Malware Analysis Report

2024-11-30 05:30

Sample ID 240709-223vfs1erp
Target !ŞetUp_64851--#PaSꞨKḙy#$$.zip
SHA256 22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055
Tags
score
5/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral4

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral7

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral8

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral6

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral3

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral5

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
5/10

SHA256

22613505c3fea6ac505f3ed2c8e0df9998331832f405fbba4f9f5a48de753055

Threat Level: Likely benign

The file !ŞetUp_64851--#PaSꞨKḙy#$$.zip was found to be: Likely benign.

Malicious Activity Summary


Suspicious use of SetThreadContext

Unsigned PE

Suspicious behavior: MapViewOfSection

Suspicious use of WriteProcessMemory

Suspicious behavior: EnumeratesProcesses

MITRE ATT&CK

N/A

Analysis: static1

Detonation Overview

Reported

2024-07-09 23:05

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win10-20240404-en

Max time kernel

24s

Max time network

18s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description: PID 4664 set thread context of 2208
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\more.com
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/4664-0-0x00000000007F0000-0x000000000084E000-memory.dmp

memory/4664-1-0x00007FFAAEA20000-0x00007FFAAEE5B000-memory.dmp

memory/4664-5-0x00007FFAAEA38000-0x00007FFAAEA39000-memory.dmp

memory/4664-6-0x00007FFAAEA20000-0x00007FFAAEE5B000-memory.dmp

memory/4664-7-0x00007FFAAEA20000-0x00007FFAAEE5B000-memory.dmp

memory/4664-9-0x00000000007F0000-0x000000000084E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c17ccd18

MD5 c36365df041bbd1dfe5c37709d7c5eed
SHA1 3da111c1a81245f40b5309fa84ecf98613ab1dbd
SHA256 f6e48cd13d95cb08d70231dab57b5a742a2c85e570c69805cb93348b0810e6e3
SHA512 a60c6919a344aecc3c88a62031c2bf0a7b1bc3160ca871fc8705c25637b08d0013a09ba2d33c74d10d7c11d745370d2194f0941d84f3f3599d7db8982bdb2c85

memory/2208-11-0x00007FFAB0350000-0x00007FFAB052B000-memory.dmp

memory/2208-13-0x0000000076CEE000-0x0000000076CF0000-memory.dmp

memory/2208-14-0x0000000076CE0000-0x00000000770FA000-memory.dmp

memory/2208-12-0x0000000076CE0000-0x00000000770FA000-memory.dmp

memory/2208-16-0x0000000076CE0000-0x00000000770FA000-memory.dmp

memory/3272-17-0x00007FFAB0350000-0x00007FFAB052B000-memory.dmp

memory/3272-18-0x0000000000240000-0x0000000000293000-memory.dmp

Analysis: behavioral4

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win11-20240709-en

Max time kernel

26s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description: PID 4588 set thread context of 2848
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\more.com
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/4588-0-0x0000000000840000-0x000000000089E000-memory.dmp

memory/4588-1-0x00007FFCA6B90000-0x00007FFCA6FFC000-memory.dmp

memory/4588-6-0x00007FFCA6B90000-0x00007FFCA6FFC000-memory.dmp

memory/4588-5-0x00007FFCA6BA8000-0x00007FFCA6BA9000-memory.dmp

memory/4588-7-0x00007FFCA6B90000-0x00007FFCA6FFC000-memory.dmp

memory/4588-9-0x0000000000840000-0x000000000089E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\5b8babe

MD5 1203fd5c3014022333b3958ec91830f6
SHA1 496ebdfe69c7305f1e84aa733c3765fea299855b
SHA256 814040fa3c97e5f98d16e5029859432c34be98c5b1824ef2cd002af97294cbbe
SHA512 2a4a2f3a81b39eabf36101b2d75d672df22a4a34af407780fc43a979376b2938966f25cc8ea7b5415330e338901ded62ce54ef32beb6859941ff5a79ee93f49b

memory/2848-11-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp

memory/2848-13-0x000000007577E000-0x0000000075780000-memory.dmp

memory/2848-14-0x0000000075770000-0x0000000075BAB000-memory.dmp

memory/2848-12-0x0000000075770000-0x0000000075BAB000-memory.dmp

memory/2848-16-0x0000000075770000-0x0000000075BAB000-memory.dmp

memory/1604-17-0x00007FFCA8160000-0x00007FFCA8369000-memory.dmp

memory/1604-18-0x0000000000BA0000-0x0000000000BF3000-memory.dmp

Analysis: behavioral7

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win10v2004-20240709-en

Max time kernel

2s

Max time network

5s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
N/A 100.64.99.220:443 g.bing.com tcp
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
N/A 100.64.99.220:443 g.bing.com tcp
N/A 100.64.99.220:443 g.bing.com tcp
US 8.8.8.8:53 220.99.64.100.in-addr.arpa udp
US 8.8.8.8:53 64.252.72.100.in-addr.arpa udp
US 8.8.8.8:53 113.113.69.100.in-addr.arpa udp

Files

memory/4816-0-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral8

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win11-20240709-en

Max time kernel

0s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Network

N/A

Files

memory/3516-0-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win7-20240705-en

Max time kernel

25s

Max time network

17s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description: PID 2656 set thread context of 2828
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\more.com
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

N/A

Files

memory/2656-0-0x000007FEFE400000-0x000007FEFE5D7000-memory.dmp

memory/2656-4-0x000007FEFE418000-0x000007FEFE419000-memory.dmp

memory/2656-5-0x000007FEFE400000-0x000007FEFE5D7000-memory.dmp

memory/2656-8-0x0000000000400000-0x000000000045E000-memory.dmp

memory/2656-6-0x000007FEFE400000-0x000007FEFE5D7000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\4a1558fb

MD5 7c8932caed748ab9b9a397c0edd4462d
SHA1 5f0c8b89ad9cc6d7d218d6c70b2f80e5a3601e3b
SHA256 5daa44cf252202eec6ee6959b4047b0ae8d604427fbffb7b6aca31a7d119922f
SHA512 6f48d862da4890dee80d4663be0c9aeabab1b9b93299f2c765c7b26f9a6ed7a6a3f8cdc906ef7c8f932e28e4b7438ac0673ddbb199dfdfc405e2d0e66a59a772

memory/2828-10-0x0000000076F60000-0x0000000077109000-memory.dmp

memory/2828-12-0x00000000755AE000-0x00000000755B0000-memory.dmp

memory/2828-11-0x00000000755A0000-0x000000007573D000-memory.dmp

memory/2828-13-0x00000000755A0000-0x000000007573D000-memory.dmp

memory/2828-15-0x00000000755A0000-0x000000007573D000-memory.dmp

memory/2884-16-0x0000000076F60000-0x0000000077109000-memory.dmp

memory/2884-17-0x0000000000400000-0x0000000000453000-memory.dmp

Analysis: behavioral6

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win10-20240404-en

Max time kernel

15s

Max time network

20s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Network

N/A

Files

memory/3804-0-0x0000000000400000-0x000000000045E000-memory.dmp

Analysis: behavioral3

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win10v2004-20240709-en

Max time kernel

26s

Max time network

6s

Command Line

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

Signatures

Suspicious use of SetThreadContext

Description: PID 4448 set thread context of 4948
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: C:\Windows\SysWOW64\more.com

Suspicious behavior: MapViewOfSection

Description: N/A
Indicator: N/A
Process: C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe
Target: N/A

Description: N/A
Indicator: N/A
Process: C:\Windows\SysWOW64\more.com
Target: N/A

Processes

C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe

"C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\Setup.exe"

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\more.com

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 g.bing.com udp
N/A 100.94.171.99:443 g.bing.com tcp
N/A 100.94.171.99:443 g.bing.com tcp
N/A 100.94.171.99:443 g.bing.com tcp
US 8.8.8.8:53 58.220.117.100.in-addr.arpa udp
US 8.8.8.8:53 20.119.114.100.in-addr.arpa udp
US 8.8.8.8:53 99.171.94.100.in-addr.arpa udp

Files

memory/4448-0-0x00000000007F0000-0x000000000084E000-memory.dmp

memory/4448-1-0x00007FFB4A3E0000-0x00007FFB4A852000-memory.dmp

memory/4448-5-0x00007FFB4A3F8000-0x00007FFB4A3F9000-memory.dmp

memory/4448-6-0x00007FFB4A3E0000-0x00007FFB4A852000-memory.dmp

memory/4448-7-0x00007FFB4A3E0000-0x00007FFB4A852000-memory.dmp

memory/4448-9-0x00000000007F0000-0x000000000084E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\44ae66b4

MD5 3a33e65916e10dcea8801f9b1538c775
SHA1 74c11af727f23d9c09ab112fe899994456214ebd
SHA256 fdbcfb33476cf24e7d11d0f478251edb9807825bf636adfe79b1ada713c812cd
SHA512 1a4a6afb307a3a4d2fab5b552dd614c0a676cc501d71a781e7fe7930e75ad27c2fac338da8c8c1ac2721506dcb1892da382024754e9b6145c8c63c40dad97495

memory/4948-11-0x00007FFB4B1F0000-0x00007FFB4B3E5000-memory.dmp

memory/4948-13-0x00000000758DE000-0x00000000758E0000-memory.dmp

memory/4948-12-0x00000000758D0000-0x0000000075D0C000-memory.dmp

memory/4948-14-0x00000000758D0000-0x0000000075D0C000-memory.dmp

memory/4948-16-0x00000000758D0000-0x0000000075D0C000-memory.dmp

memory/3584-17-0x00007FFB4B1F0000-0x00007FFB4B3E5000-memory.dmp

memory/3584-18-0x00000000005A0000-0x00000000005F3000-memory.dmp

Analysis: behavioral5

Detonation Overview

Submitted

2024-07-09 23:05

Reported

2024-07-09 23:06

Platform

win7-20240708-en

Max time kernel

17s

Max time network

18s

Command Line

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Signatures

N/A

Processes

C:\Windows\system32\rundll32.exe

rundll32.exe C:\Users\Admin\AppData\Local\Temp\!ŞetUp_64851--#PaSꞨKḙy#$$\tak_deco_lib.dll,#1

Network

N/A

Files

memory/1884-1-0x0000000001D30000-0x0000000001D8E000-memory.dmp

memory/1884-0-0x0000000001D30000-0x0000000001D8E000-memory.dmp