Analysis
- max time kernel: 176s
- max time network: 187s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 19:12
Behavioral tasks
- behavioral1: Sample madCHook.dll, Resource win7-20221111-en
- behavioral2: Sample madCHook.dll, Resource win10v2004-20221111-en
- behavioral3: Sample setup_C.cmd, Resource win7-20221111-en
- behavioral4: Sample setup_C.cmd, Resource win10v2004-20220901-en
- behavioral5: Sample setup_D.cmd, Resource win7-20220901-en
- behavioral6: Sample setup_D.cmd, Resource win10v2004-20220812-en
- behavioral7: Sample shfmi.exe, Resource win7-20221111-en
- behavioral8: Sample shfmi.exe, Resource win10v2004-20221111-en
- behavioral9: Sample shfres.dll, Resource win7-20221111-en
- behavioral10: Sample shfres.dll, Resource win10v2004-20221111-en
General
- Target: shfres.dll
- Size: 14KB
- MD5: e341e3babd8c1aa0f9afd2f1dfda88b3
- SHA1: 8d5668854322b4b323ef8cf36cfdc1d2cfca1dfa
- SHA256: fc9fd53ee4896414b3d8ce1b59d4764dbabde014bc37ef0364f292c69189ccf8
- SHA512: e3012c4862dd8a87653ee84cb7ebac922f3540c35e3192a4621f4f436d4635ccafed49ddfe289364096ff9ab9d7c2c206c495ee5675e84d82c5d77235eae0994
- SSDEEP: 192:/n7sMpNoeVVhzNQXFiG+RhEekYlxeLBiqq2mJbixmBGnziiBMv3p6pajojEFk2XD:4MpaeBzNekG+RlS9c2mJbigbB2anLX
Malware Config
Signatures
- Yara rule match
  Processes:
    resource: behavioral10/memory/4700-133-0x0000000010000000-0x000000001000E000-memory.dmp
    yara_rule: upx
- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes:
    pid   process
    4700  rundll32.exe
    4700  rundll32.exe
    4700  rundll32.exe
    4700  rundll32.exe
- Suspicious use of AdjustPrivilegeToken (19 IoCs)
  Processes:
    description                            pid   process
    Token: SeIncreaseQuotaPrivilege        4700  rundll32.exe
    Token: SeSecurityPrivilege             4700  rundll32.exe
    Token: SeTakeOwnershipPrivilege        4700  rundll32.exe
    Token: SeLoadDriverPrivilege           4700  rundll32.exe
    Token: SeSystemProfilePrivilege        4700  rundll32.exe
    Token: SeSystemtimePrivilege           4700  rundll32.exe
    Token: SeProfSingleProcessPrivilege    4700  rundll32.exe
    Token: SeIncBasePriorityPrivilege      4700  rundll32.exe
    Token: SeCreatePagefilePrivilege       4700  rundll32.exe
    Token: SeShutdownPrivilege             4700  rundll32.exe
    Token: SeDebugPrivilege                4700  rundll32.exe
    Token: SeSystemEnvironmentPrivilege    4700  rundll32.exe
    Token: SeRemoteShutdownPrivilege       4700  rundll32.exe
    Token: SeUndockPrivilege               4700  rundll32.exe
    Token: SeManageVolumePrivilege         4700  rundll32.exe
    Token: 33                              4700  rundll32.exe
    Token: 34                              4700  rundll32.exe
    Token: 35                              4700  rundll32.exe
    Token: 36                              4700  rundll32.exe
- Suspicious use of WriteProcessMemory (3 IoCs)
  Processes:
    description                      pid   process       target process
    PID 1288 wrote to memory of 4700 1288  rundll32.exe  rundll32.exe
    PID 1288 wrote to memory of 4700 1288  rundll32.exe  rundll32.exe
    PID 1288 wrote to memory of 4700 1288  rundll32.exe  rundll32.exe
Processes
- C:\Windows\system32\rundll32.exe (PID 1288)
  Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\shfres.dll,#1
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\rundll32.exe (PID 4700), child of PID 1288
    Command line: rundll32.exe C:\Users\Admin\AppData\Local\Temp\shfres.dll,#1
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken