Analysis
- max time kernel: 171s
- max time network: 189s
- platform: windows10-2004_x64
- resource: win10v2004-20221111-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20221111-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 23-11-2022 19:12
Behavioral tasks
- behavioral1: sample madCHook.dll, resource win7-20221111-en
- behavioral2: sample madCHook.dll, resource win10v2004-20221111-en
- behavioral3: sample setup_C.cmd, resource win7-20221111-en
- behavioral4: sample setup_C.cmd, resource win10v2004-20220901-en
- behavioral5: sample setup_D.cmd, resource win7-20220901-en
- behavioral6: sample setup_D.cmd, resource win10v2004-20220812-en
- behavioral7: sample shfmi.exe, resource win7-20221111-en
- behavioral8: sample shfmi.exe, resource win10v2004-20221111-en
- behavioral9: sample shfres.dll, resource win7-20221111-en
- behavioral10: sample shfres.dll, resource win10v2004-20221111-en
General
- Target: shfmi.exe
- Size: 725KB
- MD5: a563df5a4a258bd3098ce027290e2e4a
- SHA1: e06ae5cc8294258356362ef87d39a788ef4ab22d
- SHA256: 011d35c0e14b3d590c7adda7921e116c0b23960836c4cb208c40cefbf3c780de
- SHA512: 6ca422a08e7af24997a8bd4ca8093782dafeb11c68508056b4348607e70457f3a8b6936ef787b051d4af14d95ac55d03d7c13b5bb4e3e4ef443cf9a6a1c65aaf
- SSDEEP: 12288:vJxbz0t3/scnadOTSLcFpPVWAe/xZzoXGenADr3fE5VkTV9m:vvz0NsuiWS4FP4ZzoHY3s0T
Malware Config
Signatures
- Blocklisted process makes network request (3 IoCs)
  Processes (flow, pid, process):
  37, 316, RUNDLL32.EXE
  72, 316, RUNDLL32.EXE
  97, 316, RUNDLL32.EXE
- Executes dropped EXE (2 IoCs)
  Processes (pid, process):
  4120, e.Exe
  2392, s.exe
- Processes (resource, yara_rule):
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe, upx
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe, upx
  behavioral8/memory/2392-141-0x0000000000400000-0x000000000040E000-memory.dmp, upx
- Loads dropped DLL (1 IoCs)
  Processes (pid, process):
  316, RUNDLL32.EXE
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes (description, ioc, process):
  Key created, \REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce, shfmi.exe
  Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"", shfmi.exe
  Set value (str), \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GameInit = "RUNDLL32.EXE C:\\Recycle09102014\\GameUpdate.log,LoaderEntry", e.Exe
- Suspicious behavior: EnumeratesProcesses (2 IoCs)
  Processes (pid, process):
  4120, e.Exe
  4120, e.Exe
- Suspicious use of SetWindowsHookEx (1 IoCs)
  Processes (pid, process):
  4120, e.Exe
- Suspicious use of WriteProcessMemory (9 IoCs)
  Processes (description, pid, process, target process):
  PID 4568 wrote to memory of 4120, 4568, shfmi.exe, e.Exe
  PID 4568 wrote to memory of 4120, 4568, shfmi.exe, e.Exe
  PID 4568 wrote to memory of 4120, 4568, shfmi.exe, e.Exe
  PID 4120 wrote to memory of 316, 4120, e.Exe, RUNDLL32.EXE
  PID 4120 wrote to memory of 316, 4120, e.Exe, RUNDLL32.EXE
  PID 4120 wrote to memory of 316, 4120, e.Exe, RUNDLL32.EXE
  PID 4568 wrote to memory of 2392, 4568, shfmi.exe, s.exe
  PID 4568 wrote to memory of 2392, 4568, shfmi.exe, s.exe
  PID 4568 wrote to memory of 2392, 4568, shfmi.exe, s.exe
Processes (process tree; depth in parentheses)
- C:\Users\Admin\AppData\Local\Temp\shfmi.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\shfmi.exe"
  - Adds Run key to start application
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e.Exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e.Exe
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\RUNDLL32.EXE (depth 3)
      Command line: RUNDLL32.EXE C:\Recycle09102014\GameUpdate.log,LoaderEntry
      - Blocklisted process makes network request
      - Loads dropped DLL
  - C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
    - Executes dropped EXE
Network
MITRE ATT&CK Matrix (ATT&CK v6)
Downloads
- C:\Recycle09102014\GameUpdate.log
  Filesize: 516KB
  MD5: 3196bab7bb193f1c9eb991aa62423560
  SHA1: d631071a6eee1045bab89f1d379696c3ca754f4b
  SHA256: 9ca0e171b7d09e3b98c06a46f049deac46970d6d54777ef580384fcdbe139922
  SHA512: 81e8a356160467a8ad6cf8f4736a3cef78d46a933146d730bd17847bc11e1266c2415276fdf3161fc0a06027bb267c3524c2fb2a9c5959e445fcae7532e68a58
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e.Exe
  Filesize: 556KB
  MD5: 027645b6392eaa09c26746b03249862a
  SHA1: 59ffb967089931fcd6723c11b31fc13219a940b0
  SHA256: 80473ab6e42dee6466a405f70e854b01c92c1eb10d9da17cf8a0fdca056b26ec
  SHA512: 370601c2cdbd949b62ba7c51288d3210158d6f22c56142e3d8d67e3742dee86565d8562be9507c8d99abac2fc81da33a93f1d1a07f6acb8bdc540c3577770b5c
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
  Filesize: 15KB
  MD5: 89a739f26a9dd2009e4b89f9ab2d510a
  SHA1: 78b40316177750cb5ed6eaf8fd7053c7ef7032b8
  SHA256: 8d0ed7798dd4cf5ada7ac0a904483989369535aff48829e5a87cbce6a60b786c
  SHA512: 528a0c08cfe79529d69d930759d9be2511ababa60fd2e8bc2360e37457d341f7c427a87c7c7166b1b8ed04ec514d629144acea2d875a30e93e6cc95553f3f285
- memory/316-135-0x0000000000000000-mapping.dmp
- memory/2392-138-0x0000000000000000-mapping.dmp
- memory/2392-141-0x0000000000400000-0x000000000040E000-memory.dmp
  Filesize: 56KB
- memory/4120-132-0x0000000000000000-mapping.dmp