Overview

overview

10

Static

static

3

Roshade.Se...xe.zip

windows7-x64

1

Roshade.Se...xe.zip

windows10-2004-x64

1

Roshade.Se...ve.exe

windows7-x64

Roshade.Se...ve.exe

windows10-2004-x64

10

changelog/...j8.png

windows7-x64

3

changelog/...j8.png

windows10-2004-x64

3

Resubmissions

25/08/2023, 13:21

230825-ql5hkaca48 10

25/08/2023, 13:18

230825-qj2znadg5w 10

Analysis

  • max time kernel
    16s
  • max time network
    19s
  • platform
    windows7_x64
  • resource
    win7-20230712-en
  • resource tags

    arch:x64arch:x86image:win7-20230712-enlocale:en-usos:windows7-x64system
  • submitted
    25/08/2023, 13:21

Sharing

Copy URL Twitter E-mail

Errors

Reason
Machine shutdown
Report Analysis Logs

General

  • Target

    Roshade.Setup.3.3.1.exe - Archive.exe

  • Size

    781KB

  • MD5

    34b3d82fe220ad1b6a93a68c903f9b86

  • SHA1

    c0b085af680a927e8c8bba8400904fc37c9b681e

  • SHA256

    6bc198921d872252f6e3b2c088f59c2c38460886b8438780d76d2453a97b4008

  • SHA512

    edf8749d04dce834a7f4aa57910462a2706932170cde091fbac8eeaf3e42da6b94c67e314dc532f37450e663fd8200933bd8e315e525ab21092251544f979207

  • SSDEEP

    24576:oY0d/kaCUc9Fd89fgOfzScpL4Jfo3W04G:zWkaCUIFd89fgOfzScpL4W3W04G

Score
10/10

Malware Config

Signatures

  • Suspicious use of NtCreateUserProcessOtherParentProcess 1 IoCs
  • Drops file in System32 directory 1 IoCs
  • Drops file in Program Files directory 1 IoCs
  • Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes

  • C:\Windows\Explorer.EXE
    C:\Windows\Explorer.EXE
    1⤵
      PID:1280
      • C:\Users\Admin\AppData\Local\Temp\Roshade.Setup.3.3.1.exe - Archive.exe
        "C:\Users\Admin\AppData\Local\Temp\Roshade.Setup.3.3.1.exe - Archive.exe"
        2⤵
        • Suspicious use of NtCreateUserProcessOtherParentProcess
        • Drops file in Program Files directory
        • Suspicious behavior: EnumeratesProcesses
        PID:1640
      • C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
        C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe Add-MpPreference -ExclusionPath @($env:UserProfile, $env:ProgramFiles) -Force
        2⤵
        • Drops file in System32 directory
        PID:2884

    Network

          MITRE ATT&CK Matrix

          Replay Monitor

          Loading Replay Monitor...

          Downloads

          • memory/1640-3-0x0000000001E70000-0x0000000002846000-memory.dmp

            Filesize

            9.8MB

            Download

          • memory/1640-4-0x0000000001E70000-0x0000000002846000-memory.dmp

            Filesize

            9.8MB

            Download

          • memory/1640-5-0x0000000000400000-0x00000000004BB000-memory.dmp

            Filesize

            748KB

            Download

          • memory/2884-10-0x000007FEF5410000-0x000007FEF5DAD000-memory.dmp

            Filesize

            9.6MB

            Download

          • memory/2884-11-0x0000000002750000-0x00000000027D0000-memory.dmp

            Filesize

            512KB

            Download

          • memory/2884-12-0x000000001AFA0000-0x000000001B282000-memory.dmp

            Filesize

            2.9MB

            Download

          • memory/2884-14-0x00000000024E0000-0x00000000024E8000-memory.dmp

            Filesize

            32KB

            Download

          • memory/2884-13-0x0000000002750000-0x00000000027D0000-memory.dmp

            Filesize

            512KB

            Download