fd73b30a5225b5960e1b9f9d5d9e09d0b13acd0bdbe1dcb8265f3c235590cf06

Analysis

max time kernel
117s
max time network
128s
platform
windows7_x64
resource
win7-20230831-en
resource tags

arch:x64arch:x86image:win7-20230831-enlocale:en-usos:windows7-x64system
submitted
13/10/2023, 20:57

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

SHADOW-BYPASS 2.8/BYPASS/Memlib.dll
Size

12.1MB
MD5

412945cb7b854474d9dfe851717dfadd
SHA1

c18d958bf878caf2ae1e7f3eede5c176acffa0f5
SHA256

5c6b9809b455df8d4abcacf86af34895c656000c21a3f1401195da543a36e8a8
SHA512

35a9286a10c7f4eff98801ccb2e4be5a03a3a833a2da725864b6ae4da1a28e8f073d1f460694e3ee5a14dde0a3d5a3585d6587fc242b1c2cb446e3b1c066db64
SSDEEP

196608:ASEvUOQHf5DuekvJBuJYlyaGIuJj9L+Cw9RDOIFsd+ELs06UfZyneWRh0TZnMSl1:hlwhLuJiC5VwJsDeCw1Rh0NMS/

Score

5^/10

Malware Config

Signatures

Suspicious use of NtSetInformationThreadHideFromDebugger 2 IoCs

pid	Process
2212	rundll32.exe
2212	rundll32.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2928	2212	WerFault.exe	28

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
2212	rundll32.exe

Suspicious use of WriteProcessMemory 11 IoCs

description	pid	Process	procid_target
PID 2184 wrote to memory of 2212	2184	rundll32.exe	28
PID 2184 wrote to memory of 2212	2184	rundll32.exe	28
PID 2184 wrote to memory of 2212	2184	rundll32.exe	28
PID 2184 wrote to memory of 2212	2184	rundll32.exe	28
PID 2184 wrote to memory of 2212	2184	rundll32.exe	28
PID 2184 wrote to memory of 2212	2184	rundll32.exe	28
PID 2184 wrote to memory of 2212	2184	rundll32.exe	28
PID 2212 wrote to memory of 2928	2212	rundll32.exe	29
PID 2212 wrote to memory of 2928	2212	rundll32.exe	29
PID 2212 wrote to memory of 2928	2212	rundll32.exe	29
PID 2212 wrote to memory of 2928	2212	rundll32.exe	29

C:\Windows\system32\rundll32.exe
rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SHADOW-BYPASS 2.8\BYPASS\Memlib.dll",#1
1⤵
- Suspicious use of WriteProcessMemory
PID:2184
- C:\Windows\SysWOW64\rundll32.exe
  rundll32.exe "C:\Users\Admin\AppData\Local\Temp\SHADOW-BYPASS 2.8\BYPASS\Memlib.dll",#1
  2⤵
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:2212
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2212 -s 208
    3⤵
    - Program crash
    PID:2928

Network

MITRE ATT&CK Matrix

Replay Monitor

Loading Replay Monitor...

Downloads

memory/2212-0-0x0000000070C30000-0x000000007220C000-memory.dmp

Filesize
21.9MB

Download
memory/2212-1-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2212-2-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2212-3-0x0000000000170000-0x0000000000171000-memory.dmp

Filesize
4KB

Download
memory/2212-4-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2212-6-0x0000000070C30000-0x000000007220C000-memory.dmp

Filesize
21.9MB

Download
memory/2212-7-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2212-8-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2212-5-0x0000000000180000-0x0000000000181000-memory.dmp

Filesize
4KB

Download
memory/2212-10-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2212-12-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/2212-13-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2212-15-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2212-17-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2212-22-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2212-20-0x00000000001B0000-0x00000000001B1000-memory.dmp

Filesize
4KB

Download
memory/2212-25-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2212-27-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2212-30-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2212-32-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2212-35-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2212-37-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2212-38-0x0000000070C30000-0x000000007220C000-memory.dmp

Filesize
21.9MB

Download