Analysis
max time kernel: 423s
max time network: 1151s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 09/11/2024, 22:47
Static task: static1
Behavioral task: behavioral1
  Sample: #Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar
  Resource: win10v2004-20241007-en
Behavioral task: behavioral2
  Sample: #Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar
  Resource: win10ltsc2021-20241023-en
General
Target: #Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar
Size: 22.7MB
MD5: 2b2edc5d7171915e541094b849d41cbd
SHA1: 7619adc719ffcdcb88657ca691ce3a7d624a9f71
SHA256: 2ea4e40753e96cb0961c44167a6b656eb79a400b4ae4e5cd94465cef670e9e05
SHA512: cafc628d99a5472fbbe1a0f84d79f42a0eaf3f1ec2e879498b2e823bfc3e08f734e0fe31875c6f646e8004c551d192209f4cdfe5c974a780cf8da14cb8540ceb
SSDEEP: 393216:BxByI/m/kvcrjgXqnCzpN6rhUVPkS3KmrVBDKPtTjJLwCk3NR:9/mv8Xqshv3nMJLwCA
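The target name is an ordinary ASCII string dressed up with lookalike code points (mathematical bold and double-struck capitals, a circumflexed S, a small-capital R), a common lure trick that defeats naive filename blocklists while still reading as "Set-Up ... PaSSwORDS" to the victim. The Python below is an added example for triage, not part of the sandbox report: it reduces a filename to its Unicode compatibility skeleton, lists the non-ASCII letters with their code points, and flags names that become almost entirely ASCII once the decoration is stripped, while leaving genuinely non-Latin names (CJK, Cyrillic) unflagged. The SAMPLE constant reproduces the report's target name with the code points as I read them from the rendered glyphs; that reading is an assumption.

```python
import unicodedata

# Constructed from the report's target filename. The exact code points are my
# reading of the rendered glyphs (mathematical bold U/S, S with circumflex,
# small-capital R, double-struck S) and are therefore an assumption.
SAMPLE = "#Set-\U0001D414p-8597__Pa\U0001D412\u015CwO\u0280DS\U0001D54A!#.rar"


def skeleton(name: str) -> str:
    """Compatibility-decompose (NFKD) and drop combining marks, so styled
    mathematical letters and accented Latin letters collapse to their base
    ASCII letter wherever Unicode defines such a mapping. Characters without a
    decomposition (e.g. small-capital R, CJK ideographs) pass through unchanged."""
    decomposed = unicodedata.normalize("NFKD", name)
    return "".join(ch for ch in decomposed if unicodedata.category(ch) != "Mn")


def non_ascii_letters(name: str) -> list:
    """Every letter outside Basic Latin, with its code point and Unicode name."""
    return [
        (ch, f"U+{ord(ch):04X}", unicodedata.name(ch, "<unnamed>"))
        for ch in name
        if ch.isalpha() and not ch.isascii()
    ]


def is_dressed_up(name: str, ascii_threshold: float = 0.8) -> bool:
    """True when the name contains non-ASCII letters yet is almost entirely
    ASCII after the skeleton step: an ASCII name whose letters were swapped for
    lookalikes. A real Japanese or Cyrillic filename keeps its non-ASCII letters
    through NFKD, stays below the threshold and is not flagged."""
    if not non_ascii_letters(name):
        return False
    sk = skeleton(name)
    ascii_share = sum(ch.isascii() for ch in sk) / len(sk)
    return ascii_share >= ascii_threshold


def report(name: str) -> dict:
    """Triage summary for one filename."""
    return {
        "name": name,
        "skeleton": skeleton(name),
        "odd_letters": non_ascii_letters(name),
        "dressed_up": is_dressed_up(name),
    }


if __name__ == "__main__":
    # "\u5831\u544a\u66f8.pdf" is a constructed benign Japanese name ("report.pdf").
    for candidate in (SAMPLE, "Setup.exe", "\u5831\u544a\u66f8.pdf"):
        r = report(candidate)
        print(f"flagged={r['dressed_up']!s:5} skeleton={r['skeleton']}")
        for ch, cp, nm in r["odd_letters"]:
            print(f"    {ch}  {cp}  {nm}")
```

The skeleton is what to feed into blocklists and YARA/Sigma filename rules; the raw name should still be logged as-is so the exact code points can be pivoted on. The small-capital R survives the skeleton step because Unicode defines no compatibility mapping for it, which is why the rule works on an ASCII share rather than requiring a fully ASCII result.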
Malware Config
Signatures
Executes dropped EXE (4 IoCs)
  pid   Process
  864   Setup.exe
  860   uc-browser-6-12909-1603.exe
  836   stats_uploader.exe
  4876  stats_uploader.exe
Loads dropped DLL (1 IoC)
  pid   Process
  864   Setup.exe
Reads user/profile data of web browsers (3 TTPs)
  Infostealers often target stored browser data, which can include saved credentials and similar secrets.
Enumerates connected drives (3 TTPs, 1 IoC)
  Attempts to read the root path of hard drives other than the default C: drive.
  description              ioc     Process
  File opened (read-only)  \??\F:  uc-browser-6-12909-1603.exe
Suspicious use of SetThreadContext (1 IoC)
  description                       pid  Process    procid_target
  PID 864 set thread context of 64  864  Setup.exe  107
System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim host in order to infer its geographical location.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  stats_uploader.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  choice.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  SearchIndexer.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  Setup.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  uc-browser-6-12909-1603.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  stats_uploader.exe
Suspicious behavior: EnumeratesProcesses (4 IoCs)
  pid  Process
  864  Setup.exe
  864  Setup.exe
  64   choice.exe
  64   choice.exe
Suspicious behavior: GetForegroundWindowSpam (2 IoCs)
  pid   Process
  1564  7zFM.exe
  860   uc-browser-6-12909-1603.exe
Suspicious behavior: MapViewOfSection (2 IoCs)
  pid  Process
  864  Setup.exe
  64   choice.exe
Suspicious use of AdjustPrivilegeToken (3 IoCs)
  description                 pid   Process
  Token: SeRestorePrivilege   1564  7zFM.exe
  Token: 35                   1564  7zFM.exe
  Token: SeSecurityPrivilege  1564  7zFM.exe
Suspicious use of FindShellTrayWindow (2 IoCs)
  pid   Process
  1564  7zFM.exe
  1564  7zFM.exe
Suspicious use of SetWindowsHookEx (1 IoC)
  pid  Process
  864  Setup.exe
Suspicious use of WriteProcessMemory (17 IoCs)
  description                      pid  Process                      procid_target
  PID 864 wrote to memory of 860   864  Setup.exe                    101
  PID 864 wrote to memory of 860   864  Setup.exe                    101
  PID 864 wrote to memory of 860   864  Setup.exe                    101
  PID 860 wrote to memory of 836   860  uc-browser-6-12909-1603.exe  103
  PID 860 wrote to memory of 836   860  uc-browser-6-12909-1603.exe  103
  PID 860 wrote to memory of 836   860  uc-browser-6-12909-1603.exe  103
  PID 860 wrote to memory of 4876  860  uc-browser-6-12909-1603.exe  105
  PID 860 wrote to memory of 4876  860  uc-browser-6-12909-1603.exe  105
  PID 860 wrote to memory of 4876  860  uc-browser-6-12909-1603.exe  105
  PID 864 wrote to memory of 64    864  Setup.exe                    107
  PID 864 wrote to memory of 64    864  Setup.exe                    107
  PID 864 wrote to memory of 64    864  Setup.exe                    107
  PID 864 wrote to memory of 64    864  Setup.exe                    107
  PID 64 wrote to memory of 2480   64   choice.exe                   109
  PID 64 wrote to memory of 2480   64   choice.exe                   109
  PID 64 wrote to memory of 2480   64   choice.exe                   109
  PID 64 wrote to memory of 2480   64   choice.exe                   109
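Read together, the WriteProcessMemory and SetThreadContext rows single out one pair: Setup.exe (PID 864) writes four times into choice.exe (PID 64), a small console utility it spawned from SysWOW64, and then resets that process's thread context; choice.exe in turn shows MapViewOfSection, enumerates processes and writes into a SearchIndexer.exe it launches. That write-then-SetThreadContext sequence on a freshly created child is the signature of process hollowing or thread hijacking, whereas a parent writing into a new child on its own is routine during process creation and not worth an alert. The Python below is an added example, not part of the report: it parses the report's own flattened IoC rows (copied verbatim into the two string constants), aggregates cross-process events per (source, target) pair, and flags only the pairs that combine memory writes with a thread-context change. The column the page labels procid_target is carried through unchanged; its meaning is not stated on the page and is not interpreted here.

```python
import re
from collections import defaultdict

# Rows copied from this report's "Suspicious use of WriteProcessMemory" and
# "Suspicious use of SetThreadContext" signatures, in the page's flattened
# "description pid Process procid_target" form.
WRITE_ROWS = """
PID 864 wrote to memory of 860 864 Setup.exe 101
PID 864 wrote to memory of 860 864 Setup.exe 101
PID 864 wrote to memory of 860 864 Setup.exe 101
PID 860 wrote to memory of 836 860 uc-browser-6-12909-1603.exe 103
PID 860 wrote to memory of 836 860 uc-browser-6-12909-1603.exe 103
PID 860 wrote to memory of 836 860 uc-browser-6-12909-1603.exe 103
PID 860 wrote to memory of 4876 860 uc-browser-6-12909-1603.exe 105
PID 860 wrote to memory of 4876 860 uc-browser-6-12909-1603.exe 105
PID 860 wrote to memory of 4876 860 uc-browser-6-12909-1603.exe 105
PID 864 wrote to memory of 64 864 Setup.exe 107
PID 864 wrote to memory of 64 864 Setup.exe 107
PID 864 wrote to memory of 64 864 Setup.exe 107
PID 864 wrote to memory of 64 864 Setup.exe 107
PID 64 wrote to memory of 2480 64 choice.exe 109
PID 64 wrote to memory of 2480 64 choice.exe 109
PID 64 wrote to memory of 2480 64 choice.exe 109
PID 64 wrote to memory of 2480 64 choice.exe 109
"""

CONTEXT_ROWS = """
PID 864 set thread context of 64 864 Setup.exe 107
"""

# description = "PID <src> <action> <dst>", then pid (must equal src), image, procid_target
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+) (?P=src) (?P<image>\S+) (?P<target_row>\d+)$"
)


def parse_rows(text: str) -> list:
    """Turn the flattened rows into (src_pid, action, dst_pid, image) tuples.
    A row that does not match is an error rather than silently dropped, so a
    changed report layout cannot quietly hide an event."""
    events = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            raise ValueError(f"unparsed row: {line!r}")
        events.append((int(m["src"]), m["action"], int(m["dst"]), m["image"]))
    return events


def cross_process_edges(events: list) -> dict:
    """Aggregate per (src_pid, dst_pid): source image, write count, context-change count."""
    edges = defaultdict(lambda: {"image": None, "writes": 0, "context": 0})
    for src, action, dst, image in events:
        edge = edges[(src, dst)]
        edge["image"] = image
        if action.startswith("wrote"):
            edge["writes"] += 1
        else:
            edge["context"] += 1
    return dict(edges)


def injection_candidates(edges: dict) -> list:
    """Pairs where the source both wrote into the target and reset its thread
    context. Writes alone are not flagged: a parent routinely touches a new
    child's memory during process creation, as the 860 -> 836/4876 rows show."""
    return sorted(
        (src, dst, edge["image"], edge["writes"])
        for (src, dst), edge in edges.items()
        if edge["writes"] and edge["context"]
    )


if __name__ == "__main__":
    edges = cross_process_edges(parse_rows(WRITE_ROWS) + parse_rows(CONTEXT_ROWS))
    for (src, dst), edge in sorted(edges.items()):
        print(f"{src:>5} -> {dst:<5} {edge['image']:<28} writes={edge['writes']} context={edge['context']}")
    print("injection candidates:", injection_candidates(edges))
```

On a live host the same logic applies to Sysmon Event ID 8 (CreateRemoteThread) and 10 (ProcessAccess with write/set-context rights) joined on source and target PIDs; the report rows stand in for those events here. The choice.exe to SearchIndexer.exe writes are left unflagged by this rule because no SetThreadContext row exists for that pair, which is exactly the kind of gap an analyst should then check by hand.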
Processes
C:\Program Files\7-Zip\7zFM.exe  (PID 1564)
  Command line: "C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar"
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow

C:\Windows\System32\rundll32.exe  (PID 3368)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe  (PID 864)
  Command line: "C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe"
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe  (PID 860, child of 864)
      Command line: C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe
      - Executes dropped EXE
      - Enumerates connected drives
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of WriteProcessMemory
        C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe  (PID 836, child of 860)
          Command line: "C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAkzjKkWEJOyESglCXFt1y3NzvXGt31E6uCSsIKlAtYljeMZ7l8KkKeFzTS6LXMwbcG02YaTL3rrxAbtpvrf5AXZejGuKNNf7oxXZVZuyxJxfXnALNjY1P91NLlt6qi6IV7QbRR8gGCjSv88UXP5dTknw7Eh7aGLpmasgsVKaUg1EmyK3FwAe8NPaBvvrzrbNKImWtvFH+mSqguWglZTH3GeDM7SEGPcrpfEYrvaK519kohTQtlKGqeC3pZ3e8swfabunycQjfrTUsil/
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
        C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe  (PID 4876, child of 860)
          Command line: "C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAnbjMxNyJNfKEAk9bo91OdenvWMxXVtLIKSnCJsns+m9wMNd7P+lducXABfdS4HEQ2Vm665Hj3wIseqrSrT4tY2JjZNs49LdnYmOhw5Py2Qsfj2pdOE+j/UpfrLA7CES7BxPuOIKGroWzJyN14RblUaEu8mnoCRQiyEgOEJwXf4xI3h1YJZeVCYBAVBA9++mrZGaByku92De5uFx28uXG0h0OHjjmerlRQMCcp1m5w/nDhUF5jnbjmrv6AoF1ohyIbn0oCUBfh2inpS5fV14VQ==
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\choice.exe  (PID 64, child of 864)
      Command line: C:\Windows\SysWOW64\choice.exe
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious behavior: MapViewOfSection
      - Suspicious use of WriteProcessMemory
        C:\Windows\SysWOW64\SearchIndexer.exe  (PID 2480, child of 64)
          Command line: C:\Windows\SysWOW64\SearchIndexer.exe
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Credential Access
  Credentials from Password Stores (1)
    Credentials from Web Browsers (1)
  Unsecured Credentials (1)
    Credentials In Files (1)
Downloads
Filesize: 2.3MB
MD5: a87ea5c9a3a885ce4bd0bf54e7cb4d0f
SHA1: 672a9fdffce98cccb9cc0094c5bd87408dc13c2d
SHA256: fd1eea5204f0a8e155d69868d25929d02024ee20b56bc37d681a5a8152c15838
SHA512: 2d3da201e82b38e2ea398634412949bf4f0b77acb3f02b82e5dd8f1561e8e023479f007ab5275112d29278b8c077ce2ac4db267b84373b68b7064677decc5827

Filesize: 338KB
MD5: efdbe75dfe959d5eaa84334d4825adc2
SHA1: 9c7655a1052c2ce0d2e0b9571885e9c898dcb5cf
SHA256: 5ef424188b952c5aef34f508b13cf422d4c22e1476c3330ee3b729082f7116ee
SHA512: 4b6ce786ba90635d51e82c4dd7dede3394b5c0f19c394ebc835e182f0d8fd8c898a581b388bb23e348cc0744925b8352bfa3e683d193c5355849c89db9eaea35

Filesize: 1.3MB
MD5: 649215a7c140fa697740693cf915d088
SHA1: 035ccb917c7be1ba40ccdad606ca3c67d127251e
SHA256: 297bcec264323cd1d6de6286cfa69a572e92552df5a3347856f8bcce8d3e9eb1
SHA512: ec123a7f9af0926956d41bc002546a18b7b8b776fd11332f351eac828ac7ec02497f76351f2f5c026075746156583100287e09010269257dcd00cf70fa5a003c

Filesize: 8.3MB
MD5: b43b96e4483dce09976dc250f87ecf1a
SHA1: 4290076db1e87a46b73e8391186025f1f5b492bb
SHA256: 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12
SHA512: 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438

Filesize: 4.3MB
MD5: 8057f67de20331fb5dad3fd9486b01c3
SHA1: 067e470192707b8f5eaa757bf4b121c94d505795
SHA256: fcbc591306dc6e4840de82372886428dd2260af4f9b7fe8494510aa1a80761eb
SHA512: 68dedc7e5ba8fa16f18ded8ef811a41ecd9441639181b0a6e0854db96c7c0e35abe088c8409f226a42f3beb85139fbf67cd9de1c02325701a7482ac7fb6bd372

Filesize: 9KB
MD5: 1dcb5f7d98dfde582cc231c480eba329
SHA1: dc41a04034450908423f4ac8f73cf6389f6dd084
SHA256: c89abb0b00fd5a442b8a147027d3881b348974bf38298f05f0debaebca7fc16e
SHA512: f2482f55ea6601bfe5fa0530fd3bbf2231c1d8e3355fada10bb57cba1ffd1bc8b43618e491d55bd317b6b0a74377b96da411961f53f7f4b28a35cbbca9c193fe

Filesize: 1.7MB
MD5: ad02ab9b946fb3306a8638ba7c30e0d2
SHA1: 6ce8d404243154a9ce3e7b6b87421f3ac5782367
SHA256: a83bc6bf9c243b9ac97593e1c6f15a3ea22ac9225ca7bfa86e92f8ec8649f1bc
SHA512: 0b9fcd043a47f89a9126b6e9d815e05c18a6623d439a66e8c9d114030b8e307215c1d51c4d25605480c689d738becf1ac44ff76c0865f629e0e7ea441e2413f3