Analysis
- max time kernel: 29s
- max time network: 34s
- platform: windows7_x64
- resource: win7-20230220-en
- resource tags: arch:x64, arch:x86, image:win7-20230220-en, locale:en-us, os:windows7-x64, system
- submitted: 22-03-2023 01:53

Behavioral task
- behavioral1
- Sample: ShxdowFNPriv.exe
- Resource: win7-20230220-en
General
- Target: ShxdowFNPriv.exe
- Size: 8.9MB
- MD5: b71f7df698f84a4a2be07470c0211c42
- SHA1: d5c136cb51351227171e712e5d13418f889a24ce
- SHA256: dea30e9fae094570ec778a0c06c813de1d490b9941f3b147199b28bf6f04ab6d
- SHA512: 1078c75a89a2d3abfda257da636e2898ae8ed0bb3ff38105917f1ac6e79edd311157db90838bec7a3822374ef2e63b5228ff805980a4f38a0852e2f348cfcf17
- SSDEEP: 196608:KM5i3Gve7iiGc7oMcVnUWGdFo3ZOlQKtvRbKP37OLvRs:KM5TvIiUoMcOWxpOlhsTOTRs
Malware Config
Signatures
- Identifies VirtualBox via ACPI registry values (likely anti-VM) (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__ | ShxdowFNPriv.exe
- Checks BIOS information in registry (2 TTPs, 2 IoCs)
  BIOS information is often read in order to detect sandboxing environments.
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\VideoBiosVersion | ShxdowFNPriv.exe
  Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion | ShxdowFNPriv.exe
- Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  1616 | ShxdowFNPriv.exe
  1616 | ShxdowFNPriv.exe
- YARA rule matches (5 IoCs)
  Processes:
  resource | yara_rule
  behavioral1/memory/1616-58-0x000000013F540000-0x0000000140D78000-memory.dmp | themida
  behavioral1/memory/1616-60-0x000000013F540000-0x0000000140D78000-memory.dmp | themida
  behavioral1/memory/1616-59-0x000000013F540000-0x0000000140D78000-memory.dmp | themida
  behavioral1/memory/1616-61-0x000000013F540000-0x0000000140D78000-memory.dmp | themida
  behavioral1/memory/1616-66-0x000000013F540000-0x0000000140D78000-memory.dmp | themida
- Checks whether UAC is enabled (1 IoC)
  Processes:
  description | ioc | process
  Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | ShxdowFNPriv.exe
- Suspicious use of NtSetInformationThreadHideFromDebugger (1 IoC)
  Processes:
  pid | process
  1616 | ShxdowFNPriv.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\ShxdowFNPriv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ShxdowFNPriv.exe"
  Signatures:
  - Identifies VirtualBox via ACPI registry values (likely anti-VM)
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - Suspicious use of NtSetInformationThreadHideFromDebugger
Network
MITRE ATT&CK Matrix ATT&CK v6
Downloads
- \Users\Admin\AppData\Local\Temp\d3d11.dll
  Filesize: 2.4MB
  MD5: b284ae0d37cc7d47fc149bf93ef6a5bf
  SHA1: 3952b84377b0a1d267daae711ee47581749cb2a3
  SHA256: 0d1fe975cc83acc64a5c2341fbed3700a10509fa3df64535bc50adddd95b7f8b
  SHA512: b3982d34808264907520602a5a7798c20b035e78152731856b2c3e0b83086a9b744377e2a2014a3ed91fcb9478468986360fcd62df98a544c9f8a856829ffc33
- \Users\Admin\AppData\Local\Temp\d3dcompiler_47.dll
  Filesize: 4.1MB
  MD5: 222d020bd33c90170a8296adc1b7036a
  SHA1: 612e6f443d927330b9b8ac13cc4a2a6b959cee48
  SHA256: 4432bbd1a390874f3f0a503d45cc48d346abc3a8c0213c289f4b615bf0ee84f3
  SHA512: ad8c7ce7f6f353da5e2cf816e1a69f1ec14011612e8041e4f9bb6ebed3e0fa4e4ebc069155a0c66e23811467012c201893b9b3b7a947d089ce2c749d5e8910c6
- memory/1616-58-0x000000013F540000-0x0000000140D78000-memory.dmp
  Filesize: 24.2MB
- memory/1616-60-0x000000013F540000-0x0000000140D78000-memory.dmp
  Filesize: 24.2MB
- memory/1616-59-0x000000013F540000-0x0000000140D78000-memory.dmp
  Filesize: 24.2MB
- memory/1616-61-0x000000013F540000-0x0000000140D78000-memory.dmp
  Filesize: 24.2MB
- memory/1616-66-0x000000013F540000-0x0000000140D78000-memory.dmp
  Filesize: 24.2MB