035c1959eb274806f26b2e6c29d13152eeacb976560de99a331b4ece1de367b8

General

Target

shfmi.exe
Size

725KB
MD5

a563df5a4a258bd3098ce027290e2e4a
SHA1

e06ae5cc8294258356362ef87d39a788ef4ab22d
SHA256

011d35c0e14b3d590c7adda7921e116c0b23960836c4cb208c40cefbf3c780de
SHA512

6ca422a08e7af24997a8bd4ca8093782dafeb11c68508056b4348607e70457f3a8b6936ef787b051d4af14d95ac55d03d7c13b5bb4e3e4ef443cf9a6a1c65aaf
SSDEEP

12288:vJxbz0t3/scnadOTSLcFpPVWAe/xZzoXGenADr3fE5VkTV9m:vvz0NsuiWS4FP4ZzoHY3s0T

Score

8^/10

persistence upx

Malware Config

Signatures

Blocklisted process makes network request 3 IoCs

Processes:

RUNDLL32.EXE

flow pid process

37 316 RUNDLL32.EXE
72 316 RUNDLL32.EXE
97 316 RUNDLL32.EXE
Executes dropped EXE 2 IoCs

Processes:

e.Exes.exe

pid process

4120 e.Exe
2392 s.exe

flow	pid	process
37	316	RUNDLL32.EXE
72	316	RUNDLL32.EXE
97	316	RUNDLL32.EXE

pid	process
4120	e.Exe
2392	s.exe

UPX packed file 3 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe	upx
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe	upx
behavioral8/memory/2392-141-0x0000000000400000-0x000000000040E000-memory.dmp	upx

Loads dropped DLL 1 IoCs

Processes:

RUNDLL32.EXE

pid process

316 RUNDLL32.EXE

pid	process
316	RUNDLL32.EXE

Adds Run key to start application 2 TTPs 3 IoCs

persistence

Registry Run Keys / Startup Folder

T1060

Modify Registry

T1112

Processes:

shfmi.exee.Exe

description	ioc	process
Key created	\REGISTRY\MACHINE\Software\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce	shfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	shfmi.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\GameInit = "RUNDLL32.EXE C:\\Recycle09102014\\GameUpdate.log,LoaderEntry"	e.Exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

e.Exe

pid process

4120 e.Exe
4120 e.Exe
Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

e.Exe

pid process

4120 e.Exe

pid	process
4120	e.Exe
4120	e.Exe

pid	process
4120	e.Exe

Suspicious use of WriteProcessMemory 9 IoCs

Processes:

shfmi.exee.Exe

description	pid	process	target process
PID 4568 wrote to memory of 4120	4568	shfmi.exe	e.Exe
PID 4568 wrote to memory of 4120	4568	shfmi.exe	e.Exe
PID 4568 wrote to memory of 4120	4568	shfmi.exe	e.Exe
PID 4120 wrote to memory of 316	4120	e.Exe	RUNDLL32.EXE
PID 4120 wrote to memory of 316	4120	e.Exe	RUNDLL32.EXE
PID 4120 wrote to memory of 316	4120	e.Exe	RUNDLL32.EXE
PID 4568 wrote to memory of 2392	4568	shfmi.exe	s.exe
PID 4568 wrote to memory of 2392	4568	shfmi.exe	s.exe
PID 4568 wrote to memory of 2392	4568	shfmi.exe	s.exe

C:\Users\Admin\AppData\Local\Temp\shfmi.exe
"C:\Users\Admin\AppData\Local\Temp\shfmi.exe"
1⤵
- Adds Run key to start application
- Suspicious use of WriteProcessMemory
PID:4568

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e.Exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e.Exe
2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4120

C:\Windows\SysWOW64\RUNDLL32.EXE
RUNDLL32.EXE C:\Recycle09102014\GameUpdate.log,LoaderEntry
3⤵
- Blocklisted process makes network request
- Loads dropped DLL
PID:316

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
2⤵
- Executes dropped EXE
PID:2392

Network

MITRE ATT&CK Matrix ATT&CK v6

Initial Access

Execution

Persistence

Registry Run Keys / Startup Folder

1

T1060

Privilege Escalation

Defense Evasion

Modify Registry

1

T1112

Credential Access

Discovery

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Recycle09102014\GameUpdate.log
Filesize
516KB

MD5
3196bab7bb193f1c9eb991aa62423560

SHA1
d631071a6eee1045bab89f1d379696c3ca754f4b

SHA256
9ca0e171b7d09e3b98c06a46f049deac46970d6d54777ef580384fcdbe139922

SHA512
81e8a356160467a8ad6cf8f4736a3cef78d46a933146d730bd17847bc11e1266c2415276fdf3161fc0a06027bb267c3524c2fb2a9c5959e445fcae7532e68a58

Download Submit
C:\Recycle09102014\GameUpdate.log
Filesize
516KB

MD5
3196bab7bb193f1c9eb991aa62423560

SHA1
d631071a6eee1045bab89f1d379696c3ca754f4b

SHA256
9ca0e171b7d09e3b98c06a46f049deac46970d6d54777ef580384fcdbe139922

SHA512
81e8a356160467a8ad6cf8f4736a3cef78d46a933146d730bd17847bc11e1266c2415276fdf3161fc0a06027bb267c3524c2fb2a9c5959e445fcae7532e68a58

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e.Exe
Filesize
556KB

MD5
027645b6392eaa09c26746b03249862a

SHA1
59ffb967089931fcd6723c11b31fc13219a940b0

SHA256
80473ab6e42dee6466a405f70e854b01c92c1eb10d9da17cf8a0fdca056b26ec

SHA512
370601c2cdbd949b62ba7c51288d3210158d6f22c56142e3d8d67e3742dee86565d8562be9507c8d99abac2fc81da33a93f1d1a07f6acb8bdc540c3577770b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\e.Exe
Filesize
556KB

MD5
027645b6392eaa09c26746b03249862a

SHA1
59ffb967089931fcd6723c11b31fc13219a940b0

SHA256
80473ab6e42dee6466a405f70e854b01c92c1eb10d9da17cf8a0fdca056b26ec

SHA512
370601c2cdbd949b62ba7c51288d3210158d6f22c56142e3d8d67e3742dee86565d8562be9507c8d99abac2fc81da33a93f1d1a07f6acb8bdc540c3577770b5c

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
Filesize
15KB

MD5
89a739f26a9dd2009e4b89f9ab2d510a

SHA1
78b40316177750cb5ed6eaf8fd7053c7ef7032b8

SHA256
8d0ed7798dd4cf5ada7ac0a904483989369535aff48829e5a87cbce6a60b786c

SHA512
528a0c08cfe79529d69d930759d9be2511ababa60fd2e8bc2360e37457d341f7c427a87c7c7166b1b8ed04ec514d629144acea2d875a30e93e6cc95553f3f285

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\s.exe
Filesize
15KB

MD5
89a739f26a9dd2009e4b89f9ab2d510a

SHA1
78b40316177750cb5ed6eaf8fd7053c7ef7032b8

SHA256
8d0ed7798dd4cf5ada7ac0a904483989369535aff48829e5a87cbce6a60b786c

SHA512
528a0c08cfe79529d69d930759d9be2511ababa60fd2e8bc2360e37457d341f7c427a87c7c7166b1b8ed04ec514d629144acea2d875a30e93e6cc95553f3f285

Download Submit
memory/316-135-0x0000000000000000-mapping.dmp

Download
memory/2392-138-0x0000000000000000-mapping.dmp

Download
memory/2392-141-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4120-132-0x0000000000000000-mapping.dmp

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v6

Replay Monitor

Loading Replay Monitor...

Downloads