0000-0x00007FFB4B3E5000-memory.dmp
memory/3584-18-0x00000000005A0000-0x00000000005F3000-memory.dmp
Analysis: behavioral5
Detonation Overview
Submitted
2024-07-09 23:05
Reported
2024-07-09 23:06
Platform
win7-20240708-en
Max time kernel
17s
Max time network
18s
Command Line
Signatures
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1
Network
Files
memory/1884-1-0x0000000001D30000-0x0000000001D8E000-memory.dmp
memory/1884-0-0x0000000001D30000-0x0000000001D8E000-memory.dmp