d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac

General

Target

shedor2.2.exe
Size

337KB
MD5

2f536c946929c16c71d83f6e7dda1747
SHA1

b178d72a97b8e4a43c3173465d8b6f16a6862309
SHA256

d548bfcde55e09b8314b273b6fc1eff79563961b965cb83a763f4bb1b6c424ac
SHA512

22656d8136209c119b73d594e272acb708181037085c9e79e1e7d194ec87ef48b5da49c7c82ec5def50091a2be585ef8456ae68fe4f36b9fc16ab5e01154787c
SSDEEP

6144:mYa6mXMM4+mYDTuMjVFSMPVPwLzD92yVx+8bGKEAS/KdgCqE4bxMtJY:mYor4iDTuMjVFSMNIX4yVx+d5xCEbxM8

Score

8^/10

Malware Config

Signatures

Executes dropped EXE 2 IoCs

pid	Process
1492	pkjuxkgcq.exe
3812	pkjuxkgcq.exe

Reads data files stored by FTP clients 2 TTPs
Tries to access configuration files associated with programs like FileZilla.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of local email clients 2 TTPs
Email clients store some user data on disk where infostealers will often target it.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials in Files
T1081

Accesses Microsoft Outlook profiles 1 TTPs 3 IoCs

collection

Email Collection

T1114

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pkjuxkgcq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pkjuxkgcq.exe
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\15.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pkjuxkgcq.exe

Looks up external IP address via web service 2 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
18	api.ipify.org
19	api.ipify.org

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 1492 set thread context of 3812	1492	pkjuxkgcq.exe	78

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s). Likely ransomware behaviour.

System Information Discovery
T1082

Suspicious behavior: MapViewOfSection 1 IoCs

pid	Process
1492	pkjuxkgcq.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeDebugPrivilege	3812	pkjuxkgcq.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
3812	pkjuxkgcq.exe

Suspicious use of WriteProcessMemory 7 IoCs

description	pid	Process	procid_target
PID 2136 wrote to memory of 1492	2136	shedor2.2.exe	77
PID 2136 wrote to memory of 1492	2136	shedor2.2.exe	77
PID 2136 wrote to memory of 1492	2136	shedor2.2.exe	77
PID 1492 wrote to memory of 3812	1492	pkjuxkgcq.exe	78
PID 1492 wrote to memory of 3812	1492	pkjuxkgcq.exe	78
PID 1492 wrote to memory of 3812	1492	pkjuxkgcq.exe	78
PID 1492 wrote to memory of 3812	1492	pkjuxkgcq.exe	78

outlook_office_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Office\16.0\Outlook\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pkjuxkgcq.exe

outlook_win_path 1 IoCs

description	ioc	Process
Key opened	\REGISTRY\USER\S-1-5-21-2629973501-4017243118-3254762364-1000\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\Outlook\9375CFF0413111d3B88A00104B2A6676	pkjuxkgcq.exe

C:\Users\Admin\AppData\Local\Temp\shedor2.2.exe
"C:\Users\Admin\AppData\Local\Temp\shedor2.2.exe"
1⤵
- Suspicious use of WriteProcessMemory
PID:2136
- C:\Users\Admin\AppData\Local\Temp\pkjuxkgcq.exe
  "C:\Users\Admin\AppData\Local\Temp\pkjuxkgcq.exe" C:\Users\Admin\AppData\Local\Temp\rrauniuc.z
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - Suspicious behavior: MapViewOfSection
  - Suspicious use of WriteProcessMemory
  PID:1492
- - C:\Users\Admin\AppData\Local\Temp\pkjuxkgcq.exe
    "C:\Users\Admin\AppData\Local\Temp\pkjuxkgcq.exe"
    3⤵
    - Executes dropped EXE
    - Accesses Microsoft Outlook profiles
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - outlook_office_path
    - outlook_win_path
    PID:3812

Network

MITRE ATT&CK Enterprise v6

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Credentials in Files

3

T1081

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Data from Local System

Email Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\pkjuxkgcq.exe

Filesize
52KB

MD5
a741aca2374667f557a1cbcfbf5a4ea5

SHA1
d962577799ff096cf4a5fc4ecaf2bec58c4bcf34

SHA256
1afd8c279df2730e75f5c785a2f55802364f2ec099c7d462e125a4558ae7ee68

SHA512
5dfa8466f1d4e1421891464d321c9de55ef31fc30962a40e68e9cccc58270902b726eef3a7e000a2ab7442100ed3c863894f88db6eaef3a4cec6bd32f9495d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkjuxkgcq.exe

Filesize
52KB

MD5
a741aca2374667f557a1cbcfbf5a4ea5

SHA1
d962577799ff096cf4a5fc4ecaf2bec58c4bcf34

SHA256
1afd8c279df2730e75f5c785a2f55802364f2ec099c7d462e125a4558ae7ee68

SHA512
5dfa8466f1d4e1421891464d321c9de55ef31fc30962a40e68e9cccc58270902b726eef3a7e000a2ab7442100ed3c863894f88db6eaef3a4cec6bd32f9495d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\pkjuxkgcq.exe

Filesize
52KB

MD5
a741aca2374667f557a1cbcfbf5a4ea5

SHA1
d962577799ff096cf4a5fc4ecaf2bec58c4bcf34

SHA256
1afd8c279df2730e75f5c785a2f55802364f2ec099c7d462e125a4558ae7ee68

SHA512
5dfa8466f1d4e1421891464d321c9de55ef31fc30962a40e68e9cccc58270902b726eef3a7e000a2ab7442100ed3c863894f88db6eaef3a4cec6bd32f9495d39

Download Submit
C:\Users\Admin\AppData\Local\Temp\polrgojay.ci

Filesize
262KB

MD5
c2be7d140daddf0d45abc39559c7b466

SHA1
e2b14f2979dbd7d6ec101c045fe605d53f1babf7

SHA256
940b38a28bda13edfd8d31ef85266dbc273bee786c73943b6fc5c87787fb71df

SHA512
61fbcb4585687d82fa78f80fc79762429e142cfc7921e9763693c37f2d703cace00ef3232215919abf90a7cbf7faf51b19798d2085b815b223357e83fa872bca

Download Submit
C:\Users\Admin\AppData\Local\Temp\rrauniuc.z

Filesize
5KB

MD5
f4ae18d72904cd0d8bb477bfedc31382

SHA1
52953a6227f40dfb596b7687663d528011465909

SHA256
5f95774dad0df5c69f5c7f3b39c50ba62d9922314a597511653431ac324c498f

SHA512
37bc00bd007c6e6bc74020bce0b847f00d2e2ebddeace5c73c5437a316fb61af42272891960f804681420f1f280ad4230a34d3dcef75758cc6fb8644c1cc8a93

Download Submit
memory/3812-139-0x0000000000400000-0x0000000000441000-memory.dmp

Filesize
260KB

Download
memory/3812-140-0x0000000004B70000-0x0000000005114000-memory.dmp

Filesize
5.6MB

Download
memory/3812-141-0x00000000049D0000-0x0000000004A36000-memory.dmp

Filesize
408KB

Download
memory/3812-142-0x0000000006160000-0x00000000061F2000-memory.dmp

Filesize
584KB

Download
memory/3812-143-0x0000000006270000-0x000000000627A000-memory.dmp

Filesize
40KB

Download
memory/3812-144-0x0000000006540000-0x0000000006590000-memory.dmp

Filesize
320KB

Download
memory/3812-145-0x00000000066A0000-0x0000000006862000-memory.dmp

Filesize
1.8MB

Download

Analysis

Sharing