Analysis Overview
SHA256
c2d1d95b82423901b1533bba4ea554cad396c20f211f093f36e249e23e9fc6fc
Threat Level: Shows suspicious behavior
The file #Set-Up--8597_P͛aʂS͛w0r𝘿s̩S̈##!.zip was classified as: Shows suspicious behavior.
Malicious Activity Summary
Executes dropped EXE
Loads dropped DLL
Reads user/profile data of web browsers
Enumerates connected drives
Suspicious use of SetThreadContext
Unsigned PE
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of SetWindowsHookEx
Suspicious use of FindShellTrayWindow
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-11-09 22:47
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-11-09 22:47
Reported
2024-11-09 23:18
Platform
win10v2004-20241007-en
Max time kernel
423s
Max time network
1151s
Command Line
Signatures
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | N/A |
Reads user/profile data of web browsers
Enumerates connected drives
| Description | Indicator | Process | Target |
| File opened (read-only) | \??\F: | C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 864 set thread context of 64 | N/A | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | C:\Windows\SysWOW64\choice.exe |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\choice.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\SearchIndexer.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe | N/A |
Suspicious behavior: EnumeratesProcesses
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | N/A |
| N/A | N/A | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\choice.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\choice.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe | N/A |
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\choice.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar"
C:\Windows\System32\rundll32.exe
C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe
"C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe"
C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe
C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAkzjKkWEJOyESglCXFt1y3NzvXGt31E6uCSsIKlAtYljeMZ7l8KkKeFzTS6LXMwbcG02YaTL3rrxAbtpvrf5AXZejGuKNNf7oxXZVZuyxJxfXnALNjY1P91NLlt6qi6IV7QbRR8gGCjSv88UXP5dTknw7Eh7aGLpmasgsVKaUg1EmyK3FwAe8NPaBvvrzrbNKImWtvFH+mSqguWglZTH3GeDM7SEGPcrpfEYrvaK519kohTQtlKGqeC3pZ3e8swfabunycQjfrTUsil/
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
"C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe" --normal-stats1=https://i18nmmstat.ucweb.com/lv=1.0&encrypt_data=bTkwAnbjMxNyJNfKEAk9bo91OdenvWMxXVtLIKSnCJsns+m9wMNd7P+lducXABfdS4HEQ2Vm665Hj3wIseqrSrT4tY2JjZNs49LdnYmOhw5Py2Qsfj2pdOE+j/UpfrLA7CES7BxPuOIKGroWzJyN14RblUaEu8mnoCRQiyEgOEJwXf4xI3h1YJZeVCYBAVBA9++mrZGaByku92De5uFx28uXG0h0OHjjmerlRQMCcp1m5w/nDhUF5jnbjmrv6AoF1ohyIbn0oCUBfh2inpS5fV14VQ==
C:\Windows\SysWOW64\choice.exe
C:\Windows\SysWOW64\choice.exe
C:\Windows\SysWOW64\SearchIndexer.exe
C:\Windows\SysWOW64\SearchIndexer.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 241.150.49.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 15.164.165.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 99.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | i18nmmstat.ucweb.com | udp |
| US | 168.235.203.193:443 | i18nmmstat.ucweb.com | tcp |
| US | 168.235.203.193:443 | i18nmmstat.ucweb.com | tcp |
| US | 8.8.8.8:53 | styleclinic-beautyicon.shop | udp |
| US | 172.67.173.23:443 | styleclinic-beautyicon.shop | tcp |
| US | 8.8.8.8:53 | worddosofrm.shop | udp |
| US | 8.8.8.8:53 | mutterissuen.shop | udp |
| US | 8.8.8.8:53 | standartedby.shop | udp |
| US | 8.8.8.8:53 | nightybinybz.shop | udp |
| US | 8.8.8.8:53 | conceszustyb.shop | udp |
| US | 8.8.8.8:53 | bakedstusteeb.shop | udp |
| US | 8.8.8.8:53 | respectabosiz.shop | udp |
| US | 8.8.8.8:53 | moutheventushz.shop | udp |
| US | 8.8.8.8:53 | steamcommunity.com | udp |
| GB | 104.82.234.109:443 | steamcommunity.com | tcp |
| US | 8.8.8.8:53 | marshal-zhukov.com | udp |
| US | 8.8.8.8:53 | 23.173.67.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 109.234.82.104.in-addr.arpa | udp |
| US | 104.21.82.174:443 | marshal-zhukov.com | tcp |
| US | 8.8.8.8:53 | 174.82.21.104.in-addr.arpa | udp |
Files
C:\Users\Admin\Desktop\⧈SetUp⚝\Setup.exe
| MD5 | b43b96e4483dce09976dc250f87ecf1a |
| SHA1 | 4290076db1e87a46b73e8391186025f1f5b492bb |
| SHA256 | 5eaf95ad5163607ea220e439f13e58ae1bd9b408d94e06d5d721e8daca911c12 |
| SHA512 | 383b723d2d547f775a661bf6990e834b0233849822c7cbc3f0aaf0f276b1c05b0f7bde754dae3da133f7a8aae669b31547889495e5370a6617c09a2a3b61c438 |
memory/864-944-0x0000000000F00000-0x0000000000F01000-memory.dmp
C:\Users\Admin\Desktop\⧈SetUp⚝\pdfium.dll
| MD5 | 8057f67de20331fb5dad3fd9486b01c3 |
| SHA1 | 067e470192707b8f5eaa757bf4b121c94d505795 |
| SHA256 | fcbc591306dc6e4840de82372886428dd2260af4f9b7fe8494510aa1a80761eb |
| SHA512 | 68dedc7e5ba8fa16f18ded8ef811a41ecd9441639181b0a6e0854db96c7c0e35abe088c8409f226a42f3beb85139fbf67cd9de1c02325701a7482ac7fb6bd372 |
C:\Users\Admin\Desktop\⧈SetUp⚝\wmhhsfn
| MD5 | 1dcb5f7d98dfde582cc231c480eba329 |
| SHA1 | dc41a04034450908423f4ac8f73cf6389f6dd084 |
| SHA256 | c89abb0b00fd5a442b8a147027d3881b348974bf38298f05f0debaebca7fc16e |
| SHA512 | f2482f55ea6601bfe5fa0530fd3bbf2231c1d8e3355fada10bb57cba1ffd1bc8b43618e491d55bd317b6b0a74377b96da411961f53f7f4b28a35cbbca9c193fe |
C:\Users\Admin\Desktop\⧈SetUp⚝\yughafo
| MD5 | ad02ab9b946fb3306a8638ba7c30e0d2 |
| SHA1 | 6ce8d404243154a9ce3e7b6b87421f3ac5782367 |
| SHA256 | a83bc6bf9c243b9ac97593e1c6f15a3ea22ac9225ca7bfa86e92f8ec8649f1bc |
| SHA512 | 0b9fcd043a47f89a9126b6e9d815e05c18a6623d439a66e8c9d114030b8e307215c1d51c4d25605480c689d738becf1ac44ff76c0865f629e0e7ea441e2413f3 |
memory/864-949-0x0000000073B50000-0x0000000073DE1000-memory.dmp
memory/864-950-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp
memory/864-955-0x0000000073B50000-0x0000000073DE1000-memory.dmp
C:\Users\Admin\AppData\Roaming\EHC\JKGQVNOYTRRLYCR\uc-browser-6-12909-1603.exe
| MD5 | 649215a7c140fa697740693cf915d088 |
| SHA1 | 035ccb917c7be1ba40ccdad606ca3c67d127251e |
| SHA256 | 297bcec264323cd1d6de6286cfa69a572e92552df5a3347856f8bcce8d3e9eb1 |
| SHA512 | ec123a7f9af0926956d41bc002546a18b7b8b776fd11332f351eac828ac7ec02497f76351f2f5c026075746156583100287e09010269257dcd00cf70fa5a003c |
C:\Users\Admin\AppData\Local\UCBrowser\Online_Downloader\stats_uploader.exe
| MD5 | efdbe75dfe959d5eaa84334d4825adc2 |
| SHA1 | 9c7655a1052c2ce0d2e0b9571885e9c898dcb5cf |
| SHA256 | 5ef424188b952c5aef34f508b13cf422d4c22e1476c3330ee3b729082f7116ee |
| SHA512 | 4b6ce786ba90635d51e82c4dd7dede3394b5c0f19c394ebc835e182f0d8fd8c898a581b388bb23e348cc0744925b8352bfa3e683d193c5355849c89db9eaea35 |
memory/864-966-0x0000000000400000-0x0000000000C88000-memory.dmp
memory/864-967-0x0000000000F00000-0x0000000000F01000-memory.dmp
memory/864-968-0x0000000073B50000-0x0000000073DE1000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\c042511
| MD5 | a87ea5c9a3a885ce4bd0bf54e7cb4d0f |
| SHA1 | 672a9fdffce98cccb9cc0094c5bd87408dc13c2d |
| SHA256 | fd1eea5204f0a8e155d69868d25929d02024ee20b56bc37d681a5a8152c15838 |
| SHA512 | 2d3da201e82b38e2ea398634412949bf4f0b77acb3f02b82e5dd8f1561e8e023479f007ab5275112d29278b8c077ce2ac4db267b84373b68b7064677decc5827 |
memory/64-974-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp
memory/64-975-0x0000000073B50000-0x0000000073DE1000-memory.dmp
memory/2480-977-0x00007FFF14FD0000-0x00007FFF151C5000-memory.dmp
memory/2480-978-0x00000000004A0000-0x00000000004FD000-memory.dmp
memory/2480-981-0x00000000004A0000-0x00000000004FD000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-11-09 22:47
Reported
2024-11-09 23:18
Platform
win10ltsc2021-20241023-en
Max time kernel
1337s
Max time network
1169s
Command Line
Signatures
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeRestorePrivilege | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
| Token: 35 | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Program Files\7-Zip\7zFM.exe | N/A |
Processes
C:\Program Files\7-Zip\7zFM.exe
"C:\Program Files\7-Zip\7zFM.exe" "C:\Users\Admin\AppData\Local\Temp\#Set-𝐔p-8597__Pa𝐒ŜwOʀDS𝕊!#.rar"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 73.31.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | fd.api.iris.microsoft.com | udp |
| IE | 20.223.35.26:443 | fd.api.iris.microsoft.com | tcp |
| US | 8.8.8.8:53 | 200.163.202.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 107.209.201.84.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |