Malware Analysis Report

2025-04-03 12:17

Sample ID 241109-2qv1gatgkd
Target #Set-Up--8597_P͛aʂS͛w0r𝘿s̩S̈##!.zip
SHA256 c2d1d95b82423901b1533bba4ea554cad396c20f211f093f36e249e23e9fc6fc
Tags
discovery spyware stealer
score
7/10

Analysis Overview

Threat Level: Shows suspicious behavior

The file #Set-Up--8597_P͛aʂS͛w0r𝘿s̩S̈##!.zip was found to be: Shows suspicious behavior.

Malicious Activity Summary

discovery spyware stealer

Executes dropped EXE

Loads dropped DLL

Reads user/profile data of web browsers

Enumerates connected drives

Suspicious use of SetThreadContext

Unsigned PE

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of AdjustPrivilegeToken

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: MapViewOfSection

Suspicious use of SetWindowsHookEx

Suspicious use of FindShellTrayWindow

Analysis: static1

Detonation Overview

Reported

2024-11-09 22:47

Signatures

Unsigned PE


Analysis: behavioral1

Detonation Overview

Submitted

2024-11-09 22:47

Reported

2024-11-09 23:18

Platform

win10v2004-20241007-en

Max time kernel

423s

Max time network

1151s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar"

Signatures

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe N/A

Reads user/profile data of web browsers

spyware stealer

Enumerates connected drives

Description Indicator Process Target
File opened (read-only) \??\F: C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 864 set thread context of 64 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Windows\SysWOW64\choice.exe

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\choice.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\SearchIndexer.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe N/A
N/A N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\choice.exe N/A
N/A N/A C:\Windows\SysWOW64\choice.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe N/A

Suspicious behavior: MapViewOfSection

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe N/A
N/A N/A C:\Windows\SysWOW64\choice.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: SeSecurityPrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 864 wrote to memory of 860 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe
PID 864 wrote to memory of 860 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe
PID 864 wrote to memory of 860 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe
PID 860 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
PID 860 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
PID 860 wrote to memory of 836 N/A C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
PID 860 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
PID 860 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
PID 860 wrote to memory of 4876 N/A C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
PID 864 wrote to memory of 64 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Windows\SysWOW64\choice.exe
PID 864 wrote to memory of 64 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Windows\SysWOW64\choice.exe
PID 864 wrote to memory of 64 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Windows\SysWOW64\choice.exe
PID 864 wrote to memory of 64 N/A C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe C:\Windows\SysWOW64\choice.exe
PID 64 wrote to memory of 2480 N/A C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\SearchIndexer.exe
PID 64 wrote to memory of 2480 N/A C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\SearchIndexer.exe
PID 64 wrote to memory of 2480 N/A C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\SearchIndexer.exe
PID 64 wrote to memory of 2480 N/A C:\Windows\SysWOW64\choice.exe C:\Windows\SysWOW64\SearchIndexer.exe

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar"

C:\Windows\System32\rundll32.exe

C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding

C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe

"C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe"

C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe

C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe

C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe

"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAkzjKkWEJOyESglCXFt1y3NzvXGt31E6uCSsIKlAtYljeMZ7l8KkKeFzTS6LXMwbcG02YaTL3rrxAbtpvrf5AXZejGuKNNf7oxXZVZuyxJxfXnALNjY1P91NLlt6qi6IV7QbRR8gGCjSv88UXP5dTknw7Eh7aGLpmasgsVKaUg1EmyK3FwAe8NPaBvvrzrbNKImWtvFH+mSqguWglZTH3GeDM7SEGPcrpfEYrvaK519kohTQtlKGqeC3pZ3e8swfabunycQjfrTUsil/

C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe

"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAnbjMxNyJNfKEAk9bo91OdenvWMxXVtLIKSnCJsns+m9wMNd7P+lducXABfdS4HEQ2Vm665Hj3wIseqrSrT4tY2JjZNs49LdnYmOhw5Py2Qsfj2pdOE+j/UpfrLA7CES7BxPuOIKGroWzJyN14RblUaEu8mnoCRQiyEgOEJwXf4xI3h1YJZeVCYBAVBA9++mrZGaByku92De5uFx28uXG0h0OHjjmerlRQMCcp1m5w/nDhUF5jnbjmrv6AoF1ohyIbn0oCUBfh2inpS5fV14VQ==

C:\Windows\SysWOW64\choice.exe

C:\Windows\SysWOW64\choice.exe

C:\Windows\SysWOW64\SearchIndexer.exe

C:\Windows\SysWOW64\SearchIndexer.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 241.150.49.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 212.20.149.52.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 99.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 i18nmmstat.ucweb.com udp
US 168.235.203.193:443 i18nmmstat.ucweb.com tcp
US 168.235.203.193:443 i18nmmstat.ucweb.com tcp
US 8.8.8.8:53 styleclinic-beautyicon.shop udp
US 172.67.173.23:443 styleclinic-beautyicon.shop tcp
US 8.8.8.8:53 worddosofrm.shop udp
US 8.8.8.8:53 mutterissuen.shop udp
US 8.8.8.8:53 standartedby.shop udp
US 8.8.8.8:53 nightybinybz.shop udp
US 8.8.8.8:53 conceszustyb.shop udp
US 8.8.8.8:53 bakedstusteeb.shop udp
US 8.8.8.8:53 respectabosiz.shop udp
US 8.8.8.8:53 moutheventushz.shop udp
US 8.8.8.8:53 steamcommunity.com udp
GB 104.82.234.109:443 steamcommunity.com tcp
US 8.8.8.8:53 marshal-zhukov.com udp
US 8.8.8.8:53 23.173.67.172.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 109.234.82.104.in-addr.arpa udp
US 104.21.82.174:443 marshal-zhukov.com tcp
US 8.8.8.8:53 174.82.21.104.in-addr.arpa udp

Files

C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe

MD5 b43b96e4483dce09976dc250f87ecf1a
SHA1 4290076db1e87a46b73e8391186025f1f5b492bb
SHA256 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12
SHA512 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438

memory/864-944-0x0000000000F00000-0x0000000000F01000-memory.dmp

C:\Users\Admin\Desktop\⧈SetUp⚝\pdfium.dll

MD5 8057f67de20331fb5dad3fd9486b01c3
SHA1 067e470192707b8f5eaa757bf4b121c94d505795
SHA256 fcbc591306dc6e4840de82372886428dd2260af4f9b7fe8494510aa1a80761eb
SHA512 68dedc7e5ba8fa16f18ded8ef811a41ecd9441639181b0a6e0854db96c7c0e35abe088c8409f226a42f3beb85139fbf67cd9de1c02325701a7482ac7fb6bd372

C:\Users\Admin\Desktop\⧈SetUp⚝\wmhhsfn

MD5 1dcb5f7d98dfde582cc231c480eba329
SHA1 dc41a04034450908423f4ac8f73cf6389f6dd084
SHA256 c89abb0b00fd5a442b8a147027d3881b348974bf38298f05f0debaebca7fc16e
SHA512 f2482f55ea6601bfe5fa0530fd3bbf2231c1d8e3355fada10bb57cba1ffd1bc8b43618e491d55bd317b6b0a74377b96da411961f53f7f4b28a35cbbca9c193fe

C:\Users\Admin\Desktop\⧈SetUp⚝\yughafo

MD5 ad02ab9b946fb3306a8638ba7c30e0d2
SHA1 6ce8d404243154a9ce3e7b6b87421f3ac5782367
SHA256 a83bc6bf9c243b9ac97593e1c6f15a3ea22ac9225ca7bfa86e92f8ec8649f1bc
SHA512 0b9fcd043a47f89a9126b6e9d815e05c18a6623d439a66e8c9d114030b8e307215c1d51c4d25605480c689d738becf1ac44ff76c0865f629e0e7ea441e2413f3

memory/864-949-0x0000000073B50000-0x0000000073DE1000-memory.dmp

memory/864-950-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

memory/864-955-0x0000000073B50000-0x0000000073DE1000-memory.dmp

C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe

MD5 649215a7c140fa697740693cf915d088
SHA1 035ccb917c7be1ba40ccdad606ca3c67d127251e
SHA256 297bcec264323cd1d6de6286cfa69a572e92552df5a3347856f8bcce8d3e9eb1
SHA512 ec123a7f9af0926956d41bc002546a18b7b8b776fd11332f351eac828ac7ec02497f76351f2f5c026075746156583100287e09010269257dcd00cf70fa5a003c

C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe

MD5 efdbe75dfe959d5eaa84334d4825adc2
SHA1 9c7655a1052c2ce0d2e0b9571885e9c898dcb5cf
SHA256 5ef424188b952c5aef34f508b13cf422d4c22e1476c3330ee3b729082f7116ee
SHA512 4b6ce786ba90635d51e82c4dd7dede3394b5c0f19c394ebc835e182f0d8fd8c898a581b388bb23e348cc0744925b8352bfa3e683d193c5355849c89db9eaea35

memory/864-966-0x0000000000400000-0x0000000000C88000-memory.dmp

memory/864-967-0x0000000000F00000-0x0000000000F01000-memory.dmp

memory/864-968-0x0000000073B50000-0x0000000073DE1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\c042511

MD5 a87ea5c9a3a885ce4bd0bf54e7cb4d0f
SHA1 672a9fdffce98cccb9cc0094c5bd87408dc13c2d
SHA256 fd1eea5204f0a8e155d69868d25929d02024ee20b56bc37d681a5a8152c15838
SHA512 2d3da201e82b38e2ea398634412949bf4f0b77acb3f02b82e5dd8f1561e8e023479f007ab5275112d29278b8c077ce2ac4db267b84373b68b7064677decc5827

memory/64-974-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

memory/64-975-0x0000000073B50000-0x0000000073DE1000-memory.dmp

memory/2480-977-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp

memory/2480-978-0x00000000004A0000-0x00000000004FD000-memory.dmp

memory/2480-981-0x00000000004A0000-0x00000000004FD000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-11-09 22:47

Reported

2024-11-09 23:18

Platform

win10ltsc2021-20241023-en

Max time kernel

1337s

Max time network

1169s

Command Line

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar"

Signatures

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeRestorePrivilege N/A C:\Program Files\7-Zip\7zFM.exe N/A
Token: 35 N/A C:\Program Files\7-Zip\7zFM.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\7-Zip\7zFM.exe N/A

Processes

C:\Program Files\7-Zip\7zFM.exe

"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar"

Network

Country Destination Domain Proto
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 83.210.23.2.in-addr.arpa udp
US 8.8.8.8:53 73.31.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 fd.api.iris.microsoft.com udp
IE 20.223.35.26:443 fd.api.iris.microsoft.com tcp
US 8.8.8.8:53 200.163.202.172.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 107.209.201.84.in-addr.arpa udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp

Files

N/A